scan gmer.exe Résolu/Fermé

Question

Bonjour,
Je viens de faire un scan avec Gmer.exe, il m'a trouvé ceci:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-04 12:40:48
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT   95DFEA8C                                                                                   ZwCreateThread
SSDT   95DFEA78                                                                                   ZwOpenProcess
SSDT   95DFEA7D                                                                                   ZwOpenThread
SSDT   95DFEA87                                                                                   ZwTerminateProcess
SSDT   95DFEA82                                                                                   ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text  ntkrnlpa.exe!KeSetTimerEx + 454                                                            818CAAA8 4 Bytes  JMP E81595DF 
.text  ntkrnlpa.exe!KeSetTimerEx + 624                                                            818CAC78 4 Bytes  JMP F2A195DF 
.text  ntkrnlpa.exe!KeSetTimerEx + 854                                                            818CAEA8 4 Bytes  JMP 171995DF 
.text  ntkrnlpa.exe!KeSetTimerEx + 8B4                                                            818CAF08 4 Bytes  JMP 919C95DF 
PAGE   spsys.sys!?SPVersion@@3PADA + 1A67                                                         970BB03F 240 Bytes  [ 8B, FF, 55, 8B, EC, 8B, 45, ... ]
PAGE   spsys.sys!?SPVersion@@3PADA + 1B58                                                         970BB130 6 Bytes  [ 0E, 83, 78, 14, 01, 75 ]
PAGE   spsys.sys!?SPVersion@@3PADA + 1B5F                                                         970BB137 2214 Bytes  [ 83, 78, 18, 37, 75, 02, B3, ... ]
PAGE   spsys.sys!?SPVersion@@3PADA + 2406                                                         970BB9DE 47 Bytes  [ 04, BB, A8, 01, 00, 00, 8D, ... ]
PAGE   spsys.sys!?SPVersion@@3PADA + 2436                                                         970BBA0E 44 Bytes  [ 05, 00, 00, 39, 54, 8D, D0, ... ]
PAGE   ...                                                                                        

---- Registry - GMER 1.0.14 ----

Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines                                          
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines@CurrentVersion                           2.0
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\1.0                                      
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\1.0\0                                    
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\1.0\0@Flags                              1
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\1.0\0\CoreOS                             
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\1.0\0\CoreOS@Version                     6.0.6000.16386
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\1.0\0\CoreOS@DisplayName                 Windows Core OS Components
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\1.0\0\CoreOS@Type                        0
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0                                      
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\0                                    
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\0@Flags                              1
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\0\CoreOS                             
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\0\CoreOS@Version                     6.0.6000.16386
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\0\CoreOS@DisplayName                 Windows Core OS Components
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\0\CoreOS@Type                        0
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\1                                    
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\1\CoreOS                             
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\1\CoreOS@Version                     6.0.6001.18000
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\1\CoreOS@DisplayName                 Windows Core OS Components
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Baselines\2.0\1\CoreOS@Type                        0
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Components                                         
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Components\CoreOS                                  
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Components\CoreOS@Version                          6.0.6001.18000
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Components\CoreOS@DisplayName                      Windows Core OS Components
Reg    HKLM\SYSTEM\Setup\Service Reporting API\Components\CoreOS@Type                             0
Reg    HKLM\SYSTEM\Setup\SetupCL@DriveMask                                                        4
Reg    HKLM\SYSTEM\Setup\SetupCL@RUNTIME                                                          57
Reg    HKLM\SYSTEM\Setup\SetupCL@HIVETIME                                                         10
Reg    HKLM\SYSTEM\Setup\SetupCL@FILEACLTIME                                                      47
Reg    HKLM\SYSTEM\Setup\SetupCL@EXECUTIONSUCCESSFUL                                              1
Reg    HKLM\SYSTEM\Setup\Status@AuditBoot                                                         0
Reg    HKLM\SYSTEM\Setup\Status\ChildCompletion                                                   
Reg    HKLM\SYSTEM\Setup\Status\ChildCompletion@setup.exe                                         3
Reg    HKLM\SYSTEM\Setup\Status\ChildCompletion@oobeldr.exe                                       3
Reg    HKLM\SYSTEM\Setup\Status\ChildCompletion@audit.exe                                         0
Reg    HKLM\SYSTEM\Setup\Status\SysprepStatus                                                     
Reg    HKLM\SYSTEM\Setup\Status\SysprepStatus@GeneralizationState                                 7
Reg    HKLM\SYSTEM\Setup\Status\SysprepStatus@CleanupState                                        2
Reg    HKLM\SYSTEM\Setup\Status\UnattendPasses                                                    
Reg    HKLM\SYSTEM\Setup\Status\UnattendPasses@specialize                                         9
Reg    HKLM\SYSTEM\Setup\Status\UnattendPasses@oobeSystem                                         9
Reg    HKLM\SYSTEM\Setup\Status\UnattendPasses@windowsPE                                          0
Reg    HKLM\SYSTEM\Setup\Status\UnattendPasses@offlineServicing                                   0
Reg    HKLM\SYSTEM\Setup\Status\UnattendPasses@generalize                                         0
Reg    HKLM\SYSTEM\Setup\Status\UnattendPasses@auditSystem                                        0
Reg    HKLM\SYSTEM\Setup\Status\UnattendPasses@auditUser                                          0
Reg    HKLM\SOFTWARE\Classes\CLSID\{8066FB71-AFA1-343E-8070-44AB4F3F85C9}\InprocServer32\2.0.0.0  

---- EOF - GMER 1.0.14 ----


Comment faire pour supprimer les rootkits sur Gmer?
Pouvez-vous m'aider SVP?
Merci

benurrr · Answer

salut

regarde içi sa peut aider je pense

https://forum.malekal.com/viewtopic.php?f=58&p=77060

hooligan63780 · Answer

salut Commence par poster un rapport HijackThis stp, 
>Télécharge HiJackThis : https://www.commentcamarche.net/telecharger/ 159 hijackthis 
- Lance le programme, puis sélectionne < do a system scan and save a logfile > 
- Enregistre le rapport sur ton bureau. 
Et envoie, par copier/coller, ton log Hijackthis sur le forum, 

 

Tuto : si problème : http://perso.orange.fr/rginformatique/section%20virus/demohijack.htm

jipierre13 · Answer

bonjour, merci de vos réponses
ci-dessous le rapport hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05:35, on 04/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32	askeng.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.laposte.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Program Files\AdsAway Software\aproxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min /nosplash
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUpldfr-fr.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\Windows\system32\o2flash.exe

hooligan63780 · Answer

il manque une partit du scan je croi  quand tu as le rapport ton rapport apparait tu fait seléctionné tous copier/coller dans le forum

jipierre13 · Answer

re!
Voici le rapport complet, en tout cas c'est tout ce que j'ai!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:22:45, on 04/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32	askeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.laposte.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUpldfr-fr.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\Windows\system32\o2flash.exe

jipierre13 · Answer

je me suis renseigné, le rapport Gmer est exempt de rootkit
Merci!

roro04 · Answer

Bonjour à tous.
Pour supprimer les rootkits avec GMER, il faut que tu fasse un clique droit sur un des trucs en rouge et que tu clique sur la ligne où le mot "disabled" apparait. Puis il faut confirmer par yes. fait sa avec toutes les lignes en rouje puis redémarre ton ordi et normalement c'est bon.

Scan gmer.exe

7 réponses

Discussions similaires