Encore cette saloperie de virtumonde
Résolu
ISBN
Messages postés
3
Statut
Membre
-
sKe69 Messages postés 21955 Statut Contributeur sécurité -
sKe69 Messages postés 21955 Statut Contributeur sécurité -
Bonjour, je n'arrive pas à me débarasser de cette saloperie de virtumonde. J'ai donc suivi les instruction données à un autre utilisateur qui avait le même problème.
Voilà, j'ai fait un scan avec vundofix, puis j'ai exécuté virtumondebegone dont voici le rapport :
_________________________________________________________
[05/10/2008, 0:49:25] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrateur\Bureau\Virtumonde\VirtumundoBeGone.exe" )
[05/10/2008, 0:49:46] - Detected System Information:
[05/10/2008, 0:49:46] - Windows Version: 5.1.2600, Service Pack 2
[05/10/2008, 0:49:46] - Current Username: Administrateur (Admin)
[05/10/2008, 0:49:46] - Windows is in NORMAL mode.
[05/10/2008, 0:49:46] - Searching for Browser Helper Objects:
[05/10/2008, 0:49:46] - BHO 1: {0347C33E-8762-4905-BF09-768834316C61} (HP Print Enhancer)
[05/10/2008, 0:49:46] - BHO 2: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[05/10/2008, 0:49:46] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/10/2008, 0:49:46] - BHO 4: {1D8CE2EA-51C8-478D-8BF0-F77F67258A13} ()
[05/10/2008, 0:49:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:46] - No filename found. Continuing.
[05/10/2008, 0:49:46] - BHO 5: {21C63899-6532-40D7-8379-7ED788B98D28} ()
[05/10/2008, 0:49:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:46] - Checking for HKLM\...\Winlogon\Notify\hgGyxUMg
[05/10/2008, 0:49:46] - Found: HKLM\...\Winlogon\Notify\hgGyxUMg - This is probably Virtumundo.
[05/10/2008, 0:49:46] - Assigning {21C63899-6532-40D7-8379-7ED788B98D28} MSEvents Object
[05/10/2008, 0:49:46] - BHO list has been changed! Starting over...
[05/10/2008, 0:49:46] - BHO 1: {0347C33E-8762-4905-BF09-768834316C61} (HP Print Enhancer)
[05/10/2008, 0:49:46] - BHO 2: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[05/10/2008, 0:49:46] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/10/2008, 0:49:46] - BHO 4: {1D8CE2EA-51C8-478D-8BF0-F77F67258A13} ()
[05/10/2008, 0:49:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:46] - No filename found. Continuing.
[05/10/2008, 0:49:46] - BHO 5: {21C63899-6532-40D7-8379-7ED788B98D28} (MSEvents Object)
[05/10/2008, 0:49:46] - ALERT: Found MSEvents Object!
[05/10/2008, 0:49:46] - BHO 6: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[05/10/2008, 0:49:46] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/10/2008, 0:49:46] - BHO 8: {7E4640F7-F4B8-4711-9D1A-24C2D16B6C9C} ()
[05/10/2008, 0:49:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:46] - No filename found. Continuing.
[05/10/2008, 0:49:46] - BHO 9: {8170D7DC-BDD6-461e-88EB-F047257898C9} (IeMonitorBho Class)
[05/10/2008, 0:49:46] - BHO 10: {9AA2F14F-E956-44B8-8694-A5B615CDF341} (NOW!Imaging)
[05/10/2008, 0:49:46] - BHO 11: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[05/10/2008, 0:49:46] - Finished Searching Browser Helper Objects
[05/10/2008, 0:49:46] - *** Detected MSEvents Object
[05/10/2008, 0:49:46] - Trying to remove MSEvents Object...
[05/10/2008, 0:49:47] - Terminating Process: IEXPLORE.EXE
[05/10/2008, 0:49:47] - Terminating Process: RUNDLL32.EXE
[05/10/2008, 0:49:47] - Disabling Automatic Shell Restart
[05/10/2008, 0:49:47] - Terminating Process: EXPLORER.EXE
[05/10/2008, 0:49:48] - Suspending the NT Session Manager System Service
[05/10/2008, 0:49:48] - Terminating Windows NT Logon/Logoff Manager
[05/10/2008, 0:49:48] - Re-enabling Automatic Shell Restart
[05/10/2008, 0:49:48] - File to disable: C:\WINDOWS\system32\hgGyxUMg.dll
[05/10/2008, 0:49:48] - Renaming C:\WINDOWS\system32\hgGyxUMg.dll -> C:\WINDOWS\system32\hgGyxUMg.dll.vir
[05/10/2008, 0:49:48] - File successfully renamed!
[05/10/2008, 0:49:48] - Removing HKLM\...\Browser Helper Objects\{21C63899-6532-40D7-8379-7ED788B98D28}
[05/10/2008, 0:49:48] - Removing HKCR\CLSID\{21C63899-6532-40D7-8379-7ED788B98D28}
[05/10/2008, 0:49:48] - Adding Kill Bit for ActiveX for GUID: {21C63899-6532-40D7-8379-7ED788B98D28}
[05/10/2008, 0:49:48] - Deleting ATLEvents/MSEvents Registry entries
[05/10/2008, 0:49:48] - Removing HKLM\...\Winlogon\Notify\hgGyxUMg
[05/10/2008, 0:49:48] - Searching for Browser Helper Objects:
[05/10/2008, 0:49:48] - BHO 1: {0347C33E-8762-4905-BF09-768834316C61} (HP Print Enhancer)
[05/10/2008, 0:49:48] - BHO 2: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[05/10/2008, 0:49:48] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/10/2008, 0:49:48] - BHO 4: {1D8CE2EA-51C8-478D-8BF0-F77F67258A13} ()
[05/10/2008, 0:49:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:48] - No filename found. Continuing.
