Lecture résumé HIJACKTHIS - Page 6

Précédent
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
Réponse 101 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Bonour,

le pc infecté est toujours déconnecté d'Internet ?

Tu as la liste des 54 fichiers infectés ?
0
Réponse 102 / 123
ROSALLY Messages postés 80 Statut Membre
 
RE

OUI le pc concerné est tjrs deconecter d'internet
Je travail avec clé USB pour transferer les rapports

ci-après rapport de Malwarebytes anti-Malware
avec ça => Clé(s) du Registre infectée(s): 54

Malwarebytes' Anti-Malware 1.34
Version de la base de données: 1782
Windows 5.1.2600 Service Pack 3

04/03/2009 09:57:05
mbam-log-2009-03-04 (09-57-05).txt

Type de recherche: Examen rapide
Eléments examinés: 62507
Temps écoulé: 3 minute(s), 28 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 54
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.exe (Security.Hijack) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)
0
Réponse 103 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Re,

Télécharger GMER ( http://www2.gmer.net/gmer.zip )
Extraire le contenu du ZIP puis renommer "gmer.exe" en "bypass.exe"
Onglet "Rootkit" ; cliquez sur "SCAN" puis patienter...
En fin de traitement cliquez sur "SAVE" et enregistrer sur votre bureau "040309.txt"
Double cliquez sur "040309.txt" ; le fichier s'ouvre dans le bloc-notes.
Copiez le contenu et collez le sur votre prochain message.
0
Réponse 104 / 123
ROSALLY Messages postés 80 Statut Membre
 
re lyonnais

as tu vu mon message nbr 117
Merci
0

Vous n’avez pas trouvé la réponse que vous recherchez ?

Posez votre question
Réponse 105 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Re,

oui, j'avais lu.

mais comme l'ordi est déconnecté, je n'ai pas besoin de vérifier le fichier Hosts.

Le mécanisme de réinfection est dans l'ordi. Il faut que je le trouve.

De quand date le tout début de tes ennuis ?
0
Réponse 106 / 123
ROSALLY Messages postés 80 Statut Membre
 
Re bonjour
ci apres rapport de GMER

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-04 14:22:41
Windows 5.1.2600 Service Pack 3

---- Kernel code sections - GMER 1.0.14 ----

? C:\ComboFix\catchme.sys Le fichier spécifié est introuvable. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Le fichier spécifié est introuvable. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2344] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2344] USER32.dll!MessageBoxA 7E3D07EA 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2344] USER32.dll!MessageBoxW 7E3E6534 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (FileSpy Filter Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (FileSpy Filter Driver/Windows (R) 2000 DDK provider)

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR

---- Files - GMER 1.0.14 ----

ADS C:\System Volume Information\_restore{27EBFB7B-BBBC-4581-83AC-C2A9C09C8DD1}\RP1072\A0233988.exe:ext.exe 32256 bytes executable
File C:\WINDOWS\WinShell.\daemon.exe 36864 bytes executable

---- EOF - GMER 1.0.14 ----
0
Réponse 107 / 123
ROSALLY Messages postés 80 Statut Membre
 
RE BONJOUR

je pense que je commencais a me rendre compte début Février
je me rappel un jour j'ai fais une restauration en date du le 01/02/09
0
Réponse 108 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Re,

des nouveautés (dont ADS sur la restauration système !)

=============
Ouvre Hijackthis (cherche C:\Program Files\trend micro\Jonas.exe par l'explorateur windows et fais un double clic)

Choisi Open the misc tools section.

Clique sur Open ADS Spy

Vérifie que Quick scan et calculate MD5 sont cochés.

Clique sur scan.

En fin de scan, clique sur save log.

Donne lui un nom, édite le avec le Bloc-notes et poste son contenu ici.

0
Réponse 109 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Re,

j'avais oublié des choses à supprimer.

Copie ou imprime les instructions avant.

Déconnecte toi d'internet et ferme toutes tes applications.

Désactive tes protections (antivirus, parefeu, garde en temps réel de l'antispyware)

Crée un nouveau document texte : clic droit de souris sur le bureau > Nouveau > Document Texte, et copie dedans les lignes suivantes :

KillAll::

RootKit::
c:\windows\Fonts\TIMPIatform.exe
c:\windows\Fonts\hdvlediv.dll
c:\windows\Fonts\wuauclt.exe
c:\windows\Fonts\zwkytzhe.dll
c:\windows\Fonts\qwinvafv.dll
c:\windows\Fonts\gzdnf01.dat
c:\windows\Fonts\GBUNHAK.nls
c:\windows\Fonts\ktuxlvyx.dll
c:\windows\Fonts\guhfpzpq.dll
c:\windows\Fonts\note.exe
c:\windows\TEMPIadHide3.dll
c:\program files\HJTInstall.7z
%System%\waudfe.exe
%System%\drivers\npf.sys
%System%\npptools.dll
%System%\Packet.dll
%System%\WanPacket.dll
%System%\wpcap.dll
%System%\dllcache\spoolsv.exe
c:\windows\system32\drivers\pnpmem.sys
c:\windows\battc.sys
c:\windows\system32\drivers\acpiec.sys
E:\CC.PIF
c:\program files\bccd.pif
c:\windows\system32\wauefe.exe
c:\windows\system32\wauefe.exe.vzr
c:\windows\tmp.dat
c:\windows\sys.ini
c:\windows\system32\drivers\pnpmem.s¬ys
c:\windows\system32\ormsgse.axz
c:\windows\system32\exlds.ini
c:\windows\system32\D64374E8.dll
c:\windows\system32\D64374E8.cfg
c:\windows\winyyy.sys
c:\windows\system32\201476D0.dll
c:\windows\system32\72B29486.dll
c:\windows\system32\91C7DF6D.dll.vzr
c:\windows\system32\91C7DF6D.cfg
c:\windows\system32\waudfe.exe
c:\windows\setupapi.log.3.old
c:\windows\system32\72B29486.cfg
c:\windows\winsys.inf
%FontsDir%\twabramn.nls
c:\windows\system32\eojcjojj.dll
c:\windows\system32\hbofjcgd.dll
c:\windows\system32\cpkhiooa.dll
c:\windows\system32\wauefe.exe.vzr
c:\windows\tmp.dat
c:\windows\sys.ini
c:\windows\system32\ormsgse.axz
c:\windows\system32\exlds.ini
c:\windows\system32\D64374E8.cfg
C:\zasuiteSetup_en.exe
c:\windows\system32\91C7DF6D.cfg
c:\windows\setupapi.log.3.old
c:\windows\system32\72B29486.cfg
c:\windows\winsys.inf
C:\mbam-log-2009-02-20 (21-42-58)VIRUS
c:\windows\system32\telechargement-159-hijackthis.htm
c:\windows\system32\dllcache\linkinfo.dll
c:\windows\system32\nsis_loader.dll
C:\WINDOWS\WinShell.\daemon.exe

