Supression de spyware.. Résolu

Question

Bonjour,

j'ai attrapé quelques spywares il y a quelques jours et tenté de les suprimer en verifiant le rapport hijackthis sur http://www.hijackthis.de/fr. j'ai essayé en mode sans echec mais rien n'y fait, les spyware reviennent. quelqu'un pourait verifier ce rapport et me dire exactement quoi suprimer lorsque je serais en mode sans échec? 
merci d'avance :)







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:52, on 2009-03-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Samsung\EmoDio\SMSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32
vsvc32.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27b567dc-ba4a-4651-a078-8b04323bcf0d} - C:\WINDOWS\system32\zegipaso.dll (file missing)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\pabuwifo.dll gpiqzg.dll c:\windows\system32	elilobu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe

LapinouSexy · Accepted Answer

Bonjour,

Je n'ai aucune information sur les "spywares" dont vous parlez.

Je vous prie de télécharger Hijackthis.

Clique sur Do a system scan and save a logfile

A la fin du scan il devrait normalement ouvrir un fichier bloc-note copiez le texte qui est dedans en ENTIER et postez le ici.

Maxi · Answer

le rapport est la.. il faut clicé sur lire la suite. Le voila quand meme.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:47, on 2009-03-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Samsung\EmoDio\SMSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32
vsvc32.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27b567dc-ba4a-4651-a078-8b04323bcf0d} - C:\WINDOWS\system32\zegipaso.dll (file missing)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\pabuwifo.dll gpiqzg.dll c:\windows\system32	elilobu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe

LapinouSexy · Answer

Bon le rapport est long 
Tu va cocher cette ligne : O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE 

Mais avant va dans ton dossier Windows/System32 et cherche le fichier C:\WINDOWS\system32\RUNDLL32.EXE 

Existe t-il en en minuscule ?

O4 - HKLM\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s 
Ca aussi c'est bizarre,de plus google ne trouve rien à son propos:coche aussi.
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe:coche
O4 - HKUS\S-1-5-19\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s (User 'SERVICE LOCAL') 
O20 - AppInit_DLLs: C:\WINDOWS\system32\pabuwifo.dll gpiqzg.dll c:\windows\system32	elilobu.dll 
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file) 
O2 - BHO: (no name) - {27b567dc-ba4a-4651-a078-8b04323bcf0d} - C:\WINDOWS\system32\zegipaso.dll (file missing) 

Il y a du Vundo 

Télécharge Combo Fix et suis le tuto là : https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix#use puis poste le rapport ici.

Télécharge aussi https://www.malekal.com/tutoriel-malwarebyte-anti-malware/

Utilise les 2 progs en mode sans echec et suis bien le tuto de combo fix.

LapinouSexy · Answer

Et pour les truc a cochez :coche et clique sur Fix checked.

Maxi · Answer

Donc si je comprend bien , je vai en mode sans echec et je suprime les lignes :
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE 
O4 - HKLM\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s
Ca aussi c'est bizarre,de plus google ne trouve rien à son propos:coche aussi.
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe:coche
O4 - HKUS\S-1-5-19\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s (User 'SERVICE LOCAL')
O20 - AppInit_DLLs: C:\WINDOWS\system32\pabuwifo.dll gpiqzg.dll c:\windows\system32	elilobu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O2 - BHO: (no name) - {27b567dc-ba4a-4651-a078-8b04323bcf0d} - C:\WINDOWS\system32\zegipaso.dll (file missing)
et après les avoirs suprimé je telecharge Combo Fix et ensuite tout ce qui vien avec?

et oui il y a un rundll32.dll en minuscule dans /windows/system32

Maxi · Answer

*  il y a un rundll32.dll mais pas de RUNDLL32.exe

Maxi · Answer

*pluto un rudll32  tout court

Maxi · Answer

* rundll32    (dsl jecris trop vite )

LapinouSexy · Answer

ok 
Oui tu coche ces lignes mais tu peux le faire en mode normal ensuite fait les trucs suivant en mode sans echec^^