[05/10/2008, 0:49:48] - BHO 5: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[05/10/2008, 0:49:48] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/10/2008, 0:49:48] - BHO 7: {7E4640F7-F4B8-4711-9D1A-24C2D16B6C9C} ()
[05/10/2008, 0:49:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:48] - No filename found. Continuing.
[05/10/2008, 0:49:48] - BHO 8: {8170D7DC-BDD6-461e-88EB-F047257898C9} (IeMonitorBho Class)
[05/10/2008, 0:49:48] - BHO 9: {9AA2F14F-E956-44B8-8694-A5B615CDF341} (NOW!Imaging)
[05/10/2008, 0:49:48] - BHO 10: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[05/10/2008, 0:49:48] - Finished Searching Browser Helper Objects
[05/10/2008, 0:49:48] - Finishing up...
[05/10/2008, 0:49:48] - A restart is needed.
[05/10/2008, 0:50:24] - Attempting to Restart via STOP error (Blue Screen!)
___________________________________________________________
J'ai ensuite exécuté Combofix dont voici un rapport :
___________________________________________________________
ComboFix 08-05-09.1 - Administrateur 2008-05-10 0:58:30.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1206 [GMT -5:00]
Endroit: C:\Documents and Settings\Administrateur\Bureau\ComboFixRename.exe
* Création d'un nouveau point de restauration
[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!/b/color
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Michel\Application Data\inst.exe
C:\Documents and Settings\Michel\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\byXRhGVM.dll
C:\WINDOWS\system32\CbKTDMoq.ini
C:\WINDOWS\system32\CbKTDMoq.ini2
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\fccbcBRH.dll
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\opnmJCtu.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qoMfgHBq.dll
C:\WINDOWS\system32\rqRLcbAp.dll
C:\WINDOWS\system32\urqNGaxv.dll
C:\WINDOWS\system32\UvxabdMp.ini
C:\WINDOWS\system32\UvxabdMp.ini2
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-04-10 to 2008-05-10 ))))))))))))))))))))))))))))))))))))
.
2008-05-10 00:58 . 2008-05-10 00:58 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-10 00:35 . 2008-05-10 00:42 <REP> d-------- C:\VundoFix Backups
2008-05-09 13:40 . 2008-05-09 13:40 33,161 --a------ C:\WINDOWS\system32\hgGyxUMg.dll.vir
2008-04-26 23:48 . 2008-04-26 23:50 <REP> d-------- C:\Program Files\cybershamanfree
2008-04-26 11:06 . 2008-04-26 11:07 <REP> d-------- C:\Program Files\Flash Player Pro
2008-04-26 11:00 . 2008-04-26 11:00 <REP> d-------- C:\WINDOWS\Full Speed
2008-04-26 11:00 . 2008-04-26 11:01 <REP> d-------- C:\Program Files\Full Speed
2008-04-25 12:30 . 2008-04-25 12:30 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Media Player Classic
2008-04-25 12:28 . 2008-04-25 12:28 <REP> d-------- C:\Program Files\Real Alternative
2008-04-25 11:59 . 2008-04-25 11:59 <REP> d-------- C:\Program Files\Fichiers communs\xing shared
2008-04-23 08:56 . 2003-03-08 12:38 155,648 --a------ C:\WINDOWS\system32\Tunnel.scr
2008-04-21 15:37 . 2008-04-22 13:43 <REP> d-------- C:\Program Files\ProMash
2008-04-20 13:44 . 2008-04-20 14:30 <REP> d-------- C:\Program Files\ShapeCh
2008-04-20 11:44 . 2008-04-20 11:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 11:43 . 2008-04-20 11:43 <REP> d-------- C:\Program Files\Nsasoft
2008-04-16 07:29 . 2008-04-16 07:30 <REP> d-------- C:\Program Files\Offline Explorer Enterprise
2008-04-15 15:34 . 2008-04-15 15:38 <REP> d-------- C:\Program Files\BrainWave Generator
2008-04-13 09:26 . 2008-04-14 17:13 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Lingoes
2008-04-13 09:25 . 2008-04-13 09:25 <REP> d-------- C:\Program Files\Lingoes
2008-04-13 09:22 . 2008-04-13 09:22 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Ectaco
2008-04-13 09:19 . 2008-04-13 09:19 <REP> d-------- C:\Program Files\LingvoSoft
2008-04-12 22:07 . 2008-04-12 22:07 <REP> d-------- C:\Program Files\7-Zip
2008-04-12 21:41 . 2008-04-12 21:42 <REP> d-------- C:\Program Files\CHM To PDF Converter PRO
2008-04-12 20:58 . 2008-04-12 20:58 <REP> d-------- C:\Program Files\PDF Reader
2008-04-12 18:30 . 2008-04-12 21:59 <REP> d-------- C:\Program Files\InCtrl5
2008-04-12 17:59 . 2008-04-12 18:02 59 --a------ C:\WINDOWS\ANS2000.INI
2008-04-12 17:59 . 2008-04-12 17:59 20 --ah----- C:\WINDOWS\akebook.ini
2008-04-12 17:59 . 2008-04-12 17:59 4 --ah----- C:\WINDOWS\a3kebook.ini
2008-04-12 17:24 . 2008-04-12 17:24 <REP> d-------- C:\WINDOWS\Blaiz Enterprises
2008-04-11 19:00 . 2008-05-09 13:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-11 19:00 . 2008-04-11 19:00 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 05:44 --------- d-----w C:\Program Files\PowerISO
2008-05-10 03:05 --------- d-----w C:\Program Files\Elaborate Bytes
2008-05-10 03:04 --------- d-----w C:\Program Files\SlySoft
2008-05-10 03:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-10 02:39 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Offline Explorer
2008-05-05 16:08 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\SlipStream
2008-05-01 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 09:24 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\uTorrent
2008-04-27 04:48 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-04-27 04:48 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-25 17:28 --------- d-----w C:\Program Files\Media Player Classic
2008-04-25 16:59 --------- d-----w C:\Program Files\Fichiers communs\Real
2008-04-13 00:06 --------- d-----w C:\Program Files\Google
2008-04-10 04:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-04-09 05:37 --------- d-----w C:\Program Files\Foxit Software
2008-04-09 03:27 --------- d-----w C:\Program Files\HP
2008-04-09 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-09 03:27 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\HPAppData
2008-04-09 03:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-09 03:24 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-29 05:28 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-29 02:19 --------- d-----w C:\Program Files\nLite
2008-03-27 00:22 --------- d-----w C:\Program Files\Collectorz.com
2008-03-26 07:51 --------- d-----w C:\Program Files\Mindscape
2008-03-23 20:37 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\vlc
2008-03-23 20:36 --------- d-----w C:\Program Files\VideoLAN
2008-03-20 13:24 --------- d-----w C:\Program Files\Pixarra
2008-03-20 01:44 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\VCOM
2008-03-20 01:43 --------- d-----w C:\Program Files\VCOM
2008-03-20 01:40 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-03-16 16:39 --------- d-----w C:\Program Files\Smart Phone Recorder Demo
2008-03-13 19:27 --------- d-----w C:\Program Files\Ubisoft
2008-03-13 19:20 --------- d-----w C:\Program Files\Mp3tag
2008-03-13 03:24 --------- d-----w C:\Program Files\Unrelated Inventions
2008-03-13 01:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 02:27 --------- d-----w C:\Program Files\Computronic Corporation
2008-03-10 02:10 --------- d-----w C:\Program Files\Biorhythm Expert
2008-02-15 01:44 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-30 04:17 275,120 ----a-w C:\Documents and Settings\Administrateur\Application Data\GDIPFONTCACHEV1.DAT
2007-11-10 01:39 47,360 ----a-w C:\Documents and Settings\Michel\Application Data\pcouffin.sys
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D8CE2EA-51C8-478D-8BF0-F77F67258A13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E4640F7-F4B8-4711-9D1A-24C2D16B6C9C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:09 15360]
"Gestionnaire Antidote.exe"="C:\PROGRA~1\Antidote\Antidote\Gestionnaire Antidote.exe" [2007-11-26 18:53 393216]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Lingoes"="C:\Program Files\Lingoes\Translator2\Lingoes.exe" [2008-01-09 05:18 1945600]
"Le Petit Robert Hyperappel"="C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe" [2001-10-11 12:11 22560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SlipStream"="C:\Program Files\Distributel Web Accelerator\slipcore.exe" [2006-12-11 14:34 253952]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-05-01 08:40 262401]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-12-18 14:18 307200]
"vsc32cnf.exe"="C:\Program Files\Roland\VSC32\vsc32cnf.exe" [2000-02-07 03:02 36864]
"vscvol.exe"="C:\Program Files\Roland\VSC32\vscvol.exe" [2000-02-08 23:19 36864]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 23:43 56320]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"SxgTkBar"="SxgTkBar.exe" [2001-07-11 09:29 53248 C:\WINDOWS\system32\Sxgtkbar.exe]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"NeroFilterCheck"="C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15:09 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-19 15:09 101888 C:\WINDOWS\system32\advpack.dll]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-19 14:52 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"msacm.divxa32"= msaud32_divx.acm
"Midi1"= vscapi.dll
"MIDI3"= vscapi.dll
"WAVE4"= vscapi.dll
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\Nero\Nero 7\InCD\InCD.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Antidote\\Antidote\\Antido32.exe"=
R0 CLBStor;InstantBurn Storage Helper Driver;C:\WINDOWS\system32\drivers\CLBStor.sys [2006-08-31 16:03]
R2 CLBUDF;CyberLink UDF Filesystem;C:\WINDOWS\system32\drivers\CLBUDF.sys [2006-08-31 16:03]
R2 RVIEG01;VSC Engine;C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys [2001-04-13 19:16]
R2 RVIEGVST;VSC VST Engine;C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [2001-04-13 19:18]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-19 10:53]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-12-18 14:18]
R3 SOFTXG;YAMAHA XG WDM SoftSynthesizer;C:\WINDOWS\system32\drivers\sxgxgwdm.sys [2001-10-05 09:40]
R3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 09:16]
S3 StMp3Rec;Pilote de périphérique de la restauration de lecteur;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2006-12-11 11:42]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\UbiSetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\autorun.exe
*Newly Created Service* - WUAUSERV
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 01:04:13
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cach‚s ...
Balayage cach‚ autostart entries ...
Balayage des fichiers cach‚s ...
Scan termin‚ avec succŠs
Les fichiers cach‚s: 0
**************************************************************************
.
