Spyware / Virus problem

Solved
Charliek -
chimay8 Posts 7947 Status Security contributor -
Hello,

I was attacked by several viruses/trojans after a download (despite scanning the file beforehand to check that it was clean...)

I ran several scans with Spybot, Antivir, SpyEraser and Malwarebytes, but some things seem to resist. In particular I have a Keylogger.super-spy that worries me!
Other problems: TR/Agent15456.A, BDS/Rustock.net, Tr/Rootkit.gen, TR/Patched.DY.1

It seems these problems are blocking the Antivir / Spybot updates (Spybot error 'Erreur lors de la récupération du fichier d'info Maj').

Below is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:21, on 21/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Wanadoo\GestionnaireInternet.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Wanadoo\Toaster.exe
C:\PROGRA~1\Wanadoo\Inactivity.exe
C:\PROGRA~1\Wanadoo\PollingModule.exe
C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\SpywareDetector\SDMainService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.criticsonline.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.criticsonline.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PVE_Lite] "C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Lancer le Gestionnaire Internet.lnk = C:\Program Files\Wanadoo\GestMAJ.exe
O8 - Extra context menu item: Ajouter la cible du lien à un fichier PDF existant - res://C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Ajouter à un fichier PDF existant - res://C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir au format Adobe PDF - res://C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien au format Adobe PDF - res://C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1D33~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O15 - Trusted Zone: http://webmail-lhr.expeditors.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} (VoxsyncCtrl Class) - https://login.orange.fr/captcha?return_url=https%3A%2F%2Fmescontacts.orange.fr
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) -
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - http://webmail-lhr.expeditors.com/...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111847736609
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - https://www.epson.eu/support/
O16 - DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} (Upload Class) - http://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BEF9DA9B-002E-4901-AEFD-53043E9F3965} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://livekuva.suomi.net/activex/AMC.cab
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - http://webmail-lhr.expeditors.com/...
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.106,85.255.112.111
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.106,85.255.112.111
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Super Ad Blocker (SABSVC) - SuperAdBlocker.com - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: SDMainSvc - Max Secure Software - C:\Program Files\SpywareDetector\SDMainService.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 16232 bytes

Help !!
Configuration: Windows XP
Internet Explorer 7.0

52 replies

Discussion summary

Multiple infections, including a super-spy keylogger and the families TR/Agent15456.A, BDS/Rustock.net, Tr/Rootkit.gen and TR/Patched.DY.1, are blocking the Antivir and Spybot updates. The detailed HijackThis log shows many potentially suspicious or unsigned processes and modules, with items related to Wanadoo, SpyEraser and various system applications. To resolve these infections and restore the updates, experts recommend an offline scan, manual removal of the dubious items, and the use of tools such as MBAM and an online scanner, followed by a DNS check. Other useful points indicate that some legitimate processes can be used by attackers, which makes identifying the malicious components tricky and suggests a methodical approach to disinfection and recovery.

Automatically generated by AI
based on the best answers
  1. chimay8 Posts 7947 Status Security contributor 60
     
    Bad luck... it's hanging on!!!

    Download OTMoveIt3 (by Old Timer)
    http://oldtimer.geekstogo.com/OTMoveIt3.exe
    Once downloaded, double-click OTMoveIt3.exe to run it.
    Make sure the box "Unregister Dll's and Ocx's" is checked
    Copy the lines below (the ones in bold):

    :Processes
    explorer.exe

    :Files
    C:\1684826783
    c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\???????sAppData
    c:\windows\COVERE~1.INI
    d:\resycled\ntldr.com
    e:\resycled\ntldr.com

    :Reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:

    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]


    and paste them into the left pane of OTMoveIt: "Paste List Of Files/Folders to Move."
    Click "MoveIt!" to start the removal.
    The result will appear in the "Results" pane.
    Click Exit to close.
    Post the report located in C:\_OTMoveIt\MovedFiles.
    -You may be asked to restart the PC to finish the removal -> Accept (if it does not do so automatically, do it yourself)

    /!\ Note: On startup your desktop MAY not reappear; in that case press --> CTRL+ALT+DEL to open Task Manager.
    Then go to the "Processes" tab. Click "File" at the top left and choose "Run"
    Type "explorer.exe" (without the quotes) and confirm. That will bring the desktop back.
    1
    1. Charliek
       
      Problem!

      The program freezes! I had to close it with Ctrl + Alt + Del; on the other hand, as soon as I close it I get virus alerts on combo (false alerts, I suppose). Should I disable Antivir before relaunching OTMoveIt?

      C:\1684826783 -> did land in Moved Files
      c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 -> same
      c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\???????sAppData
      c:\windows\COVERE~1.INI -> same

      d:\resycled\ntldr.com -> the program can't find it (file/folder not found)
      e:\resycled\ntldr.com -> the program can't find it (file/folder not found)

      :Reg -> the program crashes after the first line and I can't see the result

      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
      \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
      \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:

      Should I reboot?
      0
      1. Charliek > Charliek
         
        sorry, I forgot a line:

        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\???????sAppData -> did land in Moved Files too
        0
      2. Charliek > Charliek
         
        Question: can things be deleted directly from the Registry Editor? Or can what's wrong be edited?

        This one was found:

        C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:

        but not this one (no D folder in regedit even though it is indeed the PC's second hard drive)

        [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
        \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:

        Thanks
        0
  2. chimay8 Posts 7947 Status Security contributor 60
     
    Hi (thanks to jlpjlp for moving things along)

    ==> Download OAD http://sosvirus.changelog.fr/OAD.exe
    - Save it to your desktop

    Double-click OAD to run it

    - File name to search for: type or copy/paste: resycled\ntldr.com e
    - Search type: select option 6 then confirm [enter]

    OAD will now search for the file. Let it work until it has finished.
    The search report will open automatically once it is done.

    - Copy/paste this report into your next post.

    Important note: depending on the size of the hard drives, this search may take several minutes. Be patient
    1
  3. V-X
     
    Hi,

    Several infections.

    ▶ Install - Download SmitfraudFix (by S!Ri, balltrap34 and moe31)

    Option 1 => Search:

    Double-click SmitfraudFix.exe

    Select 1 and press => Enter in the menu to create

    ▶ a report of the files responsible for the infection. The report is at the root of the system drive,

    C:\rapport.txt; paste the generated report on the forum.

    Do not run option 2 without advice from a competent person*<=

    SmitfraudFix tutorial

    If a report does not go through, alert the moderation desk with the yellow /!\.
    0
    1. Charliek
       
      thanks, here is the report. What to do with a hijacked DNS?!


      Rapport fait à 12:50:47,32, 21/01/2009
      Executé à partir de C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\SmitfraudFix
      OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
      Le type du système de fichiers est
      Fix executé en mode normal

      »»»»»»»»»»»»»»»»»»»»»»»» Process

      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\nslsvice.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      C:\WINDOWS\system32\drivers\CDAC11BA.EXE
      C:\WINDOWS\System32\FTRTSVC.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
      C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
      C:\Program Files\lotus\notes\ntmulti.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\wbem\wmiapsrv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\RunDll32.exe
      C:\WINDOWS\mHotkey.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      C:\Program Files\Java\jre6\bin\jusched.exe
      C:\WINDOWS\Dit.exe
      C:\WINDOWS\system32\umonit.exe
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\WINDOWS\system32\LVCOMSX.EXE
      C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe
      C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
      C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\Wanadoo\GestionnaireInternet.exe
      C:\Program Files\Wanadoo\ComComp.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
      C:\PROGRA~1\Wanadoo\Toaster.exe
      C:\PROGRA~1\Wanadoo\Inactivity.exe
      C:\PROGRA~1\Wanadoo\PollingModule.exe
      C:\Program Files\Wanadoo\Watch.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
      C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\cmd.exe

      »»»»»»»»»»»»»»»»»»»»»»»» hosts

      Fichier hosts corrompu !

      127.0.0.1 www.legal-at-spybot.info
      127.0.0.1 legal-at-spybot.info

      »»»»»»»»»»»»»»»»»»»»»»»» C:\

      C:\autorun.inf PRESENT !
      C:\resycled\ PRESENT !

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


      »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000


      »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ARNAUD~1.000\LOCALS~1\Temp


      »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data


      »»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer


      »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ARNAUD~1.000\Favoris


      »»»»»»»»»»»»»»»»»»»»»»»» Bureau


      »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


      »»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues


      »»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
      "Source"="About:Home"
      "SubscribedURL"="About:Home"
      "FriendlyName"="Ma page d'accueil"


      »»»»»»»»»»»»»»»»»»»»»»»» o4Patch
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      o4Patch
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri



      »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      IEDFix
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri



      »»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      Agent.OMZ.Fix
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri


      »»»»»»»»»»»»»»»»»»»»»»»» VACFix
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      VACFix
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri


      »»»»»»»»»»»»»»»»»»»»»»»» 404Fix
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      404Fix
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri


      »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll


      »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!



      »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
      "System"=""


      »»»»»»»»»»»»»»»»»»»»»»»» RK



      »»»»»»»»»»»»»»»»»»»»»»»» DNS

      Votre ordinateur est certainement victime d'un détournement de DNS: 85.255.x.x détecté !

      Description: VIA VT6105 Rhine III Fast Ethernet Adapter - Miniport d'ordonnancement de paquets
      DNS Server Search Order: 85.255.115.106
      DNS Server Search Order: 85.255.112.111

      HKLM\SYSTEM\CCS\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CCS\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: NameServer=85.255.115.106,85.255.112.111
      HKLM\SYSTEM\CS1\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS1\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: NameServer=85.255.115.106,85.255.112.111
      HKLM\SYSTEM\CS2\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS2\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: NameServer=85.255.113.115,85.255.112.12
      HKLM\SYSTEM\CS3\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.106,85.255.112.111
      HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.106,85.255.112.111
      HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.113.115,85.255.112.12
      HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


      »»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll


      »»»»»»»»»»»»»»»»»»»»»»»» Fin
      0
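The SmitfraudFix report above points at the two things that explain the symptoms in this thread: static NameServer values in the 85.255.x.x range overriding the router's DHCP resolver (192.168.1.1), and hosts entries pinning a Spybot domain to 127.0.0.1, which is what breaks the updates. As an added illustration (not part of SmitfraudFix, HijackThis or any tool discussed here), the Python below reads report lines in those two formats and flags both indicators. The sample lines are copied from the reports in this thread, the 85.255.0.0/16 range is the one SmitfraudFix flags, and the vendor keyword list is a constructed assumption.

```python
import ipaddress
import re

# Constructed sample input: a few lines copied from the HijackThis (O17) and
# SmitfraudFix (DNS and hosts sections) reports posted in this thread.
SAMPLE_REPORT = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.106,85.255.112.111
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: NameServer=85.255.115.106,85.255.112.111
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
127.0.0.1 localhost
"""

# Address range SmitfraudFix flags in this thread ("85.255.x.x détecté").
SUSPECT_NETS = [ipaddress.ip_network("85.255.0.0/16")]

# Constructed keyword list: hosts entries that point a security vendor's update
# domain at loopback are what blocks AntiVir/Spybot updates in this thread.
VENDOR_KEYWORDS = ("spybot", "antivir", "avira", "malwarebytes", "windowsupdate")

# Matches both "O17 - HKLM\...: NameServer = a,b" and "HKLM\...: DhcpNameServer=a".
NS_RE = re.compile(
    r"^(?:O17 - )?(?P<key>HKLM\\\S+?):\s*(?P<name>DhcpNameServer|NameServer)\s*=\s*(?P<ips>[\d.,]+)\s*$"
)
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s*$")


def parse_report(text):
    """Split report lines into registry name-server entries and hosts entries."""
    nameservers, hosts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = NS_RE.match(line)
        if m:
            ips = [ip for ip in m.group("ips").split(",") if ip]
            nameservers.append((m.group("key").lower(), m.group("name"), ips))
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m.group("ip"), m.group("host").lower()))
    return nameservers, hosts


def find_dns_hijack(text):
    """Return a list of findings describing DNS-hijack indicators in the report."""
    nameservers, hosts = parse_report(text)
    findings = []

    # 1. A resolver inside a known-bad range.
    for key, name, ips in nameservers:
        if name != "NameServer":
            continue
        bad = [ip for ip in ips if any(ipaddress.ip_address(ip) in net for net in SUSPECT_NETS)]
        if bad:
            findings.append({"type": "suspect_nameserver", "key": key, "ips": bad})

    # 2. A static NameServer that silently overrides the DHCP-supplied resolver.
    by_key = {}
    for key, name, ips in nameservers:
        by_key.setdefault(key, {})[name] = ips
    for key, values in by_key.items():
        static, dhcp = values.get("NameServer"), values.get("DhcpNameServer")
        if static and dhcp and set(static) != set(dhcp):
            findings.append({"type": "static_override", "key": key, "static": static, "dhcp": dhcp})

    # 3. hosts-file entries that pin a security vendor's domain to loopback.
    for ip, host in hosts:
        if ipaddress.ip_address(ip).is_loopback and any(k in host for k in VENDOR_KEYWORDS):
            findings.append({"type": "hosts_block", "host": host})

    return findings


if __name__ == "__main__":
    for finding in find_dns_hijack(SAMPLE_REPORT):
        print(finding)
```

Run it as a script to print the findings, or call `find_dns_hijack()` on a saved report. A static NameServer is not malicious in itself (a user may have set one), so the static-override finding is a prompt to compare against what the router hands out, which is exactly what the "DNS Before Fix / After Fix" sections of SmitfraudFix show further down in this thread.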
  4. V-X
     
    Re,

    We'll start with this:

    Rerun SmitfraudFix:

    In the menu, choose option 5.
    0
  6. V-X
     
    Re,

    Click yes.

    If there's a problem after that, do this:

    PS: Hi chimay8..

    Download this little program, ZEB_RESTORE:

    here http://telechargement.zebulon.fr/zeb-restore.html
    or https://forum.zebulon.fr/index.php?act=attach&type=blogentry&id=1153

    Save this file to your desktop.

    -Right-click Zeb-Restore.zip ==> "Extract all", choosing the desktop as the destination.
    -Open the ZR_1.0.0.37 folder ==> double-click Zeb-Restore.exe
    ---> Tick the boxes in front of (and only these!):

    * regedit: restores the Registry Editor
    * run keys: resets the values blocking their use
    * Shut Down button: restores the Shut Down button
    * Windows Update: restores the Windows Update function
    * Task Manager: re-enables Task Manager
    * Control Panel: re-enables the Control Panel
    * Add/Remove Programs: restores the Add/Remove Programs function
    * Policies: restores items disabled via "Policies"
    * Desktop: re-enables the desktop
    * IE repair: repairs Internet Explorer (search pages)
    * File extensions: repairs the .exe .bat .reg .pif .cmd .scr .com file extensions
    * Trusted and restricted sites: clears the contents of these zones (use if you are infected by malware)
    * Internet prefixes and protocols: restores the Internet protocol keys (ZoneMap etc.)
    * Reset Hosts file: resets the Hosts file
    * System Restore: repairs the "System Restore" option...

    -Click "Restore" and let it run....

    --> Once finished, restart your PC.

    Also => https://www.pcastuces.com/newsletter/adj/1943.htm
    0
    1. Charliek
       
      OK, so it looks better now. Should I run the other program to be safe?

      SmitFraudFix v2.391

      Rapport fait à 13:11:47,98, 21/01/2009
      Executé à partir de C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\SmitfraudFix
      OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
      Le type du système de fichiers est
      Fix executé en mode normal

      »»»»»»»»»»»»»»»»»»»»»»»» DNS Avant Fix

      Description: VIA VT6105 Rhine III Fast Ethernet Adapter - Miniport d'ordonnancement de paquets
      DNS Server Search Order: 192.168.1.1

      HKLM\SYSTEM\CCS\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1

      »»»»»»»»»»»»»»»»»»»»»»»» DNS Après Fix

      Description: VIA VT6105 Rhine III Fast Ethernet Adapter - Miniport d'ordonnancement de paquets
      DNS Server Search Order: 192.168.1.1

      HKLM\SYSTEM\CCS\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      0
  7. V-X
     
    Re,

    No, no need.

    Now do the following:

    2) Cleaning: ==> in Safe Mode, mandatory

    Restart the computer in Safe Mode:

    Double-click smitfraudfix:

    ▶ Select 2 and press Enter in the menu to delete the files responsible for the infection.

    ▶ At the question "Voulez-vous nettoyer le registre ?" (Do you want to clean the registry?), answer O (yes) and press Enter to unblock the desktop wallpaper and delete the infection's registry keys.

    ▶ The fix will determine whether the wininet.dll file is infected. At the question "Corriger le fichier infecté ?" (Fix the infected file?), answer O (yes) and press Enter to replace the corrupted file.

    ▶ A restart may be needed to finish the cleaning procedure. The report is at the root of the system drive: C:\rapport.txt

    Option:

    * To clear the trusted and restricted sites list, select 3 and press Enter in the menu.

    At the question "Réinitialiser la liste des sites de confiance et sensibles ?" (Reset the trusted and restricted sites list?), answer O (yes) and press Enter to restore the trusted and restricted zones.

    FALSE POSITIVE:

    process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool. It is not a virus but a utility meant to terminate processes. In the wrong hands this utility could stop security software (antivirus, firewall...), hence the alert raised by those antivirus programs.

    If a report won't post, raise an alert to the moderators (conciergerie) with the yellow /!\ icon.
    0
    1. Charliek
       
      OK, I'll try rebooting into Safe Mode. Thanks for everything (hoping it gets resolved quickly)
      0
  8. chimay8 Posts 7947 Status Security contributor 60
     
    should I run the other program to be safe?

    if you have Rustock, a tool alone won't get you out of it...
    0
    1. Charliek
       
      Well, some things seem to be better, but I have a persistent problem with trojans lodging in the Temp folder: tmp38.tmp and others of the same kind, tmp33...

      AntiVir detects them, but even after deleting them they seem to come back.

      Another concern: Spybot still detects a Zlob.DNSChanger:
      Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #1 (Undefined) (Modification du Registre, nothing done)
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer=208.67.220.220,208.67.222.222

      Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #2 (Undefined) (Modification du Registre, nothing done)
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E77010A0-B029-4C5C-9676-7D11BC145D1B}\NameServer=208.67.220.220,208.67.222.222

      What should I do?!
      0
      1. Charliek > Charliek
         
        I reran Malwarebytes, which found again the items I thought I had already removed via SmitFraudFix...

        Fichier(s) infecté(s):
        C:\WINDOWS\system32\gaopdxyekyjpin.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\gsrf7iunwefihaw3und.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
        C:\resycled\ntldr.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
        C:\WINDOWS\Temp\tempo-2A1.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
        C:\WINDOWS\Temp\tempo-BAD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
        0
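The SmitFraudFix "DNS" section at the top of this page and the Spybot lines in the post just above show the same indicator from two tools: a static `NameServer` value written under `Tcpip\Parameters` (per control set, or per interface GUID) that no longer mirrors what DHCP handed out (`DhcpNameServer`). As an added example, not code from the thread or from either tool, the Python checker below parses lines in both report formats, pairs the static and DHCP lists per control set and scope, and reports a static override; it rates one pointing outside an allowlist as high and one pointing at well-known public resolvers as medium. The sample lines are constructed from the reports on this page, the two regexes are assumptions about the line shapes shown here, and the allowlist (the two OpenDNS addresses) is an assumption to extend for your own environment.

```python
"""Flag static DNS-resolver overrides in SmitFraudFix / Spybot report lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the "DNS" section lines SmitFraudFix printed at the top of this thread.
SMITFRAUDFIX_DNS = r"""
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.106,85.255.112.111
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.106,85.255.112.111
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.113.115,85.255.112.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
"""

# Constructed sample: the registry paths Spybot printed under its Zlob.DNSChanger hit in the post above.
SPYBOT_DNS = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer=208.67.220.220,208.67.222.222
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E77010A0-B029-4C5C-9676-7D11BC145D1B}\NameServer=208.67.220.220,208.67.222.222
"""

# Assumed allowlist: resolvers a user might have set on purpose (these two are OpenDNS). Extend for your LAN.
KNOWN_PUBLIC_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Line shapes assumed from the reports shown on this page.
_SFF = re.compile(r"^HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<scope>[^:]+):\s*"
                  r"(?P<key>DhcpNameServer|NameServer)=(?P<val>.*)$")
_SPYBOT = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>CurrentControlSet|ControlSet\d+)\\Services\\Tcpip\\"
                     r"(?P<scope>.+)\\(?P<key>DhcpNameServer|NameServer)=(?P<val>.*)$")
_GUID = re.compile(r"\{[0-9A-Fa-f-]+\}")


@dataclass
class Finding:
    control_set: str
    scope: str          # "Parameters" (machine-wide) or the interface GUID
    static: list
    dhcp: list
    severity: str
    reason: str


def _norm_cs(cs):
    """Map SmitFraudFix's CCS / CS1 shorthand onto the real registry key names."""
    if cs in ("CCS", "CurrentControlSet"):
        return "CurrentControlSet"
    if cs.startswith("CS"):
        return "ControlSet%03d" % int(cs[2:])
    return cs


def _norm_scope(scope):
    m = _GUID.search(scope)
    return m.group(0).upper() if m else "Parameters"


def parse_dns_lines(text):
    """Collect the DhcpNameServer / NameServer lists per (control set, scope) from either report format."""
    records = defaultdict(lambda: {"DhcpNameServer": [], "NameServer": []})
    for raw in text.splitlines():
        m = _SFF.match(raw.strip()) or _SPYBOT.match(raw.strip())
        if not m:
            continue
        key = (_norm_cs(m.group("cs")), _norm_scope(m.group("scope")))
        records[key][m.group("key")] = [s.strip() for s in m.group("val").split(",") if s.strip()]
    return dict(records)


def find_static_overrides(records, allowlist=KNOWN_PUBLIC_RESOLVERS):
    """A static NameServer that does not mirror DHCP is the indicator both tools reacted to."""
    findings = []
    for (cs, scope), vals in sorted(records.items()):
        static, dhcp = vals["NameServer"], vals["DhcpNameServer"]
        if not static:
            continue                      # resolvers come from DHCP only: the expected state on a home LAN
        if dhcp and set(static) <= set(dhcp):
            continue                      # static list just repeats what DHCP handed out
        unknown = sorted(set(static) - allowlist)
        if unknown:
            findings.append(Finding(cs, scope, static, dhcp, "high",
                                    "static NameServer points outside the allowlist: " + ", ".join(unknown)))
        else:
            findings.append(Finding(cs, scope, static, dhcp, "medium",
                                    "static NameServer overrides DHCP with known public resolvers"))
    return findings


if __name__ == "__main__":
    for label, text in (("SmitFraudFix", SMITFRAUDFIX_DNS), ("Spybot", SPYBOT_DNS)):
        for f in find_static_overrides(parse_dns_lines(text)):
            print(f"[{label}] {f.severity.upper():6} {f.control_set}\\{f.scope}: "
                  f"NameServer={','.join(f.static)} DhcpNameServer={','.join(f.dhcp) or '(none)'}  {f.reason}")
```

Run against the SmitFraudFix sample it reports three high findings (CurrentControlSet, ControlSet001 and ControlSet002 each carry a static list that differs from the DHCP-assigned 192.168.1.1), while ControlSet003 and the interface key, which only have `DhcpNameServer`, stay quiet. The Spybot sample yields two medium findings: Spybot has no DHCP column to compare against, and both entries point at the allowlisted resolvers, which is why the checker lowers the rating rather than suppressing it; an override the user never configured is still worth a look, which is exactly what happened in this thread.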
  9. chimay8 Posts 7947 Status Security contributor 60
     
    please do this

    flush your DNS cache
    click Start --> Run
    type cmd and confirm with [Enter]
    then type or copy/paste what is in bold:

    ipconfig /flushdns **don't forget the space between ...ipconfig[space]/flushdns**

    then confirm with [Enter]

    Restart the computer in Safe Mode.
    How to get into Safe Mode
    1) Restart your computer
    2) Tap the F8 key immediately (F5 on some PCs), right after the "beep"
    3) You'll see a screen with startup options appear
    4) Choose the first option: Safe Mode, and confirm with "Enter"
    5) Choose your usual account, not Administrator (if needed ...)
    (PS: don't forget, in Safe Mode there is no Internet connection! So copy or print the information below ...)

    * Double-click SmitfraudFix.exe

    * Select 2 and press "Enter" in the menu to delete the files responsible for the infection.

    * At the question "Voulez-vous nettoyer le registre ?" (Do you want to clean the registry?), answer O (yes) and press Enter to unblock the desktop wallpaper and delete the infection's registry keys.

    (The fix will determine whether the wininet.dll file is infected.)

    * At the question "Corriger le fichier infecté ?" (Fix the infected file?), answer O (yes) and press Enter
    to replace the corrupted file.

    * A restart may be needed to finish the cleaning procedure (otherwise do it manually)

    The report is at the root of C:\
    (in the file "rapport.txt")

    restart your PC

    and please post a new HijackThis log
    0
    1. Charliek
       
      Re!
      Big problems, notably with Internet Explorer, after running SmitFraudFix option 2. IE no longer launches (Windows program-closing error message), not even via iexplore.exe. I managed to get back in through the Windows search engine, but with difficulty... so I don't dare reboot any more because I'm struggling.

      The DNS problem came back, so I redid option 5, then option 2 in Safe Mode.

      Here are the HijackThis logs:
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 20:43:19, on 21/01/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16762)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\nslsvice.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\mHotkey.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      C:\Program Files\Java\jre6\bin\jusched.exe
      C:\WINDOWS\Dit.exe
      C:\WINDOWS\system32\umonit.exe
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\WINDOWS\system32\LVCOMSX.EXE
      C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
      C:\WINDOWS\system32\drivers\CDAC11BA.EXE
      C:\WINDOWS\System32\FTRTSVC.exe
      C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
      C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe
      C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
      C:\Program Files\lotus\notes\ntmulti.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
      C:\WINDOWS\System32\wbem\wmiapsrv.exe
      C:\PROGRA~1\Wanadoo\ComComp.exe
      C:\PROGRA~1\Wanadoo\Toaster.exe
      C:\PROGRA~1\Wanadoo\Inactivity.exe
      C:\PROGRA~1\Wanadoo\PollingModule.exe
      C:\PROGRA~1\Wanadoo\Watch.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\WINDOWS\system32\drwtsn32.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
      O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
      O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      O4 - HKLM\..\Run: [Dit] Dit.exe
      O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
      O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
      O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
      O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [PVE_Lite] "C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe"
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
      O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
      O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
      O4 - Global Startup: Lancer le Gestionnaire Internet.lnk = C:\Program Files\Wanadoo\GestMAJ.exe
      O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
      O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
      O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
      O16 - DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} (VoxsyncCtrl Class) - https://login.orange.fr/captcha?return_url=https%3A%2F%2Fmescontacts.orange.fr
      O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) -
      O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
      O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - http://webmail-lhr.expeditors.com/...
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111847736609
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
      O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - http://dl.uc.sina.com/cab/downloader.cab
      O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - https://www.epson.eu/support/
      O16 - DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} - http://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
      O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
      O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
      O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
      O16 - DPF: {BEF9DA9B-002E-4901-AEFD-53043E9F3965} -
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://livekuva.suomi.net/activex/AMC.cab
      O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - http://webmail-lhr.expeditors.com/...
      O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
      O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
      O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
      O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
      O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
      O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
      O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: Super Ad Blocker (SABSVC) - SuperAdBlocker.com - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
      O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
      0
  10. chimay8 Posts 7947 Status Security contributor 60
     
    look at post 6

    tick: * IE repair

    did you do that?

    flush your DNS cache
    click Start --> Run
    type cmd and confirm with [Enter]
    then type or copy/paste what is in bold:

    ipconfig /flushdns **don't forget the space between ...ipconfig[space]/flushdns**

    then confirm with [Enter]

    if yes, don't do it again (pointless)

    do a quick scan again with MBAM

    post the report
    0
    1. Charliek
       
      Yes, I had done both procedures. I'm redoing a scan with MBAM and will come back.. Thanks for your help!
      0
      1. Charliek > Charliek
         
        And here's the report:

        should I delete them?

        Malwarebytes' Anti-Malware 1.33
        Version de la base de données: 1673
        Windows 5.1.2600 Service Pack 3

        21/01/2009 21:19:01
        mbam-log-2009-01-21 (21-18-54).txt

        Type de recherche: Examen rapide
        Eléments examinés: 75152
        Temps écoulé: 11 minute(s), 7 second(s)

        Processus mémoire infecté(s): 0
        Module(s) mémoire infecté(s): 0
        Clé(s) du Registre infectée(s): 0
        Valeur(s) du Registre infectée(s): 0
        Elément(s) de données du Registre infecté(s): 0
        Dossier(s) infecté(s): 0
        Fichier(s) infecté(s): 3

        Processus mémoire infecté(s):
        (Aucun élément nuisible détecté)

        Module(s) mémoire infecté(s):
        (Aucun élément nuisible détecté)

        Clé(s) du Registre infectée(s):
        (Aucun élément nuisible détecté)

        Valeur(s) du Registre infectée(s):
        (Aucun élément nuisible détecté)

        Elément(s) de données du Registre infecté(s):
        (Aucun élément nuisible détecté)

        Dossier(s) infecté(s):
        (Aucun élément nuisible détecté)

        Fichier(s) infecté(s):
        C:\WINDOWS\system32\gaopdxyekyjpin.dll (Trojan.DNSChanger) -> No action taken.
        C:\WINDOWS\Temp\tempo-11.tmp (Trojan.DNSChanger) -> No action taken.
        C:\WINDOWS\Temp\tempo-1D.tmp (Trojan.DNSChanger) -> No action taken.
        0
  11. chimay8 Posts 7947 Status Security contributor 60
     
    yes
    delete them

    I haven't seen the report from SmitFraudFix option 2
    it's important to know whether the autoruns were taken out
    0
    1. Charliek
       
      OK thanks, I can't find the report again; I'll rerun it and come back (fingers crossed for IE)
      0
  12. chimay8 Posts 7947 Status Security contributor 60
     
    The report is at the root of C:\
    (in the file "rapport.txt")
    0
    1. Charliek
       
      And here it is:
      SmitFraudFix v2.391

      Rapport fait à 21:38:30,23, 21/01/2009
      Executé à partir de C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\SmitfraudFix
      OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
      Le type du système de fichiers est
      Fix executé en mode sans echec

      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll

      »»»»»»»»»»»»»»»»»»»»»»»» Arret des processus


      »»»»»»»»»»»»»»»»»»»»»»»» hosts


      127.0.0.1 localhost



      »»»»»»»»»»»»»»»»»»»»»»»» VACFix

      VACFix
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri


      »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

      S!Ri's WS2Fix: LSP not Found.


      »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

      GenericRenosFix by S!Ri


      »»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés


      »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

      IEDFix
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri



      »»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

      Agent.OMZ.Fix
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri


      »»»»»»»»»»»»»»»»»»»»»»»» 404Fix

      404Fix
      Credits: Malware Analysis & Diagnostic
      Code: S!Ri


      »»»»»»»»»»»»»»»»»»»»»»»» RK


      »»»»»»»»»»»»»»»»»»»»»»»» DNS

      HKLM\SYSTEM\CCS\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS1\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS2\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS3\Services\Tcpip\..\{E77010A0-B029-4C5C-9676-7D11BC145D1B}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


      »»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires


      »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "System"=""


      »»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

      Nettoyage terminé.

      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
      !!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll


      »»»»»»»»»»»»»»»»»»»»»»»» Fin

      Tell me it's good! :-)
      0
  13. chimay8 Posts 7947 Status Security contributor 60
     
    well, that's a lot cleaner

    there's still your Rustock business

    but first, a bit of cleanup

    relaunch HijackThis (scan only) and tick these lines

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - http://dl.uc.sina.com/cab/downloader.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
    O16 - DPF: {BEF9DA9B-002E-4901-AEFD-53043E9F3965} -

    click Fix checked

    then

    Download sUBs' ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    and save it to your desktop and nowhere else!

    **Disable your protection software** (antivirus, antispyware), then:
    disconnect from the Internet, close all programs

    Double-click combofix; if it asks you to install the console, do it (see below)
    then,
    it will ask you a question; answer with the 1 key and Enter to confirm.
    don't touch anything else, not even your mouse!!

    Wait until combofix has finished; a report will be created. Post the report.

    0
    1. Charliek
       
      So here's the report. One issue: I did disable everything as requested (including the Internet), but at one point, for the console, it asked precisely for an active connection; the work continued and the PC rebooted, but on reboot the antivirus started up again. Combo finished anyway, but I had to follow the alerts and let the program run (only moving the mouse).
      I didn't get a question to answer 1 to either.

      ComboFix 09-01-21.01 - Arnaud Meunier 2009-01-21 22:29:10.1 - NTFSx86
      Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.1023.649 [GMT 1:00]
      Lancé depuis: c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\ComboFix.exe
      AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
      AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
      AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

      AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
      .

      (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Local Settings\Tempdesktopsetup_1_14_1_0.exe
      c:\windows\system32\drivers\gaopdxmilmpfpw.sys
      c:\windows\system32\drivers\gaopdxsegtlnkd.sys
      c:\windows\system32\drivers\gaopdxuogeaeaw.sys
      c:\windows\system32\gaopdxyekyjpin.dll
      c:\windows\system32\tmp.reg
      D:\Autorun.inf
      D:\resycled
      d:\resycled\ntldr.com
      E:\Autorun.inf
      E:\resycled
      e:\resycled\ntldr.com

      .
      ((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Service_gaopdxserv.sys


      ((((((((((((((((((((((((((((( Fichiers créés du 2008-12-21 au 2009-01-21 ))))))))))))))))))))))))))))))))))))
      .

      2009-01-21 17:47 . 2009-01-21 18:05 <REP> d-------- c:\program files\CCleaner
      2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
      2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Malwarebytes
      2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
      2009-01-21 12:21 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
      2009-01-21 12:21 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
      2009-01-21 12:18 . 2009-01-21 12:18 <REP> d-------- c:\program files\Trend Micro
      2009-01-21 12:00 . 2009-01-21 13:24 <REP> d-------- c:\program files\SpywareDetector
      2009-01-21 12:00 . 2009-01-21 12:05 63 --a------ c:\windows\system\SysSD.dll
      2009-01-21 09:24 . 2009-01-21 09:24 <REP> d-------- c:\program files\iLike
      2009-01-20 20:11 . 2009-01-20 20:11 2 --a------ C:\1684826783
      2009-01-20 20:10 . 2009-01-20 20:10 108,336 --a------ c:\windows\system32\mswinsck.ocx
      2009-01-20 20:09 . 2009-01-20 20:10 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4
      2009-01-20 20:09 . 2009-01-20 20:09 33 --a------ c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\__t.bin
      2009-01-19 16:35 . 2009-01-19 16:35 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Library
      2009-01-19 16:35 . 2009-01-19 16:35 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.ExMan
      2009-01-19 15:50 . 2009-01-19 15:50 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
      2009-01-19 14:25 . 2009-01-19 15:11 <REP> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet
      2009-01-19 14:04 . 2008-04-07 05:38 45,392 -ra------ c:\windows\system32\AdobePDF.dll
      2009-01-19 14:04 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
      2009-01-19 12:03 . 2009-01-19 13:24 <REP> d-------- c:\program files\Adobe CS4
      2009-01-17 18:56 . 2009-01-17 18:56 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Todae
      2009-01-15 19:18 . 2009-01-15 19:18 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Expeditors
      2009-01-03 15:44 . 2009-01-03 16:13 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\???????sAppData
      2009-01-03 15:43 . 2009-01-03 15:43 391 --a------ c:\windows\COVERE~1.INI
      2008-12-29 08:04 . 2008-12-08 17:01 55,136 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
      2008-12-29 08:01 . 2008-12-29 08:01 <REP> d-------- c:\program files\Windows Live SkyDrive
      2008-12-29 08:01 . 2008-12-29 08:04 <REP> d-------- c:\program files\Microsoft
      2008-12-21 13:11 . 2008-12-21 13:11 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\360desktop

      .
      (((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-01-21 21:23 --------- d-----w c:\program files\Wanadoo
      2009-01-21 20:47 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
      2009-01-21 20:46 13,440 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
      2009-01-21 19:54 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition classic
      2009-01-21 16:57 --------- d-----w c:\program files\Fichiers communs\Real
      2009-01-21 16:55 --------- d-----w c:\program files\Veetle
      2009-01-21 13:08 --------- d-----w c:\program files\QuickTime
      2009-01-21 12:41 --------- d-----w c:\program files\eMule
      2009-01-20 22:35 --------- d-----w c:\program files\Fichiers communs\Adobe
      2009-01-20 19:12 --------- d-----w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\uTorrent
      2009-01-19 12:29 --------- d-----w c:\program files\Fichiers communs\Macrovision Shared
      2009-01-19 11:38 --------- d-----w c:\program files\Windows Media Connect 2
      2009-01-19 11:37 --------- d-----w c:\program files\Make bootable flashcards
      2009-01-19 10:52 --------- d-----w c:\program files\Final Draft 7
      2009-01-19 10:52 --------- d-----w c:\program files\DivX
      2009-01-17 14:27 --------- d-----w c:\program files\Macromedia
      2008-12-29 07:04 --------- d-----w c:\program files\Windows Live
      2008-12-28 20:44 --------- d-----w c:\program files\Fichiers communs\Wise Installation Wizard
      2008-12-21 12:15 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
      2008-12-16 12:32 410,984 ----a-w c:\windows\system32\deploytk.dll
      2008-12-16 12:32 --------- d-----w c:\program files\Java
      2008-12-14 16:16 --------- d-----w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Synthesia
      2008-12-13 14:07 --------- d-----w c:\program files\SpywareBlaster
      2008-12-13 14:05 --------- d-----w c:\program files\Apple Software Update
      2008-12-13 14:01 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
      2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
      2008-12-04 23:11 308,584 ----a-w c:\windows\WLXPGSS.SCR
      2008-12-02 21:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
      2008-12-02 20:25 --------- d-----w c:\program files\VstPlugins
      2008-12-02 20:25 --------- d-----w c:\program files\Outsim
      2008-12-02 20:25 --------- d-----w c:\program files\Image-Line
      2008-12-02 20:25 --------- d-----w c:\program files\ASIO4ALL v2
      2008-12-02 19:22 290,816 ----a-w c:\windows\system32\PVE_Lite.dll
      2008-12-02 19:20 200,704 ----a-w c:\windows\system32\DDDE.tmp
      2008-12-02 19:20 200,704 ----a-w c:\windows\system32\DDDD.tmp
      2008-12-02 19:20 --------- d-----w c:\program files\Prodipe
      2008-12-02 19:17 200,704 ----a-w c:\windows\system32\DDDC.tmp
      2008-12-02 19:09 200,704 ----a-w c:\windows\system32\DDDB.tmp
      2008-12-02 18:57 200,704 ----a-w c:\windows\system32\DDD6.tmp
      2008-11-28 06:27 200,704 ----a-w c:\windows\system32\DDD9.tmp
      2008-11-16 18:45 48,396 ----a-w c:\windows\UninstVeetleTVPlayer.exe
      2008-11-04 18:50 270,128 ----a-w c:\program files\utorrent.exe
      2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
      2008-09-12 19:55 137,399 ----a-w c:\program files\CS4 Design Premium — Lisez-moi.pdf
      2008-01-19 15:59 869,376 ----a-w c:\program files\Printkey2000.exe
      2006-12-15 06:10 66,608 ----a-w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\GDIPFONTCACHEV1.DAT
      2006-02-05 08:11 53,650 ----a-w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\wklnhst.dat
      2003-05-07 12:52 657 ----a-w c:\program files\Advanced MP3 Converter v1.81.txt
      2003-05-02 16:15 1,616,269 ----a-w c:\program files\advanced-mp3-converter.exe
      1999-05-05 13:49 463,872 ----a-w c:\program files\Convert.exe
      2008-09-20 16:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008092020080921\index.dat
      .

      ------- Sigcheck -------

      2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
      2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
      2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
      2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
      2008-06-20 11:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
      2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
      2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
      2008-06-20 11:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
      2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
      2005-05-25 20:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
      2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
      2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
      2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
      2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
      2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
      2008-06-20 12:51 361600 4afb3b0919649f95c1964aa1fad27d73 c:\windows\system32\dllcache\tcpip.sys
      2008-06-20 12:51 361600 4afb3b0919649f95c1964aa1fad27d73 c:\windows\system32\drivers\tcpip.sys
      .
      ((((((((((((((((((((((((((((((((( Reg loading points ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legitimate default entries are not listed
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "WOOKIT"="c:\program files\Wanadoo\Shell.exe" [2004-08-23 122880]
      "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
      "Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]
      "Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-04-02 1424648]
      "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2008-12-19 1434864]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
      "UMonit"="c:\windows\system32\umonit.exe" [2005-08-06 53248]
      "WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2004-08-23 20480]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
      "PVE_Lite"="c:\program files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe" [2008-12-02 856064]
      "CHotkey"="mHotkey.exe" [2002-07-23 c:\windows\mHotkey.exe]
      "Dit"="Dit.exe" [2004-04-02 c:\windows\Dit.exe]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
      "iLike"="c:\program files\iLike\1.2.11\ilikesidebar.exe" [2008-09-11 63024]

      c:\documents and settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\
      Lancer le Gestionnaire Internet.lnk - c:\program files\Wanadoo\GestMAJ.exe [2008-08-05 32768]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "VIDC.ACDV"= ACDV.dll
      "midi"= PVE_Lite.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
      --a------ 2008-06-11 22:43 640376 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
      --a------ 2008-06-12 02:25 37232 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\FileZilla\\FileZilla.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\WINDOWS\\system32\\dxdiag.exe"=
      "c:\\Program Files\\Fichiers communs\\Ahead\\Nero Web\\SetupX.exe"=
      "c:\\Program Files\\Fichiers communs\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
      "c:\\Program Files\\sina\\SAP\\SAPlatform.exe"=
      "c:\\WINDOWS\\system32\\dpvsetup.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=
      "c:\\WINDOWS\\system32\\sessmgr.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

      R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2006-01-31 22336]
      R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2006-01-31 45376]
      R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2006-11-19 13440]
      R3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-06-25 1390976]
      R4 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2008-12-29 55136]
      R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
      S1 7c5c634b;7c5c634b;c:\windows\system32\drivers\7c5c634b.sys --> c:\windows\system32\drivers\7c5c634b.sys [?]
      S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
      S3 Defender;Defender;\??\c:\program files\SinEspias\Defender.sys --> c:\program files\SinEspias\Defender.sys [?]
      S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2007-01-13 6656]
      S3 fsssvc;Windows Live Contrôle parental;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
      S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2006-08-12 87824]
      S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2006-08-11 85696]
      S3 WlanUIG;Sagem 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [2004-11-18 379456]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
      \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
      \Shell\Open\command - d:\resycled\ntldr.com d:

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
      \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
      \Shell\Open\command - e:\resycled\ntldr.com e:

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
      "c:\program files\Fichiers communs\LightScribe\LSRunOnce.exe"
      .
      Contents of the 'Scheduled Tasks' folder

      2009-01-21 c:\windows\Tasks\MP Scheduled Scan.job
      - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

      2009-01-18 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
      - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 08:50]

      2008-05-23 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
      - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 08:50]

      2008-05-23 c:\windows\Tasks\Uniblue SpyEraser.job
      - c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 08:50]

      2006-01-14 c:\windows\Tasks\XoftSpy.job
      - c:\program files\XoftSpy\XoftSpy.exe []
      .
      .
      ------- Supplementary scan -------
      .
      uStart Page = hxxp://www.criticsonline.org/
      IE: { - c:\program files\Messenger\msmsgs.exe
      Trusted Zone: expeditors.com\webmail-lhr
      DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} - hxxp://contacts.orange.fr/wfr_webab/VoxsyncX.cab
      DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} - hxxp://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
      DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://livekuva.suomi.net/activex/AMC.cab
      .

      **************************************************************************

      catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-01-21 22:32:55
      Windows 5.1.2600 Service Pack 3 NTFS

      Scanning for hidden processes ...

      Scanning for hidden autostart entries ...

      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      UMonit = c:\windows\system32\umonit.exe?ixustor.sys??_0fce&Pi??????$?I_01??658???B\?O???????????????????????????w??????????????P?l??????|p??|????m??|C??w??????????$?B$?|???w???w*?,???$????????????????????????????????w??????????????P?????T???~?P???????P???P????????

      Scanning for hidden files ...

      Scan completed successfully
      Hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-1957994488-484061587-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\USB\Vid_0db0&Pid_4011\AAAA12345678\LogConf]
      @DACL=(02 0000)
      .
      Completion time: 2009-01-21 22:34:53
      ComboFix-quarantined-files.txt 2009-01-21 21:34:51

      Pre-Run: 46,140,588,032 bytes free
      Post-Run: 46,476,079,104 bytes free

      248 --- E O F --- 2009-01-20 08:17:29


      I hope I'm getting close!
      1. Charliek > Charliek
         
        For info, a new MBAM scan turned up nothing, and the Spybot and AntiVir updates work again.

        To be safe, I'm redoing a full Spybot & AntiVir scan plus a full MBAM scan.
  14. chimay8 (security contributor)
     
    there's still work to do...

    ComboFix did a good job, but some junk is left

    if you don't mind, we'll pick this up tomorrow because I'm worn out

    ++
    1. Charliek
       
      no problem, I'm exhausted too!
  15. chimay8 (security contributor)
     
    ok,
    see you tomorrow
    don't worry, we've made good progress!!!
  16. chimay8 (security contributor)
     
    Copy the text below:

    File::
    c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    c:\windows\system\SysSD.dll
    c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\__t.bin
    c:\windows\system32\DDDE.tmp
    c:\windows\system32\DDDD.tmp
    c:\windows\system32\DDDC.tmp
    c:\windows\system32\DDDB.tmp
    c:\windows\system32\DDD6.tmp
    c:\windows\system32\DDD9.tmp
    c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\wklnhst.dat

    Folder::
    c:\program files\SpywareDetector
    c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4
    C:\1684826783

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:

    Open Notepad and paste the copied text.
    (Start\All Programs\Accessories\Notepad.)
    Save this file (on the desktop) under the name CFScript.txt

    Now drag the CFScript.txt file onto Combofix.exe, like this:
    http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

    This will relaunch Combofix.

    A blue window will appear: at the prompt (Type 1 to continue, or 2 to abort), type 1 and confirm.

    Wait for the scan to finish. The desktop will disappear several times: that's normal!

    Don't touch anything until the scan is finished.

    After the reboot, post the contents of the Combofix.txt report along with a Hijackthis report.

    If there is no reboot, post the reports anyway.
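The mountpoints2 entries in the ComboFix log above, and the Registry:: lines of the CFScript that delete them, are the fingerprint of a removable-drive worm: Explorer's per-volume AutoRun and Open verbs for D: and E: were redirected to resycled\ntldr.com, so double-clicking the drive runs the worm, and rundll32 Shell32.DLL,ShellExec_RunDLL is used so the visible launcher is a Windows binary. The script below is an added example, not part of this thread, of ComboFix or of any of the tools mentioned: it parses a mountpoints2 block in ComboFix's output shape and an Autorun.inf, and lists why each launch target looks like a worm. The heuristics (recycler-style directory, path relative to the volume, a .com/.pif/.scr-style extension, a name mimicking a system file such as ntldr), the F:\setup.exe control entry and the Autorun.inf text are my assumptions; the thread never shows the real D:\Autorun.inf.

```python
import os
import re

# Per-volume keys as ComboFix prints them, then "\Shell\<verb>\command - <command line>" lines.
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
                           r"\\explorer\\mountpoints2\\(?P<drive>[A-Za-z]|\{[0-9A-Fa-f-]+\})\]$", re.I)
COMMAND_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
# "rundll32 shell32.dll,ShellExec_RunDLL <file>": the payload is <file>, not rundll32.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+shell32\.dll,shellexec_rundll\s+(?P<target>\S+)", re.I)

RECYCLER_DIRS = {"recycler", "recycled", "resycled", "$recycle.bin"}   # assumed worm hiding places
SCRIPT_EXTS = {".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".wsf"}
SYSTEM_NAMES = {"ntldr", "ntdetect", "boot", "autorun", "desktop", "thumbs", "pagefile"}

def parse_mountpoints2(log_text):
    """Return {drive: {verb: command}} from the 'Reg loading points' block of a ComboFix log."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = MOUNTPOINT_RE.match(line)
        if key:
            current = key.group("drive").upper()
            entries.setdefault(current, {})
        elif line.startswith("["):            # any other registry key ends the block
            current = None
        elif current and (cmd := COMMAND_RE.match(line)):
            entries[current][cmd.group("verb").lower()] = cmd.group("cmd")
    return entries

def parse_autorun_inf(text):
    """Minimal [autorun] section parser; keys are lower-cased and a UTF-8 BOM is tolerated."""
    keys, in_autorun = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys

def launch_target(command):
    """The file a command line actually executes, unwrapping the rundll32 ShellExec_RunDLL trick."""
    m = RUNDLL_RE.search(command)
    return (m.group("target") if m else command.split()[0]).strip('"')

def assess_target(target):
    """Reasons a launch target looks like a removable-drive worm; an empty list means nothing odd."""
    t = target.replace("/", "\\").lower()
    parts = t.split("\\")
    stem, ext = os.path.splitext(parts[-1])
    reasons = []
    if not re.match(r"^[a-z]:\\", t):
        reasons.append("relative path: the binary lives on the removable volume itself")
    if any(p in RECYCLER_DIRS for p in parts[:-1]):
        reasons.append("hidden in a recycler-style directory")
    if ext in SCRIPT_EXTS:
        reasons.append(f"executable extension {ext} rather than .exe")
    if stem in SYSTEM_NAMES:
        reasons.append(f"file name '{parts[-1]}' mimics a Windows system file")
    return reasons

def audit_log(log_text):
    """{drive: {verb: (target, reasons)}} for every mountpoints2 verb that raised a reason."""
    report = {}
    for drive, verbs in parse_mountpoints2(log_text).items():
        flagged = {}
        for verb, cmd in verbs.items():
            target = launch_target(cmd)
            if reasons := assess_target(target):
                flagged[verb] = (target, reasons)
        if flagged:
            report[drive] = flagged
    return report

def audit_autorun_inf(text):
    """Same assessment for the open / shellexecute / shell\\<verb>\\command keys of an Autorun.inf."""
    findings = {}
    for key, value in parse_autorun_inf(text).items():
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            if reasons := assess_target(launch_target(value)):
                findings[key] = reasons
    return findings

# Sample input: the D: entry copied from the ComboFix log in this thread, plus a constructed F:
# entry (a CD-ROM setup launcher) as a benign control.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
\Shell\Open\command - d:\resycled\ntldr.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\setup.exe
"""
# Constructed Autorun.inf consistent with those registry entries; the thread never shows the real one.
SAMPLE_AUTORUN_INF = "[autorun]\r\nopen=resycled\\ntldr.com d:\r\nshell\\open\\command=resycled\\ntldr.com d:\r\n"
```

Calling audit_log(SAMPLE_LOG) reports only D:, with four reasons for the AutoRun verb and three for Open; the F:\setup.exe control produces none, so a legitimate CD-ROM autorun is not flagged. The same scoring on the Autorun.inf keys reproduces the verdict from the file side, which is useful when a USB stick is examined on a clean machine before its mountpoints2 entry ever exists.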
    1. Charliek
       
      Hi,

      you're up early!

      Do I need to disconnect the internet and close applications this time too?
      1. Charliek > Charliek
         
        So I ran it as indicated (but still no "1", maybe because the console is missing?)

        Combo report:
        ComboFix 09-01-21.01 - Arnaud Meunier 2009-01-22 9:46:18.2 - NTFSx86
        Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.1023.575 [GMT 1:00]
        Running from: c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\ComboFix.exe
        Command switches used :: c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\CFScript.txt
        AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
        AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
        AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
        * A new restore point was created

        WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!

        FILE ::
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\__t.bin
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\wklnhst.dat
        c:\windows\system\SysSD.dll
        c:\windows\system32\DDD6.tmp
        c:\windows\system32\DDD9.tmp
        c:\windows\system32\DDDB.tmp
        c:\windows\system32\DDDC.tmp
        c:\windows\system32\DDDD.tmp
        c:\windows\system32\DDDE.tmp
        .

        (((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\1684826783\
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\__t.bin
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4\control.ini
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4\down\924184482285.exe
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4\down\chimera.exe000
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4\down\rp000.exe
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4\down\xxx000.exe
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4\save.ini
        c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\wklnhst.dat
        c:\program files\SpywareDetector
        c:\program files\SpywareDetector\SDNotify.dll1
        c:\windows\system\SysSD.dll
        c:\windows\system32\DDD6.tmp
        c:\windows\system32\DDD9.tmp
        c:\windows\system32\DDDB.tmp
        c:\windows\system32\DDDC.tmp
        c:\windows\system32\DDDD.tmp
        c:\windows\system32\DDDE.tmp

        .
        ((((((((((((((((((((((((((((( Files created from 2008-12-22 to 2009-01-22 ))))))))))))))))))))))))))))))))))))
        .

        2009-01-21 17:47 . 2009-01-21 18:05 <REP> d-------- c:\program files\CCleaner
        2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
        2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Malwarebytes
        2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
        2009-01-21 12:21 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
        2009-01-21 12:21 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
        2009-01-21 12:18 . 2009-01-21 12:18 <REP> d-------- c:\program files\Trend Micro
        2009-01-21 09:24 . 2009-01-21 09:24 <REP> d-------- c:\program files\iLike
        2009-01-20 20:11 . 2009-01-20 20:11 2 --a------ C:\1684826783
        2009-01-20 20:10 . 2009-01-20 20:10 108,336 --a------ c:\windows\system32\mswinsck.ocx
        2009-01-19 16:35 . 2009-01-19 16:35 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Library
        2009-01-19 16:35 . 2009-01-19 16:35 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.ExMan
        2009-01-19 15:50 . 2009-01-19 15:50 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
        2009-01-19 14:25 . 2009-01-19 15:11 <REP> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet
        2009-01-19 14:04 . 2008-04-07 05:38 45,392 -ra------ c:\windows\system32\AdobePDF.dll
        2009-01-19 14:04 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
        2009-01-19 12:03 . 2009-01-19 13:24 <REP> d-------- c:\program files\Adobe CS4
        2009-01-17 18:56 . 2009-01-17 18:56 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Todae
        2009-01-15 19:18 . 2009-01-15 19:18 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Expeditors
        2009-01-03 15:44 . 2009-01-03 16:13 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\???????sAppData
        2009-01-03 15:43 . 2009-01-03 15:43 391 --a------ c:\windows\COVERE~1.INI
        2008-12-29 08:04 . 2008-12-08 17:01 55,136 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
        2008-12-29 08:01 . 2008-12-29 08:01 <REP> d-------- c:\program files\Windows Live SkyDrive
        2008-12-29 08:01 . 2008-12-29 08:04 <REP> d-------- c:\program files\Microsoft

        .
        (((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-01-22 08:44 --------- d-----w c:\program files\Wanadoo
        2009-01-22 08:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
        2009-01-21 21:48 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition classic
        2009-01-21 20:46 13,440 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
        2009-01-21 16:57 --------- d-----w c:\program files\Fichiers communs\Real
        2009-01-21 16:55 --------- d-----w c:\program files\Veetle
        2009-01-21 13:08 --------- d-----w c:\program files\QuickTime
        2009-01-21 12:41 --------- d-----w c:\program files\eMule
        2009-01-20 22:35 --------- d-----w c:\program files\Fichiers communs\Adobe
        2009-01-20 19:12 --------- d-----w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\uTorrent
        2009-01-19 12:29 --------- d-----w c:\program files\Fichiers communs\Macrovision Shared
        2009-01-19 11:38 --------- d-----w c:\program files\Windows Media Connect 2
        2009-01-19 11:37 --------- d-----w c:\program files\Make bootable flashcards
        2009-01-19 10:52 --------- d-----w c:\program files\Final Draft 7
        2009-01-19 10:52 --------- d-----w c:\program files\DivX
        2009-01-17 14:27 --------- d-----w c:\program files\Macromedia
        2008-12-29 07:04 --------- d-----w c:\program files\Windows Live
        2008-12-28 20:44 --------- d-----w c:\program files\Fichiers communs\Wise Installation Wizard
        2008-12-21 12:15 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
        2008-12-21 12:11 --------- d-----w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\360desktop
        2008-12-16 12:32 410,984 ----a-w c:\windows\system32\deploytk.dll
        2008-12-16 12:32 --------- d-----w c:\program files\Java
        2008-12-14 16:16 --------- d-----w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Synthesia
        2008-12-13 14:07 --------- d-----w c:\program files\SpywareBlaster
        2008-12-13 14:05 --------- d-----w c:\program files\Apple Software Update
        2008-12-13 14:01 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
        2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
        2008-12-04 23:11 308,584 ----a-w c:\windows\WLXPGSS.SCR
        2008-12-02 21:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
        2008-12-02 20:25 --------- d-----w c:\program files\VstPlugins
        2008-12-02 20:25 --------- d-----w c:\program files\Outsim
        2008-12-02 20:25 --------- d-----w c:\program files\Image-Line
        2008-12-02 20:25 --------- d-----w c:\program files\ASIO4ALL v2
        2008-12-02 19:22 290,816 ----a-w c:\windows\system32\PVE_Lite.dll
        2008-12-02 19:20 --------- d-----w c:\program files\Prodipe
        2008-11-16 18:45 48,396 ----a-w c:\windows\UninstVeetleTVPlayer.exe
        2008-11-04 18:50 270,128 ----a-w c:\program files\utorrent.exe
        2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
        2008-09-12 19:55 137,399 ----a-w c:\program files\CS4 Design Premium — Lisez-moi.pdf
        2008-01-19 15:59 869,376 ----a-w c:\program files\Printkey2000.exe
        2006-12-15 06:10 66,608 ----a-w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\GDIPFONTCACHEV1.DAT
        2003-05-07 12:52 657 ----a-w c:\program files\Advanced MP3 Converter v1.81.txt
        2003-05-02 16:15 1,616,269 ----a-w c:\program files\advanced-mp3-converter.exe
        1999-05-05 13:49 463,872 ----a-w c:\program files\Convert.exe
        2008-09-20 16:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008092020080921\index.dat
        .

        ------- Sigcheck -------

        2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
        2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
        2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
        2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
        2008-06-20 11:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
        2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
        2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
        2008-06-20 11:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
        2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
        2005-05-25 20:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
        2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
        2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
        2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
        2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
        2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
        2008-06-20 12:51 361600 4afb3b0919649f95c1964aa1fad27d73 c:\windows\system32\dllcache\tcpip.sys
        2008-06-20 12:51 361600 4afb3b0919649f95c1964aa1fad27d73 c:\windows\system32\drivers\tcpip.sys
        .
        ((((((((((((((((((((((((((((((((( Reg loading points ))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legitimate default entries are not listed
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "WOOKIT"="c:\program files\Wanadoo\Shell.exe" [2004-08-23 122880]
        "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
        "Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]
        "Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-04-02 1424648]
        "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2008-12-19 1434864]
        "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
        "UMonit"="c:\windows\system32\umonit.exe" [2005-08-06 53248]
        "WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2004-08-23 20480]
        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
        "PVE_Lite"="c:\program files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe" [2008-12-02 856064]
        "CHotkey"="mHotkey.exe" [2002-07-23 c:\windows\mHotkey.exe]
        "Dit"="Dit.exe" [2004-04-02 c:\windows\Dit.exe]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
        "iLike"="c:\program files\iLike\1.2.11\ilikesidebar.exe" [2008-09-11 63024]

        c:\documents and settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\
        Lancer le Gestionnaire Internet.lnk - c:\program files\Wanadoo\GestMAJ.exe [2008-08-05 32768]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
        "VIDC.ACDV"= ACDV.dll
        "midi"= PVE_Lite.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
        --a------ 2008-06-11 22:43 640376 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
        --a------ 2008-06-12 02:25 37232 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=
        "c:\\Program Files\\FileZilla\\FileZilla.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\WINDOWS\\system32\\dxdiag.exe"=
        "c:\\Program Files\\Fichiers communs\\Ahead\\Nero Web\\SetupX.exe"=
        "c:\\Program Files\\Fichiers communs\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
        "c:\\Program Files\\sina\\SAP\\SAPlatform.exe"=
        "c:\\WINDOWS\\system32\\dpvsetup.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
        "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
        "c:\\Program Files\\uTorrent\\uTorrent.exe"=
        "c:\\WINDOWS\\system32\\sessmgr.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

        R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2006-01-31 22336]
        R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2006-01-31 45376]
        R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2006-11-19 13440]
        R3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-06-25 1390976]
        R4 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2008-12-29 55136]
        R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
        S1 7c5c634b;7c5c634b;c:\windows\system32\drivers\7c5c634b.sys --> c:\windows\system32\drivers\7c5c634b.sys [?]
        S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
        S3 Defender;Defender;\??\c:\program files\SinEspias\Defender.sys --> c:\program files\SinEspias\Defender.sys [?]
        S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2007-01-13 6656]
        S3 fsssvc;Windows Live Contrôle parental;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
        S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2006-08-12 87824]
        S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2006-08-11 85696]
        S3 WlanUIG;Sagem 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [2004-11-18 379456]

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
        \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
        \Shell\Open\command - d:\resycled\ntldr.com d:

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
        \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
        \Shell\Open\command - e:\resycled\ntldr.com e:

        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
        "c:\program files\Fichiers communs\LightScribe\LSRunOnce.exe"
        .
        Contents of the 'Scheduled Tasks' folder

        2009-01-22 c:\windows\Tasks\MP Scheduled Scan.job
        - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

        2009-01-18 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
        - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 08:50]

        2008-05-23 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
        - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 08:50]

        2008-05-23 c:\windows\Tasks\Uniblue SpyEraser.job
        - c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 08:50]

        2006-01-14 c:\windows\Tasks\XoftSpy.job
        - c:\program files\XoftSpy\XoftSpy.exe []
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.criticsonline.org/
        IE: { - c:\program files\Messenger\msmsgs.exe
        Trusted Zone: expeditors.com\webmail-lhr
        DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} - hxxp://contacts.orange.fr/wfr_webab/VoxsyncX.cab
        DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} - hxxp://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
        DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://livekuva.suomi.net/activex/AMC.cab
        .

        **************************************************************************

        catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-01-22 09:49:13
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        UMonit = c:\windows\system32\umonit.exe?ixustor.sys??_0fce&Pi??????$?I_01??658???B\?O???????????????????????????w??????????????P?l??????|p??|????m??|C??w??????????$?B$?|???w???w*?,???$????????????????????????????????w??????????????P?????T???~?P???????P???P????????

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_USERS\S-1-5-21-1957994488-484061587-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\USB\Vid_0db0&Pid_4011\AAAA12345678\LogConf]
        @DACL=(02 0000)
        .
        Completion time: 2009-01-22 9:51:08
        ComboFix-quarantined-files.txt 2009-01-22 08:51:06
        ComboFix2.txt 2009-01-21 21:34:54

        Pre-Run: 46,818,459,648 bytes free
        Post-Run: 46,818,238,464 bytes free

        256 --- E O F --- 2009-01-21 22:21:23


        HijackThis report:
        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 09:54:51, on 22/01/2009
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16762)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\nslsvice.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Windows Defender\MsMpEng.exe
        C:\WINDOWS\System32\svchost.exe
        D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
        C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
        C:\WINDOWS\system32\drivers\CDAC11BA.EXE
        C:\WINDOWS\System32\FTRTSVC.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
        C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\lotus\notes\ntmulti.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\wbem\wmiapsrv.exe
        C:\WINDOWS\mHotkey.exe
        C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
        C:\WINDOWS\Dit.exe
        C:\WINDOWS\system32\umonit.exe
        C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe
        C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
        C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
        C:\WINDOWS\explorer.exe
        C:\Program Files\internet explorer\iexplore.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.criticsonline.org/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
        O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
        O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
        O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
        O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
        O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
        O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
        O4 - HKLM\..\Run: [Dit] Dit.exe
        O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
        O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [PVE_Lite] "C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe"
        O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
        O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
        O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
        O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
        O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
        O4 - Global Startup: Lancer le Gestionnaire Internet.lnk = C:\Program Files\Wanadoo\GestMAJ.exe
        O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
        O15 - Trusted Zone: http://webmail-lhr.expeditors.com
        O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
        O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
        O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
        O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
        O16 - DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} (VoxsyncCtrl Class) - https://login.orange.fr/captcha?return_url=https%3A%2F%2Fmescontacts.orange.fr
        O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) -
        O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
        O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - http://webmail-lhr.expeditors.com/...
        O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111847736609
        O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
        O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
        O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - https://www.epson.eu/support/
        O16 - DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} - http://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://livekuva.suomi.net/activex/AMC.cab
        O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - http://webmail-lhr.expeditors.com/...
        O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
        O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
        O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
        O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
        O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
        O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
        O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
        O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
        O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
        O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
        O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
        O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Super Ad Blocker (SABSVC) - SuperAdBlocker.com - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
        O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
        O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
        0
  17. chimay8 Posts: 7947 Status: Security contributor 60
     
    Ah, damn,
    the mountpoints2 entries relaunch the infection.

    Download RavAntivirus from Evosla:
    http://ww25.evosla.com/compteur.php?soft=rav_antivirus

    # If you have a USB stick, external hard drive, etc., plug them in without opening them before running this FIX
    # Right-click the .ZIP file > Extract to > the Desktop
    # Double-click >> RAV.exe << to launch the tool.
    # Once RAV ANTIVIRUS is running, let it do its thing; it automatically scans all drives (fixed and removable)
    # If there is an infection, a log will be produced; otherwise the program will (very quickly) display ==> Your computer is clean.
    # Remove your removable disks and restart your computer.
    # Post the report, if there was an infection!

    2/ Download Flash Disinfector (by sUBs) to the desktop from this address: http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

    Double-click the icon.
    The icons will disappear. This is normal.
    If a report is generated in case of infection, save it to the desktop and post it afterwards.
    Then restart the PC.

    For RAV, the report is here https://imageshack.com/
    0
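    The two points the thread has just raised, the tcpip.sys copies listed in the ComboFix log above (live driver, dllcache copy and the KB951748 staging copies, where the SP3GDR copy has the same size and timestamp as the installed file but a different hash) and chimay8's remark that the mountpoints2 entries relaunch the infection, can both be checked mechanically. The script below is an added example, not code from the thread, from ComboFix or from any of the tools named here. It runs over a constructed excerpt of the log above (the lines are copied from the post), compares the live driver with its Windows File Protection dllcache copy, lists staging copies that share its size and timestamp but not its MD5, and resolves the file each mountpoints2 Shell\AutoRun and Shell\Open command launches from the removable volume. The regexes, function names and the "same metadata, different hash" heuristic are my own assumptions about what is worth flagging; a flagged file still needs to be compared against a known-good copy before anything is concluded.

```python
"""Triage helpers for a ComboFix-style log (added example, not ComboFix's own code).

Two checks:
  1. tcpip.sys copies: live driver vs the dllcache copy that Windows File
     Protection restores from, and vs staging copies ($hf_mig$, ServicePackFiles)
     that carry the live file's size and timestamp but a different MD5.
  2. mountpoints2 Shell\AutoRun / Shell\Open commands that launch a file from
     the removable volume itself, the mechanism that re-infects on open.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 12:51 361600 4afb3b0919649f95c1964aa1fad27d73 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 12:51 361600 4afb3b0919649f95c1964aa1fad27d73 c:\windows\system32\drivers\tcpip.sys
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
\Shell\Open\command - d:\resycled\ntldr.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
\Shell\Open\command - e:\resycled\ntldr.com e:
"""

# Assumed line formats (my own patterns, derived from the log above).
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")
MP_KEY_RE = re.compile(r"^\[HKEY_.*\\explorer\\mountpoints2\\([^\\\]]+)\]$", re.I)
MP_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_file_entries(log):
    """Return the '<date time> <size> <md5> <path>' lines as dicts (path lower-cased)."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            entries.append({"stamp": stamp, "size": int(size),
                            "md5": md5.lower(), "path": path.lower()})
    return entries


def check_wfp_copy(entries, name):
    """Compare the live driver with the dllcache copy WFP would restore it from."""
    live = [e for e in entries if e["path"].endswith("\\system32\\drivers\\" + name)]
    cache = [e for e in entries if e["path"].endswith("\\system32\\dllcache\\" + name)]
    if not live or not cache:
        return {"status": "missing"}
    status = "match" if live[0]["md5"] == cache[0]["md5"] else "mismatch"
    return {"status": status, "live": live[0]["md5"], "dllcache": cache[0]["md5"]}


def staged_copies_with_other_hash(entries, name):
    """Other copies of `name` with the live file's size and timestamp but a different MD5.
    Not proof of tampering on its own, but a file patched in place with its timestamp
    preserved looks exactly like this; compare it against a known-good copy."""
    live = [e for e in entries if e["path"].endswith("\\system32\\drivers\\" + name)]
    if not live:
        return []
    ref = live[0]
    return [e for e in entries
            if e is not ref and e["path"].endswith("\\" + name)
            and e["stamp"] == ref["stamp"] and e["size"] == ref["size"]
            and e["md5"] != ref["md5"]]


def parse_mountpoints2(log):
    """Collect Shell\\<verb>\\command values per mountpoints2 subkey (drive letter or GUID)."""
    found = defaultdict(dict)
    current = None
    for line in log.splitlines():
        line = line.strip()
        m = MP_KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):   # a different registry key: leave the block
            current = None
            continue
        m = MP_CMD_RE.match(line)
        if m and current is not None:
            found[current][m.group(1).lower()] = m.group(2)
    return dict(found)


def launched_target(command):
    """The executable a shell command ultimately runs, relative to the volume root.
    The rundll32 launcher is skipped so that
    'rundll32 ... ShellExec_RunDLL resycled\\ntldr.com d:' yields resycled\\ntldr.com."""
    target = None
    for tok in command.split():
        low = tok.lower()
        if low.endswith(EXEC_EXT) and not low.endswith("rundll32.exe"):
            target = tok
    if target is None:
        return None
    return re.sub(r"^[a-z]:\\", "", target, flags=re.I)   # drop 'd:\' so D and E compare equal


def autorun_indicators(mountpoints):
    """Drive -> {verb: target} for verbs that launch something from the volume itself."""
    hits = {}
    for drive, verbs in mountpoints.items():
        launched = {v: launched_target(c) for v, c in verbs.items()
                    if v in ("autorun", "open", "explore")}
        launched = {v: t for v, t in launched.items() if t}
        if launched:
            hits[drive] = launched
    return hits


def triage(log, driver="tcpip.sys"):
    """Run both checks over one log and return a plain dict."""
    entries = parse_file_entries(log)
    return {
        "wfp": check_wfp_copy(entries, driver),
        "staged_mismatch": [e["path"] for e in staged_copies_with_other_hash(entries, driver)],
        "autorun": autorun_indicators(parse_mountpoints2(log)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

    On the excerpt above, the live tcpip.sys matches its dllcache copy, the KB951748 SP3GDR staging copy is flagged for manual comparison, and both D: and E: resolve to resycled\ntldr.com under AutoRun and Open, which is why cleaning C: alone was not enough and the removable drives had to be treated before the next reboot.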
    1. Charliek
       
      Apparently RAV doesn't see anything (it has been showing "computer is clean" for 5 minutes but the blue bar is still scanning), but Antivir detected the same trojans, and SpyEraser found some things too.

      Should I let RAV keep running, or can I reboot and move on to the second step?

      Antivir report:
      Avira AntiVir Personal
      Report file date: Thursday, 22 January 2009 10:10

      Scanning for 1245673 virus strains and unwanted programs.

      Licensed to: Avira AntiVir PersonalEdition Classic
      Serial number: 0000149996-ADJIE-0001
      Platform: Windows XP
      Windows version: (Service Pack 3) [5.1.2600]
      Boot mode: Normally booted
      Username: SYSTEM
      Computer name: ARNAUD-PC1

      Version information:
      BUILD.DAT : 8.2.0.337 16934 Bytes 18/11/2008 13:05:00
      AVSCAN.EXE : 8.1.4.10 315649 Bytes 26/11/2008 07:00:50
      AVSCAN.DLL : 8.1.4.0 40705 Bytes 18/07/2008 05:24:08
      LUKE.DLL : 8.1.4.5 164097 Bytes 18/07/2008 05:24:09
      LUKERES.DLL : 8.1.4.0 12033 Bytes 18/07/2008 05:24:09
      ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 12:09:23
      ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 14/01/2009 17:36:04
      ANTIVIR2.VDF : 7.1.1.148 440832 Bytes 20/01/2009 17:32:47
      ANTIVIR3.VDF : 7.1.1.160 162816 Bytes 21/01/2009 21:48:31
      Engineversion : 8.2.0.57
      AEVDF.DLL : 8.1.0.6 102772 Bytes 16/10/2008 06:28:09
      AESCRIPT.DLL : 8.1.1.26 340347 Bytes 16/01/2009 17:36:42
      AESCN.DLL : 8.1.1.5 123251 Bytes 07/11/2008 19:46:43
      AERDL.DLL : 8.1.1.3 438645 Bytes 06/11/2008 20:46:32
      AEPACK.DLL : 8.1.3.5 393588 Bytes 10/01/2009 06:29:44
      AEOFFICE.DLL : 8.1.0.33 196987 Bytes 11/12/2008 19:15:37
      AEHEUR.DLL : 8.1.0.84 1540471 Bytes 16/01/2009 17:36:38
      AEHELP.DLL : 8.1.2.0 119159 Bytes 18/11/2008 21:11:24
      AEGEN.DLL : 8.1.1.10 323957 Bytes 16/01/2009 17:36:19
      AEEMU.DLL : 8.1.0.9 393588 Bytes 16/10/2008 06:28:04
      AECORE.DLL : 8.1.5.2 172405 Bytes 01/12/2008 20:55:42
      AEBB.DLL : 8.1.0.3 53618 Bytes 16/10/2008 06:28:03
      AVWINLL.DLL : 1.0.0.12 15105 Bytes 18/07/2008 05:24:08
      AVPREF.DLL : 8.0.2.0 38657 Bytes 18/07/2008 05:24:08
      AVREP.DLL : 8.0.0.2 98344 Bytes 31/07/2008 17:39:30
      AVREG.DLL : 8.0.0.1 33537 Bytes 18/07/2008 05:24:08
      AVARKT.DLL : 1.0.0.23 307457 Bytes 14/04/2008 19:52:43
      AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 18/07/2008 05:24:08
      SQLITE3.DLL : 3.3.17.1 339968 Bytes 14/04/2008 19:52:44
      SMTPLIB.DLL : 1.2.0.23 28929 Bytes 18/07/2008 05:24:09
      NETNT.DLL : 8.0.0.1 7937 Bytes 14/04/2008 19:52:43
      RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 18/07/2008 05:24:06
      RCTEXT.DLL : 8.0.52.0 86273 Bytes 18/07/2008 05:24:06

      Configuration settings for the scan:
      Jobname..........................: Complete system scan
      Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
      Logging..........................: low
      Primary action...................: interactive
      Secondary action.................: ignore
      Scan master boot sector..........: on
      Scan boot sector.................: on
      Boot sectors.....................: C:, D:, E:,
      Process scan.....................: on
      Scan registry....................: on
      Search for rootkits..............: off
      Scan all files...................: All files
      Scan archives....................: on
      Recursion depth..................: 20
      Smart extensions.................: on
      Deviating archive types..........: +Squid cache, +Eudora Mailbox, +Netscape/Mozilla Mailbox, +BSD Mailbox,
      Macro heuristic..................: on
      File heuristic...................: off
      Deviating risk categories........: +GAME,+JOKE,+PCK,+SPR,

      Start of the scan: Thursday, 22 January 2009 10:10

      The scan of running processes will be started
      Scan process 'avwsc.exe' - '1' Module(s) have been scanned
      Scan process 'avscan.exe' - '1' Module(s) have been scanned
      Scan process 'avcenter.exe' - '1' Module(s) have been scanned
      Scan process 'java.exe' - '1' Module(s) have been scanned
      Scan process 'ilikesidebar.exe' - '1' Module(s) have been scanned
      Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
      Scan process 'wmplayer.exe' - '1' Module(s) have been scanned
      Scan process 'SpyEraser.exe' - '1' Module(s) have been scanned
      Scan process 'iexplore.exe' - '1' Module(s) have been scanned
      Scan process 'explorer.exe' - '1' Module(s) have been scanned
      Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
      Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
      Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
      Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
      Scan process 'PVE_GMMode_Lite.exe' - '1' Module(s) have been scanned
      Scan process 'umonit.exe' - '1' Module(s) have been scanned
      Scan process 'Dit.exe' - '1' Module(s) have been scanned
      Scan process 'avgnt.exe' - '1' Module(s) have been scanned
      Scan process 'mHotkey.exe' - '1' Module(s) have been scanned
      Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned
      Scan process 'alg.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
      Scan process 'ntmulti.exe' - '1' Module(s) have been scanned
      Scan process 'mdm.exe' - '1' Module(s) have been scanned
      Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
      Scan process 'jqs.exe' - '1' Module(s) have been scanned
      Scan process 'FTRTSVC.exe' - '1' Module(s) have been scanned
      Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
      Scan process 'avguard.exe' - '1' Module(s) have been scanned
      Scan process 'sched.exe' - '1' Module(s) have been scanned
      Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
      Scan process 'SABSVC.EXE' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'nsl.exe' - '1' Module(s) have been scanned
      Scan process 'nslsvice.exe' - '1' Module(s) have been scanned
      Scan process 'lsass.exe' - '1' Module(s) have been scanned
      Scan process 'services.exe' - '1' Module(s) have been scanned
      Scan process 'winlogon.exe' - '1' Module(s) have been scanned
      Scan process 'csrss.exe' - '1' Module(s) have been scanned
      Scan process 'smss.exe' - '1' Module(s) have been scanned
      48 processes with 48 modules were scanned

      Starting master boot sector scan:
      Master boot sector HD0
      [INFO] No virus was found!
      Master boot sector HD1
      [INFO] No virus was found!
      [WARNING] System error [21]: The device is not ready.
      Master boot sector HD2
      [INFO] No virus was found!
      [WARNING] System error [21]: The device is not ready.
      Master boot sector HD3
      [INFO] No virus was found!
      [WARNING] System error [21]: The device is not ready.
      Master boot sector HD4
      [INFO] No virus was found!
      [WARNING] System error [21]: The device is not ready.

      Start scanning boot sectors:
      Boot sector 'C:\'
      [INFO] No virus was found!
      Boot sector 'D:\'
      [INFO] No virus was found!
      Boot sector 'E:\'
      [INFO] No virus was found!

      Starting to scan the registry.
      The registry was scanned ( '60' files ).


      Starting the file scan:

      Begin scan in 'C:\' <BOOT>
      C:\pagefile.sys
      [WARNING] The file could not be opened!
      C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1\Local Settings\Temporary Internet Files\Content.IE5\OFNZAGXP\enavweb[1].cab
      [0] Archive type: CAB (Microsoft)
      --> navex32a.dll
      [WARNING] No further files can be extracted from this archive. The archive will be closed
      C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1\Local Settings\Temporary Internet Files\Content.IE5\OFNZAGXP\enavweb[2].cab
      [0] Archive type: CAB (Microsoft)
      --> navex32a.dll
      [WARNING] No further files can be extracted from this archive. The archive will be closed
      C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\ComboFix.exe
      [0] Archive type: RAR SFX (self extracting)
      --> 32788R22FWJFW\hidec.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
      [WARNING] The file was ignored!
      C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\IS\SmitfraudFix\Agent.OMZ.Fix.exe
      [DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
      [WARNING] The file was ignored!
      C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\IS\SmitfraudFix\Reboot.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
      [WARNING] The file was ignored!
      C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\IS\SmitfraudFix\restart.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
      [WARNING] The file was ignored!
      C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxmilmpfpw.sys.vir
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was deleted!
      C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxsegtlnkd.sys.vir
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was deleted!
      C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxuogeaeaw.sys.vir
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was deleted!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1339\A0175962.sys
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was moved to '49a95001.qua'!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1339\A0175980.sys
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was moved to '49a95005.qua'!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1339\A0175981.sys
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was moved to '49a9500d.qua'!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1339\A0176069.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
      [NOTE] The file was moved to '49a95030.qua'!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1342\A0176197.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
      [NOTE] The file was moved to '49a9503a.qua'!


      End of the scan: jeudi 22 janvier 2009 11:58
      Used time: 1:47:57 Hour(s)

      The scan has been canceled!

      11874 Scanning directories
      938626 Files were scanned
      12 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      3 files were deleted
      0 files were repaired
      5 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
      938613 Files not concerned
      5073 Archives were scanned
      11 Warnings
      8 Notes
      0
  18. chimay8 Posts: 7947 Status: Security contributor 60
     
    Antivir found nothing beyond Combo's quarantine.

    Avoid running several tools at the same time; you risk crashing your PC.

    And I'm sure Spy Eraser found the same things in Combo's quarantine.

    As soon as RAV has finished, let me know!
    0
    1. Charliek
       
      OK, noted!

      Well, RAV doesn't seem to have found anything at all, and neither has Flash Disinfector. I rebooted between each one.

      Actually, what worries me is what Antivir found outside Combo's quarantine. I put them in Antivir's quarantine, but can I delete them permanently?

      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1339\A0175962.sys
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was moved to '49a95001.qua'!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1339\A0175980.sys
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was moved to '49a95005.qua'!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1339\A0175981.sys
      [DETECTION] Is the TR/Rootkit.Gen Trojan
      [NOTE] The file was moved to '49a9500d.qua'!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1339\A0176069.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
      [NOTE] The file was moved to '49a95030.qua'!
      C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1342\A0176197.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
      [NOTE] The file was moved to '49a9503a.qua'!

      Here is the HijackThis report now:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 12:40:36, on 22/01/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16762)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\nslsvice.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      C:\WINDOWS\system32\drivers\CDAC11BA.EXE
      C:\WINDOWS\System32\FTRTSVC.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
      C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
      C:\Program Files\lotus\notes\ntmulti.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\mHotkey.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      C:\WINDOWS\Dit.exe
      C:\WINDOWS\system32\umonit.exe
      C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
      C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\Wanadoo\GestionnaireInternet.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Wanadoo\ComComp.exe
      C:\PROGRA~1\Wanadoo\Toaster.exe
      C:\PROGRA~1\Wanadoo\Inactivity.exe
      C:\PROGRA~1\Wanadoo\PollingModule.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
      C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
      C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\wbem\wmiapsrv.exe
      C:\Program Files\Wanadoo\Watch.exe
      C:\Program Files\internet explorer\iexplore.exe
      C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\rav.exe
      c:\program files\antivir personaledition classic\avcenter.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.criticsonline.org/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
      O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [Dit] Dit.exe
      O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
      O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [PVE_Lite] "C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe"
      O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
      O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
      O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O4 - Global Startup: Lancer le Gestionnaire Internet.lnk = C:\Program Files\Wanadoo\GestMAJ.exe
      O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
      O15 - Trusted Zone: http://webmail-lhr.expeditors.com
      O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
      O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
      O16 - DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} (VoxsyncCtrl Class) - https://login.orange.fr/captcha?return_url=https%3A%2F%2Fmescontacts.orange.fr
      O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) -
      O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
      O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - http://webmail-lhr.expeditors.com/...
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111847736609
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
      O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - https://www.epson.eu/support/
      O16 - DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} - http://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
      O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
      O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://livekuva.suomi.net/activex/AMC.cab
      O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - http://webmail-lhr.expeditors.com/...
      O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
      O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
      O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
      O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
      O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
      O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
      O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: Super Ad Blocker (SABSVC) - SuperAdBlocker.com - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
      O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
      0
  19. chimay8 Posts: 7947 Status: Security contributor 60
     
    Actually they were in System Restore,
    so inactive as long as no restore is done; but in any case I have System Restore cleaned at the end of the disinfection.

    This is what worries me:

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
    \Shell\Open\command - d:\resycled\ntldr.com d:

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
    \Shell\Open\command - e:\resycled\ntldr.com e:

    I need to look into it.

    Wait a bit until I get an answer and I'll tell you what to do.
    0
    1. Charliek
       
      OK thanks, I'll wait for your info.
      0
  20. chimay8 Posts: 7947 Status: Security contributor 60
     
    Copy the text below:

    File::
    d:\resycled\ntldr.com
    e:\resycled\ntldr.com

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:

    Open Notepad and paste the copied text.
    (Start\All Programs\Accessories\Notepad.)
    Save this file (on the desktop) under the name CFScript.txt

    Now drag the CFScript.txt file onto Combofix.exe like this:
    http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

    This will relaunch Combofix.

    A blue window will appear: at the prompt that appears (Type 1 to continue, or 2 to abort), type 1 and press Enter.

    Wait while the scan runs. The desktop will disappear several times: that's normal!

    Don't touch anything until the scan is finished.

    After the reboot, post the contents of the Combofix.txt report along with a HijackThis report.

    If there is no reboot, post the reports anyway.
    0
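As an added example for the two posts above (not chimay8's or ComboFix's own code), here is a small Python checker that parses a MountPoints2 dump in the shape chimay8 quoted, flags per-drive AutoRun/Open handlers that run a file stored on the mounted volume itself or that go through RunDLL32 Shell32.DLL,ShellExec_RunDLL, and renders the same File:: / Registry:: stanza layout as the CFScript. The sample dump, the benign F: entry (a placeholder path) and all function names are assumptions.

```python
"""Detect hijacked per-drive AutoRun handlers under HKCU\\...\\Explorer\\MountPoints2.

Added example for this thread, not chimay8's or ComboFix's code. It parses a
text dump shaped like the registry excerpt posted above, flags handlers that
execute a file living on the mounted volume itself, and renders File:: /
Registry:: stanzas in the layout used by the CFScript in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same layout as the thread excerpt. The F: entry is
# a made-up benign handler (placeholder path) so the checker has a negative case.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
\Shell\Open\command - d:\resycled\ntldr.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
\Shell\Open\command - e:\resycled\ntldr.com e:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - "c:\program files\example vendor\autoplay.exe" /drive f:
"""

MOUNTPOINTS2 = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"
KEY_RE = re.compile(r"^\[" + re.escape(MOUNTPOINTS2) + r"\\([^\]]+)\]$", re.IGNORECASE)
HANDLER_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # a quoted argument or a bare word
EXEC_EXTS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs")
LOADERS = {"rundll32.exe", "cmd.exe"}  # host binaries, never the payload itself


@dataclass
class Finding:
    drive: str            # key name: a drive letter or a volume GUID
    verb: str             # AutoRun, Open, ...
    command: str
    targets: List[str]    # executable-looking arguments, made absolute where possible
    reasons: List[str]


def _executables(command: str) -> List[str]:
    """Executable-looking arguments of a command line, skipping the host loader."""
    found = []
    for m in TOKEN_RE.finditer(command):
        tok = m.group(1) if m.group(1) is not None else m.group(2)
        name = tok.rsplit("\\", 1)[-1].lower()
        if name in LOADERS or not name.endswith(EXEC_EXTS):
            continue
        found.append(tok)
    return found


def _on_volume(path: str, drive: str) -> bool:
    """True when the path resolves onto the volume the handler belongs to.

    Absolute paths are compared by drive letter. A relative path is resolved
    against the root of the volume being opened, so it lives there as well.
    """
    p = path.lower()
    if re.match(r"^[a-z]:", p):
        return len(drive) == 1 and p[0] == drive.lower()
    return not p.startswith("\\\\")  # UNC paths point elsewhere


def _absolute(path: str, drive: str) -> str:
    """Render a relative volume path as <drive>:\\path for reporting."""
    if re.match(r"^[a-z]:", path, re.IGNORECASE) or path.startswith("\\\\"):
        return path
    rel = path.lstrip("\\")
    return drive.lower() + ":\\" + rel


def scan_mountpoints(dump: str) -> List[Finding]:
    """Walk the dump key by key and flag suspicious per-drive shell handlers."""
    findings: List[Finding] = []
    drive: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            drive = key.group(1)
            continue
        handler = HANDLER_RE.match(line)
        if not handler or drive is None:
            continue
        verb, command = handler.group(1), handler.group(2)
        exes = _executables(command)
        reasons = []
        if "shellexec_rundll" in command.lower():
            reasons.append("launch is indirected through RunDLL32 Shell32.DLL,ShellExec_RunDLL")
        if any(_on_volume(e, drive) for e in exes):
            reasons.append("handler runs a file stored on the mounted volume itself")
        if reasons:
            findings.append(Finding(drive, verb, command,
                                    [_absolute(e, drive) for e in exes], reasons))
    return findings


def cfscript(findings: List[Finding]) -> str:
    """Render File:: / Registry:: stanzas in the layout used by the thread's CFScript."""
    files: List[str] = []
    keys: List[str] = []
    for f in findings:
        for t in f.targets:
            if t not in files:
                files.append(t)
        key = "[-" + MOUNTPOINTS2 + "\\" + f.drive + "]"
        if key not in keys:
            keys.append(key)
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(keys) + "\n"


if __name__ == "__main__":
    hits = scan_mountpoints(SAMPLE_DUMP)
    for h in hits:
        print(f"{h.drive}: \\Shell\\{h.verb}\\command -> {h.targets} ({'; '.join(h.reasons)})")
    print(cfscript(hits))
```

On the constructed dump the D: and E: handlers are reported and the F: handler is not, and the rendered stanza lists the two ntldr.com paths and the two `[-...\mountpoints2\X]` keys.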
    1. Charliek
       
      So here it is (there was no automatic reboot):

      Combo:
      ComboFix 09-01-21.02 - Arnaud Meunier 2009-01-22 14:11:36.3 - NTFSx86
      Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.1023.538 [GMT 1:00]
      Lancé depuis: c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\ComboFix.exe
      Commutateurs utilisés :: c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\CFScript.txt
      AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
      AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
      AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
      * Un nouveau point de restauration a été créé

      FILE ::
      d:\resycled\ntldr.com
      e:\resycled\ntldr.com
      .

      ((((((((((((((((((((((((((((( Fichiers créés du 2008-12-22 au 2009-01-22 ))))))))))))))))))))))))))))))))))))
      .

      2009-01-22 13:04 . 2009-01-22 13:04 172 --a------ C:\curr_ver.tmp
      2009-01-21 17:47 . 2009-01-21 18:05 <REP> d-------- c:\program files\CCleaner
      2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
      2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Malwarebytes
      2009-01-21 12:21 . 2009-01-21 12:21 <REP> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
      2009-01-21 12:21 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
      2009-01-21 12:21 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
      2009-01-21 12:18 . 2009-01-21 12:18 <REP> d-------- c:\program files\Trend Micro
      2009-01-21 09:24 . 2009-01-21 09:24 <REP> d-------- c:\program files\iLike
      2009-01-20 20:11 . 2009-01-20 20:11 2 --a------ C:\1684826783
      2009-01-20 20:10 . 2009-01-20 20:10 108,336 --a------ c:\windows\system32\mswinsck.ocx
      2009-01-19 16:35 . 2009-01-19 16:35 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Library
      2009-01-19 16:35 . 2009-01-19 16:35 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.ExMan
      2009-01-19 15:50 . 2009-01-19 15:50 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
      2009-01-19 14:25 . 2009-01-19 15:11 <REP> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet
      2009-01-19 14:04 . 2008-04-07 05:38 45,392 -ra------ c:\windows\system32\AdobePDF.dll
      2009-01-19 14:04 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
      2009-01-19 12:03 . 2009-01-19 13:24 <REP> d-------- c:\program files\Adobe CS4
      2009-01-17 18:56 . 2009-01-17 18:56 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Todae
      2009-01-15 19:18 . 2009-01-15 19:18 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Expeditors
      2009-01-03 15:44 . 2009-01-03 16:13 <REP> d-------- c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\???????sAppData
      2009-01-03 15:43 . 2009-01-03 15:43 391 --a------ c:\windows\COVERE~1.INI
      2008-12-29 08:04 . 2008-12-08 17:01 55,136 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
      2008-12-29 08:01 . 2008-12-29 08:01 <REP> d-------- c:\program files\Windows Live SkyDrive
      2008-12-29 08:01 . 2008-12-29 08:04 <REP> d-------- c:\program files\Microsoft

      .
      (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-01-22 12:20 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
      2009-01-22 11:34 --------- d-----w c:\program files\Wanadoo
      2009-01-22 11:33 13,440 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
      2009-01-22 11:10 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition classic
      2009-01-21 16:57 --------- d-----w c:\program files\Fichiers communs\Real
      2009-01-21 16:55 --------- d-----w c:\program files\Veetle
      2009-01-21 13:08 --------- d-----w c:\program files\QuickTime
      2009-01-21 12:41 --------- d-----w c:\program files\eMule
      2009-01-20 22:35 --------- d-----w c:\program files\Fichiers communs\Adobe
      2009-01-20 19:12 --------- d-----w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\uTorrent
      2009-01-19 12:29 --------- d-----w c:\program files\Fichiers communs\Macrovision Shared
      2009-01-19 11:38 --------- d-----w c:\program files\Windows Media Connect 2
      2009-01-19 11:37 --------- d-----w c:\program files\Make bootable flashcards
      2009-01-19 10:52 --------- d-----w c:\program files\Final Draft 7
      2009-01-19 10:52 --------- d-----w c:\program files\DivX
      2009-01-17 14:27 --------- d-----w c:\program files\Macromedia
      2008-12-29 07:04 --------- d-----w c:\program files\Windows Live
      2008-12-28 20:44 --------- d-----w c:\program files\Fichiers communs\Wise Installation Wizard
      2008-12-21 12:15 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
      2008-12-21 12:11 --------- d-----w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\360desktop
      2008-12-16 12:32 410,984 ----a-w c:\windows\system32\deploytk.dll
      2008-12-16 12:32 --------- d-----w c:\program files\Java
      2008-12-14 16:16 --------- d-----w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\Synthesia
      2008-12-13 14:07 --------- d-----w c:\program files\SpywareBlaster
      2008-12-13 14:05 --------- d-----w c:\program files\Apple Software Update
      2008-12-13 14:01 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
      2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
      2008-12-04 23:11 308,584 ----a-w c:\windows\WLXPGSS.SCR
      2008-12-02 21:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
      2008-12-02 20:25 --------- d-----w c:\program files\VstPlugins
      2008-12-02 20:25 --------- d-----w c:\program files\Outsim
      2008-12-02 20:25 --------- d-----w c:\program files\Image-Line
      2008-12-02 20:25 --------- d-----w c:\program files\ASIO4ALL v2
      2008-12-02 19:22 290,816 ----a-w c:\windows\system32\PVE_Lite.dll
      2008-12-02 19:20 --------- d-----w c:\program files\Prodipe
      2008-11-16 18:45 48,396 ----a-w c:\windows\UninstVeetleTVPlayer.exe
      2008-11-04 18:50 270,128 ----a-w c:\program files\utorrent.exe
      2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
      2008-09-12 19:55 137,399 ----a-w c:\program files\CS4 Design Premium — Lisez-moi.pdf
      2008-01-19 15:59 869,376 ----a-w c:\program files\Printkey2000.exe
      2006-12-15 06:10 66,608 ----a-w c:\documents and settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\GDIPFONTCACHEV1.DAT
      2003-05-07 12:52 657 ----a-w c:\program files\Advanced MP3 Converter v1.81.txt
      2003-05-02 16:15 1,616,269 ----a-w c:\program files\advanced-mp3-converter.exe
      1999-05-05 13:49 463,872 ----a-w c:\program files\Convert.exe
      2008-09-20 16:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008092020080921\index.dat
      .

      ------- Sigcheck -------

      .
      ((((((((((((((((((((((((((((( snapshot@2009-01-22_ 9.49.57,87 )))))))))))))))))))))))))))))))))))))))))
      .
      + 2009-01-22 11:33:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_90.dat
      .
      ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "WOOKIT"="c:\program files\Wanadoo\Shell.exe" [2004-08-23 122880]
      "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
      "Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]
      "Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-04-02 1424648]
      "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2008-12-19 1434864]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
      "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
      "UMonit"="c:\windows\system32\umonit.exe" [2005-08-06 53248]
      "WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2004-08-23 20480]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
      "PVE_Lite"="c:\program files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe" [2008-12-02 856064]
      "CHotkey"="mHotkey.exe" [2002-07-23 c:\windows\mHotkey.exe]
      "Dit"="Dit.exe" [2004-04-02 c:\windows\Dit.exe]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
      "iLike"="c:\program files\iLike\1.2.11\ilikesidebar.exe" [2008-09-11 63024]

      c:\documents and settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\
      Lancer le Gestionnaire Internet.lnk - c:\program files\Wanadoo\GestMAJ.exe [2008-08-05 32768]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "VIDC.ACDV"= ACDV.dll
      "midi"= PVE_Lite.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
      --a------ 2008-06-11 22:43 640376 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
      --a------ 2008-06-12 02:25 37232 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\FileZilla\\FileZilla.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\WINDOWS\\system32\\dxdiag.exe"=
      "c:\\Program Files\\Fichiers communs\\Ahead\\Nero Web\\SetupX.exe"=
      "c:\\Program Files\\Fichiers communs\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
      "c:\\Program Files\\sina\\SAP\\SAPlatform.exe"=
      "c:\\WINDOWS\\system32\\dpvsetup.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=
      "c:\\WINDOWS\\system32\\sessmgr.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

      R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2006-01-31 22336]
      R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2006-01-31 45376]
      R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2006-11-19 13440]
      R3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-06-25 1390976]
      R4 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2008-12-29 55136]
      R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
      S1 7c5c634b;7c5c634b;c:\windows\system32\drivers\7c5c634b.sys --> c:\windows\system32\drivers\7c5c634b.sys [?]
      S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
      S3 Defender;Defender;\??\c:\program files\SinEspias\Defender.sys --> c:\program files\SinEspias\Defender.sys [?]
      S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2007-01-13 6656]
      S3 fsssvc;Windows Live Contrôle parental;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
      S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2006-08-12 87824]
      S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2006-08-11 85696]
      S3 WlanUIG;Sagem 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [2004-11-18 379456]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
      \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com d:
      \Shell\Open\command - d:\resycled\ntldr.com d:

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
      \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
      \Shell\Open\command - e:\resycled\ntldr.com e:

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
      "c:\program files\Fichiers communs\LightScribe\LSRunOnce.exe"
      .
      Contenu du dossier 'Tâches planifiées'

      2009-01-22 c:\windows\Tasks\MP Scheduled Scan.job
      - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

      2009-01-18 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
      - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 08:50]

      2008-05-23 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
      - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 08:50]

      2008-05-23 c:\windows\Tasks\Uniblue SpyEraser.job
      - c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 08:50]

      2006-01-14 c:\windows\Tasks\XoftSpy.job
      - c:\program files\XoftSpy\XoftSpy.exe []
      .
      .
      ------- Examen supplémentaire -------
      .
      uStart Page = hxxp://www.criticsonline.org/
      IE: { - c:\program files\Messenger\msmsgs.exe
      Trusted Zone: expeditors.com\webmail-lhr
      DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} - hxxp://contacts.orange.fr/wfr_webab/VoxsyncX.cab
      DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} - hxxp://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
      DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://livekuva.suomi.net/activex/AMC.cab
      .

      **************************************************************************

      catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-01-22 14:12:53
      Windows 5.1.2600 Service Pack 3 NTFS

      Recherche de processus cachés ...

      Recherche d'éléments en démarrage automatique cachés ...

      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      UMonit = c:\windows\system32\umonit.exe?ixustor.sys??_0fce&Pi??????$?I_01??658???B\?O???????????????????????????w??????????????P?l??????|p??|????m??|C??w??????????$?B$?|???w???w*?,???$????????????????????????????????w??????????????P?????T???~?P???????P???P????????

      Recherche de fichiers cachés ...

      Scan terminé avec succès
      Fichiers cachés: 0

      **************************************************************************
      .
      --------------------- CLES DE REGISTRE BLOQUEES ---------------------

      [HKEY_USERS\S-1-5-21-1957994488-484061587-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\USB\Vid_0db0&Pid_4011\AAAA12345678\LogConf]
      @DACL=(02 0000)
      .
      Heure de fin: 2009-01-22 14:14:59
      ComboFix-quarantined-files.txt 2009-01-22 13:14:57
      ComboFix2.txt 2009-01-22 08:51:09
      ComboFix3.txt 2009-01-21 21:34:54

      Avant-CF: 46 745 894 912 octets libres
      Après-CF: 46,730,637,312 octets libres

      WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Édition familiale" /fastdetect /NoExecute=OptIn

      239 --- E O F --- 2009-01-21 22:21:23

      Hijack :
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 14:18:12, on 22/01/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16762)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\nslsvice.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      C:\WINDOWS\system32\drivers\CDAC11BA.EXE
      C:\WINDOWS\System32\FTRTSVC.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
      C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
      C:\Program Files\lotus\notes\ntmulti.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\mHotkey.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      C:\WINDOWS\Dit.exe
      C:\WINDOWS\system32\umonit.exe
      C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\Wanadoo\GestionnaireInternet.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Wanadoo\ComComp.exe
      C:\PROGRA~1\Wanadoo\Toaster.exe
      C:\PROGRA~1\Wanadoo\Inactivity.exe
      C:\PROGRA~1\Wanadoo\PollingModule.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
      C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\wbem\wmiapsrv.exe
      C:\Program Files\Wanadoo\Watch.exe
      C:\WINDOWS\system32\LVComsX.exe
      C:\WINDOWS\explorer.exe
      C:\Program Files\internet explorer\iexplore.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.criticsonline.org/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
      O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
      O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [Dit] Dit.exe
      O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
      O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [PVE_Lite] "C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe"
      O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
      O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
      O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O4 - Global Startup: Lancer le Gestionnaire Internet.lnk = C:\Program Files\Wanadoo\GestMAJ.exe
      O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
      O15 - Trusted Zone: http://webmail-lhr.expeditors.com
      O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
      O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
      O16 - DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} (VoxsyncCtrl Class) - https://login.orange.fr/captcha?return_url=https%3A%2F%2Fmescontacts.orange.fr
      O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) -
      O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
      O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - http://webmail-lhr.expeditors.com/...
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111847736609
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
      O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - https://www.epson.eu/support/
      O16 - DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} - http://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
      O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
      O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://livekuva.suomi.net/activex/AMC.cab
      O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - http://webmail-lhr.expeditors.com/...
      O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
      O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
      O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
      O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
      O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
      O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
      O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: Super Ad Blocker (SABSVC) - SuperAdBlocker.com - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
      O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
      0
  21. chimay8 Posts 7947 Status Security contributor 60
     
    No.

    Rerun MBAM, do a full scan and delete everything it finds.

    Don't forget to post the report.
    0
    1. Charliek
       
      OK, I just saw your last message. MBAM is running... I'll keep you posted!
      0
      1. Charliek > Charliek
         
        Re,

        While MBAM was running, Antivir detected several Trojans:

        TR/Crypt.Xpack.Gen (3 times, on C, E and D, the three hard drives)
        SPR/Tool.Hide.A (2 times, on C)

        Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
        detected in file 'D:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175917.com.
        Action performed: Deny access

        22/01/2009 22:45 [Guard] Malware found
        Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
        detected in file 'E:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175919.com.
        Action performed: Deny access

        Virus or unwanted program 'SPR/Tool.Hide.A [riskware]'
        detected in file 'C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1343\A0176337.exe.
        Action performed: Deny access

        Virus or unwanted program 'SPR/Tool.Hide.A [riskware]'
        detected in file 'C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1342\A0176287.exe.
        Action performed: Deny access

        Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
        detected in file 'C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175914.com.
        Action performed: Deny access


        Here is the MBAM report as well; I deleted the two files.

        Malwarebytes' Anti-Malware 1.33
        Version de la base de données: 1673
        Windows 5.1.2600 Service Pack 3

        22/01/2009 22:49:41
        mbam-log-2009-01-22 (22-49-41).txt

        Type de recherche: Examen complet (C:\|D:\|E:\|)
        Eléments examinés: 294778
        Temps écoulé: 3 hour(s), 31 minute(s), 31 second(s)

        Processus mémoire infecté(s): 0
        Module(s) mémoire infecté(s): 0
        Clé(s) du Registre infectée(s): 0
        Valeur(s) du Registre infectée(s): 0
        Elément(s) de données du Registre infecté(s): 0
        Dossier(s) infecté(s): 0
        Fichier(s) infecté(s): 2

        Processus mémoire infecté(s):
        (Aucun élément nuisible détecté)

        Module(s) mémoire infecté(s):
        (Aucun élément nuisible détecté)

        Clé(s) du Registre infectée(s):
        (Aucun élément nuisible détecté)

        Valeur(s) du Registre infectée(s):
        (Aucun élément nuisible détecté)

        Elément(s) de données du Registre infecté(s):
        (Aucun élément nuisible détecté)

        Dossier(s) infecté(s):
        (Aucun élément nuisible détecté)

        Fichier(s) infecté(s):
        C:\Qoobox\Quarantine\C\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Application Data\_4f2bbb3471001f5bd7db6d2d8f3817e4\down\924184482285.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1342\A0176171.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

        What can I do now?
        0
      2. Charliek > Charliek
         
        Hello,

        So I reran a full Antivir scan, which again reports infected files in C, D & E.

        I saw that some people seemed to have solved this by disabling/re-enabling System Restore and creating a new restore point. Does that really work?

        Start of the scan: vendredi 23 janvier 2009 08:56

        The scan of running processes will be started
        Scan process 'avscan.exe' - '1' Module(s) have been scanned
        Scan process 'Watch.exe' - '1' Module(s) have been scanned
        Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
        Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
        Scan process 'ALERTM~1.EXE' - '1' Module(s) have been scanned
        Scan process 'PollingModule.exe' - '1' Module(s) have been scanned
        Scan process 'Inactivity.exe' - '1' Module(s) have been scanned
        Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
        Scan process 'Toaster.exe' - '1' Module(s) have been scanned
        Scan process 'ComComp.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
        Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
        Scan process 'SpyEraser.exe' - '1' Module(s) have been scanned
        Scan process 'GestionnaireInternet.exe' - '1' Module(s) have been scanned
        Scan process 'SpeedUpMyPC.exe' - '1' Module(s) have been scanned
        Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
        Scan process 'PVE_GMMode_Lite.exe' - '1' Module(s) have been scanned
        Scan process 'umonit.exe' - '1' Module(s) have been scanned
        Scan process 'Dit.exe' - '1' Module(s) have been scanned
        Scan process 'avgnt.exe' - '1' Module(s) have been scanned
        Scan process 'mHotkey.exe' - '1' Module(s) have been scanned
        Scan process 'explorer.exe' - '1' Module(s) have been scanned
        Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned
        Scan process 'alg.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
        Scan process 'ntmulti.exe' - '1' Module(s) have been scanned
        Scan process 'mdm.exe' - '1' Module(s) have been scanned
        Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
        Scan process 'jqs.exe' - '1' Module(s) have been scanned
        Scan process 'FTRTSVC.exe' - '1' Module(s) have been scanned
        Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
        Scan process 'avguard.exe' - '1' Module(s) have been scanned
        Scan process 'sched.exe' - '1' Module(s) have been scanned
        Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
        Scan process 'SABSVC.EXE' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'svchost.exe' - '1' Module(s) have been scanned
        Scan process 'nsl.exe' - '1' Module(s) have been scanned
        Scan process 'nslsvice.exe' - '1' Module(s) have been scanned
        Scan process 'lsass.exe' - '1' Module(s) have been scanned
        Scan process 'services.exe' - '1' Module(s) have been scanned
        Scan process 'winlogon.exe' - '1' Module(s) have been scanned
        Scan process 'csrss.exe' - '1' Module(s) have been scanned
        Scan process 'smss.exe' - '1' Module(s) have been scanned
        50 processes with 50 modules were scanned

        Starting master boot sector scan:
        Master boot sector HD0
        [INFO] No virus was found!
        Master boot sector HD1
        [INFO] No virus was found!
        [WARNING] System error [21]: Le périphérique n'est pas prêt.
        Master boot sector HD2
        [INFO] No virus was found!
        [WARNING] System error [21]: Le périphérique n'est pas prêt.
        Master boot sector HD3
        [INFO] No virus was found!
        [WARNING] System error [21]: Le périphérique n'est pas prêt.
        Master boot sector HD4
        [INFO] No virus was found!
        [WARNING] System error [21]: Le périphérique n'est pas prêt.

        Start scanning boot sectors:
        Boot sector 'C:\'
        [INFO] No virus was found!
        Boot sector 'D:\'
        [INFO] No virus was found!
        Boot sector 'E:\'
        [INFO] No virus was found!

        Starting to scan the registry.
        The registry was scanned ( '60' files ).


        Starting the file scan:

        Begin scan in 'C:\' <BOOT>
        C:\pagefile.sys
        [WARNING] The file could not be opened!
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1\Local Settings\Temporary Internet Files\Content.IE5\OFNZAGXP\enavweb[1].cab
        [0] Archive type: CAB (Microsoft)
        --> navex32a.dll
        [WARNING] No further files can be extracted from this archive. The archive will be closed
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1\Local Settings\Temporary Internet Files\Content.IE5\OFNZAGXP\enavweb[2].cab
        [0] Archive type: CAB (Microsoft)
        --> navex32a.dll
        [WARNING] No further files can be extracted from this archive. The archive will be closed
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\ComboFix.exe
        [0] Archive type: RAR SFX (self extracting)
        --> 32788R22FWJFW\hidec.exe
        [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
        [WARNING] The file was ignored!
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\IS\SmitfraudFix\Agent.OMZ.Fix.exe
        [DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
        [WARNING] The file was ignored!
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\IS\SmitfraudFix\Reboot.exe
        [DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
        [WARNING] The file was ignored!
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Bureau\IS\SmitfraudFix\restart.exe
        [DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
        [WARNING] The file was ignored!
        C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175914.com
        [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
        [NOTE] The file was moved to '49aa8b04.qua'!
        C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175949.com
        [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
        [NOTE] The file was moved to '49aa8b1d.qua'!
        C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1342\A0176270.exe
        [0] Archive type: RAR SFX (self extracting)
        --> 32788R22FWJFW\hidec.exe
        [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
        [NOTE] The file was moved to '49aa8bc5.qua'!
        C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1342\A0176287.exe
        [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
        [NOTE] The file was moved to '49aa8bdf.qua'!
        C:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1343\A0176337.exe
        [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
        [NOTE] The file was moved to '49aa8bf7.qua'!
        C:\System Volume Information\_restore{A61B6F04-AF7F-45C2-99EF-530A20F7F002}\RP44\A0007472.exe
        [0] Archive type: CAB SFX (self extracting)
        --> Readme\porrme.txt
        [WARNING] No further files can be extracted from this archive. The archive will be closed
        Begin scan in 'D:\' <BACKUP>
        D:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175917.com
        [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
        [NOTE] The file was moved to '49aa9321.qua'!
        D:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175952.com
        [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
        [NOTE] The file was moved to '49aa933a.qua'!
        D:\Tools\eTrust Antivirus\eAV_S.Win\AlertCab.exe
        [0] Archive type: RSRC
        --> Object
        [1] Archive type: CAB (Microsoft)
        --> alert.exe
        [WARNING] No further files can be extracted from this archive. The archive will be closed
        D:\Tools\eTrust Antivirus\eAV_S.Win\Cpackage.exe
        [0] Archive type: RSRC
        --> Object
        [1] Archive type: CAB (Microsoft)
        --> AVH32DLL.DLL
        [WARNING] No further files can be extracted from this archive. The archive will be closed
        Begin scan in 'E:\' <RECOVER>
        E:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175919.com
        [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
        [NOTE] The file was moved to '49aa945d.qua'!
        E:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1334\A0175954.com
        [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
        [NOTE] The file was moved to '49aa9470.qua'!
        E:\System Volume Information\_restore{06F68E53-00BC-4B00-AF56-317698F0D65B}\RP1338\A0175958.com
        [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
        [NOTE] The file was moved to '49aa9483.qua'!

        Malwarebytes in quick scan mode finds nothing.

        SpyEraser in Deep Scan mode turns up two registry infections:

        Start Date:January 23, 2009 at 11:08:26AM

        End Date:January 23, 2009 at 11:27:43AM

        Total Time:19 Mins 17 Secs
        Detected Infections

        Cookie.SmartAdServer.com

        Status:Removed
        Category: Tracking Cookie

        Infected Cookies
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Cookies\arnaud_meunier@smartadserver[2].txt

        Cookie.Weborama

        Status:Removed
        Category: Tracking Cookie
        Infected Cookies
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Cookies\arnaud_meunier@weborama[1].txt
        Cookie.Tracking-Cookie
        Details: A Tracking Cookie is any cookie that is installed on a computer to save and access various activities of the user. It may be used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and scrutinize visitors' navigation and use of web site features. It can also count the number of visitors to web sites and allow web surfers to use virtual "shopping carts". All this information is saved for future target advertising and marketing campaigns by various internet Advertising and Marketing companies. Though these cookies do not pose immediate threats but they can be misused to capture confidential information like user names and passwords.
        Status:Removed
        Category: Tracking Cookie
        Infected Cookies
        C:\Documents and Settings\Arnaud Meunier.ARNAUD-PC1.000\Cookies\arnaud_meunier@xiti[1].txt
        Malware (General Components)
        Details: Malware is a malicious program that is developed to seriously harm and damage the targeted system and may be installed on it without the knowledge or consent of the user. It can change system settings, corrupt the registry and destroy personal data. The Programs that cannot be classified in other categories or carry more than one traits which belong to different categories have been categorized under this categories.
        Status:Removed
        Category: Malware (General)Infected registry keys/values detected
        hkey_local_machine\software\microsoft\windows\currentversion\control panel\load\
        hkey_local_machine\software\microsoft\windows\currentversion\policies\system\disableregistrytools\

        HijackThis:
        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 11:32:27, on 23/01/2009
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16762)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\nslsvice.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Windows Defender\MsMpEng.exe
        C:\WINDOWS\System32\svchost.exe
        D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
        C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
        C:\WINDOWS\system32\drivers\CDAC11BA.EXE
        C:\WINDOWS\System32\FTRTSVC.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
        C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\lotus\notes\ntmulti.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\wbem\wmiapsrv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\mHotkey.exe
        C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
        C:\WINDOWS\Dit.exe
        C:\WINDOWS\system32\umonit.exe
        C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe
        C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
        C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
        C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe
        C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Windows Media Player\WMPNSCFG.exe
        C:\WINDOWS\System32\svchost.exe
        C:\PROGRA~1\Wanadoo\ComComp.exe
        C:\PROGRA~1\Wanadoo\Toaster.exe
        C:\PROGRA~1\Wanadoo\Inactivity.exe
        C:\PROGRA~1\Wanadoo\PollingModule.exe
        C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
        C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
        C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
        C:\PROGRA~1\Wanadoo\Watch.exe
        C:\Program Files\internet explorer\iexplore.exe
        C:\Program Files\internet explorer\iexplore.exe
        C:\Program Files\Java\jre6\bin\java.exe
        C:\WINDOWS\system32\notepad.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.criticsonline.org/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
        O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
        O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
        O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
        O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
        O4 - HKLM\..\Run: [Dit] Dit.exe
        O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
        O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [PVE_Lite] "C:\Program Files\Prodipe\Prodipe\PVE_Lite\PVE_GMMode_Lite.exe"
        O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
        O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
        O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
        O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
        O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
        O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
        O4 - Global Startup: Lancer le Gestionnaire Internet.lnk = C:\Program Files\Wanadoo\GestMAJ.exe
        O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
        O15 - Trusted Zone: http://webmail-lhr.expeditors.com
        O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
        O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
        O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
        O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
        O16 - DPF: {3E82BB3F-ABE4-458D-9281-0187286A4E51} (VoxsyncCtrl Class) - https://login.orange.fr/captcha?return_url=https%3A%2F%2Fmescontacts.orange.fr
        O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) -
        O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
        O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - http://webmail-lhr.expeditors.com/...
        O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111847736609
        O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
        O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
        O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - https://www.epson.eu/support/
        O16 - DPF: {7DA181BB-EF8D-4A7E-8C53-7BFC718EF71D} - http://photos.wanadoo.fr/al/presentation/pc/resources/activex/Ephoto.cab
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://livekuva.suomi.net/activex/AMC.cab
        O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - http://webmail-lhr.expeditors.com/...
        O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
        O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
        O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
        O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
        O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
        O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
        O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
        O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
        O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
        O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
        O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Super Ad Blocker (SABSVC) - SuperAdBlocker.com - D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
        O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
        O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe