MALWARE DOCTOR Help

Glux -
Glux - 7 juin 2009 à 10:09

Bonjour,

Mon père a téléchargé Malware Doctor qui bloque à peu près tout sur son ordinateur. Je pensais même formater mais impossible. Impossible aussi de booter sur le CD au démarrage du PC...

J'ai vu qu'il y avait déjà des messages sur le sujet mais chaque cas étant différent, j'ai préféré en ouvrir un nouveau. J'ai aussi récupéré RSIT.exe dont voici ci-dessous le rapport. J'espère que ce sera utile.

Merci d'avance +

---------------------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrateur at 2009-06-03 07:52:08
Microsoft Windows XP Professionnel Service Pack 3
System drive C: has 4 GB (18%) free of 20 GB
Total RAM: 1022 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:52:21, on 03/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\bdfxgja.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Administrateur\Bureau\RSIT.exe
C:\Program Files\trend micro\Administrateur.exe
c:\lsass.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {65b20f92-686a-4273-ac3c-e2cc48227cbb} - C:\WINDOWS\system32\vajetezo.dll
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {c2ba40a1-74f3-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [6446] C:\bdfxgja.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\ujfkwkwe9.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\981759230.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\ujfkwkwe9.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [A00FEBADF.exe] C:\WINDOWS\TEMP\_A00FEBADF.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [A00FE603C.exe] C:\WINDOWS\TEMP\_A00FE603C.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Démarrage rapide du logiciel HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: NameServer = 85.255.112.13,85.255.112.110
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: c:\windows\system32\pujawewo.dll C:\WINDOWS\system32\gumiviho.dll c:\progra~1\ThunMail\testabd.dll c:\windows\system32\lugibifi.dll
O20 - Winlogon Notify: bqcsgzcx - C:\WINDOWS\SYSTEM32\bqcsgzcx32.dll
O20 - Winlogon Notify: __c00A270D - C:\WINDOWS\system32\__c00A270D.dat
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lugibifi.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lugibifi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Service de transfert intelligent en arrière-plan (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Afficher la suite

A voir également:

MALWARE DOCTOR Help
Malwarebytes anti-malware - Télécharger - Antivirus & Antimalwares
Pc doctor - Télécharger - Optimisation
Spyware doctor - Télécharger - Antivirus & Antimalwares
Disk doctor - Télécharger - Récupération de données
Car doctor - Télécharger - Vie quotidienne

23 réponses

Réponse 1 / 23

Utilisateur anonyme

Salut ,

tu es très infecter.

▶ Installe - Télécharge SmitfraudFix (de de S!Ri, balltrap34 et moe31)

▶ Option:1 => Recherche:

▶ Double cliquer sur SmitfraudFix.exe

▶ Sélectionner 1 et pressez =>Entrée dans le menu pour créer

▶ un rapport des fichiers responsables de l'infection. Le rapport se trouve à la racine du disque

▶ C:\rapport.txt et colle le rapport génèrer sur le forum.

▶ Ne pas faire l'option 2 sans un avis d'une personne compétente*<=

Tutoriel Smitfraudix

Si un rapport ne passe pas faire une alerte à la conciergerie avec le /!\ jaune.

Réponse 2 / 23

Glux

Merci V-X,

Voilà le rapport généré :

SmitFraudFix v2.418

Rapport fait à 15:40:28,15, 03/06/2009
Executé à partir de C:\Documents and Settings\Administrateur\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\Documents and Settings\LocalService\Application Data\1458931097.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Documents and Settings\LocalService\Application Data\1458931097.exe
C:\bdfxgja.exe
C:\Documents and Settings\Administrateur\Bureau\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
c:\lsass.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\autorun.inf PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\ld08.exe PRESENT !
C:\WINDOWS\pp06.exe PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ahtn.htm PRESENT !
C:\WINDOWS\system32\DL32.exe PRESENT !
C:\WINDOWS\system32\frmwrk32.exe PRESENT !
C:\WINDOWS\system32\SYS32DLL.exe PRESENT !
C:\WINDOWS\system32\warning.gif PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrateur

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrateur\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\Favoris

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B2BA40A2-74F0-42BD-F434-12345A2C8953}"="jso8joigm409gopgmrlgd"

[HKEY_CLASSES_ROOT\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\yhs783ijfo3fe.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\yhs783ijfo3fe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C2BA40A1-74F3-42BD-F434-12345A2C8953}"="sdfsefsfdvdubgiungfuyd"

[HKEY_CLASSES_ROOT\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\afnoinkdsfe.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\afnoinkdsfe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"="STS"

[HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="c:\windows\system32\lugibifi.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="c:\windows\system32\lugibifi.dll"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\pujawewo.dll C:\\WINDOWS\\system32\\gumiviho.dll c:\\progra~1\\ThunMail\\testabd.dll c:\\windows\\system32\\lugibifi.dll"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Votre ordinateur est certainement victime d'un détournement de DNS: 85.255.x.x détecté !

Description: Intel(R) PRO/100 VE Network Connection - Miniport d'ordonnancement de paquets
DNS Server Search Order: 85.255.112.13
DNS Server Search Order: 85.255.112.110

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.112.13,85.255.112.110

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Réponse 3 / 23

Utilisateur anonyme

Re,

Option 2 - Suppression :

Fais redémarrer ton ordinateur en mode sans échec

- Au démarrage, après le chargement du bios, appuie successivement sur la touche F8 (ou F5) de ton clavier jusqu'à l'apparition d'un menu sur fond noir. Une fois arrivé à ce stade, sélectionne à l'aide du clavier Mode sans Echec.

-- Dans ce mode, tu n'as pas accès à Internet, et tu te retrouves avec une configuration visuelle différente (pas de fond d'écran, icônes très grosses). Ne sois donc pas étonné.
--- C'est pour ces différentes raisons que je t'invite à imprimer, noter, ou enregistrer dans un document texte les informations suivantes afin de ne pas être perdu.