Maxi · Answer

voila le rapport combofix (je revien avecv le rapport malwarebyte's anti-malware)

ComboFix 09-03-04.01 - Administrateur 2009-03-05 12:26:13.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professionnel 5.1.2600.3.1252.2.1036.18.2047.1798 [GMT 1:00]
Lancé depuis: c:\documents and settings\Maximilien\Bureau\ComboFix.exe

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
[color=purple]Les fichiers ci-dessous ont été désactivés pendant l'exécution:[/color]
c:\windows\system32\pabuwifo.dll
c:\windows\system32\gpiqzg.dll

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gitaruza.dll
c:\windows\system32\gpiqzg.dll.vir
c:\windows\system32\howedera.dll
c:\windows\system32\sitflf.dll

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-02-05 au 2009-03-05 ))))))))))))))))))))))))))))))))))))
.

2009-03-05 12:13 . 2009-03-05 12:13 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-05 12:13 . 2009-03-05 12:13 <REP> d-------- c:\documents and settings\Maximilien\Application Data\Malwarebytes
2009-03-05 12:13 . 2009-03-05 12:13 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-05 12:13 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-05 12:13 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-05 10:25 . 2009-01-18 17:57 <REP> d--h----- c:\documents and settings\Administrateur\Voisinage réseau
2009-03-05 10:25 . 2009-01-18 17:57 <REP> d--h----- c:\documents and settings\Administrateur\Voisinage d'impression
2009-03-05 10:25 . 2009-01-18 18:16 <REP> d--h----- c:\documents and settings\Administrateur\Modèles
2009-03-05 10:25 . 2009-01-18 17:57 <REP> d-------- c:\documents and settings\Administrateur\Mes documents
2009-03-05 10:25 . 2009-01-18 17:57 <REP> dr------- c:\documents and settings\Administrateur\Menu Démarrer
2009-03-05 10:25 . 2009-01-18 17:57 <REP> d-------- c:\documents and settings\Administrateur\Favoris
2009-03-05 10:25 . 2009-03-05 10:45 <REP> d-------- c:\documents and settings\Administrateur\Bureau
2009-03-05 10:25 . 2009-03-05 10:43 <REP> d-------- c:\documents and settings\Administrateur
2009-03-04 19:40 . 2009-03-04 19:40 <REP> d-------- c:\documents and settings\All Users\Application Data\CCP
2009-03-04 18:17 . 2009-03-05 10:38 211 --a------ c:\windows\wininit.ini
2009-03-04 17:25 . 2009-03-04 17:25 <REP> d-------- c:\program files\Easy Video Downloader
2009-03-03 20:57 . 2009-03-03 20:57 65 --a------ c:\windows\FISHUI.INI
2009-03-03 20:50 . 2009-03-03 20:50 <REP> d-------- c:\program files\MyFree Codec
2009-03-03 17:16 . 2009-03-03 17:16 <REP> d-------- c:\program files\MarkAny
2009-03-03 17:16 . 2009-03-03 20:50 <REP> d-------- C:\My Video
2009-03-03 17:16 . 2009-03-03 17:16 <REP> d-------- C:\My Photo
2009-03-03 17:16 . 2009-03-03 20:54 <REP> d-------- c:\documents and settings\Maximilien\Application Data\DataCast
2009-03-03 17:15 . 2009-03-03 17:15 <REP> d-------- c:\program files\Samsung
2009-02-28 01:02 . 2009-02-28 01:02 <REP> d-------- c:\windows\system32\Adobe
2009-02-16 22:02 . 2009-02-16 22:02 <REP> d-------- C:\Logs
2009-02-16 20:30 . 2009-02-16 20:30 <REP> d-------- c:\program files\OO Software
2009-02-16 20:30 . 2009-02-16 20:30 <REP> d-------- c:\documents and settings\All Users\Application Data\OO Software
2009-02-16 20:26 . 2009-02-16 20:26 <REP> d-------- c:\program files\Trend Micro
2009-02-16 18:22 . 2009-02-16 18:56 <REP> d-------- c:\program files\StepMania CVS
2009-02-15 21:14 . 2009-02-15 21:14 <REP> d-------- c:\program files\Logitech
2009-02-15 21:14 . 2009-02-15 21:14 <REP> d-------- c:\program files\Fichiers communs\Logitech
2009-02-15 21:00 . 2009-02-15 21:04 <REP> d-------- c:\windows\UbiSoft
2009-02-15 21:00 . 2009-02-15 21:00 <REP> d-------- C:\UbiSoft
2009-02-15 19:01 . 2009-02-15 19:01 <REP> d-------- c:\program files\Fichiers communs\Blizzard Entertainment
2009-02-15 18:57 . 2009-03-03 19:06 <REP> d-------- c:\program files\World of Warcraft
2009-02-15 00:09 . 2009-02-15 00:09 <REP> d-------- c:\program files\Common Files
2009-02-15 00:09 . 2003-07-19 16:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-15 00:09 . 2005-01-03 07:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-14 20:30 . 2009-02-14 20:54 <REP> d-------- c:\documents and settings\Maximilien\Application Data\GarageGames
2009-02-14 20:02 . 2009-03-05 11:07 <REP> d-------- c:\program files\DNA
2009-02-14 20:02 . 2009-03-05 12:07 <REP> d-------- c:\documents and settings\Maximilien\Application Data\DNA
2009-02-14 08:20 . 2009-02-14 08:20 <REP> d-------- c:\program files\Fichiers communs\DirectX
