Rootkit comment fair pour s'en débarasser ? Fermé

Question

Bonjour,  


Configuration: Windows XP / Firefox 3.6.3


Bonjour a tous , j'ai depuis quelque jour un rootkit qui ce promene sur mon PC et me fou un bazard pas possible ...  


voici le raport derreur que me donne Combofix cependant je ne suis pas assez callé pour analyser cela tout seul , pouriez vous me venir en aide ? comment et ou es-je pu chopper ce virus ?  



Voici le raport d'erreur de combofix , cordialement a tous .. merci davance je suis perdu  




EDITE voici le raport en entier


ComboFix 10-05-16.06 - Seb 18/05/2010  19:04:09.6.2 - x86
Microsoft Windows XP Édition familiale  5.1.2600.3.1252.33.1036.18.2047.1464 [GMT 2:00]
Lancé depuis: c:\documents and settings\Seb\Mes documents\Téléchargements\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((   Fichiers créés du 2010-04-18 au 2010-05-18  ))))))))))))))))))))))))))))))))))))
.

2010-05-18 10:19 . 2010-05-18 10:19	--------	d-----w-	c:\documents and settings\Seb\Local Settings\Application Data\PCHealth
2010-05-18 06:53 . 2010-05-18 10:13	536064	----a-w-	c:\windows\system32\drivers\uzylhbb.sys
2010-05-18 06:45 . 2010-05-18 06:46	--------	d-----w-	C:sit
2010-05-15 22:14 . 2008-04-13 09:40	34688	-c--a-w-	c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-15 22:14 . 2008-04-13 09:40	34688	----a-w-	c:\windows\system32\drivers\lbrtfdc.sys
2010-05-15 22:13 . 2008-04-13 09:41	8576	-c--a-w-	c:\windows\system32\dllcache\i2omgmt.sys
2010-05-15 22:12 . 2008-04-13 09:41	8192	-c--a-w-	c:\windows\system32\dllcache\changer.sys
2010-05-15 22:12 . 2008-04-13 09:41	8192	----a-w-	c:\windows\system32\drivers\Changer.sys
2010-05-02 18:47 . 2006-11-29 11:06	3426072	----a-w-	c:\windows\system32\d3dx9_32.dll
2010-05-02 18:47 . 2010-05-02 18:47	--------	d-----w-	c:\program files\Microsoft SQL Server Compact Edition
2010-05-02 18:42 . 2010-05-02 18:42	86576	----a-w-	c:\documents and settings\Seb\Application Data\Microsoft\Services Windows Live\Raccourci Galerie de Photos Windows Live.exe
2010-05-02 18:42 . 2010-05-02 18:42	392728	----a-w-	c:\documents and settings\Seb\Application Data\Microsoft\Services Windows Live\Services Windows Live.dll
2010-05-02 18:42 . 2010-05-02 18:42	135680	----a-w-	c:\documents and settings\Seb\Application Data\Microsoft\Notification de cadeaux MSN\lsnfier.exe
2010-05-02 18:42 . 2010-05-02 18:42	132672	----a-w-	c:\documents and settings\Seb\Application Data\Microsoft\Services Windows Live\Raccourci Windows Live Messenger.exe
2010-05-02 18:38 . 2010-05-04 04:38	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-04-20 16:11 . 2010-05-15 23:32	69392	----a-w-	c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-20 11:27 . 2010-04-20 11:27	--------	d-----w-	c:\documents and settings\Seb\Application Data\AskToolbar

