Sujet Précédent Sujet Suivant

Gdmae.bmp, Gdooey Mae, wa6.vbs

Fermé
khmeritou Messages postés 5 Date d'inscription lundi 18 août 2008 Statut Membre Dernière intervention 23 août 2008 - 21 août 2008 à 13:27
 Tchics - 12 déc. 2008 à 18:05
Bonjour,
Je viens de trouver sur le forum de Kasperski la descrition de mon probleme, malheureusement pas la solution.
C'est exactement mon probléme.
1)
Le double click sur drive C: ou D: ne fonctionne pas. Le fichier autorun.inf est alteré par "shellexecute=wscript.exe wa6.vbs". Je l'ai supprimé, lancé "regsvr32 /i shell32", rebooté. Mais rien n'y fait le fichier autorun.inf est recréé.

2)
Le fond d'ecran disparait a chaque reboot au profit de "gdmae.bmp", que je n'arrive pas a trouver sur le disque.
Et dans le beandeau Internet Explorer on peut Lire "internet explorer Gdooey mae"

Est-ce que qq a une piste...Les antivirus, et Anti spyware n'ont rien trouvé.

Ci dessous l'article du forum Kasperski

https://community.kaspersky.com/?/topic/79820-new-viruses/#entry725465
i have:

va6.vbs:
i double click on a drive and it says: can not find script file "c:\wa6.vbs"
because i deleted it but it's not deleted 'cause i still can find it with "hidden files"

and

"Gdooey Mae.bmp":
when i open internet explorer i read on the upper blue part :
internet explorer Gdooey mae
and : blank page-Gdooey mae
and: what ever address GdooeyMae
i deleted it but it comes back.

9 réponses

Réponse 1 / 9
Utilisateur anonyme
21 août 2008 à 14:56
Salut,


Télécharge HijackThis ici :

-> Fais un clic droit sur un des liens et choisi enregistrer la cible sous .... le bureau
-> http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
-> ftp://ftp.commentcamarche.com/download/HJTInstall.exe

-> Fais un double-clic sur HJTInstall.exe afin de lancer l'installation

-> Clique sur Install ensuite sur I Accept

-> Clique sur Do a scan system and save log file

-> Le bloc-notes s'ouvrira, fais un copier-coller de tout son contenu ici dans ta prochaine réponse
1
Réponse 2 / 9
khmeritou Messages postés 5 Date d'inscription lundi 18 août 2008 Statut Membre Dernière intervention 23 août 2008
22 août 2008 à 11:38
Bon aprés moultes soucis... J'ai du lancer combofix 4 fois avant qu'il n'aille jusqu'au bout.

Finallement on progresse.
Le fond d'ecran reste en place aprés un reboot, et le double click sur C: et D: fonctionne, mais j'ai maintenant
gdmae.bmp, Gdooey Mae, wa6.vbs - Godooey Mae en titre de la fenetre IE
En revanche l'antivirus Symantec ne fonctionne plus, il me demande le reinstaller, et le port USD ou est branchée ma HP deskjet 5610 ne fonctionne plus.

Voici le rapport de Combofix.