folder::
c:\windows\$WIND$
c:\windows\WinShell
c:\windows\Intel

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EF2D7A6-0B99-4C44-B04A-D47125B76424}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74A92EE1-64BD-4233-90B8-2AEB715FBF2D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7E4329EB-0F3A-4FC6-BAED-5648F708D30C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ZX.ZXAAATL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{8342F32F-896F-4EDF-9E97-60E84C02EB9A} = -
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
%FontsDir%\twabramn.nls = -
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MewBogoMediaPop.PopBogo]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MezsAdPopup.BWLogc]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{489873CE-F3E1-44A3-8E89-04BE26BE4446}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentMatch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IETimber]
[-HKEY_LOCAL_MACHINE\SOFTWARE\cpush]
[-HKEY_LOCAL_MACHINE\SOFTWARE\IETimber]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MicroPlugins]
[-HKEY_CURRENT_USER\Software\newpush]
[-HKEY_CURRENT_USER\Software\Sysisoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
360safe = -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTIARP.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ast.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRunKiller.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.COM]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Frameworkservice.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFUpd.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GuardField.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASARP.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonxp.KXP]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVWSC.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatch.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mmsk.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nod32kui.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAV.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ravservice.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAVTRAY.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Regedit.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rfwstub.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsMain.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RSTray.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Runiep.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanFrm.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngLdr.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.KXP]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPC32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPTRAY.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WOPTILITIES.EXE]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{91C7DF6D-AEF5-4136-9252-AF030D7A5931}"= -
"{1957817A-94B2-4CAC-B113-A331809B5730}"=-
"{E83C3833-A1EE-4C18-B34E-ACD20C0A646C}"=-
"{1B8F3C0D-D80F-428C-BBE1-013634121393}"=-
"{C941288A-27FC-484E-AC78-BA04CB41FD53}"=-
"{D64374E8-8B1D-49AB-9284-5072687B6BD3}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"E83C3833"= -
"1B8F3C0D"= -
"C941288A"= -
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows
"AppInit_DLLs"=””
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c984ab7c-e6f0-11dd-8d9e-00142a50775a}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"MSPolicyAgent"= -
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = ""

Driver::
pnpmem
myprotector
UPDATEDATA

Enregistre ce fichier sous le nom CFscript

Fait un glisser/déposer de ce fichier CFscript sur le fichier ComboFix.exe

Clique sur le fichier CFscript, maintient le doigt enfoncé et glisse la souris pour que l'icône du CFscrïpt vienne recouvrir l'icône de Combofix. Relache la souris. Combofix va démarrer.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Réactive ton parefeu, ton antivirus, la garde de ton antispyware

Une fois le scan achevé, un rapport va s'afficher: poste son contenu.

Si le fichier ne s'ouvre pas, il se trouve ici C:\ComboFix.txt

Attention : cette manip a été fait pour cet ordi. Tout réutilisation peut endommager sévèrement le système d'exploitation.
0
Réponse 110 / 123
ROSALLY Messages postés 80 Statut Membre
 
ren bonjour
excuses moi je te poste le rapport comboFix et je n'avais pas vu ton avant dernier message
bien a toi

ComboFix 09-03-01.01 - CKS Andre SNEYAERT 2009-03-04 17:45:49.17 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.894.488 [GMT 1:00]
Lancé depuis: c:\documents and settings\CKS Andre SNEYAERT\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\CKS Andre SNEYAERT\Bureau\CFscript.txt
* Un nouveau point de restauration a été créé
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\HJTInstall.7z
c:\windows\Fonts\GBUNHAK.nls
c:\windows\Fonts\gzdnf01.dat
c:\windows\Fonts\TIMPIatform.exe
c:\windows\Fonts\wuauclt.exe
c:\windows\Intel
c:\windows\Intel\baiduc.dll.vzr
c:\windows\TEMPIadHide3.dll

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-02-04 au 2009-03-04 ))))))))))))))))))))))))))))))))))))
.