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 14:29 . 2010-02-06 17:08	--------	d-----w-	c:\documents and settings\Seb\Application Data\Mumble
2010-05-18 06:46 . 2010-03-10 11:16	--------	d-----w-	c:\program files\Trend Micro
2010-05-18 06:40 . 2010-02-21 15:36	--------	d-----w-	c:\program files\Anti Keylogger Elite
2010-05-17 21:56 . 2008-04-14 12:00	81134	----a-w-	c:\windows\system32\perfc00C.dat
2010-05-17 21:56 . 2008-04-14 12:00	501206	----a-w-	c:\windows\system32\perfh00C.dat
2010-05-16 13:44 . 2009-09-22 08:35	--------	d-----w-	c:\documents and settings\Seb\Application Data	eamspeak2
2010-05-15 22:11 . 2010-05-15 22:11	16	----a-w-	c:\documents and settings\LocalService\Application Data\qvjsge.dat
2010-05-15 21:47 . 2009-09-14 17:53	1	----a-w-	c:\documents and settings\Seb\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-02 18:47 . 2009-09-15 11:43	--------	d-----w-	c:\program files\Windows Live
2010-04-30 20:03 . 2009-09-15 11:23	--------	d-----w-	c:\documents and settings\Seb\Application Data\vlc
2010-04-17 22:22 . 2009-09-17 23:49	--------	d-----w-	c:\documents and settings\Seb\Application Data\dvdcss
2010-04-16 15:47 . 2010-04-16 15:47	--------	d-----w-	c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-16 08:41 . 2010-04-16 08:41	--------	d-----w-	c:\documents and settings\All Users\Application Data\DVD Shrink
2010-04-15 20:26 . 2010-04-15 20:26	--------	d-----w-	c:\program files\Ask.com
2010-04-15 20:25 . 2010-04-15 20:25	--------	d-----w-	c:\program files\Microsoft.NET
2010-04-15 19:55 . 2010-04-15 19:55	--------	d-----w-	c:\program files\Yahoo!
2010-04-09 20:14 . 2009-09-17 08:51	--------	d-----w-	c:\program files\World of Warcraft
2010-03-26 20:43 . 2009-11-23 17:14	--------	d-----w-	c:\documents and settings\Seb\Application Data\Ventrilo
2010-03-24 15:22 . 2010-03-24 15:22	--------	d-----w-	c:\documents and settings\Seb\Application Data\Western Digital
2010-03-24 15:22 . 2010-03-24 15:22	--------	d-----w-	c:\documents and settings\All Users\Application Data\Western Digital
2010-03-24 15:21 . 2010-03-24 15:21	--------	d-----w-	c:\program files\Western Digital
2010-03-10 11:04 . 2009-09-15 11:39	17472	----a-w-	c:\documents and settings\Seb\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:16 . 2008-04-14 12:00	420352	----a-w-	c:\windows\system32\vbscript.dll
2010-02-25 06:17 . 2008-04-14 12:00	916480	----a-w-	c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
.

(((((((((((((((((((((((((((((   SnapShot_2010-05-18_06.52.19   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-18 10:15 . 2010-05-18 10:15	16384              c:\windows\Temp\Perflib_Perfdata_284.dat
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 14:50	1197448	----a-w-	c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-04 18085888]
"ASUS Update Checker"="c:\program files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe" [2008-12-11 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-14 149280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\Seb\Menu D'marrer\Programmes\D'marrage\
CurseClientStartup.ccip [2009-12-15 0]
Notification de cadeaux MSN.lnk - c:\documents and settings\Seb\Application Data\Microsoft\Notification de cadeaux MSN\lsnfier.exe [2010-5-2 135680]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
wwwzuc32.exe [2008-4-14 31744]

c:\documents and settings\All Users\Menu D'marrer\Programmes\D'marrage\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\eMule\emule.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=
"c:\Program Files\Ventrilo\Ventrilo.exe"=
"c:\Program Files\World of Warcraft\Launcher.exe"=
"c:\Program Files\VideoLAN\VLC\vlc.exe"=
"c:\Program Files\VentSrv\ventrilo_srv.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"c:\Program Files\World of Warcraft\BackgroundDownloader.exe"=
"c:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"=
"c:\Documents and Settings\Seb\Local Settings\Apps\2.0\53C0AWC8.Q69\C7WP3G4J.KEP\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [14/09/2009 19:33 108289]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [14/10/2009 15:31 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 10:58 20480]
S2 AKEProtect;AKEProtect;\??\c:\program files\Anti Keylogger Elite\AKEProtect.sys --> c:\program files\Anti Keylogger Elite\AKEProtect.sys [?]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/02/2010 22:41 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [14/09/2009 17:43 1684736]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [26/01/2010 18:45 243056]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [24/03/2010 17:22 11520]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe [23/02/2009 00:21 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contenu du dossier 'Tâches planifiées'

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 20:41]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 20:41]

2010-05-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 14:50]

2010-05-18 c:\windows\Tasks\User_Feed_Synchronization-{A188F064-0446-4706-B40A-61A107A4F262}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Examen supplémentaire -------
.
FF - ProfilePath - c:\documents and settings\Seb\Application Data\Mozilla\Firefox\Profiles\0yjf6z7x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://google.fr
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={1ED82761-22CD-DDF8-9932-E1B233D2591C}&q=
FF - plugin: c:\program files\Google\Update\1.2.183.23
pGoogleOneClick8.dll
FF - plugin: c:\program files\ma-config.com
phardwaredetection.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins
p-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 19:06
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ... 

Recherche d'éléments en démarrage automatique cachés ... 

Recherche de fichiers cachés ... 

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services
pggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2540)
c:\windows\system32\msi.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Heure de fin: 2010-05-18  19:07:11
ComboFix-quarantined-files.txt  2010-05-18 17:07
ComboFix2.txt  2010-05-18 10:25
ComboFix3.txt  2010-05-18 06:53
ComboFix4.txt  2010-05-15 23:16
ComboFix5.txt  2010-05-18 17:03

Avant-CF: 2 520 567 808 octets libres
Après-CF: 2 508 656 640 octets libres

- - End Of File - - 07E964E799EFF1ABE361A1D78924813B

archet9 · Answer

Bonjour

Ton rapport n'est pas complet...Il manque le début !