! Ne fais pas démarrer ton ordinateur en mode sans échec via MSConfig ! Pourquoi ? Certaines infections cassent les clefs du mode sans échec, ce qui ferait crasher ton ordinateur.

Relance SmitfraudFix.

Choisis l’option 2. (Oui à toutes les questions)

Si tu dois faire redémarrer ton ordi, fais-le. Quoi qu'il en soit, fais redémarrer ton ordinateur à la fin du Fix.

Poste le rapport qui se situe dans C:\rapport.txt (sans les lignes faisant référence au fichier Hosts) .

Si un rapport ne passe pas faire une alerte à la conciergerie avec le /!\ jaune.

Réponse 4 / 23

Glux

Merci. J'ai failli pas pouvoir poster le précédent rapport. Je n'ai plus accès à Internet en mode normal. La bonne nouvelle, ça a l'air un poil mieux et ça a viré le fond d'écran "warning"... Je suis donc en mode sans échec avec prise en charge du réseau. Bref, sympa de m'aider en tout cas.

Voilà le nouveau rapport (j'ai viré la ligne HOST mais je t'en colle peut-être trop, j'ai pas bien compris) :

Rapport fait à 16:01:00,60, 03/06/2009
Executé à partir de C:\Documents and Settings\Administrateur\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B2BA40A2-74F0-42BD-F434-12345A2C8953}"="jso8joigm409gopgmrlgd"

[HKEY_CLASSES_ROOT\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\yhs783ijfo3fe.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\yhs783ijfo3fe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C2BA40A1-74F3-42BD-F434-12345A2C8953}"="sdfsefsfdvdubgiungfuyd"

[HKEY_CLASSES_ROOT\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\afnoinkdsfe.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\afnoinkdsfe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"="STS"

[HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="c:\windows\system32\lugibifi.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="c:\windows\system32\lugibifi.dll"

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

C:\autorun.inf supprimé
C:\WINDOWS\ld08.exe supprimé
C:\WINDOWS\pp06.exe supprimé
C:\WINDOWS\system32\ahtn.htm supprimé
C:\WINDOWS\system32\DL32.exe supprimé
C:\WINDOWS\system32\frmwrk32.exe supprimé
C:\WINDOWS\system32\SYS32DLL.exe supprimé
C:\WINDOWS\system32\warning.gif supprimé

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1CCD4360-C880-40C7-B6ED-061595DB1629}: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.13,85.255.112.110
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.112.13,85.255.112.110

»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK.2

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B2BA40A2-74F0-42BD-F434-12345A2C8953}"="jso8joigm409gopgmrlgd"

[HKEY_CLASSES_ROOT\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\yhs783ijfo3fe.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\yhs783ijfo3fe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C2BA40A1-74F3-42BD-F434-12345A2C8953}"="sdfsefsfdvdubgiungfuyd"

[HKEY_CLASSES_ROOT\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\afnoinkdsfe.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@="C:\WINDOWS\system32\afnoinkdsfe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"="STS"

[HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="c:\windows\system32\lugibifi.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="c:\windows\system32\lugibifi.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Vous n’avez pas trouvé la réponse que vous recherchez ?

Posez votre question

Réponse 5 / 23

Utilisateur anonyme

Re,

▶ Télécharge et installe MalwareByte's Anti-Malware
Malwarebyte

▶ Mets le à jour

▶ Double clique sur le raccourci de MalwareByte's Anti-Malware qui est sur le bureau.

▶ Sélectionne Exécuter un examen COMPLET si ce n'est pas déjà fait

▶ clique sur Rechercher

▶ Une fois le scan terminé, une fenêtre s'ouvre, clique sur sur Ok

▶ Si MalwareByte's n'a rien détecté, clique sur Ok Un rapport va apparaître ferme-le.

▶ Si MalwareByte's a détecté des infections, clique sur Afficher les résultats ensuite sur Supprimer la sélection

▶ Enregistre le rapport sur ton Bureau comme cela il sera plus facile à retrouver, poste ensuite ce rapport.

Note : Si MalwareByte's a besoin de redémarrer pour terminer la suppression, accepte en cliquant sur Ok

Tutoriel pour MalwareByte's

Si un rapport ne passe pas faire une alerte à la conciergerie avec le /!\ jaune.

Réponse 6 / 23

Glux

Cool ! Beaucoup mieux !!! Malware doctor a disparu et les choses recommencent à fonctionner ! Eu beaucoup de mal à downloader et à installer Malware car les liens internet ne voulaient pas s'initialiser à cause du (ou d'un) virus. Bref, voilà le dernier rapport (je n'ai par contre pas réussi à mettre à jour le soft):

Malwarebytes' Anti-Malware 1.37
Version de la base de données: 2182
Windows 5.1.2600 Service Pack 3

03/06/2009 21:25:23
mbam-log-2009-06-03 (21-25-23).txt

Type de recherche: Examen complet (C:\|D:\|E:\|)
Eléments examinés: 157783
Temps écoulé: 18 minute(s), 47 second(s)

Processus mémoire infecté(s): 1
Module(s) mémoire infecté(s): 5
Clé(s) du Registre infectée(s): 28
Valeur(s) du Registre infectée(s): 10
Elément(s) de données du Registre infecté(s): 16
Dossier(s) infecté(s): 3
Fichier(s) infecté(s): 116

Processus mémoire infecté(s):
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Unloaded process successfully.

Module(s) mémoire infecté(s):
c:\WINDOWS\system32\hufovora.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gumiviho.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\afnoinkdsfe.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\__c00A270D.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yhs783ijfo3fe.dll (Roorkit.Agent) -> Delete on reboot.

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65b20f92-686a-4273-ac3c-e2cc48227cbb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{65b20f92-686a-4273-ac3c-e2cc48227cbb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a270d (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Roorkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Roorkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{65b20f92-686a-4273-ac3c-e2cc48227cbb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\455354e2 (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\455354e2 (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\455354e2 (Rootkit.Rustok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fci (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fci (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fci (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a4e5d39e (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viyowojeso (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpma7d6e002 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7605 (Trojan.Downloader) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\hufovora.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gumiviho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gumiviho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.OnlineGamer) -> Data: c:\progra~1\thunmail\testabd.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.13,85.255.112.110 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ccd4360-c880-40c7-b6ed-061595db1629}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.13,85.255.112.110 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.13,85.255.112.110 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1ccd4360-c880-40c7-b6ed-061595db1629}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.13,85.255.112.110 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.13,85.255.112.110 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{1ccd4360-c880-40c7-b6ed-061595db1629}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.13,85.255.112.110 -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\ThunMail (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
c:\WINDOWS\system32\dimojumi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\imujomid.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\fepabavi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ivabapef.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\fifiteko.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\oketifif.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\jawohame.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\emahowaj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\kamujibi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ibijumak.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lidanufu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ufunadil.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\numisufe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\efusimun.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pahiboji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ijobihap.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sebiniha.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ahinibes.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wefakuve.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\evukafew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yinuyoni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\inoyuniy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\zefumiwu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\uwimufez.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zikewapo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hufovora.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vajetezo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yhs783ijfo3fe.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\afnoinkdsfe.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\gumiviho.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\__c00A270D.dat (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\LocalService\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\796525\796525.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\celkadaa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\ohkbrkoo.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\okex.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\pdtivk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\tqrsiug.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\wwmeoblk.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\xmrgycj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrateur\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
c:\documents and settings\administrateur\reader_s.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\administrateur\menu démarrer\programmes\démarrage\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1225878157-3580828234-054595695-6191\service.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\instsp2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ak1.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\AshEvtSvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\glsetup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\jibilidi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\jkshfuiehi.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\junetike.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\kubuyula.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lemutuja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mibewoja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nilokuke.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\norefose.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pemivubu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\reader_s.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rugobiho.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\stfa.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\viheheji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vusurewi.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winglsetup.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yigejiyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yugobuku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c0011990.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c001AAE4.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c003DF2C.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c0048400.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00581BE.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c007C07C.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00FE46A.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\menu démarrer\programmes\démarrage\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\dllcache\userinit.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\455354e2.sys (Rootkit.Rustok) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\ThunMail\testabd.dll (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
c:\program files\ThunMail\testabd.exe (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
c:\WINDOWS\t55ft2692f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Invité\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\S-6-1-73-100024263-100032242-100016182-2969.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftp_non_crp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Invité\Local Settings\Temp\mousehook.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pujawewo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Invité\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\cecyooc_navps.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\cecyooc_nav.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dowuvedo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tewetopi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Invité\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loader49.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\poedmta.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\bdfxgja.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zeginizo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\benituyo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\service-466.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Super en tout cas. Je suis très content :)

Réponse 7 / 23

Utilisateur anonyme

Re,

Supprime la quarantaine de malwarebyte.

▶ Télécharge CCleaner (N'installe pas la Yahoo Toolbar) :
CCLEANER

▶ Lance-le. Va dans "Options" puis "Avancé",

▶ Tu décoches la case "Effacer uniquement les fichiers etc...".

▶ Tu vas dans "Nettoyeur", tu fais "Analyse". Une fois terminé, tu lances le nettoyage.

▶ Tu vas dans "Registre", tu fais "Chercher des erreurs".

Une fois terminé, tu répares toutes les erreurs sans sauvegarder la base de registre.

▶ Un tuto ( aide )

Puis tu redémarre ton PC et refait un log avec RSIT

Réponse 8 / 23

Glux

C'est fait. Voilà le log :

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrateur at 2009-06-03 22:04:47
Microsoft Windows XP Professionnel Service Pack 3
System drive C: has 4 GB (22%) free of 20 GB
Total RAM: 1022 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:04:50, on 03/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrateur\Bureau\RSIT.exe
C:\Program Files\trend micro\Administrateur.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\ujfkwkwe9.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\981759230.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\ujfkwkwe9.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [A00FEBADF.exe] C:\WINDOWS\TEMP\_A00FEBADF.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [A00FE603C.exe] C:\WINDOWS\TEMP\_A00FE603C.exe (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Démarrage rapide du logiciel HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: c:\windows\system32\pujawewo.dll
O20 - Winlogon Notify: bqcsgzcx - C:\WINDOWS\SYSTEM32\bqcsgzcx32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Service de transfert intelligent en arrière-plan (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Réponse 9 / 23

Utilisateur anonyme

Re,

---> Télécharge OTM (D'OldTimer) sur ton Bureau :

---> Double-clique sur OTMoveIt3.exe afin de le lancer.

---> Copie (Ctrl+C) le texte suivant en gras ci-dessous :

:processes
explorer.exe

:files
c:\windows\temp\981759230.exe
c:\windows\temp\ujfkwkwe9.exe
c:\windows\system32\gumiviho.dll
c:\windows\system32\ashevtsvc.exe
c:\windows\system32\lklf32.dll
c:\windows\system32\jhxm32.dll
c:\windows\system32\kesezila.dll
c:\windows\system32\gunowini.dll
c:\windows\system32\helileve.dll
c:\windows\system32\kidohili.dll
c:\windows\system32\hifofiga.dll
c:\windows\system32\zemupalu.exe
C:\WINDOWS\system32\jbnmcd.dll
C:\WINDOWS\system32\delahiru.dll
C:\WINDOWS\system32\zodabuma.dll
C:\WINDOWS\system32\murewozi.dll
C:\WINDOWS\system32\yuhasifo.dll
C:\WINDOWS\system32\kiligefu.dll
C:\WINDOWS\system32\lugibifi.dll
C:\WINDOWS\system32\vic_setup.exe
C:\WINDOWS\system32\bqcsgzcx32.dll
C:\WINDOWS\system32\bqcsgzcx.dll
C:\WINDOWS\system32\jbnmcd.dll
C:\WINDOWS\system32\jbnmck.dll

:Reg
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Manager"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Resurections"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bqcsgzcx]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\AshEvtSvc.exe"=-

:commands
[emptytemp]
[start explorer]

---> Colle (Ctrl+V) le texte précédemment copié dans le cadre Paste Instructions for Items to be Moved.