2009-03-04 14:08 . 2009-03-04 14:09 250 --a------ c:\windows\gmer.ini
2009-03-03 13:59 . 2009-03-03 13:59 30,720 --a------ C:\Correspondance TEM 2009.doc
2009-03-03 10:03 . 2009-03-03 19:11 27,136 --a------ C:\TEM Entête.doc
2009-03-02 15:45 . 2009-03-02 16:21 13,531 --a------ c:\windows\system32\wauefe.exe.vzr
2009-03-02 11:38 . 2009-03-02 11:38 40 --a------ c:\windows\tmp.dat
2009-03-02 11:38 . 2009-03-02 11:38 37 --a------ c:\windows\sys.ini
2009-03-01 19:56 . 2009-03-01 19:56 32 --a------ c:\windows\system32\ormsgse.axz
2009-03-01 19:42 . 2009-03-03 20:47 <REP> d-------- c:\windows\system32\ZoneLabs
2009-03-01 19:15 . 2009-03-02 17:28 143 --a------ c:\windows\system32\exlds.ini
2009-03-01 19:00 . 2009-03-01 19:21 <REP> d-------- C:\Fixfix
2009-03-01 18:55 . 2009-03-01 18:55 236 --ahs---- c:\windows\system32\D64374E8.cfg
2009-03-01 13:15 . 2009-03-01 13:15 267,152 --a------ C:\zasuiteSetup_en.exe
2009-03-01 12:49 . 2009-03-01 16:20 388 --ahs---- c:\windows\system32\91C7DF6D.cfg
2009-03-01 12:19 . 2009-03-01 12:19 401,720 --a------ C:\HiJackThis.exe
2009-02-26 00:55 . 2009-03-01 18:50 1,354,483 --a------ c:\windows\setupapi.log.3.old
2009-02-25 23:29 . 2009-03-03 07:56 2,233 --a------ C:\rollback.ini
2009-02-25 20:26 . 2009-02-25 20:26 <REP> d-------- c:\program files\SonicWallES
2009-02-25 19:09 . 2009-02-25 19:26 <REP> d-------- C:\Combo-Fix
2009-02-25 17:25 . 2009-02-25 17:25 200 --ahs---- c:\windows\system32\72B29486.cfg
2009-02-25 13:58 . 2009-02-25 13:58 <REP> d-------- c:\program files\Zone Labs
2009-02-25 13:58 . 2009-03-02 17:24 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-02-25 13:56 . 2009-03-03 20:47 <REP> d-------- c:\windows\Internet Logs
2009-02-24 19:17 . 2009-03-01 19:01 2,681 --a------ c:\windows\winsys.inf
2009-02-24 18:55 . 2009-02-24 18:55 1,811 --a------ c:\windows\ACROREAD.INI
2009-02-23 16:50 . 2004-08-05 13:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2009-02-23 16:50 . 2004-08-05 13:00 4,224 --a--c--- c:\windows\system32\dllcache\beep.sys
2009-02-21 00:01 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 00:00 . 2009-02-21 00:01 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 00:00 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 23:13 . 2009-02-20 23:13 396,288 --a------ c:\windows\HijackThis.exe
2009-02-20 22:23 . 2009-03-01 12:13 <REP> d-------- C:\ToolBar SD
2009-02-20 21:43 . 2009-02-20 21:43 16,656 --a------ C:\mbam-log-2009-02-20 (21-42-58)VIRUS
2009-02-20 19:50 . 2009-02-20 19:50 15,069 --a------ c:\windows\system32\telechargement-159-hijackthis.htm
2009-02-20 19:04 . 2009-02-20 19:04 <REP> d-------- c:\program files\MediaChannel
2009-02-20 16:08 . 2009-02-20 16:08 <REP> d-------- c:\documents and settings\CKS Andre SNEYAERT\Application Data\Malwarebytes
2009-02-20 16:08 . 2009-02-20 16:08 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-20 13:11 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\mfc71.dll
2009-02-20 13:01 . 2009-02-20 13:01 520,052 --a------ c:\windows\system32\mfc71.7z
2009-02-20 12:55 . 2009-02-20 13:00 <REP> d-------- c:\windows\system32\mfc71
2009-02-20 12:01 . 2009-02-20 12:02 514,940 -rah----- c:\windows\system32\mfc71.zip
2009-02-20 11:31 . 2009-02-20 11:31 <REP> d-------- c:\documents and settings\CKS Andre SNEYAERT\Application Data\Uniblue
2009-02-19 18:50 . <REP> c:\windows\$WIND$
2009-02-19 18:45 . 2009-02-20 22:16 <REP> d-------- c:\program files\Goto Software
2009-02-19 18:45 . 2009-02-20 22:16 <REP> d-------- c:\program files\Fichiers communs\Goto Software
2009-02-19 18:45 . 2009-02-19 18:45 <REP> d-------- c:\documents and settings\CKS Andre SNEYAERT\Application Data\VadeRetro
2009-02-19 18:45 . 2009-02-20 22:16 <REP> d-------- c:\documents and settings\All Users\Application Data\VadeRetro
2009-02-19 16:43 . <REP> c:\windows\WinShell
2009-02-18 19:42 . 2009-02-18 19:42 31,232 --a------ C:\Relevé de compte LAW YAT au 31.12.2008.doc
2009-02-17 14:45 . 2008-04-14 03:33 19,968 --a--c--- c:\windows\system32\dllcache\linkinfo.dll
2009-02-07 23:10 . 2009-02-07 23:10 170,496 --a------ C:\FINE CRUSH LTD.doc
2009-02-04 10:50 . 2009-02-04 10:50 24,576 --a------ c:\windows\system32\nsis_loader.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 17:44 --------- d-----w c:\program files\Wanadoo
2009-03-04 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-04 08:30 --------- d-----w c:\documents and settings\CKS Andre SNEYAERT\Application Data\Skype
2009-02-27 19:26 --------- d-----w c:\program files\SurfingEnhancer
2009-02-26 10:44 --------- d-----w c:\program files\FenAffiche
2009-02-25 17:50 --------- d-----w c:\program files\Common
2009-02-18 18:10 --------- d-----w c:\program files\Google
2009-01-23 20:21 --------- d-----w c:\documents and settings\All Users\Application Data\288537758
2009-01-21 19:07 --------- d-----w c:\program files\EnveloppesEditor1.09
2009-01-21 16:56 --------- d-----w c:\documents and settings\CKS Andre SNEYAERT\Application Data\PC-FAX TX
2009-01-16 17:15 137,664 ----a-w c:\windows\system32\drivers\adiusbaw.sys
2008-09-22 09:52 85,504 ----a-w c:\documents and settings\CKS Andre SNEYAERT\Application Data\GDIPFONTCACHEV1.DAT
2008-09-04 14:43 1,940 ----a-w c:\documents and settings\CKS Andre SNEYAERT\Application Data\ViewerApp.dat
2008-09-27 10:02 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-01_19.19.27.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-04 13:08:15 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 20:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-03-04 13:08:15 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2009-03-01 18:15:49 49,152 ----a-w c:\windows\system32\npptools.dll
+ 2008-04-14 02:33:36 55,296 ----a-w c:\windows\system32\npptools.dll
+ 2009-03-03 15:33:04 9,828,864 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-03-04 17:41:13 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5bc.dat
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08CBFE20-8DC8-4195-B8E2-DD66F860469D}]
c:\program files\Internet Explorer\PowerJa.ask [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WOOKIT"="c:\progra~1\Wanadoo\Shell.exe" [2004-08-23 122880]
"Livecom"="c:\progra~1\Livecom\APPLIC~1\CommunicationAgent\CommunicationAgent.exe" [2006-02-23 237568]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-02-09 25388584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 204863]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fenaffiche"="c:\program files\FenAffiche\FenUnika.exe" [BU]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Microsoft Works Update Detection"="c:\program files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-18 28672]
"WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="c:\progra~1\Wanadoo\GestMaj.exe" [2004-10-14 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CAMTRAY.EXE" [2003-10-13 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-27 29744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"SSBkgdUpdate"="c:\program files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"SiSPower"="SiSPower.dll" [2005-04-12 c:\windows\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9d.exe" [2007-06-11 190696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"360safe"="c:\windows\Fonts\wuauclt.exe" [BU]

c:\documents and settings\CKS Andre SNEYAERT\Menu D‚marrer\Programmes\D‚marrage\
Outil de d‚tection de support Picture Motion Browser.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-07-19 385024]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-04-28 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-04-28 106496]
Utilitaire r‚seau pour SAGEM Wi-Fi 11g USB adapter.lnk - c:\program files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe [2007-04-20 835584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{08CBFE20-8DC8-4195-B8E2-DD66F860469D}"= "c:\program files\Internet Explorer\PowerJa.ask" [BU]
"{815EDE81-767D-4636-80F5-141578667A98}"= "c:\windows\fonts\spswdgis.dll" [BU]
"{CA8ABC8B-93B1-4818-ACA5-37131E0523D8}"= "c:\windows\system32\caoabcob.dll" [BU]
"{9556EE7F-D5B7-4DE4-819F-90B9408AF39E}"= "c:\windows\system32\pllmeenf.dll" [BU]
"{2A97029D-5F87-40B7-AC87-BDFC8BE941E3}"= "c:\windows\system32\iapngipd.dll" [BU]
"{1A8DD36E-3DE4-484B-B498-51E0F66688E6}"= "c:\windows\system32\haoddjme.dll" [BU]
"{F6B2817A-4836-4870-928F-236264E3AF32}"= "c:\windows\system32\fmbiohna.dll" [BU]
"{147C7481-5793-4972-A433-C7C6DCB2A4DA}"= "c:\windows\system32\hkncnkoh.dll" [BU]
"{A218ACB1-0EC2-413A-B72D-5411FBC6193F}"= "c:\windows\system32\aihoacbh.dll" [BU]
"{840C288D-33C2-4932-846F-5B3A1FC6FCAD}"= "c:\windows\system32\okgciood.dll" [BU]
"{449D2A6F-94FC-40BF-A260-6968AC4B060B}"= "c:\windows\system32\kkpdiamf.dll" [BU]
"{1B8F3C0D-D80F-428C-BBE1-013634121393}"= "c:\windows\system32\hbofjcgd.dll" [2008-08-14 49152]
"{C941288A-27FC-484E-AC78-BA04CB41FD53}"= "c:\windows\system32\cpkhiooa.dll" [2008-08-14 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"1B8F3C0D"= {1B8F3C0D-D80F-428C-BBE1-013634121393} - c:\windows\system32\hbofjcgd.dll [2008-08-14 49152]
"C941288A"= {C941288A-27FC-484E-AC78-BA04CB41FD53} - c:\windows\system32\cpkhiooa.dll [2008-08-14 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hbofjcgd.dll cpkhiooa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\keepSafe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTIARP.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ast.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRunKiller.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.COM]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Frameworkservice.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFUpd.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GuardField.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASARP.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav32.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonxp.KXP]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVWSC.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatch.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mmsk.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nod32kui.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAV.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ravservice.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAVTRAY.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Regedit.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rfwstub.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsMain.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RSTray.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Runiep.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanFrm.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngLdr.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.KXP]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPC32.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPTRAY.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WOPTILITIES.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Livecom\\Application\\eConfv4\\livecomp.exe"=
"c:\\PROGRA~1\\Livecom\\APPLIC~1\\Exe\\Livecom.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-11-21 29744]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [2006-02-01 1252474]
S3 PsShutdownSvc;PsShutdown;c:\windows\system32\PSSDNSVC.EXE [2005-08-22 65536]
S3 SG760_XP;SAGEM 802.11g XG760 1211 Driver;c:\windows\system32\drivers\WlanUZXP.sys [2007-04-20 260608]
S3 ZDCndis5;ZDCndis5 Protocol Driver;c:\windows\system32\zdcndis5.sys [2009-01-16 137664]