ComboFix 08-08-21.02 - BACK OFFICE 2008-08-22 16:00:17.4 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.146 [GMT 7:00]
Running from: C:\Documents and Settings\BACK OFFICE\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf
.
---- Previous Run -------
.
C:\autorun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-21 20:19 . 2008-08-21 20:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-21 16:57 . 2008-08-21 16:57 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-21 14:50 . 2008-08-21 14:50 120 --a------ C:\WINDOWS\Winchat.ini
2008-08-19 19:23 . 2008-03-27 21:40 1,952 --ah----- C:\wa6.vbs
2008-08-19 19:23 . 2008-08-21 17:23 88 -rahs---- C:\autorun.sav.inf
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Documents and Settings\BACK OFFICE\Application Data\Malwarebytes
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 12:29 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 12:29 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 17:58 . 2008-08-16 17:15 106,279 --------- C:\WINDOWS\hpoins07.dat.temp
2008-08-17 17:58 . 2005-06-22 09:19 17,505 --------- C:\WINDOWS\hpomdl07.dat.temp
2008-08-17 11:48 . 2008-08-17 11:48 <DIR> d--hs---- C:\FOUND.000
2008-08-16 17:21 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-16 17:15 . 2008-08-16 17:15 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-16 17:14 . 2008-08-16 17:14 <DIR> d-------- C:\Program Files\HP
2008-08-16 17:14 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-08-16 17:14 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-08-16 17:14 . 2008-08-17 17:58 106,192 --a------ C:\WINDOWS\hpoins07.dat
2008-08-16 17:14 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-08-16 17:14 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-08-16 17:14 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-08-16 17:14 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-08-16 17:14 . 2005-06-22 09:19 17,505 --------- C:\WINDOWS\hpomdl07.dat
2008-08-16 17:13 . 2005-04-08 14:51 606,208 --a------ C:\WINDOWS\system32\hpotscl.dll
2008-08-16 17:13 . 2005-04-08 14:51 278,528 --a------ C:\WINDOWS\system32\hpgwiamd.dll
2008-08-16 17:13 . 2005-03-08 18:39 274,432 --a------ C:\WINDOWS\system32\HPZc3212.dll
2008-08-16 17:13 . 2005-04-08 14:51 258,122 --a------ C:\WINDOWS\system32\hpovst08.dll
2008-08-16 17:13 . 2005-02-05 01:58 98,304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2008-08-16 17:13 . 2005-03-08 18:43 51,120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-08-16 17:13 . 2005-03-08 18:43 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-08-16 17:13 . 2005-03-08 18:43 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-08-16 17:12 . 2005-03-08 18:41 393,216 --a------ C:\WINDOWS\system32\hpzcon12.dll
2008-08-16 17:12 . 2005-03-08 18:41 196,608 --a------ C:\WINDOWS\system32\hpzcoi12.dll
2008-08-16 17:12 . 2005-03-18 17:32 180,315 --a------ C:\WINDOWS\system32\hpzsnt12.dll
2008-08-16 07:25 . 2008-05-01 21:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-26 13:02 . 2008-07-26 13:02 2,000 --a------ C:\WINDOWS\ESwork.ini
2008-07-26 13:00 . 2008-07-26 13:00 <DIR> d-------- C:\Program Files\Interstem
2008-07-26 13:00 . 2008-07-26 13:00 <DIR> d-------- C:\Documents and Settings\BACK OFFICE\WINDOWS
2008-07-26 13:00 . 1998-02-06 20:39 304,128 --a------ C:\WINDOWS\unin040c.exe
2008-07-26 13:00 . 2008-07-26 13:02 244 --a------ C:\WINDOWS\hotel.INI
2008-07-26 13:00 . 2008-07-26 13:00 31 --a------ C:\WINDOWS\ESPROTECT.ini
2008-07-26 13:00 . 2008-07-26 13:00 0 --a------ C:\WINDOWS\PROTOCOL.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 03:58 74 ----a-w C:\Documents and Settings\BACK OFFICE\copie.bat
2008-07-07 20:06 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:06 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:28 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:28 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-23 16:12 667,136 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-06-23 16:12 618,496 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-06-23 16:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2008-06-23 16:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-06-23 16:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-06-23 16:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-06-23 16:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2008-06-23 16:12 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-06-23 16:11 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2008-06-23 16:11 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2008-06-23 16:11 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-06-23 16:11 3,067,392 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 16:11 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2008-06-23 16:11 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-06-23 16:11 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-06-23 16:11 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-06-23 16:11 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2008-06-23 16:11 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2008-06-23 09:53 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:36 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2004-09-28 02:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:26 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-15 08:42 68856]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe" [2008-06-27 18:06 297543]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.13.1.2\PlaxoSysTray.exe" [2008-06-27 18:06 20480]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 23:02 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 23:02 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 23:02 455168]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 18:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 18:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 18:10 114688]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"Zip"="wscript.exe" [2005-10-12 17:14 114688 C:\WINDOWS\system32\wscript.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-12 14:00:35 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-12 21:13:20 110592]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 MSSQL$ASI;MSSQL$ASI;C:\Program Files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlservr.exe [2002-12-17 17:26]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []
S3 SQLAgent$ASI;SQLAgent$ASI;C:\Program Files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlagent.EXE [2002-12-17 17:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{828a83a5-7eb9-11dc-a78d-0016768e9a31}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92dc15cc-6de9-11dd-a97b-0016768e9a31}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e49cf0de-2fa3-11dc-ac47-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e49cf0df-2fa3-11dc-ac47-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-TaskSwitchXP - C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
HKU-Default-Run-Free Download Manager - C:\Program Files\Free Download Manager\fdm.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Start Page = hxxp://www.mysteres-angkor.com/
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 -: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 -: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 -: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations (Beta) -------
.
inffile=C:\WINDOWS\system32\NOTEPAD2.EXE %1
inifile=C:\WINDOWS\system32\NOTEPAD2.EXE %1
txtfile=C:\WINDOWS\system32\NOTEPAD2.EXE %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 16:01:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