2009-02-13 20:10 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-02-13 20:10 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-02-13 20:10 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-02-13 20:10 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-02-06 13:37 . 2009-02-06 13:37 <REP> d-------- c:\program files\SMPlayer
2009-02-06 13:37 . 2009-03-05 00:22 <REP> d-------- c:\documents and settings\Maximilien\.smplayer
2009-02-06 11:27 . 2009-02-06 11:34 <REP> d-------- c:\program files\Cheat Engine
2009-02-06 11:27 . 2007-12-26 17:30 1,970,176 --a------ c:\windows\system32\d3dx9.dll
2009-02-06 11:27 . 2007-12-26 17:30 679,936 --a------ c:\windows\system32\D3DX81ab.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 11:31 --------- d-----w c:\program files\Steam
2009-03-05 09:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 23:43 --------- d-----w c:\documents and settings\Maximilien\Application Data\Skype
2009-03-04 15:07 --------- d-----w c:\documents and settings\Maximilien\Application Data\skypePM
2009-03-03 16:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-28 07:50 --------- d-----w c:\documents and settings\Maximilien\Application Data\uTorrent
2009-02-15 21:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-01 16:58 --------- d-----w c:\program files\uTorrent
2009-01-31 18:28 --------- d-----w c:\program files\Bethesda Softworks
2009-01-31 18:28 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-01-30 18:43 --------- d-----w c:\program files\Runes of Magic
2009-01-23 10:00 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-22 21:19 --------- d-----w c:\documents and settings\Maximilien\Application Data\InstallShield
2009-01-19 09:38 --------- d--h--r c:\documents and settings\Maximilien\Application Data\SecuROM
2009-01-19 09:38 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-19 09:05 --------- d-----w c:\program files\Rockstar Games
2009-01-19 09:03 --------- d-----w c:\program files\MSBuild
2009-01-19 09:01 --------- d-----w c:\program files\Reference Assemblies
2009-01-19 08:25 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-19 08:25 --------- d-----w c:\program files\Windows Live
2009-01-19 08:25 --------- d-----w c:\program files\Microsoft
2009-01-19 08:23 --------- d-----w c:\program files\Fichiers communs\Windows Live
2009-01-19 00:43 --------- d-----w c:\program files\Skype
2009-01-19 00:43 --------- d-----w c:\program files\Fichiers communs\Skype
2009-01-19 00:43 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-01-19 00:17 --------- d-----w c:\program files\Avira
2009-01-18 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-01-18 23:38 --------- d-----w c:\program files\Fichiers communs\Wise Installation Wizard
2009-01-18 23:35 315,392 ----a-w c:\windows\HideWin.exe
2009-01-18 23:35 --------- d-----w c:\program files\Realtek
2009-01-18 20:24 --------- d-----w c:\documents and settings\Maximilien\Application Data\Media Player Classic
2009-01-18 20:24 --------- d-----w c:\documents and settings\Maximilien\Application Data\DivX
2009-01-18 19:50 --------- d-----w c:\program files\Fichiers communs\Adobe
2009-01-18 19:30 --------- d-----w c:\documents and settings\Maximilien\Application Data\Winamp
2009-01-18 19:27 --------- d-----w c:\program files\Gameforge4D
2009-01-18 19:24 64,703 ----a-w c:\windows\BricoPackUninst.cmd
2009-01-18 19:24 6,120 ----a-w c:\windows\BricoPackFoldersDelete.cmd
2009-01-18 19:02 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2009-01-18 18:58 --------- d-----w c:\program files\Winamp
2009-01-18 18:55 --------- d-----w c:\program files\QuickTime
2009-01-18 18:55 --------- d-----w c:\program files\Fichiers communs\Apple
2009-01-18 18:55 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-18 18:54 --------- d-----w c:\program files\DivX
2009-01-18 18:54 --------- d-----w c:\program files\Apple Software Update
2009-01-18 18:54 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-01-18 18:53 --------- d-----w c:\program files\Lavalys
2009-01-18 18:53 --------- d-----w c:\program files\CCleaner
2009-01-18 17:31 --------- d-----w c:\program files\Fichiers communs\InstallShield
2009-01-18 17:20 --------- d-----w c:\program files\microsoft frontpage
2009-01-18 17:16 --------- d-----w c:\program files\Services en ligne
2009-01-13 18:13 49,160 ----a-w c:\windows\system32\drivers\WmXlCore.sys
2009-01-13 18:13 29,192 ----a-w c:\windows\system32\drivers\WmFilter.sys
2009-01-13 18:13 19,336 ----a-w c:\windows\system32\drivers\WmBEnum.sys
2009-01-13 18:13 14,728 ----a-w c:\windows\system32\drivers\WmVirHid.sys
1601-01-01 00:12 47,616 --sha-w c:\windows\system32\lekewelo.dll
.