--- Autres Services/Pilotes en mémoire ---

*NewlyCreated* - ZDPNDIS5
.
Contenu du dossier 'Tâches planifiées'

2009-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

2009-03-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-23 15:32]

2009-03-04 c:\windows\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHELINS SUPPRIMES - - - -

ShellExecuteHooks-{B3DDF3DF-0A05-4BE9-B37D-7021BD501C7A} - (no file)
ShellExecuteHooks-{A9386267-1CF0-48EC-9DBA-412A44C76334} - (no file)
ShellExecuteHooks-{9B8978FE-5B0E-476D-8F15-3FB5119A42F3} - (no file)
ShellExecuteHooks-{FE494031-756B-4865-99B4-4DE92DDCF609} - (no file)
ShellExecuteHooks-{46184B86-19FF-4A37-9167-4C538027CEBC} - (no file)
ShellExecuteHooks-{AC9A4670-B0B6-4EC7-B6A5-B29FA3530420} - (no file)
ShellExecuteHooks-{9B3DC09A-2613-4613-96F8-F8E305BFF825} - (no file)
ShellExecuteHooks-{C13945CA-D00B-4474-B105-3838809607EA} - (no file)
ShellExecuteHooks-{22EC45F3-1651-409E-8273-6D80E39B4549} - (no file)
ShellExecuteHooks-{391597A0-67FF-4D4F-9AFF-8471E5D0D3C9} - (no file)
ShellExecuteHooks-{BA9620A6-68E8-492D-9B28-7B7416F69673} - (no file)
ShellExecuteHooks-{04D3233B-EC1F-44B3-BBE4-9D76438EEC1E} - (no file)
ShellExecuteHooks-{51E74159-54A6-4355-A78F-55998328FC07} - (no file)
ShellExecuteHooks-{8342F32F-896F-4EDF-9E97-60E84C02EB9A} - (no file)

.
------- Examen supplémentaire -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page =
mStart Page = hxxp://www.google.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
FF - ProfilePath - c:\documents and settings\CKS Andre SNEYAERT\Application Data\Mozilla\Firefox\Profiles\h6n3nsr0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 18:42:02
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\FTRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Wanadoo\TaskBarIcon.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\progra~1\Wanadoo\Toaster.exe
c:\progra~1\Wanadoo\Inactivity.exe
c:\progra~1\Wanadoo\PollingModule.exe
.
**************************************************************************
.
Heure de fin: 2009-03-04 18:49:44 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-03-04 17:49:41
ComboFix2.txt 2009-03-04 10:06:52
ComboFix3.txt 2009-03-03 19:58:06
ComboFix4.txt 2009-03-03 15:59:43
ComboFix5.txt 2009-03-04 16:44:37

Avant-CF: 152 730 832 896 octets libres
Après-CF: 152,719,560,704 octets libres

391 --- E O F --- 2009-03-03 21:16:22
0
Réponse 111 / 123
ROSALLY Messages postés 80 Statut Membre
 
Re,
des nouveautés (dont ADS sur la restauration système !)
=============
Ouvre Hijackthis (cherche C:\Program Files\trend micro\Jonas.exe par l'explorateur windows et fais un double clic)

suite à ton message audessus => C:\Program Files\trend micro
je trouve hijackthis la mais je n'arrive pas a aller loin comme indiquer sur ton message n° 126
que faire ? si tu pouver expliquer un peu plus s'il y a manipulation a faire
merci d'avance
0
Réponse 112 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Re,

essaye comme ça :

Clique sur ce lien
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
pour télécharger le fichier d'installation d'HijackThis.

Enregistre HJTInstall.exe sur ton bureau.

Double-clique sur HJTInstall.exe pour lancer le programme

Par défaut, il s'installera là :
C:\Program Files\Trend Micro\HijackThis

Accepte la license en cliquant sur le bouton "I Accept"

Choisi Open the misc tools section.

Clique sur Open ADS Spy

Vérifie que Quick scan et calculate MD5 sont cochés.

Clique sur scan.

En fin de scan, clique sur save log.

Donne lui un nom, édite le avec le Bloc-notes et poste son contenu ici.
0
Réponse 113 / 123
ROSALLY Messages postés 80 Statut Membre
 
bonsour Lyonnais
j'ai respecté tes instructions à la lettre
j'ai scaner ça a pris 5 seconde et rien comme rapport
il n y a pas eu de rapport ........... RIEN
0
Réponse 114 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Re,

on essaye comme ça :

Ouvre ce lien :

http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/fr_docid/20020830101856924

dans un premier temps tu le suis pour désactiver la restauration système.

Tu fermes la fenêtre.

Dans un deuxième temps, tu le suis pour réactiver la restauration.

Ceci recréé automatiquement un point de restauration daté de l"heure de la réactivation.

Rescanne avec gmer et poste le rapport.
0
Réponse 115 / 123
ROSALLY Messages postés 80 Statut Membre
 
bonjour Lyonnais
ci après le rapport de gmer

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-05 09:38:38
Windows 5.1.2600 Service Pack 3

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (FileSpy Filter Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (FileSpy Filter Driver/Windows (R) 2000 DDK provider)

---- EOF - GMER 1.0.14 ----
0
Réponse 116 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Bonjour,

Copie ou imprime les instructions avant.

Déconnecte toi d'internet et ferme toutes tes applications.