--------------------- DLLs a charg‚ sous des processus courants ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Lingoes\Translator2\opentext.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Distributel Web Accelerator\slipgui.exe
C:\WINDOWS\eXcentrix\eXcentrix Startup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-05-10 1:08:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-10 06:08:05
Pre-Run: 49,388,056,576 octets libres
Post-Run: 49,404,669,952 octets libres
228
________________________________________________________________
Puis j'ai exécuté hijackthis dont voici le rapport :
________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:20:27, on 2008-05-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Distributel Web Accelerator\slipcore.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\system32\SxgTkBar.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lingoes\Translator2\Lingoes.exe
C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
C:\Program Files\Distributel Web Accelerator\slipgui.exe
C:\WINDOWS\eXcentrix\eXcentrix Startup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\- Hikackthis\HiJackThis_v2rename.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.distributel.net/distributel-portail_fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.ca/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.distributel.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.distributel.net/distributel-portail_fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.distributel.net/distributel-portail_fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.distributel.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Distributel Web Accelerator\PBHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeMonitor - {8170D7DC-BDD6-461e-88EB-F047257898C9} - C:\Program Files\Conceiva\DownloadStudio\DLMonitr.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Distributel Web Accelerator\components\NOWImaging.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &DownloadStudio - {CB789373-04D5-4ef4-9C16-871463FD0830} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Distributel Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Lingoes] C:\Program Files\Lingoes\Translator2\Lingoes.exe
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Global Startup: Accelerateur Web Distributel.lnk = C:\Program Files\Distributel Web Accelerator\slipgui.exe
O4 - Global Startup: eXcentrix Startup.lnk = C:\WINDOWS\eXcentrix\eXcentrix Startup.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Add Page To DownloadStudio Scrapbook... - C:\Program Files\Conceiva\DownloadStudio\ds_snap.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download Image Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_img.htm
O8 - Extra context menu item: Download Page Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_all.htm
O8 - Extra context menu item: Download Selection Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_sel.htm
O8 - Extra context menu item: Download Target Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_file.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: English<->French - C:\Program Files\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-French) for Windows\Plugins\IE.htm
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O8 - Extra context menu item: Show Page Links Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_link.htm
O8 - Extra context menu item: Subscribe To RSS Feed... - C:\Program Files\Conceiva\DownloadStudio\ds_rss.htm
O9 - Extra button: Livre de reliures HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Sélection intelligente HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Traduction - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PROMT98\promtie4\promtie5.htm
O9 - Extra 'Tools' menuitem: Traduire - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PROMT98\promtie4\promtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PROMT98\promtie4\options.htm
O9 - Extra 'Tools' menuitem: Personnalisez traduction - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PROMT98\promtie4\options.htm
O9 - Extra button: DownloadStudio - {7FCA7BD7-8F4D-4a81-BE72-A470F4E517D5} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O9 - Extra button: English<->French - {82BBDDF2-9A58-044E-8DF7-28C041BE933C} - C:\Program Files\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-French) for Windows\Plugins\IE.htm
O9 - Extra 'Tools' menuitem: English<->French - {82BBDDF2-9A58-044E-8DF7-28C041BE933C} - C:\Program Files\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-French) for Windows\Plugins\IE.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Correcteur - {F7C8E5F6-B6D1-45db-8D91-2BCFA5DF11A9} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote K - IE 6.htm (HKCU)
O9 - Extra button: Dictionnaire - {FB4AE6A3-EE20-442c-9189-251885352358} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote D - IE 6.htm (HKCU)
O9 - Extra button: Synonymes - {FDD637F8-2693-49ce-817E-1AD59574900C} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote S - IE 6.htm (HKCU)
O9 - Extra button: Conjugueur - {FF229BEC-9E1F-48c1-99A6-AF34ABEFAB0A} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote C - IE 6.htm (HKCU)
O9 - Extra button: Grammaire - {FFB5EE7F-726F-423e-83C2-572FE7CEB3F0} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote G - IE 6.htm (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://127.0.0.1:800/D%E9faut/download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
Voilà, j'ai fait un scan avec vundofix, puis j'ai exécuté virtumondebegone dont voici le rapport :
_________________________________________________________
[05/10/2008, 0:49:25] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrateur\Bureau\Virtumonde\VirtumundoBeGone.exe" )
[05/10/2008, 0:49:46] - Detected System Information:
[05/10/2008, 0:49:46] - Windows Version: 5.1.2600, Service Pack 2
[05/10/2008, 0:49:46] - Current Username: Administrateur (Admin)
[05/10/2008, 0:49:46] - Windows is in NORMAL mode.
[05/10/2008, 0:49:46] - Searching for Browser Helper Objects:
[05/10/2008, 0:49:46] - BHO 1: {0347C33E-8762-4905-BF09-768834316C61} (HP Print Enhancer)
[05/10/2008, 0:49:46] - BHO 2: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[05/10/2008, 0:49:46] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/10/2008, 0:49:46] - BHO 4: {1D8CE2EA-51C8-478D-8BF0-F77F67258A13} ()
[05/10/2008, 0:49:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:46] - No filename found. Continuing.
[05/10/2008, 0:49:46] - BHO 5: {21C63899-6532-40D7-8379-7ED788B98D28} ()
[05/10/2008, 0:49:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:46] - Checking for HKLM\...\Winlogon\Notify\hgGyxUMg
[05/10/2008, 0:49:46] - Found: HKLM\...\Winlogon\Notify\hgGyxUMg - This is probably Virtumundo.
[05/10/2008, 0:49:46] - Assigning {21C63899-6532-40D7-8379-7ED788B98D28} MSEvents Object
[05/10/2008, 0:49:46] - BHO list has been changed! Starting over...
[05/10/2008, 0:49:46] - BHO 1: {0347C33E-8762-4905-BF09-768834316C61} (HP Print Enhancer)
[05/10/2008, 0:49:46] - BHO 2: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[05/10/2008, 0:49:46] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/10/2008, 0:49:46] - BHO 4: {1D8CE2EA-51C8-478D-8BF0-F77F67258A13} ()
[05/10/2008, 0:49:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:46] - No filename found. Continuing.
[05/10/2008, 0:49:46] - BHO 5: {21C63899-6532-40D7-8379-7ED788B98D28} (MSEvents Object)
[05/10/2008, 0:49:46] - ALERT: Found MSEvents Object!
