Infected by virusheat, SOS!!!

Closed
jojo51 - 24 March 2008 at 00:08
g!rly Posts 18209 Registration date Friday 17 August 2007 Status Contributor Last activity 30 November 2014 - 19 May 2008 at 20:24
Hello,
I need help removing "virus heat",
because for quite a while now I have hardly been turning on my computer because of the problems, and if my father finds out I'm going to get "&!(,-°]" again, and I'm only 12 so I know practically nothing about computers.
So if someone can help me,
that would be nice!!

Thanks in advance!

43 replies

le debutant dinformatik Posts 2 Registration date Monday 19 May 2008 Status Member Last activity 19 May 2008
19 May 2008 at 19:45
ComboFix 08-05-12.1 - U940CHE 2008-05-19 18:52:35.3 - FAT32x86
Running from: C:\Documents and Settings\u940che\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-13 21:49 . 2008-05-13 21:49 <DIR> d--hs---- C:\FOUND.000
2008-05-13 16:17 . 2008-05-13 16:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-13 15:54 . 2008-05-13 15:54 <DIR> d-------- C:\Program Files\Common Files\WinPCDoctor
2008-05-13 15:54 . 2008-05-13 15:54 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\winpcdoctor
2008-05-13 15:54 . 2008-05-13 15:54 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-13 15:54 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-05-13 15:39 . 2008-05-13 15:39 <DIR> d-------- C:\Program Files\AntiVirProtect
2008-05-13 15:35 . 2008-05-13 15:35 <DIR> d-------- C:\WINDOWS\system32\834668
2008-05-07 17:35 . 2008-05-07 17:35 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-07 17:35 . 2008-05-07 17:35 <DIR> d-------- C:\Program Files\CCleaner
2008-04-27 09:12 . 2008-04-27 09:12 <DIR> d-------- C:\Program Files\FreeBlah

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-07 10:30 --------- d-----w C:\Program Files\Windows Live
2008-04-07 10:30 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-07 10:30 --------- d-----w C:\Program Files\Circle Developement
2008-04-07 10:30 --------- d-----w C:\Documents and Settings\u940che\Application Data\FreeBlah
2008-04-07 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amok Copy User Bib
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_22.19.52.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 20:16:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 17:25:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= "C:\Program Files\NetProject\wamdl.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"CEMW_R.exe"="C:\Program Files\CEMW\Ceml_rs.exe" [2004-01-14 16:39 73728]
"CEMLoginScript"="C:\Program Files\CEMTools\Login\CEMLoginScript.vbs" [2005-11-21 08:03 2931]
"CEMBackGround"="C:\Program Files\CEMTools\CEMBackground\CEMBackground.vbs" [2004-04-22 10:18 12137]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"4 MOVE"="C:\DOCUME~1\u940che\APPLIC~1\FreeBlah\windowuser.exe" [2008-04-27 09:12 449536]
"AntiVirProtect"="C:\Program Files\AntiVirProtect\AntiVirProtect.exe" [2008-05-13 15:39 440832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-03-01 10:48 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-03-01 10:48 114688]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35 77824]
"PDFSettings"="C:\Program Files\CEMTools\Login\PDFSettings.vbs" [2005-05-25 14:41 1417]
"Office2K3Settings"="C:\Program Files\CEMTools\Login\Office2K3\Office2K3Settings.vbs" [2005-05-20 11:44 9156]
"OutlookIcone"="C:\Program Files\CEMTools\Login\Office2K3\OutlookIcone.vbs" [2005-01-13 10:02 1593]
"xpsp2"="C:\Program Files\CEMTools\Login\xpsp2\CEMXPSP2.vbs" [2005-09-09 12:55 7723]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-03-01 12:56 98304]
"user bib mp3 plan"="C:\Documents and Settings\All Users\Application Data\Amok Copy User Bib\Rule intra.exe" [2008-05-19 19:27 1176064]
"strpmon"="C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" [2008-02-26 10:40 426496]
"Salestart"="C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" [2008-02-26 10:40 426496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"CEMW_R.exe"="C:\Program Files\CEMW\Ceml_rs.exe" [2004-01-14 16:39 73728]
"CEMLoginScript"="C:\Program Files\CEMTools\Login\CEMLoginScript.vbs" [2005-11-21 08:03 2931]
"CEMBackGround"="C:\Program Files\CEMTools\CEMBackground\CEMBackground.vbs" [2004-04-22 10:18 12137]
"UserConfig"="C:\Program Files\CEMTools\CEMCreateUserConfig\CEMUserConfig.vbs" [2004-05-17 16:25 47261]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
CEMConfig.lnk - C:\Program Files\CEMW\STLauncher_rs.exe [2004-01-14 16:40:56 73728]