Désactive tes protections (antivirus, parefeu, garde en temps réel de l'antispyware)

Crée un nouveau document texte : clic droit de souris sur le bureau > Nouveau > Document Texte, et copie dedans les lignes suivantes : 

KillAll::

RootKit::
c:\windows\Fonts\TIMPIatform.exe
c:\windows\Fonts\hdvlediv.dll
c:\windows\Fonts\wuauclt.exe
c:\windows\Fonts\zwkytzhe.dll
c:\windows\Fonts\qwinvafv.dll
c:\windows\Fonts\gzdnf01.dat
c:\windows\Fonts\GBUNHAK.nls
c:\windows\Fonts\ktuxlvyx.dll
c:\windows\Fonts\guhfpzpq.dll
c:\windows\Fonts\note.exe
c:\windows\TEMPIadHide3.dll
c:\program files\HJTInstall.7z
%System%\waudfe.exe
%System%\drivers\npf.sys
%System%\npptools.dll
%System%\Packet.dll
%System%\WanPacket.dll
%System%\wpcap.dll
%System%\dllcache\spoolsv.exe
c:\windows\system32\drivers\pnpmem.sys
c:\windows\battc.sys
c:\windows\system32\drivers\acpiec.sys
E:\CC.PIF
c:\program files\bccd.pif
c:\windows\system32\wauefe.exe
c:\windows\system32\wauefe.exe.vzr
c:\windows\tmp.dat
c:\windows\sys.ini
c:\windows\system32\drivers\pnpmem.s¬ys
c:\windows\system32\ormsgse.axz
c:\windows\system32\exlds.ini
c:\windows\system32\D64374E8.dll
c:\windows\system32\D64374E8.cfg
c:\windows\winyyy.sys
c:\windows\system32\201476D0.dll
c:\windows\system32\72B29486.dll
c:\windows\system32\91C7DF6D.dll.vzr
c:\windows\system32\91C7DF6D.cfg
c:\windows\system32\waudfe.exe
c:\windows\setupapi.log.3.old
c:\windows\system32\72B29486.cfg
c:\windows\winsys.inf
%FontsDir%\twabramn.nls
c:\windows\system32\eojcjojj.dll
c:\windows\system32\hbofjcgd.dll
c:\windows\system32\cpkhiooa.dll
c:\windows\system32\wauefe.exe.vzr
c:\windows\tmp.dat
c:\windows\sys.ini
c:\windows\system32\ormsgse.axz
c:\windows\system32\exlds.ini
c:\windows\system32\D64374E8.cfg
C:\zasuiteSetup_en.exe
c:\windows\system32\91C7DF6D.cfg
c:\windows\setupapi.log.3.old
c:\windows\system32\72B29486.cfg
c:\windows\winsys.inf
C:\mbam-log-2009-02-20 (21-42-58)VIRUS
c:\windows\system32\telechargement-159-hijackthis.htm
c:\windows\system32\dllcache\linkinfo.dll
c:\windows\system32\nsis_loader.dll
C:\WINDOWS\WinShell.\daemon.exe
c:\windows\system32\wauefe.exe.vzr

folder::
c:\windows\$WIND$
c:\windows\WinShell
c:\windows\Intel

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EF2D7A6-0B99-4C44-B04A-D47125B76424}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74A92EE1-64BD-4233-90B8-2AEB715FBF2D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7E4329EB-0F3A-4FC6-BAED-5648F708D30C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ZX.ZXAAATL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{8342F32F-896F-4EDF-9E97-60E84C02EB9A} = -
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
%FontsDir%\twabramn.nls = -
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MewBogoMediaPop.PopBogo]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MezsAdPopup.BWLogc]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{489873CE-F3E1-44A3-8E89-04BE26BE4446}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentMatch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IETimber]
[-HKEY_LOCAL_MACHINE\SOFTWARE\cpush]
[-HKEY_LOCAL_MACHINE\SOFTWARE\IETimber]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MicroPlugins]
[-HKEY_CURRENT_USER\Software\newpush]
[-HKEY_CURRENT_USER\Software\Sysisoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
360safe = -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTIARP.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ast.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRunKiller.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.COM]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Frameworkservice.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFUpd.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GuardField.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASARP.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonxp.KXP]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVWSC.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatch.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mmsk.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nod32kui.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAV.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ravservice.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAVTRAY.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Regedit.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rfwstub.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsMain.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RSTray.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Runiep.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanFrm.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngLdr.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.KXP]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPC32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPTRAY.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WOPTILITIES.EXE]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{91C7DF6D-AEF5-4136-9252-AF030D7A5931}"= -
"{1957817A-94B2-4CAC-B113-A331809B5730}"=-
"{E83C3833-A1EE-4C18-B34E-ACD20C0A646C}"=-
"{1B8F3C0D-D80F-428C-BBE1-013634121393}"=-
"{C941288A-27FC-484E-AC78-BA04CB41FD53}"=-
"{D64374E8-8B1D-49AB-9284-5072687B6BD3}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"E83C3833"= -
"1B8F3C0D"= -
"C941288A"= -
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows
"AppInit_DLLs"=””
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c984ab7c-e6f0-11dd-8d9e-00142a50775a}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"MSPolicyAgent"= -
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = ""

Driver::
pnpmem
myprotector
UPDATEDATA


Enregistre ce fichier sous le nom CFscript

Fait un glisser/déposer de ce fichier CFscript sur le fichier ComboFix.exe

Clique sur le fichier CFscript, maintient le doigt enfoncé et glisse la souris pour que l'icône du CFscrïpt vienne recouvrir l'icône de Combofix. Relache la souris. Combofix va démarrer.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Réactive ton parefeu, ton antivirus, la garde de ton antispyware

Une fois le scan achevé, un rapport va s'afficher: poste son contenu.

Si le fichier ne s'ouvre pas, il se trouve ici C:\ComboFix.txt

Attention : cette manip a été fait pour cet ordi. Tout réutilisation peut endommager sévèrement le système d'exploitation.
0
Réponse 117 / 123
ROSALLY Messages postés 80 Statut Membre
 
Re bonjour Lyonnais
rapport ComboFix

ComboFix 09-03-01.01 - CKS Andre SNEYAERT 2009-03-05 11:38:40.18 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.894.470 [GMT 1:00]
Lancé depuis: c:\documents and settings\CKS Andre SNEYAERT\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\CKS Andre SNEYAERT\Bureau\CFscript.txt
* Un nouveau point de restauration a été créé
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\bccd.pif
c:\program files\HJTInstall.7z
c:\windows\Fonts\GBUNHAK.nls
c:\windows\Fonts\gzdnf01.dat
c:\windows\Fonts\TIMPIatform.exe
c:\windows\Fonts\wuauclt.exe
c:\windows\Intel
c:\windows\system32\B4eocaps.SRG
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\TEMPIadHide3.dll

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf

((((((((((((((((((((((((((((( Fichiers créés du 2009-02-05 au 2009-03-05 ))))))))))))))))))))))))))))))))))))
.