C:\WINDOWS\EXPLORER.EXE [224] 0x82120588

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-22 16:02:10
ComboFix-quarantined-files.txt 2008-08-22 09:02:10

Pre-Run: 20,302,151,680 bytes free
Post-Run: 20,407,746,560 bytes free

219 --- E O F --- 2008-08-16 07:18:12




Puis le rapport de HJT, lancé aprés reboot
Le R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Gdooey Mae est toujours present

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:33 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD2.EXE
C:\WINDOWS\system32\NOTEPAD2.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mysteres-angkor.com/html/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Gdooey Mae
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Zip] wscript.exe /E:vbs C:\autoexec.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.13.1.2\PlaxoSysTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
1
Réponse 3 / 9
LaoM
11 oct. 2008 à 07:21
Bonjour,

je ne sais pas si j'aurais une réponse mais j'ai exactement le même virus, je vous lais savoir si les infos à suivre que tu donnes seront les mêmes pour n'importe quel ordi infecté ou si chaque désinfection demandera à sélectionner des fichier spécifique et dans ce cas là (moi qui n'y connais rien)j' aurais besoin d'aide de quelqu'un d'expérimenté...

Merci d'avance.
0
Tchics
12 déc. 2008 à 18:05
Bonjour,
J'ai le même problème... Je ne m'y connais pas non plus assez pour décripter toutes les étapes précédemment citées. Quelqu'un pourrait il m'expliquer comment faire ?

Merci :-)
0
Réponse 4 / 9
khmeritou Messages postés 5 Date d'inscription lundi 18 août 2008 Statut Membre Dernière intervention 23 août 2008
21 août 2008 à 15:29
Voila le log de HJT.
J'ai mis en gras une ligne suspecte, qui contient "Gdooey Mae"
Merci poyr l 'aide
Phil

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:04, on 21/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mysteres-angkor.com/html/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Gdooey Mae
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Zip] wscript.exe /E:vbs C:\autoexec.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.13.1.2\PlaxoSysTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
-1

Vous n’avez pas trouvé la réponse que vous recherchez ?

Posez votre question
Réponse 5 / 9
Utilisateur anonyme
21 août 2008 à 15:39
réouvre hijackthis
fais scan only
coches ces lignes :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Gdooey Mae

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

tu les coches et tu clic sur fix checked


ensuite fai sceci :

Démarrer > executer > tape : services.msc

- Clic droit sur le service cité - ASP.NET State Service
- propriétés
- et dans "type de démarrage" et mets le sur « désactivé ».
- Ensuite si le "Status du service" est sur "Démarré" faire : « arrêté »

Tutorial : https://www.zebulon.fr/dossiers/windows/31-services.html


ensuite :

- Branche tes sources de données externes à ton PC (clé USB, disque dur externe, etc...) sans les ouvrir


Télécharge combofix : http://download.bleepingcomputer.com/sUBs/ComboFix.exe




-> Double clique sur combofix.exe.
-> Tape sur la touche 1 (Yes) pour démarrer le scan.
-> Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse.