------- Sigcheck -------

2008-04-14 03:34 979968 3efe912dd25d2586e6a0341db0a66f69 c:\windows\explorer.exe
2004-08-20 00:09 1036288 2a7bd330924252a2fd80344fc949bb72 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 03:34 979968 3efe912dd25d2586e6a0341db0a66f69 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-20 00:10 112640 fc21787f32e3793a4c7c02d2bfaa5ae0 c:\windows\$NtServicePackUninstall$\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\ServicePackFiles\i386\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OODIIcon]
@="{14A94384-BBED-47ed-86C0-6BF63FD892D0}"
[HKEY_CLASSES_ROOT\CLSID\{14A94384-BBED-47ed-86C0-6BF63FD892D0}]
2008-09-05 02:31 111872 --a------ c:\program files\OO Software\DiskImage\oodishi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-01-18 1410296]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-01-19 306088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-12-26 13680640]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-12-26 86016]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-01-21 92168]
"SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2009-02-18 484888]
"nabeyiraro"="c:\windows\system32\lekewelo.dll" [1601-01-01 47616]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\pabuwifo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Steam\\steamapps\\jeu015\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\jeu015\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\warhammer 40,000 dawn of war ii - beta\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\jeu015\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2spdemo\\FEAR2SPDemo.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0.7561-to-2.4.0.8089-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\eve online\\eve.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\eve online\\bin\\ExeFile.exe"=
"c:\\WINDOWS\\system32\\dmadmin.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-01-19 22336]
R0 oodisr;O&O DiskImage Snapshot/Restore Driver;c:\windows\system32\drivers\oodisr.sys [2008-09-05 95752]
R0 oodisrh;oodisrh;c:\windows\system32\drivers\oodisrh.sys [2008-09-05 28680]
R0 oodivd;O&O DiskImage VirtualDisk Driver;c:\windows\system32\drivers\oodivd.sys [2008-09-05 133640]
R0 oodivdh;oodivdh;c:\windows\system32\drivers\oodivdh.sys [2008-09-05 31240]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-01-19 45376]
R2 O&O DiskImage;O&O DiskImage;c:\program files\OO Software\DiskImage\oodiag.exe [2008-09-05 1934592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-01-18 36864]
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{27b567dc-ba4a-4651-a078-8b04323bcf0d} - c:\windows\system32\zegipaso.dll