2009-03-04 20:30 . 2009-03-04 20:30 <REP> d-------- c:\program files\Trend Micro
2009-03-04 20:27 . 2009-03-05 09:39 13,531 --a------ c:\windows\system32\wauefe.exe
2009-03-04 14:08 . 2009-03-05 09:32 250 --a------ c:\windows\gmer.ini
2009-03-03 13:59 . 2009-03-03 13:59 30,720 --a------ C:\Correspondance TEM 2009.doc
2009-03-03 10:03 . 2009-03-03 19:11 27,136 --a------ C:\TEM Entête.doc
2009-03-02 15:45 . 2009-03-02 16:21 13,531 --a------ c:\windows\system32\wauefe.exe.vzr
2009-03-02 11:38 . 2009-03-02 11:38 40 --a------ c:\windows\tmp.dat
2009-03-02 11:38 . 2009-03-02 11:38 37 --a------ c:\windows\sys.ini
2009-03-01 19:56 . 2009-03-01 19:56 32 --a------ c:\windows\system32\ormsgse.axz
2009-03-01 19:42 . 2009-03-03 20:47 <REP> d-------- c:\windows\system32\ZoneLabs
2009-03-01 19:15 . 2009-03-05 09:38 173 --a------ c:\windows\system32\exlds.ini
2009-03-01 19:00 . 2009-03-01 19:21 <REP> d-------- C:\Fixfix
2009-03-01 18:55 . 2009-03-01 18:55 236 --ahs---- c:\windows\system32\D64374E8.cfg
2009-03-01 13:15 . 2009-03-01 13:15 267,152 --a------ C:\zasuiteSetup_en.exe
2009-03-01 12:49 . 2009-03-01 16:20 388 --ahs---- c:\windows\system32\91C7DF6D.cfg
2009-02-26 00:55 . 2009-03-01 18:50 1,354,483 --a------ c:\windows\setupapi.log.3.old
2009-02-25 23:29 . 2009-03-03 07:56 2,233 --a------ C:\rollback.ini
2009-02-25 20:26 . 2009-02-25 20:26 <REP> d-------- c:\program files\SonicWallES
2009-02-25 19:09 . 2009-02-25 19:26 <REP> d-------- C:\Combo-Fix
2009-02-25 17:25 . 2009-02-25 17:25 200 --ahs---- c:\windows\system32\72B29486.cfg
2009-02-25 13:58 . 2009-02-25 13:58 <REP> d-------- c:\program files\Zone Labs
2009-02-25 13:58 . 2009-03-02 17:24 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-02-25 13:56 . 2009-03-03 20:47 <REP> d-------- c:\windows\Internet Logs
2009-02-24 19:17 . 2009-03-01 19:01 2,681 --a------ c:\windows\winsys.inf
2009-02-24 18:55 . 2009-02-24 18:55 1,811 --a------ c:\windows\ACROREAD.INI
2009-02-23 16:50 . 2004-08-05 13:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2009-02-23 16:50 . 2004-08-05 13:00 4,224 --a--c--- c:\windows\system32\dllcache\beep.sys
2009-02-21 00:01 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 00:00 . 2009-02-21 00:01 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 00:00 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 23:13 . 2009-02-20 23:13 396,288 --a------ c:\windows\HijackThis.exe
2009-02-20 22:23 . 2009-03-01 12:13 <REP> d-------- C:\ToolBar SD
2009-02-20 21:43 . 2009-02-20 21:43 16,656 --a------ C:\mbam-log-2009-02-20 (21-42-58)VIRUS
2009-02-20 19:50 . 2009-02-20 19:50 15,069 --a------ c:\windows\system32\telechargement-159-hijackthis.htm
2009-02-20 19:04 . 2009-02-20 19:04 <REP> d-------- c:\program files\MediaChannel
2009-02-20 16:08 . 2009-02-20 16:08 <REP> d-------- c:\documents and settings\CKS Andre SNEYAERT\Application Data\Malwarebytes
2009-02-20 16:08 . 2009-02-20 16:08 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-20 13:11 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\mfc71.dll
2009-02-20 13:01 . 2009-02-20 13:01 520,052 --a------ c:\windows\system32\mfc71.7z
2009-02-20 12:55 . 2009-02-20 13:00 <REP> d-------- c:\windows\system32\mfc71
2009-02-20 12:01 . 2009-02-20 12:02 514,940 -rah----- c:\windows\system32\mfc71.zip
2009-02-20 11:31 . 2009-02-20 11:31 <REP> d-------- c:\documents and settings\CKS Andre SNEYAERT\Application Data\Uniblue
2009-02-19 18:50 . <REP> c:\windows\$WIND$
2009-02-19 18:45 . 2009-02-20 22:16 <REP> d-------- c:\program files\Goto Software
2009-02-19 18:45 . 2009-02-20 22:16 <REP> d-------- c:\program files\Fichiers communs\Goto Software
2009-02-19 18:45 . 2009-02-19 18:45 <REP> d-------- c:\documents and settings\CKS Andre SNEYAERT\Application Data\VadeRetro
2009-02-19 18:45 . 2009-02-20 22:16 <REP> d-------- c:\documents and settings\All Users\Application Data\VadeRetro
2009-02-19 16:43 . <REP> c:\windows\WinShell
2009-02-18 19:42 . 2009-02-18 19:42 31,232 --a------ C:\Relevé de compte LAW YAT au 31.12.2008.doc
2009-02-17 14:45 . 2008-04-14 03:33 19,968 --a--c--- c:\windows\system32\dllcache\linkinfo.dll
2009-02-07 23:10 . 2009-02-07 23:10 170,496 --a------ C:\FINE CRUSH LTD.doc

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 11:42 --------- d-----w c:\program files\Wanadoo
2009-03-05 08:02 --------- d-----w c:\documents and settings\CKS Andre SNEYAERT\Application Data\Skype
2009-03-04 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-27 19:26 --------- d-----w c:\program files\SurfingEnhancer
2009-02-26 10:44 --------- d-----w c:\program files\FenAffiche
2009-02-25 17:50 --------- d-----w c:\program files\Common
2009-02-18 18:10 --------- d-----w c:\program files\Google
2009-01-23 20:21 --------- d-----w c:\documents and settings\All Users\Application Data\288537758
2009-01-21 19:07 --------- d-----w c:\program files\EnveloppesEditor1.09
2009-01-21 16:56 --------- d-----w c:\documents and settings\CKS Andre SNEYAERT\Application Data\PC-FAX TX
2009-01-16 17:15 137,664 ----a-w c:\windows\system32\drivers\adiusbaw.sys
2008-09-22 09:52 85,504 ----a-w c:\documents and settings\CKS Andre SNEYAERT\Application Data\GDIPFONTCACHEV1.DAT
2008-09-04 14:43 1,940 ----a-w c:\documents and settings\CKS Andre SNEYAERT\Application Data\ViewerApp.dat
2008-09-27 10:02 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-01_19.19.27.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-05 08:04:52 53,248 ----a-w c:\windows\Fonts\prjowkdh.dll
+ 2009-03-05 08:04:53 53,248 ----a-w c:\windows\Fonts\scdtolvs.dll
+ 2009-03-05 08:04:54 53,248 ----a-w c:\windows\Fonts\wefyhlod.dll
+ 2009-03-04 13:08:15 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 20:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-03-04 13:08:15 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2009-03-01 18:15:49 49,152 ----a-w c:\windows\system32\npptools.dll
+ 2008-04-14 02:33:36 55,296 ----a-w c:\windows\system32\npptools.dll
+ 2009-03-03 15:33:04 9,828,864 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-03-05 10:48:41 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5a8.dat
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08CBFE20-8DC8-4195-B8E2-DD66F860469D}]
c:\program files\Internet Explorer\PowerJa.ask [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WOOKIT"="c:\progra~1\Wanadoo\Shell.exe" [2004-08-23 122880]
"Livecom"="c:\progra~1\Livecom\APPLIC~1\CommunicationAgent\CommunicationAgent.exe" [2006-02-23 237568]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-02-09 25388584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 204863]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fenaffiche"="c:\program files\FenAffiche\FenUnika.exe" [BU]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Microsoft Works Update Detection"="c:\program files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-18 28672]
"WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="c:\progra~1\Wanadoo\GestMaj.exe" [2004-10-14 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CAMTRAY.EXE" [2003-10-13 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-27 29744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"SSBkgdUpdate"="c:\program files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"SiSPower"="SiSPower.dll" [2005-04-12 c:\windows\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9d.exe" [2007-06-11 190696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"360safe"="c:\windows\Fonts\wuauclt.exe" [BU]