---> Clique maintenant sur le bouton MoveIt! puis ferme OTMoveIt3.

Si un fichier ou dossier ne peut pas être supprimé immédiatement, le logiciel te demandera de redémarrer.
Accepte en cliquant sur YES.

---> Poste le rapport situé dans ce dossier : C:\_OTMoveIt\MovedFiles\
Le nom du rapport correspond au moment de sa création : date_heure.log

Réponse 10 / 23

Glux

Bonjour V-X. Voilà le rapport d'OTM :

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\windows\temp\981759230.exe not found.
File/Folder c:\windows\temp\ujfkwkwe9.exe not found.
File/Folder c:\windows\system32\gumiviho.dll not found.
File/Folder c:\windows\system32\ashevtsvc.exe not found.
c:\windows\system32\lklf32.dll unregistered successfully.
c:\windows\system32\lklf32.dll moved successfully.
c:\windows\system32\jhxm32.dll unregistered successfully.
c:\windows\system32\jhxm32.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kesezila.dll
c:\windows\system32\kesezila.dll NOT unregistered.
c:\windows\system32\kesezila.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\gunowini.dll
c:\windows\system32\gunowini.dll NOT unregistered.
c:\windows\system32\gunowini.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\helileve.dll
c:\windows\system32\helileve.dll NOT unregistered.
c:\windows\system32\helileve.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kidohili.dll
c:\windows\system32\kidohili.dll NOT unregistered.
c:\windows\system32\kidohili.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\hifofiga.dll
c:\windows\system32\hifofiga.dll NOT unregistered.
c:\windows\system32\hifofiga.dll moved successfully.
c:\windows\system32\zemupalu.exe moved successfully.
C:\WINDOWS\system32\jbnmcd.dll unregistered successfully.
C:\WINDOWS\system32\jbnmcd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\delahiru.dll
C:\WINDOWS\system32\delahiru.dll NOT unregistered.
C:\WINDOWS\system32\delahiru.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\zodabuma.dll
C:\WINDOWS\system32\zodabuma.dll NOT unregistered.
C:\WINDOWS\system32\zodabuma.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\murewozi.dll
C:\WINDOWS\system32\murewozi.dll NOT unregistered.
C:\WINDOWS\system32\murewozi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\yuhasifo.dll
C:\WINDOWS\system32\yuhasifo.dll NOT unregistered.
C:\WINDOWS\system32\yuhasifo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kiligefu.dll
C:\WINDOWS\system32\kiligefu.dll NOT unregistered.
C:\WINDOWS\system32\kiligefu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lugibifi.dll
C:\WINDOWS\system32\lugibifi.dll NOT unregistered.
C:\WINDOWS\system32\lugibifi.dll moved successfully.
C:\WINDOWS\system32\vic_setup.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\bqcsgzcx32.dll
C:\WINDOWS\system32\bqcsgzcx32.dll NOT unregistered.
C:\WINDOWS\system32\bqcsgzcx32.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\bqcsgzcx.dll
C:\WINDOWS\system32\bqcsgzcx.dll NOT unregistered.
C:\WINDOWS\system32\bqcsgzcx.dll moved successfully.
File/Folder C:\WINDOWS\system32\jbnmcd.dll not found.
C:\WINDOWS\system32\jbnmck.dll unregistered successfully.
C:\WINDOWS\system32\jbnmck.dll moved successfully.
========== REGISTRY ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Diagnostic Manager deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Resurections deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bqcsgzcx\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\AshEvtSvc.exe deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6502.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9312.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9317.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD5D4.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\Y2QYL5R9\ads[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\Y2QYL5R9\ads[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\32G2PZ6E\write_js[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Fichiers Internet temporaires\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cto5.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_68c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTM by OldTimer - Version 2.1.0.0 log created on 06032009_231150

Files moved on Reboot...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpodvd09.log moved successfully.
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6502.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9312.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9317.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD5D4.tmp not found!
C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\Y2QYL5R9\ads[1].htm moved successfully.
C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\Y2QYL5R9\ads[2].htm moved successfully.
C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\32G2PZ6E\write_js[1].htm moved successfully.
C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\cto5.tmp moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_68c.dat moved successfully.

Registry entries deleted on Reboot...

Réponse 11 / 23

Utilisateur anonyme

Re,

▶ Télécharge ComboFix (de sUBs) sur ton Bureau.

/!\Désactive temporairement toute protection résidente /!\ (Antivirus, antispywares..)
▶ Double clique sur ComboFix.exe.
▶ Accepte la licence en cliquant sur Oui.
▶ Le programme va te demander si tu souhaites installer la Console de Récupération. C'est une précaution, au cas où l'ordinateur tomberait en panne. Je te conseille donc de l'installer, ça ne coûte rien, et ça pourrait potentiellement servir !
▶ Lorsque l'opération sera terminée, un rapport apparaîtra. Poste ce rapport dans ta prochaine réponse.

▶Le rapport se trouve ici : %SystemDrive%\ComboFix.txt (%systemdrive% étant la partition où est installée Windows; C:\ en général)

Aide :Comment utiliser ComboFix.