.
------- Examen supplémentaire -------
.
FF - ProfilePath - c:\documents and settings\Maximilien\Application Data\Mozilla\Firefox\Profiles\6naw1gvt.default\
FF - plugin: c:\documents and settings\Maximilien\Application Data\Mozilla\Firefox\Profiles\6naw1gvt.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 12:31:40
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-796845957-1935655697-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:fd,28,fe,e4,7e,4e,49,36,6d,8f,3a,36,ca,de,1e,70,af,0f,cf,f4,4c,
93,4a,44,62,66,f2,38,d0,47,ed,d5,1d,f4,68,4f,c1,e1,3a,b8,6e,74,bd,22,98,b4,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODI03.00.00.01PRO"="0094C6061E0CB84B9ADE645D19F55B6FFBF39A9926F79A225D97B9E3FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79335D575E7D6A3B9808FEBC9E127BECC74CA6A0AC4980AC79332C2A1AADAC23CBAC26237F8D64E27AE425EC1FC6C80E6CC692B8A1AE63D31A654BACD9EE59F3D78B158180507E5CFDCB6D203F12D2D757A89B5E10D6B8D1EDBD9AC3E8A28C9B9B8955DE36DB7F53EBBFAA2EA9EF4D4B54A8C91455F7B990B613D5DD99F4DF6F39DC64DB6018561D657DC088A8A19CDDA02E86B968C95E466F198C6D30B580080A9F179D2F8C8355BFA868247C09B6CAAE0591B83426B2ED45E220ECE45C2E4017CE16CBC8E99ED682C5AE7D56AC278EA3DBFA791A0F57489B6848D5E4014038A1CADA94480052C26AC1730E5E380D6C59C6A8ECED28815809851028535F20551DDA38A6B9C55C7F67E96DDBAE799C6A5D3DD404F73978E3D77B55E8C2D8C93F31274F38A2D40FB51FEF2369D7651CD26F1B0D35F32D97F607EE4C9D3EF2CD61393C1980756A50D1EA6AF2C0DB90E734879DB37D1115D1604968795440D5D36DC38D613E1E699B0554D48D7031B66D5FCEE97DD7F3A429340353391ABBCF13D5166FC7AF7AD67DC51E8C760BC4B7B26AA008F4C9B533B6C851813A0596CFD9D3259BBF9B5B5D99CC3CD408A373944C3111E1F7D9E0BCA6398225FE2B276C0962202F11C9884B2517D753ED5691F5E65165C73812F6E2B8E396D8DE283CDC1743E2AB59863B11EB65CB92A9BE66A5C02C15EC3A8069E6C2EE4717839C177F0C7A837706A322454A3C2A028F002C932FE8CF675AB723B12B3DFCC26D2C6B55844FC8D9DAF35D2334663872C8BE91D117717635C34F7F50EF7E579E6DFD6301B34E2D81715184852FF06C9A51A53B9675F29DB3F9624CF0201EA8D22BBD1BCE5DC6E1803418A2F1D52BF3967A62BEBED8DF10A7D00E50E860D0F6ECA09A2529DB4EC94A63A9B20B562BAF626A252748E4EECA37F4F543AFE88DFDDB1F4905229ABB7B39926A291DF14C346296A5F455519A006E6140CEDF8590A975460034ED9D2C448C2AC16B1580A8C9DACE1B982E6720133CEA18953B97D61FF00FFB20E5F700A263E59DD3056B22EC7833C57B3C0982217434ABAA2513A4B46B43FC2886D35AC9C2D36EAFA231DECEC837E4F78FA70774CE382E16258082F3E40245A3F06EA3229659A84148E446523DA4BF5DDBC93810E64556D3E67BB89B43BE1D5BE99909462A2F443FF2AA8892AD981F6D758D6529BA7DDDD33B34591ECC3E500BDBB9F886AFDD3FD145BF9359D38351DF58219EA8AED484F915EEB5A22E9C2EE351C7A965BC48191905EF1E294EAA28E02546BA2E8A960C1F0D05E403F9C88A0BFCD1911CC9A1D7271C1EA1B51F25780E1C"
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Heure de fin: 2009-03-05 12:33:17 - La machine a redémarré [Maximilien]
ComboFix-quarantined-files.txt 2009-03-05 11:33:15