C:\Documents and Settings\u930ek\Start Menu\Programs\Startup\
Outlook Backup.lnk - C:\Program Files\CEMTools\CEMotlbckp\GenerateOtlkBackupINI.vbs [2004-03-30 11:26:33 1399]
Restore user W98 data.lnk - C:\Program Files\CEMTools\CEMCreateUserConfig\RestoreFrom98.vbs [2004-03-30 11:27:08 18811]

C:\Documents and Settings\u940che\Start Menu\Programs\Startup\
Outlook Backup.lnk - C:\Program Files\CEMTools\CEMotlbckp\GenerateOtlkBackupINI.vbs [2004-03-30 11:26:33 1399]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Moniteur Gigaset WLAN Adapter.lnk - C:\Program Files\Siemens\Gigaset USB Adapter 108\Gcc.exe [2007-06-30 11:14:26 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{e89fa8e9-5c0b-45f6-a70e-f7b177bcd193}"= C:\WINDOWS\system32\rtmipr.dll [2004-03-01 10:26 13312]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 r_server;Remote Administrator Service;"C:\WINDOWS\System32\r_server.exe" /service []
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-24 23:36]
S3 AR5523;Gigaset USB Adapter 108;C:\WINDOWS\system32\DRIVERS\ar5523.sys [2005-07-27 21:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 16:00:18 C:\WINDOWS\Tasks\ACFC2BBB918BDDAB.job"
- c:\docume~1\u940che\applic~1\freeblah\Mp3 audio tick.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 19:27:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\rtmipr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
C:\PROGRAM FILES\CITRIX\ICA CLIENT\SSONSVR.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Siemens\Gigaset USB Adapter 108\OdHost.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-05-19 19:31:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 17:30:56
ComboFix2.txt 2008-05-13 20:20:56