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

Avant d'utiliser ComboFix :

-> Déconnecte toi d'internet et referme les fenêtres de tous les programmes en cours.

-> Désactive provisoirement et seulement le temps de l'utilisation de ComboFix, la protection en temps réel de ton Antivirus et de tes Antispywares, qui peuvent géner fortement la procédure de recherche et de nettoyage de l'outil.

Une fois fait, sur ton bureau double-clic sur Combofix.exe.

- Répond oui au message d'avertissement, pour que le programme commence à procéder à l'analyse du pc.

/!\ Pendant la durée de cette étape, ne te sert pas du pc et n'ouvre aucun programmes.

- En fin de scan il est possible que ComboFix ait besoin de redemarrer le pc pour finaliser la désinfection\recherche, laisses-le faire.

- Un rapport s'ouvrira ensuite dans le bloc notes, ce fichier rapport Combofix.txt, est automatiquement sauvegardé et rangé à C:\Combofix.txt)

-> Réactive la protection en temps réel de ton Antivirus et de tes Antispywares, avant de te reconnecter à internet.

-> Reviens sur le forum, et copie et colle la totalité du contenu de C:\Combofix.txt dans ton prochain message.
-1
Réponse 6 / 9
Utilisateur anonyme
22 août 2008 à 12:22
Copie le texte ci-dessous :

File::
C:\wa6.vbs
C:\autorun.sav.inf
C:\WINDOWS\hpoins07.dat.temp
C:\WINDOWS\hpomdl07.dat.temp
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif
C:\autorun.inf
D:\Autorun.inf

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zip"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{828a83a5-7eb9-11dc-a78d-0016768e9a31}]
[--HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92dc15cc-6de9-11dd-a97b-0016768e9a31}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e49cf0de-2fa3-11dc-ac47-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e49cf0df-2fa3-11dc-ac47-806d6172696f}]



Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://sd-1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix,

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt

S'il n'y a pas de rédémarrage, poste quand même le rapport.


-1
khmeritou Messages postés 5 Date d'inscription lundi 18 août 2008 Statut Membre Dernière intervention 23 août 2008
22 août 2008 à 13:29
On progresse, on progresse...Merci de ton aide
1)Double click sur C: D: ok
2)Fond d'ecran ok.
3)Bandeau IE ok...Le gdooey mae a disparu.

Par contre, toujours l'install de Norton Antivirus qui cherche a se lancer qunad je click sur une icone.
et puis l'imprimante HP5110 ur USB qui me dit "Safely remove Hardware"
et puis y toujours des traces de mes vers dans autoexec.bat

fileToCopy= sourcedrv & "wa6.vbs"
destinationPath = drv.path & "\wa6.vbs"
fso.CopyFile fileToCopy, destinationPath
destinationPath = "C:\autoexec.bat"
fso.CopyFile fileToCopy, destinationPath, true
fileToCopy= sourcedrv & "gdmae.bmp"
destinationPath = drv.path & "\gdmae.bmp"