Si un rapport ne passe pas faire une alerte à la conciergerie avec le /!\ jaune.

Réponse 12 / 23

Glux

Voilà le log :

ComboFix 09-06-03.04 - Administrateur 04/06/2009 9:48.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.699 [GMT 2:00]
Lancé depuis: c:\documents and settings\Administrateur\Bureau\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090603-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1528442063
C:\autorun.inf
c:\documents and settings\Administrateur\Local Settings\Application Data\ovedzaclfg.dat
c:\documents and settings\Administrateur\Local Settings\Application Data\ovedzaclfg_nav.dat
c:\documents and settings\Administrateur\Local Settings\Application Data\ovedzaclfg_navps.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\691447002.exe
c:\documents and settings\LocalService\Application Data\916653139.exe
c:\windows\pack.epk
c:\windows\system32\drivers\8a883e9e.sys
c:\windows\system32\drivers\ovfsthboykmpuiwsrbylqjmhfmtnrusciloeua.sys
c:\windows\system32\ekuligav.ini
c:\windows\system32\ovfsthfbirduuxbjbyxxdrhihrtetpqwxflfbx.dll
c:\windows\system32\ovfsthhxilgyjxirujstvujnthpjrhljgolobf.dll
c:\windows\system32\ovfsthmbroscprqpvknbhkhdnoxvcuyjlkbbwc.dat
c:\windows\system32\ovfsthmiebilxmimswtngoxqjdkcvnvkudlqjv.dat
c:\windows\system32\ovfsthrbiseqnbortkqurcqqpbtajdfoqetuhi.dll
c:\windows\system32\ozerusob.ini
c:\windows\system32\tmp.reg
c:\windows\system32\ulifahom.ini
c:\windows\system32\uniq.tll
C:\xcrashdump.dat
D:\Autorun.inf
E:\Autorun.inf
E:\desktop.ini

----- BITS: Il y a peut-être des sites infectés -----

hxxp://62.4.83.201
Une copie infectée de c:\windows\system32\drivers\ndis.sys a été trouvée et désinfectée
Copie restaurée à partir de - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthvhopxmplhrrovdbcrvhlyfwadskkwpdq
-------\Legacy_ashevtsvc
-------\Legacy_avast!antivirus
-------\Legacy_fci
-------\Service_8a883e9e

((((((((((((((((((((((((((((( Fichiers créés du 2009-05-04 au 2009-06-04 ))))))))))))))))))))))))))))))))))))
.

2009-06-03 21:11 . 2009-06-03 21:11 -------- d-----w- C:\_OTM
2009-06-03 20:51 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-03 20:51 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-03 20:51 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-03 20:51 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-03 20:51 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-03 20:51 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-03 20:51 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-03 20:51 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-03 20:51 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-03 20:51 . 2009-06-03 20:51 -------- d-----w- c:\program files\Alwil Software
2009-06-03 19:58 . 2009-06-03 19:59 -------- d-----w- c:\program files\CCleaner
2009-06-03 18:56 . 2009-06-03 18:56 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
2009-06-03 18:55 . 2009-06-03 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 11:40 . 2009-06-03 11:40 124416 ----a-w- c:\windows\system32\avast!AVSControlService.exe
2009-06-03 05:52 . 2009-06-03 20:04 -------- d-----w- c:\program files\trend micro
2009-05-31 07:24 . 2009-06-04 08:00 99422 ----a-w- c:\windows\system32\drivers\e0baeba5.sys
2009-05-30 07:54 . 2009-05-26 02:18 105 ----a-w- C:\tj.vbs
2009-05-29 19:50 . 2009-06-04 08:00 99422 ----a-w- c:\windows\system32\drivers\cf906936.sys
2009-05-06 16:20 . 2009-05-06 16:20 0 ----a-w- C:\rsdxy.exe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 08:00 . 2009-05-04 18:54 116476 ----a-w- c:\windows\system32\drivers\667b841d.sys
2009-06-04 08:00 . 2009-05-03 16:00 118268 ----a-w- c:\windows\system32\drivers\3bc06180.sys
2009-06-04 07:51 . 2004-08-03 21:14 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-03 21:05 . 2007-03-03 17:21 -------- d-----w- c:\program files\Wanadoo
2009-06-03 20:17 . 2006-05-05 22:02 -------- d-----w- c:\program files\Fichiers communs\Symantec Shared
2009-06-03 20:16 . 2006-05-05 22:03 -------- d-----w- c:\program files\Symantec
2009-06-03 20:15 . 2006-05-05 22:02 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-03 20:15 . 2006-05-05 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-03 19:31 . 2009-03-11 10:49 -------- d-----w- c:\program files\Gulliland
2009-06-03 05:10 . 2008-12-25 18:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 04:53 . 2006-05-05 10:24 19192 ----a-w- c:\documents and settings\Administrateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-29 19:53 . 2009-05-31 07:26 58880 ----a-w- c:\windows\system32\46.tmp
2009-05-06 16:58 . 2009-04-26 06:13 2923 ----a-w- c:\windows\system32\cecyooc.dat
2009-05-06 16:19 . 2004-08-19 14:10 14336 ----a-w- c:\windows\system32\svchost.exe
2009-05-03 15:59 . 2009-02-03 15:59 51200 --sha-w- c:\windows\system32\risowupa.exe
2009-05-02 18:08 . 2009-02-02 18:08 51200 --sha-w- c:\windows\system32\wijuhalu.exe
2009-05-02 17:30 . 2009-05-02 17:30 162 ---ha-w- c:\windows\system32\~$prnet.tmp
2009-05-02 06:08 . 2009-02-02 06:08 51200 --sha-w- c:\windows\system32\hawivobi.exe
2009-05-01 06:13 . 2009-02-01 06:13 50688 --sha-w- c:\windows\system32\tenugizu.exe
2009-04-30 06:42 . 2009-01-30 06:42 51200 --sha-w- c:\windows\system32\kozafuli.exe
2009-04-28 18:52 . 2008-12-25 18:06 -------- d-----w- c:\program files\Google
2009-04-28 18:00 . 2009-01-28 18:00 88576 --sha-w- c:\windows\system32\wimesabi.dll
2009-04-27 18:50 . 2009-01-27 18:49 48640 --sha-w- c:\windows\system32\hagijifa.dll
2009-04-27 18:49 . 2009-01-27 18:49 50688 --sha-w- c:\windows\system32\keyiguvu.exe
2009-04-27 18:49 . 2009-01-27 18:49 88576 --sha-w- c:\windows\system32\tohagugu.dll
2009-04-27 06:54 . 2009-04-27 06:49 49152 ----a-w- c:\windows\system32\bigitita.dll
2009-04-27 06:49 . 2009-01-27 06:49 51712 --sha-w- c:\windows\system32\yivilaje.exe
2009-04-27 06:49 . 2009-01-27 06:49 87552 --sha-w- c:\windows\system32\kuzokutu.dll
2009-04-26 09:47 . 2009-01-26 09:47 88576 --sha-w- c:\windows\system32\penigusa.dll
2009-04-26 09:47 . 2009-01-26 09:47 51712 --sha-w- c:\windows\system32\pegatijo.exe
2009-04-26 06:13 . 2009-04-26 06:13 315392 ----a-w- c:\windows\system32\cecyooc.exe
2009-03-29 06:31 . 2002-08-30 12:00 64492 ----a-w- c:\windows\system32\perfc00C.dat
2009-03-29 06:31 . 2002-08-30 12:00 447772 ----a-w- c:\windows\system32\perfh00C.dat
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrateur\Menu D‚marrer\Programmes\D‚marrage\
Adobe Gamma.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2004-8-19 33792]
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2003-7-15 196152]