[05/10/2008, 0:49:46] - BHO 6: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[05/10/2008, 0:49:46] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/10/2008, 0:49:46] - BHO 8: {7E4640F7-F4B8-4711-9D1A-24C2D16B6C9C} ()
[05/10/2008, 0:49:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:46] - No filename found. Continuing.
[05/10/2008, 0:49:46] - BHO 9: {8170D7DC-BDD6-461e-88EB-F047257898C9} (IeMonitorBho Class)
[05/10/2008, 0:49:46] - BHO 10: {9AA2F14F-E956-44B8-8694-A5B615CDF341} (NOW!Imaging)
[05/10/2008, 0:49:46] - BHO 11: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[05/10/2008, 0:49:46] - Finished Searching Browser Helper Objects
[05/10/2008, 0:49:46] - *** Detected MSEvents Object
[05/10/2008, 0:49:46] - Trying to remove MSEvents Object...
[05/10/2008, 0:49:47] - Terminating Process: IEXPLORE.EXE
[05/10/2008, 0:49:47] - Terminating Process: RUNDLL32.EXE
[05/10/2008, 0:49:47] - Disabling Automatic Shell Restart
[05/10/2008, 0:49:47] - Terminating Process: EXPLORER.EXE
[05/10/2008, 0:49:48] - Suspending the NT Session Manager System Service
[05/10/2008, 0:49:48] - Terminating Windows NT Logon/Logoff Manager
[05/10/2008, 0:49:48] - Re-enabling Automatic Shell Restart
[05/10/2008, 0:49:48] - File to disable: C:\WINDOWS\system32\hgGyxUMg.dll
[05/10/2008, 0:49:48] - Renaming C:\WINDOWS\system32\hgGyxUMg.dll -> C:\WINDOWS\system32\hgGyxUMg.dll.vir
[05/10/2008, 0:49:48] - File successfully renamed!
[05/10/2008, 0:49:48] - Removing HKLM\...\Browser Helper Objects\{21C63899-6532-40D7-8379-7ED788B98D28}
[05/10/2008, 0:49:48] - Removing HKCR\CLSID\{21C63899-6532-40D7-8379-7ED788B98D28}
[05/10/2008, 0:49:48] - Adding Kill Bit for ActiveX for GUID: {21C63899-6532-40D7-8379-7ED788B98D28}
[05/10/2008, 0:49:48] - Deleting ATLEvents/MSEvents Registry entries
[05/10/2008, 0:49:48] - Removing HKLM\...\Winlogon\Notify\hgGyxUMg
[05/10/2008, 0:49:48] - Searching for Browser Helper Objects:
[05/10/2008, 0:49:48] - BHO 1: {0347C33E-8762-4905-BF09-768834316C61} (HP Print Enhancer)
[05/10/2008, 0:49:48] - BHO 2: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[05/10/2008, 0:49:48] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/10/2008, 0:49:48] - BHO 4: {1D8CE2EA-51C8-478D-8BF0-F77F67258A13} ()
[05/10/2008, 0:49:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:48] - No filename found. Continuing.
[05/10/2008, 0:49:48] - BHO 5: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[05/10/2008, 0:49:48] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/10/2008, 0:49:48] - BHO 7: {7E4640F7-F4B8-4711-9D1A-24C2D16B6C9C} ()
[05/10/2008, 0:49:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/10/2008, 0:49:48] - No filename found. Continuing.
[05/10/2008, 0:49:48] - BHO 8: {8170D7DC-BDD6-461e-88EB-F047257898C9} (IeMonitorBho Class)
[05/10/2008, 0:49:48] - BHO 9: {9AA2F14F-E956-44B8-8694-A5B615CDF341} (NOW!Imaging)
[05/10/2008, 0:49:48] - BHO 10: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[05/10/2008, 0:49:48] - Finished Searching Browser Helper Objects
[05/10/2008, 0:49:48] - Finishing up...
[05/10/2008, 0:49:48] - A restart is needed.
[05/10/2008, 0:50:24] - Attempting to Restart via STOP error (Blue Screen!)
___________________________________________________________
J'ai ensuite exécuté Combofix dont voici un rapport :
___________________________________________________________
ComboFix 08-05-09.1 - Administrateur 2008-05-10 0:58:30.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1206 [GMT -5:00]
Endroit: C:\Documents and Settings\Administrateur\Bureau\ComboFixRename.exe
* Création d'un nouveau point de restauration
[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!/b/color
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Michel\Application Data\inst.exe
C:\Documents and Settings\Michel\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\byXRhGVM.dll
C:\WINDOWS\system32\CbKTDMoq.ini
C:\WINDOWS\system32\CbKTDMoq.ini2
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\fccbcBRH.dll
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\opnmJCtu.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qoMfgHBq.dll
C:\WINDOWS\system32\rqRLcbAp.dll
C:\WINDOWS\system32\urqNGaxv.dll
C:\WINDOWS\system32\UvxabdMp.ini
C:\WINDOWS\system32\UvxabdMp.ini2
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-04-10 to 2008-05-10 ))))))))))))))))))))))))))))))))))))
.