Pre-Run: 1,578,639,360 bytes free
Post-Run: 1,589,379,072 bytes free

132

There you go, thanks again, the HijackThis log is coming.
le debutant dinformatik Posts 2 Registration date Monday 19 May 2008 Status Member Last activity 19 May 2008
19 May 2008 at 19:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38, on 2008-05-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\WinPCDoctor\strpmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CEMW\Ceml_rs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siemens\Gigaset USB Adapter 108\Gcc.exe
C:\Program Files\Siemens\Gigaset USB Adapter 108\OdHost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://internetsearchservice.com/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = https://internetsearchservice.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://internetsearchservice.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://internetsearchservice.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PDFSettings] C:\Program Files\CEMTools\Login\PDFSettings.vbs
O4 - HKLM\..\Run: [Office2K3Settings] C:\Program Files\CEMTools\Login\Office2K3\Office2K3Settings.vbs
O4 - HKLM\..\Run: [OutlookIcone] C:\Program Files\CEMTools\Login\Office2K3\OutlookIcone.vbs
O4 - HKLM\..\Run: [xpsp2] C:\Program Files\CEMTools\Login\xpsp2\CEMXPSP2.vbs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [user bib mp3 plan] C:\Documents and Settings\All Users\Application Data\Amok Copy User Bib\Rule intra.exe
O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CEMW_R.exe] "C:\Program Files\CEMW\Ceml_rs.exe" -Company="Consultas S.A." -LaunchExe="Cemw_rs.exe" -LaunchArgs="-sti=Cemw.sti -v -pi=.." -Path="C:\Program Files\CEMW"
O4 - HKCU\..\Run: [CEMLoginScript] C:\Program Files\CEMTools\Login\CEMLoginScript.vbs
O4 - HKCU\..\Run: [CEMBackGround] "C:\Program Files\CEMTools\CEMBackground\CEMBackground.vbs"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [4 MOVE] C:\DOCUME~1\u940che\APPLIC~1\FreeBlah\windowuser.exe
O4 - HKCU\..\Run: [AntiVirProtect] C:\Program Files\AntiVirProtect\AntiVirProtect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CEMBackGround] "C:\Program Files\CEMTools\CEMBackground\CEMBackground.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [UserConfig] C:\Program Files\CEMTools\CEMCreateUserConfig\CEMUserConfig.vbs (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: CEMConfigOutlook.lnk = C:\Program Files\CEMTools\CEMConfigOutlook\CEMConfigOutlook.vbs (User 'Default user')
O4 - Startup: Outlook Backup.lnk = ?
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Moniteur Gigaset WLAN Adapter.lnk = C:\Program Files\Siemens\Gigaset USB Adapter 108\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\u940che\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = publigroupe.net
O17 - HKLM\Software\..\Telephony: DomainName = publigroupe.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = publigroupe.net
O22 - SharedTaskScheduler: delayingly - {e89fa8e9-5c0b-45f6-a70e-f7b177bcd193} - C:\WINDOWS\system32\rtmipr.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe
g!rly Posts 18209 Registration date Friday 17 August 2007 Status Contributor Last activity 30 November 2014 406
19 May 2008 at 20:24
Hi,

run this:

Download FixWareout from one of these two sites to your desktop:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

-> Run the fix: click Next, then Install, then make sure "Run fixit" is checked, then click Finish.
The fix will start; follow the on-screen messages. You will be asked to restart your computer; do so. Your system will take a little longer to start up, which is normal.

-> Post (copy/paste) the contents of the report that will be displayed on screen (report.txt), along with a new HijackThis! log, in your next reply.

then

Copy the text below:

File::
C:\FOUND.000
C:\WINDOWS\system32\atl71.dll
C:\WINDOWS\system32\834668
C:\WINDOWS\system32\rtmipr.dll

Folder::
C:\Program Files\Common Files\WinPCDoctor
C:\Documents and Settings\All Users\Application Data\winpcdoctor
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Program Files\AntiVirProtect
C:\WINDOWS\system32\834668
C:\Documents and Settings\u940che\Application Data\FreeBlah
C:\Documents and Settings\All Users\Application Data\Amok Copy User Bib
C:\DOCUME~1\u940che\APPLIC~1\FreeBlah

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-
[-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4 MOVE"=-
"AntiVirProtect"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"user bib mp3 plan"=-
"strpmon"=-
"Salestart"=-
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"=0
"NoAutoUpdate"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{e89fa8e9-5c0b-45f6-a70e-f7b177bcd193}"=-

Open Notepad and paste the copied text.
(Start\All Programs\Accessories\Notepad.)
Save this file as CFScript.txt.

Now drag the CFScript.txt file onto Combofix.exe as shown below:

http://sd-1.archive-host.com/membres/up/1366464061/CFScript.gif

This will relaunch Combofix.

A blue window will appear: at the message that appears (Type 1 to continue, or 2 to abort), type 1 and confirm.

Wait while the scan runs. The desktop will disappear several times: this is normal!

Do not touch anything until the scan is finished.

After the restart, post the contents of the Combofix.txt report along with a HijackThis log.

If there is no restart, post the reports anyway.

See you