c:\documents and settings\Invit‚\Menu D‚marrer\Programmes\D‚marrage\
ChkDisk.dll [2009-5-30 40960]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2004-8-19 33792]

c:\documents and settings\Administrateur\Menu D‚marrer\Programmes\D‚marrage\
Adobe Gamma.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2004-8-19 33792]
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2003-7-15 196152]

c:\documents and settings\Administrateur\Menu D‚marrer\Programmes\D‚marrage\
Adobe Gamma.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2004-8-19 33792]
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2003-7-15 196152]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-5-7 25214]
D‚marrage rapide du logiciel HP Image Zone.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\avast!AVSControlService.exe"=

R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03/06/2009 22:51 114768]
R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/06/2009 22:51 20560]
R2 avast!avscontrolservice;avast!avscontrolservice;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
S3 PAC7311;VGA SoC PC-Camer@;c:\windows\system32\drivers\PA707UCM.SYS [16/02/2005 10:15 144768]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]
.
Contenu du dossier 'Tâches planifiées'

2009-06-03 c:\windows\Tasks\HPpromotions journeysoftware.job
- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 15:36]
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-CPMa7d6e002 - c:\windows\system32\lugibifi.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lugibifi.dll
Notify-NavLogon - (no file)
SafeBoot-procexp90.sys

.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
uInternet Connection Wizard,ShellNext = iexplore
IE: { - c:\program files\Messenger\msmsgs.exe
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 09:58
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\3bc06180]
"ImagePath"="\SystemRoot\System32\drivers\3bc06180.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\667b841d]
"ImagePath"="\SystemRoot\System32\drivers\667b841d.sys"

Réponse 13 / 23

Utilisateur anonyme

Re,

DESINSTALLER COMBOFIX

ComboFix /u

* Clique sur Démarrer, puis sur Exécuter: une fenêtre d'invite s'ouvre.
* Colle la ligne que tu as préalablement copiée dans la fenêtre d'invite

http://img362.imageshack.us/img362/4190/20080629180121lz8.jpg

Appuie sur OK pour valider
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Nettoie ton PC avec Ccleaner.

Redémarre le et refait un log avec RSIT.

Poste moi le LOG.

Met à jour malwarebyte , et refait un scan complet avec.

++

Réponse 14 / 23

Glux

Re. Voilà le log :

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrateur at 2009-06-04 11:20:20
Microsoft Windows XP Professionnel Service Pack 3
System drive C: has 6 GB (30%) free of 20 GB
Total RAM: 1022 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:32, on 04/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Administrateur\Bureau\RSIT.exe
C:\Program Files\trend micro\Administrateur.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Démarrage rapide du logiciel HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Service de transfert intelligent en arrière-plan (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

Réponse 15 / 23

Glux

Super. Juste un mot pour te remercier de ton aide, vraiment. Le pc a l'air clean maintenant. Juste un truc, les mises à jour windows ont l'air désactivées (ce qui n'est pas forcément un mal :)) et il semble impossible de les réactiver. Bref. Merci encore ++

Réponse 16 / 23

Utilisateur anonyme

Re,

Ce n'est pas fini ....

Tu as deux antivirus : => AVAST et NORON .

Tu doit n'avoir qu'un antivirus.

Désinstalles deux et installe antivir .

fait ce qui suit dans l'ordre:

Désinstalle NORTON:

Comment supprimer correctement les produits SYMANTEC
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
▶ Je te conseil de désinstaller AVAST comment le faire proprement

▶ D'installer cet Antivirus:

ANTIVIR

AIDE:
comment bien configurer antivir

Avast et Antivir : comparaisons, et passage à Antivir.

▶ Fait la mise à jour d'antivir .

Une fois cela fait fait ce qui suit:

---> Télécharge OTM (D'OldTimer) sur ton Bureau :

---> Double-clique sur OTMoveIt3.exe afin de le lancer.