c:\documents and settings\CKS Andre SNEYAERT\Menu D‚marrer\Programmes\D‚marrage\
Outil de d‚tection de support Picture Motion Browser.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-07-19 385024]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-04-28 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-04-28 106496]
Utilitaire r‚seau pour SAGEM Wi-Fi 11g USB adapter.lnk - c:\program files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe [2007-04-20 835584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{08CBFE20-8DC8-4195-B8E2-DD66F860469D}"= "c:\program files\Internet Explorer\PowerJa.ask" [BU]
"{815EDE81-767D-4636-80F5-141578667A98}"= "c:\windows\fonts\wefyhlod.dll" [2009-03-05 53248]
"{CA8ABC8B-93B1-4818-ACA5-37131E0523D8}"= "c:\windows\system32\caoabcob.dll" [BU]
"{9556EE7F-D5B7-4DE4-819F-90B9408AF39E}"= "c:\windows\system32\pllmeenf.dll" [BU]
"{2A97029D-5F87-40B7-AC87-BDFC8BE941E3}"= "c:\windows\system32\iapngipd.dll" [BU]
"{1A8DD36E-3DE4-484B-B498-51E0F66688E6}"= "c:\windows\system32\haoddjme.dll" [BU]
"{F6B2817A-4836-4870-928F-236264E3AF32}"= "c:\windows\system32\fmbiohna.dll" [BU]
"{147C7481-5793-4972-A433-C7C6DCB2A4DA}"= "c:\windows\system32\hkncnkoh.dll" [BU]
"{A218ACB1-0EC2-413A-B72D-5411FBC6193F}"= "c:\windows\system32\aihoacbh.dll" [BU]
"{840C288D-33C2-4932-846F-5B3A1FC6FCAD}"= "c:\windows\system32\okgciood.dll" [BU]
"{449D2A6F-94FC-40BF-A260-6968AC4B060B}"= "c:\windows\system32\kkpdiamf.dll" [BU]
"{C941288A-27FC-484E-AC78-BA04CB41FD53}"= "c:\windows\system32\cpkhiooa.dll" [2008-08-14 45056]
"{1B8F3C0D-D80F-428C-BBE1-013634121393}"= "c:\windows\system32\hbofjcgd.dll" [2008-08-14 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"1B8F3C0D"= {1B8F3C0D-D80F-428C-BBE1-013634121393} - c:\windows\system32\hbofjcgd.dll [2008-08-14 49152]
"C941288A"= {C941288A-27FC-484E-AC78-BA04CB41FD53} - c:\windows\system32\cpkhiooa.dll [2008-08-14 45056]
"c:\windows\fonts\jmpszywj.dll"= {815EDE81-767D-4636-80F5-141578667A98} - c:\windows\fonts\wefyhlod.dll [2009-03-05 53248]
"c:\windows\fonts\prjowkdh.dll"= {815EDE81-767D-4636-80F5-141578667A98} - c:\windows\fonts\wefyhlod.dll [2009-03-05 53248]
"c:\windows\fonts\scdtolvs.dll"= {815EDE81-767D-4636-80F5-141578667A98} - c:\windows\fonts\wefyhlod.dll [2009-03-05 53248]
"c:\windows\fonts\wefyhlod.dll"= {815EDE81-767D-4636-80F5-141578667A98} - c:\windows\fonts\wefyhlod.dll [2009-03-05 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hbofjcgd.dll cpkhiooa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\keepSafe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTIARP.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ast.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRunKiller.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.COM]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Frameworkservice.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFUpd.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GuardField.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASARP.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav32.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonxp.KXP]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVWSC.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatch.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mmsk.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nod32kui.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAV.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ravservice.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAVTRAY.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Regedit.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rfwstub.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsMain.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RSTray.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Runiep.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanFrm.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngLdr.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.KXP]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPC32.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPTRAY.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WOPTILITIES.EXE]
"debugger"=c:\windows\system32\dllcache\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Livecom\\Application\\eConfv4\\livecomp.exe"=
"c:\\PROGRA~1\\Livecom\\APPLIC~1\\Exe\\Livecom.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-11-21 29744]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [2006-02-01 1252474]
S3 PsShutdownSvc;PsShutdown;c:\windows\system32\PSSDNSVC.EXE [2005-08-22 65536]
S3 SG760_XP;SAGEM 802.11g XG760 1211 Driver;c:\windows\system32\drivers\WlanUZXP.sys [2007-04-20 260608]
S3 ZDCndis5;ZDCndis5 Protocol Driver;c:\windows\system32\zdcndis5.sys [2009-01-16 137664]

--- Autres Services/Pilotes en mémoire ---

*NewlyCreated* - ZDPNDIS5
.
Contenu du dossier 'Tâches planifiées'

2009-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

2009-03-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-23 15:32]

2009-03-05 c:\windows\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHELINS SUPPRIMES - - - -

ShellExecuteHooks-{B3DDF3DF-0A05-4BE9-B37D-7021BD501C7A} - (no file)
ShellExecuteHooks-{A9386267-1CF0-48EC-9DBA-412A44C76334} - (no file)
ShellExecuteHooks-{9B8978FE-5B0E-476D-8F15-3FB5119A42F3} - (no file)
ShellExecuteHooks-{FE494031-756B-4865-99B4-4DE92DDCF609} - (no file)
ShellExecuteHooks-{46184B86-19FF-4A37-9167-4C538027CEBC} - (no file)
ShellExecuteHooks-{AC9A4670-B0B6-4EC7-B6A5-B29FA3530420} - (no file)
ShellExecuteHooks-{9B3DC09A-2613-4613-96F8-F8E305BFF825} - (no file)
ShellExecuteHooks-{C13945CA-D00B-4474-B105-3838809607EA} - (no file)
ShellExecuteHooks-{22EC45F3-1651-409E-8273-6D80E39B4549} - (no file)
ShellExecuteHooks-{391597A0-67FF-4D4F-9AFF-8471E5D0D3C9} - (no file)
ShellExecuteHooks-{BA9620A6-68E8-492D-9B28-7B7416F69673} - (no file)
ShellExecuteHooks-{04D3233B-EC1F-44B3-BBE4-9D76438EEC1E} - (no file)
ShellExecuteHooks-{51E74159-54A6-4355-A78F-55998328FC07} - (no file)
ShellExecuteHooks-{8342F32F-896F-4EDF-9E97-60E84C02EB9A} - (no file)

.
------- Examen supplémentaire -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page =
mStart Page = hxxp://www.google.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
FF - ProfilePath - c:\documents and settings\CKS Andre SNEYAERT\Application Data\Mozilla\Firefox\Profiles\h6n3nsr0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 12:42:18
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

c:\windows\explorer.exe [1200] 0x8509C2C0

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\FTRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Wanadoo\TaskBarIcon.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
.
**************************************************************************
.
Heure de fin: 2009-03-05 12:47:29 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-03-05 11:47:26
ComboFix2.txt 2009-03-04 17:49:47
ComboFix3.txt 2009-03-04 10:06:52
ComboFix4.txt 2009-03-03 19:58:06
ComboFix5.txt 2009-03-05 10:37:52

Avant-CF: 154 807 422 976 octets libres
Après-CF: 154,790,469,632 octets libres

405 --- E O F --- 2009-03-04 22:32:19
0
Réponse 118 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
Re,

ceci est vraiment à toi :