2008-05-10 00:58 . 2008-05-10 00:58 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-10 00:35 . 2008-05-10 00:42 <REP> d-------- C:\VundoFix Backups
2008-05-09 13:40 . 2008-05-09 13:40 33,161 --a------ C:\WINDOWS\system32\hgGyxUMg.dll.vir
2008-04-26 23:48 . 2008-04-26 23:50 <REP> d-------- C:\Program Files\cybershamanfree
2008-04-26 11:06 . 2008-04-26 11:07 <REP> d-------- C:\Program Files\Flash Player Pro
2008-04-26 11:00 . 2008-04-26 11:00 <REP> d-------- C:\WINDOWS\Full Speed
2008-04-26 11:00 . 2008-04-26 11:01 <REP> d-------- C:\Program Files\Full Speed
2008-04-25 12:30 . 2008-04-25 12:30 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Media Player Classic
2008-04-25 12:28 . 2008-04-25 12:28 <REP> d-------- C:\Program Files\Real Alternative
2008-04-25 11:59 . 2008-04-25 11:59 <REP> d-------- C:\Program Files\Fichiers communs\xing shared
2008-04-23 08:56 . 2003-03-08 12:38 155,648 --a------ C:\WINDOWS\system32\Tunnel.scr
2008-04-21 15:37 . 2008-04-22 13:43 <REP> d-------- C:\Program Files\ProMash
2008-04-20 13:44 . 2008-04-20 14:30 <REP> d-------- C:\Program Files\ShapeCh
2008-04-20 11:44 . 2008-04-20 11:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 11:43 . 2008-04-20 11:43 <REP> d-------- C:\Program Files\Nsasoft
2008-04-16 07:29 . 2008-04-16 07:30 <REP> d-------- C:\Program Files\Offline Explorer Enterprise
2008-04-15 15:34 . 2008-04-15 15:38 <REP> d-------- C:\Program Files\BrainWave Generator
2008-04-13 09:26 . 2008-04-14 17:13 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Lingoes
2008-04-13 09:25 . 2008-04-13 09:25 <REP> d-------- C:\Program Files\Lingoes
2008-04-13 09:22 . 2008-04-13 09:22 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Ectaco
2008-04-13 09:19 . 2008-04-13 09:19 <REP> d-------- C:\Program Files\LingvoSoft
2008-04-12 22:07 . 2008-04-12 22:07 <REP> d-------- C:\Program Files\7-Zip
2008-04-12 21:41 . 2008-04-12 21:42 <REP> d-------- C:\Program Files\CHM To PDF Converter PRO
2008-04-12 20:58 . 2008-04-12 20:58 <REP> d-------- C:\Program Files\PDF Reader
2008-04-12 18:30 . 2008-04-12 21:59 <REP> d-------- C:\Program Files\InCtrl5
2008-04-12 17:59 . 2008-04-12 18:02 59 --a------ C:\WINDOWS\ANS2000.INI
2008-04-12 17:59 . 2008-04-12 17:59 20 --ah----- C:\WINDOWS\akebook.ini
2008-04-12 17:59 . 2008-04-12 17:59 4 --ah----- C:\WINDOWS\a3kebook.ini
2008-04-12 17:24 . 2008-04-12 17:24 <REP> d-------- C:\WINDOWS\Blaiz Enterprises
2008-04-11 19:00 . 2008-05-09 13:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-11 19:00 . 2008-04-11 19:00 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 05:44 --------- d-----w C:\Program Files\PowerISO
2008-05-10 03:05 --------- d-----w C:\Program Files\Elaborate Bytes
2008-05-10 03:04 --------- d-----w C:\Program Files\SlySoft
2008-05-10 03:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-10 02:39 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Offline Explorer
2008-05-05 16:08 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\SlipStream
2008-05-01 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 09:24 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\uTorrent
2008-04-27 04:48 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-04-27 04:48 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-25 17:28 --------- d-----w C:\Program Files\Media Player Classic
2008-04-25 16:59 --------- d-----w C:\Program Files\Fichiers communs\Real
2008-04-13 00:06 --------- d-----w C:\Program Files\Google
2008-04-10 04:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-04-09 05:37 --------- d-----w C:\Program Files\Foxit Software
2008-04-09 03:27 --------- d-----w C:\Program Files\HP
2008-04-09 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-09 03:27 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\HPAppData
2008-04-09 03:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-09 03:24 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-29 05:28 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-29 02:19 --------- d-----w C:\Program Files\nLite
2008-03-27 00:22 --------- d-----w C:\Program Files\Collectorz.com
2008-03-26 07:51 --------- d-----w C:\Program Files\Mindscape
2008-03-23 20:37 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\vlc
2008-03-23 20:36 --------- d-----w C:\Program Files\VideoLAN
2008-03-20 13:24 --------- d-----w C:\Program Files\Pixarra
2008-03-20 01:44 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\VCOM
2008-03-20 01:43 --------- d-----w C:\Program Files\VCOM
2008-03-20 01:40 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-03-16 16:39 --------- d-----w C:\Program Files\Smart Phone Recorder Demo
2008-03-13 19:27 --------- d-----w C:\Program Files\Ubisoft
2008-03-13 19:20 --------- d-----w C:\Program Files\Mp3tag
2008-03-13 03:24 --------- d-----w C:\Program Files\Unrelated Inventions
2008-03-13 01:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 02:27 --------- d-----w C:\Program Files\Computronic Corporation
2008-03-10 02:10 --------- d-----w C:\Program Files\Biorhythm Expert
2008-02-15 01:44 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-30 04:17 275,120 ----a-w C:\Documents and Settings\Administrateur\Application Data\GDIPFONTCACHEV1.DAT
2007-11-10 01:39 47,360 ----a-w C:\Documents and Settings\Michel\Application Data\pcouffin.sys
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D8CE2EA-51C8-478D-8BF0-F77F67258A13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E4640F7-F4B8-4711-9D1A-24C2D16B6C9C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:09 15360]
"Gestionnaire Antidote.exe"="C:\PROGRA~1\Antidote\Antidote\Gestionnaire Antidote.exe" [2007-11-26 18:53 393216]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Lingoes"="C:\Program Files\Lingoes\Translator2\Lingoes.exe" [2008-01-09 05:18 1945600]
"Le Petit Robert Hyperappel"="C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe" [2001-10-11 12:11 22560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SlipStream"="C:\Program Files\Distributel Web Accelerator\slipcore.exe" [2006-12-11 14:34 253952]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-05-01 08:40 262401]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-12-18 14:18 307200]
"vsc32cnf.exe"="C:\Program Files\Roland\VSC32\vsc32cnf.exe" [2000-02-07 03:02 36864]
"vscvol.exe"="C:\Program Files\Roland\VSC32\vscvol.exe" [2000-02-08 23:19 36864]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 23:43 56320]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"SxgTkBar"="SxgTkBar.exe" [2001-07-11 09:29 53248 C:\WINDOWS\system32\Sxgtkbar.exe]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"NeroFilterCheck"="C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15:09 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-19 15:09 101888 C:\WINDOWS\system32\advpack.dll]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-19 14:52 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"msacm.divxa32"= msaud32_divx.acm
"Midi1"= vscapi.dll
"MIDI3"= vscapi.dll
"WAVE4"= vscapi.dll