---> Copie (Ctrl+C) le texte suivant en gras ci-dessous :

:processes
explorer.exe

:files
C:\WINDOWS\system32\tmp.txt

:commands
[emptytemp]
[start explorer]

---> Colle (Ctrl+V) le texte précédemment copié dans le cadre Paste Instructions for Items to be Moved.

---> Clique maintenant sur le bouton MoveIt! puis ferme OTMoveIt3.

Si un fichier ou dossier ne peut pas être supprimé immédiatement, le logiciel te demandera de redémarrer.
Accepte en cliquant sur YES.

---> Poste le rapport situé dans ce dossier : C:\_OTMoveIt\MovedFiles\
Le nom du rapport correspond au moment de sa création : date_heure.log

Réponse 17 / 23

Glux

Salut. Alors j'ai bien désinstallé les deux anti-virus et installé Antivir. Par contre, impossible de lancer OTM. Il est bien présent en tâche de fond mais impossible d'accéder au programme. Dans le doute j'ai essayé de le lancer en mode sans échec. Même chose.

Réponse 18 / 23

Utilisateur anonyme

Re,

▶ Telecharge et install UsbFix de C_XX & Chiquitine29

▶ Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, etc...) susceptible d avoir été infectés sans les ouvrir

▶ Double clic sur le raccourci UsbFix présent sur ton bureau .

▶ Choisi l option 1 ( Recherche )

▶ Laisse travailler l outil.

▶ Ensuite post le rapport UsbFix.txt qui apparaitra.

▶ Note : Le rapport UsbFix.txt est sauvegardé a la racine du disque. ( C:\UsbFix.txt )

( CTRL+A Pour tout selectionner , CTRL+C pour copier et CTRL+V pour coller )

Note : "Process.exe", une composante de l'outil, est détecté par certains antivirus (AntiVir, Dr.Web, Kaspersky Anti-Virus) comme étant un RiskTool.
Il ne s'agit pas d'un virus, mais d'un utilitaire destiné à mettre fin à des processus.
Mis entre de mauvaises mains, cet utilitaire pourrait arrêter des logiciels de sécurité (Antivirus, Firewall...) d'où l'alerte émise par ces antivirus.

Si un rapport ne passe pas faire une alerte à la conciergerie avec le /!\ jaune.

Réponse 19 / 23

Glux

Voilà le rapport qu'a généré UsbFix :

############################## [ UsbFix V3.029 | Scan ]

# User : Administrateur (Administrateurs) # DIMENSION-5150
# Update on 05/06/09 by Chiquitine29, C_XX & Chimay8
# WebSite : http://pagesperso-orange.fr/NosTools/usbfix.html
# Start at: 12:10:20 | 05/06/2009

# Intel(R) Pentium(R) D CPU 2.80GHz
# Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 7.0.5730.13
# Windows Firewall Status : Enabled
# AV : AntiVir Desktop 9.0.1.26 [ Enabled | Updated ]

# C:\ # Disque fixe local # 19,53 Go (5,68 Go free) [System] # NTFS
# D:\ # Disque fixe local # 25,66 Go (25,56 Go free) [Documents de Travail] # NTFS
# E:\ # Disque fixe local # 29,3 Go (13 Go free) [Multimédia] # NTFS
# F:\ # Disque CD-ROM
# G:\ # Disque fixe local # 251,97 Mo (190,93 Mo free) [USB_DISK] # FAT
# H:\ # Disque amovible

############################## [ Processus actifs ]

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\scrnsave.scr
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

################## [ Registre Startup ]

HKCU_Main: "Local Page"="C:\\windows\\system32\\blank.htm"
HKCU_Main: "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
HKCU_Main: "Start Page"="https://www.google.fr/?gws_rd=ssl"
HKLM_logon: "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
HKLM_logon: "DefaultUserName"="Administrateur"
HKLM_logon: "AltDefaultUserName"="Administrateur"
HKLM_logon: "LegalNoticeCaption"=""
HKLM_logon: "LegalNoticeText"=""
HKLM_Run: avgnt="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
HKLM_Run: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
HKCU_Run: ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe

################## [ Fichiers # Dossiers infectieux ]

################## [ Registre # Clés Run infectieuses ]

Found ! HKLM\software\microsoft\security center "AntiVirusOverride" ( 0x1 )

################## [ Registre # Mountpoints2 ]

################## [ ! Fin du rapport # UsbFix V3.029 ! ]

Réponse 20 / 23

Utilisateur anonyme

Re,

Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, etc...) susceptible d avoir été infectés sans les ouvrir

▶ Double clic sur le raccourci UsbFix présent sur ton bureau

▶ Choisi l option 2 ( Suppression )

▶ Ton bureau disparaitra et le pc redémarrera .

▶ Au redémarrage , UsbFix scannera ton pc , laisse travailler l outil.

▶ Ensuite post le rapport UsbFix.txt qui apparaitra avec le bureau .

▶ Note : Le rapport UsbFix.txt est sauvegardé a la racine du disque.( C:\UsbFix.txt )

( CTRL+A Pour tout selectionner , CTRL+C pour copier et CTRL+V pour coller )

Glux

Salut. Voilà le dernier rapport UsbFix. Chose curieuse, lors du redémarrage, des fichiers microsoft office ont du être effacé car Outllook a disparu, ainsi que certains fichiers word et Excel... Bref, pas grave, je réinstallerai office.