Ci -dessous le dernier rapport de Combofix:
ComboFix 08-08-21.02 - BACK OFFICE 2008-08-22 18:05:37.6 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.158 [GMT 7:00]
Running from: C:\Documents and Settings\BACK OFFICE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BACK OFFICE\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\autorun.inf
C:\autorun.sav.inf
C:\wa6.vbs
C:\WINDOWS\hpoins07.dat.temp
C:\WINDOWS\hpomdl07.dat.temp
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs
C:\WINDOWS\system32\wscript.exe
D:\Autorun.inf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\autorun.inf
C:\autorun.sav.inf
C:\wa6.vbs
C:\WINDOWS\hpoins07.dat.temp
C:\WINDOWS\hpomdl07.dat.temp
C:\WINDOWS\system32\wscript.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-21 20:19 . 2008-08-21 20:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-21 16:57 . 2008-08-21 16:57 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-21 14:50 . 2008-08-21 14:50 120 --a------ C:\WINDOWS\Winchat.ini
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Documents and Settings\BACK OFFICE\Application Data\Malwarebytes
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 12:29 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 12:29 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 11:48 . 2008-08-17 11:48 <DIR> d--hs---- C:\FOUND.000
2008-08-16 17:21 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-16 17:15 . 2008-08-16 17:15 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-16 17:14 . 2008-08-16 17:14 <DIR> d-------- C:\Program Files\HP
2008-08-16 17:14 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-08-16 17:14 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-08-16 17:14 . 2008-08-17 17:58 106,192 --a------ C:\WINDOWS\hpoins07.dat
2008-08-16 17:14 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-08-16 17:14 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-08-16 17:14 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-08-16 17:14 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-08-16 17:14 . 2005-06-22 09:19 17,505 --------- C:\WINDOWS\hpomdl07.dat
2008-08-16 17:13 . 2005-04-08 14:51 606,208 --a------ C:\WINDOWS\system32\hpotscl.dll
2008-08-16 17:13 . 2005-04-08 14:51 278,528 --a------ C:\WINDOWS\system32\hpgwiamd.dll
2008-08-16 17:13 . 2005-03-08 18:39 274,432 --a------ C:\WINDOWS\system32\HPZc3212.dll
2008-08-16 17:13 . 2005-04-08 14:51 258,122 --a------ C:\WINDOWS\system32\hpovst08.dll
2008-08-16 17:13 . 2005-02-05 01:58 98,304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2008-08-16 17:13 . 2005-03-08 18:43 51,120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-08-16 17:13 . 2005-03-08 18:43 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-08-16 17:13 . 2005-03-08 18:43 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-08-16 17:12 . 2005-03-08 18:41 393,216 --a------ C:\WINDOWS\system32\hpzcon12.dll
2008-08-16 17:12 . 2005-03-08 18:41 196,608 --a------ C:\WINDOWS\system32\hpzcoi12.dll
2008-08-16 17:12 . 2005-03-18 17:32 180,315 --a------ C:\WINDOWS\system32\hpzsnt12.dll
2008-08-16 07:25 . 2008-05-01 21:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-26 13:02 . 2008-07-26 13:02 2,000 --a------ C:\WINDOWS\ESwork.ini
2008-07-26 13:00 . 2008-07-26 13:00 <DIR> d-------- C:\Program Files\Interstem
2008-07-26 13:00 . 2008-07-26 13:00 <DIR> d-------- C:\Documents and Settings\BACK OFFICE\WINDOWS
2008-07-26 13:00 . 1998-02-06 20:39 304,128 --a------ C:\WINDOWS\unin040c.exe
2008-07-26 13:00 . 2008-07-26 13:02 244 --a------ C:\WINDOWS\hotel.INI
2008-07-26 13:00 . 2008-07-26 13:00 31 --a------ C:\WINDOWS\ESPROTECT.ini
2008-07-26 13:00 . 2008-07-26 13:00 0 --a------ C:\WINDOWS\PROTOCOL.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 03:58 74 ----a-w C:\Documents and Settings\BACK OFFICE\copie.bat
2008-07-07 20:06 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:06 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:28 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:28 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-23 16:12 667,136 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-06-23 16:12 618,496 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-06-23 16:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2008-06-23 16:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-06-23 16:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-06-23 16:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-06-23 16:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2008-06-23 16:12 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-06-23 16:11 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2008-06-23 16:11 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2008-06-23 16:11 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-06-23 16:11 3,067,392 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 16:11 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2008-06-23 16:11 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-06-23 16:11 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-06-23 16:11 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-06-23 16:11 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2008-06-23 16:11 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2008-06-23 09:53 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:36 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2004-09-28 02:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((( snapshot@2008-08-22_16.01.54.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 11:02:14 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:26 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-15 08:42 68856]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe" [2008-06-27 18:06 297543]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.13.1.2\PlaxoSysTray.exe" [2008-06-27 18:06 20480]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 23:02 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 23:02 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 23:02 455168]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 18:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 18:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 18:10 114688]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-12 14:00:35 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-12 21:13:20 110592]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 MSSQL$ASI;MSSQL$ASI;C:\Program Files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlservr.exe [2002-12-17 17:26]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []
S3 SQLAgent$ASI;SQLAgent$ASI;C:\Program Files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlagent.EXE [2002-12-17 17:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92dc15cc-6de9-11dd-a97b-0016768e9a31}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Zip - wscript.exe
0
Réponse 7 / 9
Utilisateur anonyme
22 août 2008 à 13:58
Copie le texte ci-dessous :