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\Nero\Nero 7\InCD\InCD.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Antidote\\Antidote\\Antido32.exe"=
R0 CLBStor;InstantBurn Storage Helper Driver;C:\WINDOWS\system32\drivers\CLBStor.sys [2006-08-31 16:03]
R2 CLBUDF;CyberLink UDF Filesystem;C:\WINDOWS\system32\drivers\CLBUDF.sys [2006-08-31 16:03]
R2 RVIEG01;VSC Engine;C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys [2001-04-13 19:16]
R2 RVIEGVST;VSC VST Engine;C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [2001-04-13 19:18]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-19 10:53]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-12-18 14:18]
R3 SOFTXG;YAMAHA XG WDM SoftSynthesizer;C:\WINDOWS\system32\drivers\sxgxgwdm.sys [2001-10-05 09:40]
R3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 09:16]
S3 StMp3Rec;Pilote de périphérique de la restauration de lecteur;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2006-12-11 11:42]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\UbiSetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\autorun.exe
*Newly Created Service* - WUAUSERV
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 01:04:13
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cach‚s ...
Balayage cach‚ autostart entries ...
Balayage des fichiers cach‚s ...
Scan termin‚ avec succŠs
Les fichiers cach‚s: 0
**************************************************************************
.
--------------------- DLLs a charg‚ sous des processus courants ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Lingoes\Translator2\opentext.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Distributel Web Accelerator\slipgui.exe
C:\WINDOWS\eXcentrix\eXcentrix Startup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-05-10 1:08:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-10 06:08:05
Pre-Run: 49,388,056,576 octets libres
Post-Run: 49,404,669,952 octets libres
228
________________________________________________________________
Puis j'ai exécuté hijackthis dont voici le rapport :
________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:20:27, on 2008-05-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Distributel Web Accelerator\slipcore.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\system32\SxgTkBar.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lingoes\Translator2\Lingoes.exe
C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
C:\Program Files\Distributel Web Accelerator\slipgui.exe
C:\WINDOWS\eXcentrix\eXcentrix Startup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\- Hikackthis\HiJackThis_v2rename.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.distributel.net/distributel-portail_fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.ca/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.distributel.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.distributel.net/distributel-portail_fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.distributel.net/distributel-portail_fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.distributel.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Distributel Web Accelerator\PBHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeMonitor - {8170D7DC-BDD6-461e-88EB-F047257898C9} - C:\Program Files\Conceiva\DownloadStudio\DLMonitr.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Distributel Web Accelerator\components\NOWImaging.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &DownloadStudio - {CB789373-04D5-4ef4-9C16-871463FD0830} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Distributel Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Lingoes] C:\Program Files\Lingoes\Translator2\Lingoes.exe
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Global Startup: Accelerateur Web Distributel.lnk = C:\Program Files\Distributel Web Accelerator\slipgui.exe
O4 - Global Startup: eXcentrix Startup.lnk = C:\WINDOWS\eXcentrix\eXcentrix Startup.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Add Page To DownloadStudio Scrapbook... - C:\Program Files\Conceiva\DownloadStudio\ds_snap.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download Image Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_img.htm
O8 - Extra context menu item: Download Page Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_all.htm
O8 - Extra context menu item: Download Selection Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_sel.htm
O8 - Extra context menu item: Download Target Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_file.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: English<->French - C:\Program Files\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-French) for Windows\Plugins\IE.htm
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O8 - Extra context menu item: Show Page Links Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_link.htm
O8 - Extra context menu item: Subscribe To RSS Feed... - C:\Program Files\Conceiva\DownloadStudio\ds_rss.htm
O9 - Extra button: Livre de reliures HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Sélection intelligente HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Traduction - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PROMT98\promtie4\promtie5.htm
O9 - Extra 'Tools' menuitem: Traduire - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PROMT98\promtie4\promtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PROMT98\promtie4\options.htm
O9 - Extra 'Tools' menuitem: Personnalisez traduction - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PROMT98\promtie4\options.htm
O9 - Extra button: DownloadStudio - {7FCA7BD7-8F4D-4a81-BE72-A470F4E517D5} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O9 - Extra button: English<->French - {82BBDDF2-9A58-044E-8DF7-28C041BE933C} - C:\Program Files\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-French) for Windows\Plugins\IE.htm
O9 - Extra 'Tools' menuitem: English<->French - {82BBDDF2-9A58-044E-8DF7-28C041BE933C} - C:\Program Files\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-French) for Windows\Plugins\IE.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Correcteur - {F7C8E5F6-B6D1-45db-8D91-2BCFA5DF11A9} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote K - IE 6.htm (HKCU)
O9 - Extra button: Dictionnaire - {FB4AE6A3-EE20-442c-9189-251885352358} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote D - IE 6.htm (HKCU)
O9 - Extra button: Synonymes - {FDD637F8-2693-49ce-817E-1AD59574900C} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote S - IE 6.htm (HKCU)
O9 - Extra button: Conjugueur - {FF229BEC-9E1F-48c1-99A6-AF34ABEFAB0A} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote C - IE 6.htm (HKCU)
O9 - Extra button: Grammaire - {FFB5EE7F-726F-423e-83C2-572FE7CEB3F0} - C:\PROGRA~1\Antidote\Antidote\Internet Explorer\6\Antidote G - IE 6.htm (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://127.0.0.1:800/D%E9faut/download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
2 réponses
salut,
Apparement Virtumonde a bien été suprimer ...