FINE CRUSH LTD.doc ?
0
Réponse 119 / 123
ROSALLY Messages postés 80 Statut Membre
 
oui c a moi c'est un doc sous word
0
Réponse 120 / 123
Lyonnais92 Messages postés 25708 Statut Contributeur sécurité 1 537
 
1. Télécharge The Avenger par Swandog46 sur le Bureau

http://www.geekstogo.com/forum/files/file/393-the-avenger-by-swandog46/

Clique sur Avenger.zip pour ouvrir le fichier
Extraire avenger.exe sur le bureau

2. Copier tout le texte en gras ci-dessous : mettre en surbrillance et appuyer sur les touches(Ctrl+C):

Begin copying here:

Files to delete:
c:\windows\Fonts\TIMPIatform.exe
c:\windows\Fonts\hdvlediv.dll
c:\windows\Fonts\wuauclt.exe
c:\windows\Fonts\zwkytzhe.dll
c:\windows\Fonts\qwinvafv.dll
c:\windows\Fonts\gzdnf01.dat
c:\windows\Fonts\GBUNHAK.nls
c:\windows\Fonts\ktuxlvyx.dll
c:\windows\Fonts\guhfpzpq.dll
c:\windows\Fonts\note.exe
c:\windows\TEMPIadHide3.dll
c:\program files\HJTInstall.7z
%System%\waudfe.exe
%System%\drivers\npf.sys
%System%\npptools.dll
%System%\Packet.dll
%System%\WanPacket.dll
%System%\wpcap.dll
%System%\dllcache\spoolsv.exe
c:\windows\system32\drivers\pnpmem.sys
c:\windows\battc.sys
c:\windows\system32\drivers\acpiec.sys
E:\CC.PIF
c:\program files\bccd.pif
c:\windows\system32\wauefe.exe
c:\windows\system32\wauefe.exe.vzr
c:\windows\tmp.dat
c:\windows\sys.ini
c:\windows\system32\drivers\pnpmem.s¬ys
c:\windows\system32\ormsgse.axz
c:\windows\system32\exlds.ini
c:\windows\system32\D64374E8.dll
c:\windows\system32\D64374E8.cfg
c:\windows\winyyy.sys
c:\windows\system32\201476D0.dll
c:\windows\system32\72B29486.dll
c:\windows\system32\91C7DF6D.dll.vzr
c:\windows\system32\91C7DF6D.cfg
c:\windows\system32\waudfe.exe
c:\windows\setupapi.log.3.old
c:\windows\system32\72B29486.cfg
c:\windows\winsys.inf
%FontsDir%\twabramn.nls
c:\windows\system32\eojcjojj.dll
c:\windows\system32\hbofjcgd.dll
c:\windows\system32\cpkhiooa.dll
c:\windows\system32\wauefe.exe.vzr
c:\windows\tmp.dat
c:\windows\sys.ini
c:\windows\system32\ormsgse.axz
c:\windows\system32\exlds.ini
c:\windows\system32\D64374E8.cfg
C:\zasuiteSetup_en.exe
c:\windows\system32\91C7DF6D.cfg
c:\windows\setupapi.log.3.old
c:\windows\system32\72B29486.cfg
c:\windows\winsys.inf
C:\mbam-log-2009-02-20 (21-42-58)VIRUS
c:\windows\system32\telechargement-159-hijackthis.htm
c:\windows\system32\dllcache\linkinfo.dll
c:\windows\system32\nsis_loader.dll
C:\WINDOWS\WinShell.\daemon.exe
c:\windows\system32\wauefe.exe.vzr

Folders to delete:
c:\windows\$WIND$
c:\windows\WinShell
c:\windows\Intel

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EF2D7A6-0B99-4C44-B04A-D47125B76424}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74A92EE1-64BD-4233-90B8-2AEB715FBF2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7E4329EB-0F3A-4FC6-BAED-5648F708D30C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ZX.ZXAAATL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MewBogoMediaPop.PopBogo
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MezsAdPopup.BWLogc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{489873CE-F3E1-44A3-8E89-04BE26BE4446}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentMatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IETimber
HKEY_LOCAL_MACHINE\SOFTWARE\cpush
HKEY_LOCAL_MACHINE\SOFTWARE\IETimber
HKEY_LOCAL_MACHINE\SOFTWARE\MicroPlugins
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTIARP.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ast.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRunKiller.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.COM
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Frameworkservice.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFUpd.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GuardField.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASARP.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav32.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.EXE
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonxp.KXP
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVWSC.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatch.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mmsk.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nod32kui.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAV.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ravservice.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAVTRAY.EXE]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Regedit.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rfwstub.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsMain.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RSTray.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Runiep.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanFrm.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngLdr.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.KXP
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPC32.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPTRAY.EXE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WOPTILITIES.EXE

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | "{8342F32F-896F-4EDF-9E97-60E84C02EB9A}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | "%FontsDir%\twabramn.nls"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run | "360safe"
hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks | "{91C7DF6D-AEF5-4136-9252-AF030D7A5931}"
hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks | "{1957817A-94B2-4CAC-B113-A331809B5730}"
hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks | "{E83C3833-A1EE-4C18-B34E-ACD20C0A646C}"
hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks | "{1B8F3C0D-D80F-428C-BBE1-013634121393}"
hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks | "{C941288A-27FC-484E-AC78-BA04CB41FD53}"
hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks | "{D64374E8-8B1D-49AB-9284-5072687B6BD3}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
"E83C3833"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | "1B8F3C0D"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | "C941288A"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows | "AppInit_DLLs"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost | "MSPolicyAgent"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | "Start Page"<gras>

<gras>IMPORTANT: Le code ci-dessus a été intentionnellement rédigé pour CET utilisateur.
si vous n'êtes pas CET utilisateur, NE PAS appliquer ces directives : elles pourraient endommager votre système.

Ferme toutes les applications et ton navigateur

3. Maintenant, lance The Avenger en cliquant sur son icône du bureau.

Vérifie que la case devant "Automatically disable any rootkits found" n'est pas cochée.

Cclique sur l'icone de droite (en rose et bleu). Le texte va se copier dans la fenêtre.

Clique sur Execute

4. The Avenger va automatiquement faire ce qui suit:

Il va Re-démarrer le système.
Pendant le re-démarrage, il apparaitra brièvement une fenêtre de commande de windows noire sur le bureau, ceci est NORMAL.
Après le re-démarrage, il crée un fichier log qui s'ouvrira, faisant apparaitre les actions exécutées par The Avenger. Ce fichier log se trouve ici : C:\avenger.txt
The Avenger aura également sauvegardé tous les fichiers, etc., que tu lui as demandé de supprimer, les aura compactés (zipped) et tranféré l'archive zip ici C:\avenger\backup.zip.

5. Pour finir copier/coller le contenu du ficher c:\avenger.txt dans ta réponse
0
Précédent
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

Discussions similaires

Erreur de lecture sur iptv smarters
Bogs -
bazfile -

1 réponse
Erreur de lecture des tv film et series sur mon appli iptv smarters pro
Constantenzostanley -
glandu -

1 réponse
Message "Un bloqueur de publicité empêche la lecture..."
pistouri -
pistouri -

0 réponse