File::
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92dc15cc-6de9-11dd-a97b-0016768e9a31}]



Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://sd-1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix,

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports.


-1
Réponse 8 / 9
khmeritou Messages postés 5 Date d'inscription lundi 18 août 2008 Statut Membre Dernière intervention 23 août 2008
23 août 2008 à 05:52
J'ai ete obligé de relancer Combofix plusieurs fois.
En effet il se bloque aprés "Complete Stage 4" ou "complete stage 17", ou autre. La seule solution est de faire hard reset de la machine.
De plus il ne se comporte pas comme tu me l'a decrit: Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.
Le message "Type 1 to continue, or 2 to abort", n'apparrait jamais. Le scan demarrage automatiquement.

Voici le rapport Combofix
ComboFix 08-08-21.02 - BACK OFFICE 2008-08-23 10:23:01.12 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.211 [GMT 7:00]
Running from: C:\Documents and Settings\BACK OFFICE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BACK OFFICE\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs
.

((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-21 20:19 . 2008-08-21 20:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-21 16:57 . 2008-08-21 16:57 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-21 14:50 . 2008-08-21 14:50 120 --a------ C:\WINDOWS\Winchat.ini
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Documents and Settings\BACK OFFICE\Application Data\Malwarebytes
2008-08-18 12:29 . 2008-08-18 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 12:29 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 12:29 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 11:48 . 2008-08-17 11:48 <DIR> d--hs---- C:\FOUND.000
2008-08-16 17:21 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-16 17:15 . 2008-08-16 17:15 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-16 17:14 . 2008-08-16 17:14 <DIR> d-------- C:\Program Files\HP
2008-08-16 17:14 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-08-16 17:14 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-08-16 17:14 . 2008-08-17 17:58 106,192 --a------ C:\WINDOWS\hpoins07.dat
2008-08-16 17:14 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-08-16 17:14 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-08-16 17:14 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-08-16 17:14 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-08-16 17:14 . 2005-06-22 09:19 17,505 --------- C:\WINDOWS\hpomdl07.dat
2008-08-16 17:13 . 2005-04-08 14:51 606,208 --a------ C:\WINDOWS\system32\hpotscl.dll
2008-08-16 17:13 . 2005-04-08 14:51 278,528 --a------ C:\WINDOWS\system32\hpgwiamd.dll
2008-08-16 17:13 . 2005-03-08 18:39 274,432 --a------ C:\WINDOWS\system32\HPZc3212.dll
2008-08-16 17:13 . 2005-04-08 14:51 258,122 --a------ C:\WINDOWS\system32\hpovst08.dll
2008-08-16 17:13 . 2005-02-05 01:58 98,304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2008-08-16 17:13 . 2005-03-08 18:43 51,120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-08-16 17:13 . 2005-03-08 18:43 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-08-16 17:13 . 2005-03-08 18:43 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-08-16 17:12 . 2005-03-08 18:41 393,216 --a------ C:\WINDOWS\system32\hpzcon12.dll
2008-08-16 17:12 . 2005-03-08 18:41 196,608 --a------ C:\WINDOWS\system32\hpzcoi12.dll
2008-08-16 17:12 . 2005-03-18 17:32 180,315 --a------ C:\WINDOWS\system32\hpzsnt12.dll
2008-08-16 07:25 . 2008-05-01 21:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-26 13:02 . 2008-07-26 13:02 2,000 --a------ C:\WINDOWS\ESwork.ini
2008-07-26 13:00 . 2008-07-26 13:00 <DIR> d-------- C:\Program Files\Interstem
2008-07-26 13:00 . 2008-07-26 13:00 <DIR> d-------- C:\Documents and Settings\BACK OFFICE\WINDOWS
2008-07-26 13:00 . 1998-02-06 20:39 304,128 --a------ C:\WINDOWS\unin040c.exe
2008-07-26 13:00 . 2008-07-26 13:02 244 --a------ C:\WINDOWS\hotel.INI
2008-07-26 13:00 . 2008-07-26 13:00 31 --a------ C:\WINDOWS\ESPROTECT.ini
2008-07-26 13:00 . 2008-07-26 13:00 0 --a------ C:\WINDOWS\PROTOCOL.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 03:58 74 ----a-w C:\Documents and Settings\BACK OFFICE\copie.bat