Fais ce-ci maintenant :
1-Télécharge OTMoveIt (de Old_Timer) sur ton Bureau.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
clic double sur OTMoveIt.exe pour le lancer.
copie la liste qui se trouve en citation ci-dessous,
C:\VundoFix Backups
C:\WINDOWS\system32\hgGyxUMg.dll.vir
et colles-la dans le cadre de gauche de OTMoveIt2 :
Paste standard List of Files/Folders to be moved.
cliques sur MoveIt! pour lancer la suppression.
le résultat apparaîtra dans le cadre Results.
cliques sur Exit pour fermer.
postes le rapport situé dans C:\\\_OTMoveIt\MovedFiles.
il te sera peut-être demandé de redémarrer le pc pour achever la suppression.
si c'est le cas acceptes par "Yes".
Apparement Virtumonde a bien été suprimer ...
Fais ce-ci maintenant :
1-Télécharge OTMoveIt (de Old_Timer) sur ton Bureau.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
clic double sur OTMoveIt.exe pour le lancer.
copie la liste qui se trouve en citation ci-dessous,
C:\VundoFix Backups
C:\WINDOWS\system32\hgGyxUMg.dll.vir
et colles-la dans le cadre de gauche de OTMoveIt2 :
Paste standard List of Files/Folders to be moved.
cliques sur MoveIt! pour lancer la suppression.
le résultat apparaîtra dans le cadre Results.
cliques sur Exit pour fermer.
postes le rapport situé dans C:\\\_OTMoveIt\MovedFiles.
il te sera peut-être demandé de redémarrer le pc pour achever la suppression.
si c'est le cas acceptes par "Yes".
Bizard ... on va faire autrement :
1-Crée un doc texte sur ton bureau :
pointes ta souris sur ton bureau , click droit : vas dans "nouveau" et choisis "document texte" .
Ensuite copie/colle le texte ci-dessous ( et rien d'autre!) dans le fichier texte que tu viens de crée :
File::
C:\WINDOWS\system32\hgGyxUMg.dll.vir
Folder::
C:\VundoFix Backups
Puis vas dans "fichier" et choisis "enregistrer sous ..." et tu le nommes exactement ainsi :
CFScript puis valides ...
2-Nettoyage :
!!Déconnectes toi,fermes toute tes application et désactive ton antivirus le temps de la manipe ( tu le réactiveras après ) !!
--->Sur ton bureau, fais un glisser avec ta souris le fichier CFScript sur l'icone de ComboFix.exe .
(Regarde ici : http://i261.photobucket.com/albums/ii49/Malekal_morte/CFScript.gif )
Cette manipulation va relancer combofix .
--> Une fenêtre bleue va apparaître: au message qui apparaît "Type 1 to continue, or 2 to abort" : tape 1 puis valide.
Puis patientes le temps du scan.( Le Bureau va disparaître à plusieurs reprises : c'est normal!)
!!Ne touche à rien tant que le scan n'est pas terminé !!
Note : en fin de scan, il est possible que ComboFix ait besoin de redémarrer le PC pour finaliser la désinfection, laisses-le faire.
Une fois le scan achevé, un rapport va s'afficher : Postes le pour analyse ...
1-Crée un doc texte sur ton bureau :
pointes ta souris sur ton bureau , click droit : vas dans "nouveau" et choisis "document texte" .
Ensuite copie/colle le texte ci-dessous ( et rien d'autre!) dans le fichier texte que tu viens de crée :
File::
C:\WINDOWS\system32\hgGyxUMg.dll.vir
Folder::
C:\VundoFix Backups
Puis vas dans "fichier" et choisis "enregistrer sous ..." et tu le nommes exactement ainsi :
CFScript puis valides ...
2-Nettoyage :
!!Déconnectes toi,fermes toute tes application et désactive ton antivirus le temps de la manipe ( tu le réactiveras après ) !!
--->Sur ton bureau, fais un glisser avec ta souris le fichier CFScript sur l'icone de ComboFix.exe .
(Regarde ici : http://i261.photobucket.com/albums/ii49/Malekal_morte/CFScript.gif )
Cette manipulation va relancer combofix .
--> Une fenêtre bleue va apparaître: au message qui apparaît "Type 1 to continue, or 2 to abort" : tape 1 puis valide.
Puis patientes le temps du scan.( Le Bureau va disparaître à plusieurs reprises : c'est normal!)
!!Ne touche à rien tant que le scan n'est pas terminé !!
Note : en fin de scan, il est possible que ComboFix ait besoin de redémarrer le PC pour finaliser la désinfection, laisses-le faire.
Une fois le scan achevé, un rapport va s'afficher : Postes le pour analyse ...
Error creating log file
Error creating Restore file
puis dans la fenêtre Results :
Folder move failed. C:\VundoFix Backups scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\hgGyxUMg.dll.vir scheduled to be moved on reboot.
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05102008_032808
ensuite, je reboot et j'ai un autre message d'erreur :
Cannot open file \\C_OTMoveIt\MovedFiles±05102008_032808.log
et toujours le même message dans la fenêtre Results
Merci quand même !