Avant-CF: 152 562 769 920 octets libres
Après-CF: 152,555,278,336 octets libres

247 --- E O F --- 2009-02-28 02:00:26

LapinouSexy · Answer

Ok j'attend l'autre rapport

Maxi · Answer

désolé du délai, le second et dernier rapport sera posté ce soir. le scan est long et jai du quitter. ausitot que je revien a mon ordinateur je le poste.

Maxi · Answer

voici le rapport de malwarebyts après la supression des infection.


Malwarebytes' Anti-Malware 1.34
Database version: 1820
Windows 5.1.2600 Service Pack 3

2009-03-05 21:37:58
mbam-log-2009-03-05 (21-37-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 204899
Time elapsed: 2 hour(s), 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pabuwifo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27b567dc-ba4a-4651-a078-8b04323bcf0d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{27b567dc-ba4a-4651-a078-8b04323bcf0d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
abeyiraro (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pabuwifo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pabuwifo.dll  -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\pabuwifo.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lekewelo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pabuwifo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090304-180650-995.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090304-190831-416.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090305-104737-840.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2938E362-45FC-447B-9B34-8FE610A2EB05}\RP14\A0005084.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2938E362-45FC-447B-9B34-8FE610A2EB05}\RP14\A0006130.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2938E362-45FC-447B-9B34-8FE610A2EB05}\RP40\A0010202.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2938E362-45FC-447B-9B34-8FE610A2EB05}\RP65\A0024765.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2938E362-45FC-447B-9B34-8FE610A2EB05}\RP66\A0025862.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtServicePackUninstall$\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

LapinouSexy · Answer

Ah j'avais raison du Vundo , saleté de virus >< bon refait un petit rapport HijackThis et un petit nettoyage avec Ccleaner et sa devrait être bon^^

Maxi · Answer

nettoyage avec ccleaner affectué et voici le rapport hijackthis :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:17, on 2009-03-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32
vsvc32.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:  gpiqzg.dll c:\windows\system32	elilobu.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe

LapinouSexy · Answer

Coche ça :

O20 - AppInit_DLLs: gpiqzg.dll c:\windows\system32	elilobu.dll 

O4 - HKUS\S-1-5-20\..\Run: [nabeyiraro] Rundll32.exe "C:\WINDOWS\system32\lekewelo.dll",s (User 'SERVICE RÉSEAU') 

Et fix checked mais en mode sans echec !

Maxi · Answer

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11, on 2009-03-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Samsung\EmoDio\SMSTray.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
C:\Program Files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32
vsvc32.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe

LapinouSexy · Answer

Magie! C'est parti !

Bon maintenant je te conseille de faire attention a ton surf sur le web  et d'installer:
Anti-Vir+Comodo Firewall+Spyware Terminator+un HIPS.

Plus d'information sur Malekal.com

Maxi · Answer

Merci beaucoup LapinouSexy ! je vaisi suivre tes recommandation :)

problême resolu :D

Supression de spyware..

19 réponses

Votre réponse

Newsletters