2008-07-07 20:06 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:06 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:28 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:28 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-23 16:12 667,136 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-06-23 16:12 618,496 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-06-23 16:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2008-06-23 16:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-06-23 16:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-06-23 16:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-06-23 16:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2008-06-23 16:12 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-06-23 16:11 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2008-06-23 16:11 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2008-06-23 16:11 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-06-23 16:11 3,067,392 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 16:11 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2008-06-23 16:11 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-06-23 16:11 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-06-23 16:11 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-06-23 16:11 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2008-06-23 16:11 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2008-06-23 09:53 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:36 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2004-09-28 02:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((( snapshot@2008-08-22_16.01.54.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-23 03:16:34 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_54c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:26 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-15 08:42 68856]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe" [2008-06-27 18:06 297543]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.13.1.2\PlaxoSysTray.exe" [2008-06-27 18:06 20480]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 23:02 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 23:02 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 23:02 455168]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 18:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 18:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 18:10 114688]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-12 14:00:35 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-12 21:13:20 110592]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 MSSQL$ASI;MSSQL$ASI;C:\Program Files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlservr.exe [2002-12-17 17:26]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []
S3 SQLAgent$ASI;SQLAgent$ASI;C:\Program Files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlagent.EXE [2002-12-17 17:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92dc15cc-6de9-11dd-a97b-0016768e9a31}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe wa6.vbs
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 10:24:20
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 10:24:47
ComboFix-quarantined-files.txt 2008-08-23 03:24:46
ComboFix3.txt 2008-08-22 09:06:18
ComboFix2.txt 2008-08-22 11:07:30

Pre-Run: 20,024,885,248 bytes free
Post-Run: 20,020,461,568 bytes free

177 --- E O F --- 2008-08-16 07:18:12



Et le rapport HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:04 AM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mysteres-angkor.com/html/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.13.1.2\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.13.1.2\PlaxoSysTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
-1
Réponse 9 / 9
Utilisateur anonyme
23 août 2008 à 15:30
Télécharge RavAntivirus d'Evosla sur ton bureau : http://ww25.evosla.com/compteur.php?soft=rav_antivirus
- Branche tes sources de données externes à ton PC (clé USB, disque dur externe, etc...) sans les ouvrir avant de lancer ce FIX
- Clique droit sur le fichier .ZIP, puis "Extraire vers" Bureau.
- Doucle-clique sur "RAV.exe" pour lancer le fix.
- Laisse le programme agir (10 min) : il scanne automatiquement tout les lecteurs (disques fixes et amovibles)

- Ensuite : retire tes disques amovibles et redémarre le PC. et dis moi si il a trouvé quelque chose stp
-1

Discussions similaires

Faire une pause en VBS
quent -
quent -

3 réponses
Comment poser une questions a Christophe mae
Isa -
Utilisateur anonyme -

3 réponses
fichier vbs
wessim -
Utilisateur anonyme -

19 réponses
adresse mail de Christophe Maé
jeannes24 -
isa -

2 réponses
shutdown en vbscript
seth -
lsjduejd -

13 réponses