Worm.win32.mabezat.b

selma__bens, 5 posts, Status: Member
jfkpresident, 13877 posts, Status: Security Contributor
Hello,
Please, this virus is poisoning my life and my PC.
I need help, I don't know what to do any more; I have Kaspersky but it cannot remove it.
A thousand thanks for your help.

6 replies

Narco!4, 2446 posts, Status: Contributor
Run ComboFix again, but rename it before launching it.
Right-click / Rename
Call it igor.
Install the Recovery Console!
Post the report.
Narco!4, 2446 posts, Status: Contributor
Hello,

Download GenProc http://www.genproc.com/GenProc.exe

Double-click GenProc.exe and post the contents of the report that opens.
selma__bens, 5 posts, Status: Member
A thousand thanks for your help.
I clicked Yes, since I can't manage on my own.
This is the window I got.
Here is the report I got:

Rapport GenProc 2.615 [1] - 26/08/2009 à 10:24:39
@ Windows XP Service Pack 2 - Mode normal
@ Internet Explorer (6.0.2900.2180) [Navigateur par défaut]

~~ ECHEC DU TELECHARGEMENT DE CM ~~

GenProc n'a détecté aucune infection caractéristique et suggère de suivre la procédure suivante :

Fais scanner le(s) fichier(s) suivant(s) sur ce site https://www.virustotal.com/gui/ :

C:\Documents and Settings\All Users\Application Data\18887504\18887504.exe
C:\WINDOWS\system32\XP-5BD424D0.exe

et poste le(s) rapport(s) obtenu(s) dans ta prochaine réponse.

~~~~ INFORMATION COMPLEMENTAIRE ~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:57, on 26/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
c:\oracle\ora81\bin\dbsnmp.exe
c:\oracle\ora81\bin\vppdc.exe
c:\oracle\ora81\Apache\Apache\Apache.exe
c:\oracle\ora81\BIN\TNSLSNR.exe
c:\oracle\ora81\bin\ORACLE.EXE
c:\oracle\ora81\bin\ORACLE.EXE
C:\Program Files\PDF Complete\pdfsvc.exe
c:\oracle\ora81\Apache\jdk\bin\java.exe
c:\oracle\ora81\Apache\Apache\Apache.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\Genproc\outil\bensaada_GenProc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr?cobrand=hp-comm.msn.com&ocid=HPDHP&pc=CMDTDF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.msn.com/fr-fr?cobrand=hp-comm.msn.com&ocid=HPDHP&pc=CMDTDF
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.54.0.5:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [XP-5BD424D0] C:\WINDOWS\system32\XP-5BD424D0.EXE
O4 - HKLM\..\Run: [18887504] C:\Documents and Settings\All Users\Application Data\18887504\18887504.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5BD424D0.EXE
O8 - Extra context menu item: &Recherche AOL Toolbar - c:\program files\aol\aol toolbar 5.0\resources\fr-fr\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=https://www.msn.com/fr-fr?cobrand=hp-comm.msn.com&ocid=HPDHP&pc=CMDTDF
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asiege-naftec.dz
O17 - HKLM\Software\..\Telephony: DomainName = asiege-naftec.dz
O17 - HKLM\System\CCS\Services\Tcpip\..\{19075FFA-1269-46B2-8341-B74722845919}: NameServer = 10.54.0.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asiege-naftec.dz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = asiege.naftec.dz
O17 - HKLM\System\CS1\Services\Tcpip\..\{19075FFA-1269-46B2-8341-B74722845919}: NameServer = 10.54.0.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asiege.naftec.dz
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: Oracleorahome8iAgent - Oracle Corporation - c:\oracle\ora81\bin\dbsnmp.exe
O23 - Service: Oracleorahome8iClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Oracleorahome8iDataGatherer - Oracle Corporation - c:\oracle\ora81\bin\vppdc.exe
O23 - Service: Oracleorahome8iHTTPServer - Unknown owner - c:\oracle\ora81\Apache\Apache\Apache.exe
O23 - Service: Oracleorahome8iPagingServer - Unknown owner - c:\oracle\ora81/bin/pagntsrv.exe (file missing)
O23 - Service: Oracleorahome8iTNSListener - Unknown owner - c:\oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceMRSE - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceSTOCK - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
Narco!4, 2446 posts, Status: Contributor
[*] Download ComboFix (sUBs) http://download.bleepingcomputer.com/sUBs/ComboFix.exe to your Desktop
[*] Double-click combofix.exe and follow the instructions.
[*] Install the Recovery Console if offered and continue.
[*] When the scan is complete, a report will appear. Copy/paste that report in your next reply.

NOTE: The report is also located here: C:\Combofix.txt

selma__bens, 5 posts, Status: Member

Here is the report:

ComboFix 09-08-25.04 - bensaada 26/08/2009 11:52.1.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.2037.1489 [GMT 1:00]
Running from: c:\documents and settings\bensaada\Mes documents\Mes fichiers reçus\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
PEV Error: CacheFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\bensaada\APPLIC~1\tazebama
c:\docume~1\bensaada\APPLIC~1\tazebama\zPharaoh.dat
c:\docume~1\bensaada\LOCALS~1\Temp\E_4
c:\docume~1\bensaada\LOCALS~1\Temp\E_4\com.run
c:\docume~1\bensaada\LOCALS~1\Temp\E_4\dp1.fne
c:\docume~1\bensaada\LOCALS~1\Temp\E_4\eAPI.fne
c:\docume~1\bensaada\LOCALS~1\Temp\E_4\internet.fne
c:\docume~1\bensaada\LOCALS~1\Temp\E_4\krnln.fnr
c:\docume~1\bensaada\LOCALS~1\Temp\E_4\RegEx.fnr
c:\docume~1\bensaada\LOCALS~1\Temp\E_4\shell.fne
c:\docume~1\bensaada\LOCALS~1\Temp\E_4\spec.fne
c:\documents and settings\bensaada\Local Settings\Temp\E_4\com.run
c:\documents and settings\bensaada\Local Settings\Temp\E_4\dp1.fne
c:\documents and settings\bensaada\Local Settings\Temp\E_4\eAPI.fne
c:\documents and settings\bensaada\Local Settings\Temp\E_4\internet.fne
c:\documents and settings\bensaada\Local Settings\Temp\E_4\krnln.fnr
c:\documents and settings\bensaada\Local Settings\Temp\E_4\RegEx.fnr
c:\documents and settings\bensaada\Local Settings\Temp\E_4\shell.fne
c:\windows\system32\com.run
c:\windows\system32\dp1.fne
c:\windows\system32\eAPI.fne
c:\windows\system32\internet.fne
c:\windows\system32\krnln.fnr
c:\windows\system32\nerocheck.exe
c:\windows\system32\og.dll
c:\windows\system32\og.edt
c:\windows\system32\pxbzo.g
c:\windows\system32\RegEx.fnr
c:\windows\system32\shell.fne
c:\windows\system32\spec.fne
c:\windows\system32\ul.dll
c:\windows\system32\XP-5BD424D0.EXE
C:\zPharaoh.exe

Infected copy of c:\windows\system32\calc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\calc.exe

Infected copy of c:\windows\system32\charmap.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\charmap.exe

Infected copy of c:\windows\system32\freecell.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\freecell.exe

Infected copy of c:\windows\system32\mshearts.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshearts.exe

Infected copy of c:\windows\system32\mspaint.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspaint.exe

Infected copy of c:\windows\system32\mstsc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mstsc.exe

Infected copy of c:\windows\system32\notepad.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\notepad.exe

Infected copy of c:\windows\system32\ntbackup.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntbackup.exe

Infected copy of c:\windows\system32\odbcad32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\odbcad32.exe

Infected copy of c:\windows\system32\sndrec32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sndrec32.exe

Infected copy of c:\windows\system32\sndvol32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sndvol32.exe

Infected copy of c:\windows\system32\sol.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sol.exe

Infected copy of c:\windows\system32\spider.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\spider.exe

Infected copy of c:\windows\system32\winmine.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winmine.exe

Infected copy of c:\windows\system32\Restore\rstrui.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rstrui.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-26 10:59 . 2009-08-26 10:59 155091 --sh--r- C:\zPharaoh.exe
2009-08-26 09:38 . 2009-08-26 09:39 -------- d-----w- C:\le dinner de selma
2009-08-26 09:35 . 2009-08-26 09:36 -------- d-----w- C:\fatha selma
2009-08-26 09:24 . 2009-08-26 09:24 -------- d-----w- C:\Genproc
2009-08-26 08:12 . 2009-08-26 08:12 -------- d-----w- C:\Qoobox[1]
2009-08-26 07:28 . 2009-08-26 09:20 -------- d-----w- C:\UsbFix
2009-08-25 09:00 . 2009-08-25 09:00 -------- d-----w- C:\Temp
2009-08-24 11:31 . 2009-08-24 11:31 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-24 10:53 . 2009-08-25 09:00 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-08-24 10:53 . 2009-08-25 09:00 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-08-24 10:53 . 2009-08-26 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-08-24 10:53 . 2009-08-26 10:57 2947872 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-24 10:53 . 2009-08-26 10:57 33056 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-24 10:29 . 2009-08-26 07:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-24 10:29 . 2009-08-25 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 10:58 . 2009-08-26 10:58 -------- d-----w- c:\docume~1\bensaada\APPLIC~1\tazebama
2009-08-26 10:56 . 2009-08-24 10:53 4124 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-26 10:56 . 2009-08-24 10:53 40484 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-26 09:04 . 2006-05-08 16:33 74366 ----a-w- c:\windows\system32\perfc00C.dat
2009-08-26 09:04 . 2006-05-08 16:33 467594 ----a-w- c:\windows\system32\perfh00C.dat
2009-08-25 12:13 . 2009-01-21 13:03 -------- d-----w- c:\program files\VDCodecPack1.7
2009-08-25 12:06 . 2008-11-17 06:17 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-25 08:59 . 2007-03-03 19:39 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-24 10:32 . 2002-08-24 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\18887504
2009-08-24 09:48 . 2009-01-14 13:37 -------- d-----w- c:\program files\backups
2009-08-24 09:38 . 2009-01-14 13:35 7695 ----a-w- c:\program files\hijackthis.log
2009-08-20 14:31 . 2009-01-14 13:34 558247 ----a-w- c:\program files\HJT.exe
2009-08-20 08:37 . 2004-08-19 23:09 768512 ----a-w- c:\windows\pchealth\helpctr\binaries\helpctr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2009-08-26 5830879]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-02 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-02 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-02 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-02 455168]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [2009-08-25 211568]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\bensaada\Menu Démarrer\Programmes\Démarrage\
­­­­­­.lnk - c:\qoobox\Quarantine\C\WINDOWS\system32\XP-5BD424D0.EXE.vir [2009-8-26 1244127]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=c:\windows\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5692:TCP"= 5692:TCP:kvflnmuo

R2 Oracleorahome8iAgent;Oracleorahome8iAgent;c:\oracle\ora81\bin\dbsnmp.exe [11/11/2000 23:48 246332]
R2 Oracleorahome8iDataGatherer;Oracleorahome8iDataGatherer;c:\oracle\ora81\bin\vppdc.exe [11/11/2000 23:48 170724]
R2 Oracleorahome8iHTTPServer;Oracleorahome8iHTTPServer;c:\oracle\ora81\Apache\Apache\Apache.exe [09/11/2000 09:12 3584]
R2 Oracleorahome8iTNSListener;Oracleorahome8iTNSListener;c:\oracle\ora81\BIN\TNSLSNR --> c:\oracle\ora81\BIN\TNSLSNR [?]
R2 OracleServiceMRSE;OracleServiceMRSE;c:\oracle\ora81\bin\ORACLE.EXE MRSE --> c:\oracle\ora81\bin\ORACLE.EXE MRSE [?]
R2 OracleServiceSTOCK;OracleServiceSTOCK;c:\oracle\ora81\bin\ORACLE.EXE STOCK --> c:\oracle\ora81\bin\ORACLE.EXE STOCK [?]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [17/11/2008 07:21 540184]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [02/02/2007 12:31 24344]
S2 iwsaq;Network Universal;c:\windows\system32\svchost.exe -k netsvcs [20/08/2004 00:10 14336]
S2 qfyath;Update Security;c:\windows\system32\svchost.exe -k netsvcs [20/08/2004 00:10 14336]
S3 Oracleorahome8iClientCache;Oracleorahome8iClientCache;c:\oracle\ora81\bin\ONRSD.EXE [19/10/2000 11:55 411244]
S3 Oracleorahome8iPagingServer;Oracleorahome8iPagingServer;c:\oracle\ora81/bin/pagntsrv.exe --> c:\oracle\ora81/bin/pagntsrv.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qfyath
iwsaq
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-XP-5BD424D0 - c:\windows\system32\XP-5BD424D0.EXE
HKLM-Run-18887504 - c:\documents and settings\All Users\Application Data\18887504\18887504.exe

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyServer = 10.54.0.5:8080
IE: &Recherche AOL Toolbar - c:\program files\aol\aol toolbar 5.0\resources\fr-fr\local\search.html
TCP: {19075FFA-1269-46B2-8341-B74722845919} = 10.54.0.3
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 11:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Oracleorahome8iPagingServer]
"ImagePath"="c:\oracle\ora81/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Oracleorahome8iTNSListener]
"ImagePath"="c:\oracle\ora81\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iwsaq]
"ServiceDll"="c:\windows\system32\pxbzo.dll"
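The autostart entries in the HijackThis and ComboFix reports above are what the helpers read by eye. The Python script below is an added example (not from the thread, from GenProc, HijackThis or ComboFix) that parses those line formats and flags the same entries; its sample input is constructed from lines copied out of this thread's own reports.

```python
"""Autostart triage over HijackThis / ComboFix log lines.

Added example, not code from the original thread nor from either tool: it
parses the line formats seen in the reports above and applies the checks a
malware-removal helper applies by eye. SAMPLE_LOG is constructed from lines
copied out of this thread's own reports.
"""
import re

# HijackThis: O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]*?\.exe)', re.I)
# HijackThis: O4 - Startup: name.lnk = C:\path\prog.exe
LNK_RE = re.compile(r'^O4 - Startup: (?P<lnk>.+?) = (?P<path>.+)$', re.I)
# ComboFix: S2 name;Display name;c:\windows\system32\svchost.exe -k netsvcs [date size]
SVC_RE = re.compile(r'^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+?)(?: \[.*\])?$')
# A run of 8+ hex characters ("5BD424D0", "18887504"); product names rarely contain one
HEX_RUN_RE = re.compile(r'[0-9A-Fa-f]{8,}')
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [XP-5BD424D0] C:\WINDOWS\system32\XP-5BD424D0.EXE
O4 - HKLM\..\Run: [18887504] C:\Documents and Settings\All Users\Application Data\18887504\18887504.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5BD424D0.EXE
S2 iwsaq;Network Universal;c:\windows\system32\svchost.exe -k netsvcs [20/08/2004 00:10 14336]
S2 qfyath;Update Security;c:\windows\system32\svchost.exe -k netsvcs [20/08/2004 00:10 14336]
"""

def stem(path: str) -> str:
    """'C:\\dir\\XP-5BD424D0.EXE' -> 'XP-5BD424D0'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def looks_generated(name: str) -> bool:
    """True when the name contains a long hex run that includes a digit."""
    return any(any(c.isdigit() for c in run) for run in HEX_RUN_RE.findall(name))

def triage_line(line: str) -> list[str]:
    """Reasons (possibly none) why one log line deserves a closer look."""
    reasons = []
    if m := RUN_RE.match(line):
        name, path = m.group("name"), m.group("path")
        if looks_generated(name) or looks_generated(stem(path)):
            reasons.append(f"Run value [{name}]: generated-looking name")
        if any(seg in path.lower() for seg in USER_WRITABLE):
            reasons.append(f"Run value [{name}]: executable in a user-writable data folder")
    elif m := LNK_RE.match(line):
        lnk, path = m.group("lnk"), m.group("path")
        if not any(c.isalnum() for c in stem(lnk)):  # e.g. "¡¡¡¡¡¡.lnk"
            reasons.append(f"Startup shortcut {lnk}: name has no letters or digits")
        if looks_generated(stem(path)):
            reasons.append(f"Startup shortcut {lnk}: target has a generated-looking name")
    elif (m := SVC_RE.match(line)) and "svchost.exe -k" in m.group("cmd").lower():
        # ComboFix hides legit default entries, so every svchost-hosted service it prints
        # is non-default and its ServiceDll (listed further down the report) must be identified
        reasons.append(f"Service {m.group('name')} ({m.group('display')}): non-default svchost group member")
    return reasons

def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run triage_line over a whole log and keep only the flagged lines."""
    return [(ln.strip(), rs) for ln in log_text.splitlines() if (rs := triage_line(ln.strip()))]
```

On the sample above it flags exactly the five entries ComboFix later removed or listed as non-default (the two Run values, the startup shortcut and the two svchost services) and leaves the Intel, IME and Kaspersky entries alone.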
jfkpresident, 13877 posts, Status: Security Contributor
Hello everyone;

Following this thread...