############################## [ UsbFix V3.029 | Cleaning ]

# User : ADMIN (Administrateurs) # DIMENSION-5150
# Update on 05/06/09 by Chiquitine29, C_XX & Chimay8
# WebSite : http://pagesperso-orange.fr/NosTools/usbfix.html
# Start at: 18:44:32 | 05/06/2009

# Intel(R) Pentium(R) D CPU 2.80GHz
# Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 7.0.5730.13
# Windows Firewall Status : Enabled
# AV : AntiVir Desktop 9.0.1.26 [ Enabled | Updated ]

# C:\ # Disque fixe local # 19,53 Go (5,67 Go free) [System] # NTFS
# D:\ # Disque fixe local # 25,66 Go (25,56 Go free) [Documents de Travail] # NTFS
# E:\ # Disque fixe local # 29,3 Go (12,94 Go free) [Multimédia] # NTFS
# F:\ # Disque CD-ROM
# G:\ # Disque fixe local # 251,97 Mo (248,14 Mo free) [USB_DISK] # FAT
# H:\ # Disque amovible

############################## [ Processus actifs ]

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe

################## [ Fichiers # Dossiers infectieux ]

################## [ Registre # Clés Run infectieuses ]

# HKLM\software\microsoft\security center\\ "AntiVirusOverride" # -> Reset sucessfully !

################## [ Registre # Mountpoints2 ]

################## [ Listing des fichiers présent ]

[05/05/2006 11:23|--a------|0] - C:\AUTOEXEC.BAT
[05/05/2006 11:17|--a------|212] - C:\Boot.bak
[04/06/2009 09:37|-rahs----|282] - C:\boot.ini
[30/08/2002 14:00|-rahs----|4952] - C:\Bootfont.bin
[03/08/2004 23:00|--a------|263488] - C:\cmldr
[04/06/2009 10:02|--a------|14410] - C:\ComboFix.txt
[05/05/2006 11:23|--a------|0] - C:\CONFIG.SYS
[05/05/2006 11:23|-rahs----|0] - C:\IO.SYS
[05/05/2006 11:23|-rahs----|0] - C:\MSDOS.SYS
[03/08/2004 22:38|-rahs----|47564] - C:\NTDETECT.COM
[10/11/2008 14:55|-rahs----|252240] - C:\ntldr
[?|?|?] - C:\pagefile.sys
[06/05/2009 18:20|--a------|0] - C:\rsdxy.exe
[24/05/2007 22:57|--ah-----|268] - C:\sqmdata00.sqm
[30/09/2007 21:37|--ah-----|268] - C:\sqmdata01.sqm
[19/12/2007 14:35|--ah-----|268] - C:\sqmdata02.sqm
[19/12/2007 14:52|--ah-----|172] - C:\sqmdata03.sqm
[22/02/2008 00:28|--ah-----|232] - C:\sqmdata04.sqm
[19/03/2008 13:42|--ah-----|268] - C:\sqmdata05.sqm
[02/04/2008 09:03|--ah-----|232] - C:\sqmdata06.sqm
[25/05/2008 09:54|--ah-----|268] - C:\sqmdata07.sqm
[25/06/2008 14:06|--ah-----|232] - C:\sqmdata08.sqm
[08/10/2008 13:21|--ah-----|232] - C:\sqmdata09.sqm
[08/10/2008 13:28|--ah-----|268] - C:\sqmdata10.sqm
[22/10/2008 21:04|--ah-----|268] - C:\sqmdata11.sqm
[09/01/2009 18:18|--ah-----|232] - C:\sqmdata12.sqm
[13/01/2009 23:08|--ah-----|268] - C:\sqmdata13.sqm
[12/05/2009 08:40|--ah-----|232] - C:\sqmdata14.sqm
[24/05/2007 22:57|--ah-----|244] - C:\sqmnoopt00.sqm
[30/09/2007 21:37|--ah-----|244] - C:\sqmnoopt01.sqm
[19/12/2007 14:35|--ah-----|244] - C:\sqmnoopt02.sqm
[19/12/2007 14:52|--ah-----|172] - C:\sqmnoopt03.sqm
[22/02/2008 00:28|--ah-----|244] - C:\sqmnoopt04.sqm
[19/03/2008 13:42|--ah-----|244] - C:\sqmnoopt05.sqm
[02/04/2008 09:03|--ah-----|244] - C:\sqmnoopt06.sqm
[25/05/2008 09:54|--ah-----|244] - C:\sqmnoopt07.sqm
[25/06/2008 14:06|--ah-----|244] - C:\sqmnoopt08.sqm
[08/10/2008 13:21|--ah-----|244] - C:\sqmnoopt09.sqm
[08/10/2008 13:28|--ah-----|244] - C:\sqmnoopt10.sqm
[22/10/2008 21:04|--ah-----|244] - C:\sqmnoopt11.sqm
[09/01/2009 18:18|--ah-----|244] - C:\sqmnoopt12.sqm
[13/01/2009 23:08|--ah-----|244] - C:\sqmnoopt13.sqm
[12/05/2009 08:40|--ah-----|244] - C:\sqmnoopt14.sqm
[26/05/2009 04:18|--a------|105] - C:\tj.vbs
[05/06/2009 18:45|--a------|4362] - C:\UsbFix.txt
[20/01/2009 14:53|--a------|24064] - D:\attestation sur l(honneur.doc
[16/04/2008 23:03|--a------|26624] - D:\Discour m‚daille.doc
[17/01/2009 17:05|--ahs----|549376] - E:\Thumbs.db
[18/01/2009 20:07|--ahs----|3866624] - G:\Thumbs.db

################## [ Vaccination ]

# C:\autorun.inf ( # Not infected ) -> Folder created by UsbFix.
# D:\autorun.inf ( # Not infected ) -> Folder created by UsbFix.
# E:\autorun.inf ( # Not infected ) -> Folder created by UsbFix.
# G:\autorun.inf ( # Not infected ) -> Folder created by UsbFix.

################## [ ! Fin du rapport # UsbFix V3.029 ! ]

Discussions similaires

supprimer tor.jack android

Tor.Jack.Malware

je n'arrive pas a supprimer un virus sur mon téléphone

Discussions similaires

Newsletters