==> Reposte le stp

a+

michlarich · Answer

Voila , j'ai edité mon post voici le vrai raport ci dessu .

archet9 · Answer

Télécharge The Avenger par Swandog46 sur ton Bureau: 

http://www.geekstogo.com/forum/files/file/393-the-avenger-by-swandog46/ 

Click sur Avenger.zip pour ouvrir le fichier 
Extraire avenger.exe sur votre bureau 

  
. Maintenant, lance The Avenger en cliquant sur son icône du bureau.
. Copie tout le texte en gras ci-dessous : mettre en surbrillance et appuyer sur les touches(Ctrl+C): 


Drivers to disable: 
npggsvc 
Drivers to delete: 
npggsvc 
Files to delete: 
c:\windows\system32\GameMon.des -service
c:\program files\ask.com\genericasktoolbar.dll
c:\program files\ask.com\updatetask.exe
Registry keys to delete:   
HKEY_LOCAL_MACHINE\System\ControlSet002\Services
pggsvc 
HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd



. Colle ce texte (Ctrl+V) dans le cadre :

Input script here 

. Appuie sur Execute

. Le pc va redémarrer

. Colle le rapport qui aparaitra.

Ensuite:

Malwarebytes étant présent sur ton pc

==> Mets le à jour (Important)
et choisis "Executer un examen rapide"

Colle le rapport qui sera généré.
a+

michlarich · Answer

//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed May 19 13:51:47 2010

13:51:42: Error: Invalid registry syntax in command:
"HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.  (Registry key deletion mode)  


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "npggsvc" disabled successfully.
Driver "npggsvc" deleted successfully.

Error:  file "c:\windows\system32\GameMon.des -service" not found!
Deletion of file "c:\windows\system32\GameMon.des -service" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "c:\program files\ask.com\genericasktoolbar.dll" deleted successfully.
File "c:\program files\ask.com\updatetask.exe" deleted successfully.

Error:  registry key "HKEY_LOCAL_MACHINE\System\ControlSet002\Services
pggsvc" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet002\Services
pggsvc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.





voila le rapport .

archet9 · Answer

La suite avec MBAM stp....

a+

michlarich · Answer

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Version de la base de données: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/05/2010 16:35:31
mbam-log-2010-05-19 (16-35-31).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 117549
Temps écoulé: 3 minute(s), 12 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

archet9 · Answer

Télécharge de AD-Remover sur ton Bureau. (Merci à C_XX)
http://pagesperso-orange.fr/NosTools/C_XX/AD-R.exe

Miroir: 

https://www.androidworld.fr/

/!\ Ferme toutes applications en cours /!\ 

/!\ Désactive provisoirement et seulement le temps de l'utilisation de AD-Remover, la protection en temps réel de ton Antivirus et de tes Antispywares, qui peuvent gêner fortement la procédure de recherche et de nettoyage de l'outil. 
 
- Double-clique sur l'icône Ad-remover située sur ton Bureau. 
- Sur la page, clique sur le bouton « Nettoyer »
- Confirme lancement du scan
- Laisse travailler l'outil.
- Poste le rapport qui apparaît à la fin. 

(Le rapport est sauvegardé aussi sous C:\Ad-report(Scan/clean).Txt) 

(CTRL+A pour tout sélectionner, CTRL+C pour copier et CTRL+V pour coller)

michlarich · Answer

.
======= RAPPORT D'AD-REMOVER 2.0.0.0,D | UNIQUEMENT XP/VISTA/7 =======
.
Mis à jour par C_XX le 07/05/10 à 16:50
Contact: AdRemover.contact@gmail.com
Site web: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Lancé à: 17:13:59 le 19/05/2010 | Mode normal | Option: SCAN
Exécuté de: C:\Ad-Remover\ADR.exe
SE: Microsoft® Windows XP(TM)  Service Pack 3 - X86
Nom du PC: PROPRI-435C9523
Utilisateur actuel: Seb
.
============== ÉLÉMENT(S) TROUVÉ(S) ==============
.
.
C:\Documents and Settings\Seb\Application Data\AskToolbar
C:\Documents and Settings\Seb\Application Data\Mozilla\FireFox\Profiles\0yjf6z7x.default\extensions	oolbar@ask.com
C:\Documents and Settings\Seb\Local Settings\Application Data\AskToolbar
C:\Program Files\Ask.com
C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
.
HKCU\Software\AppDataLow\AskToolbarInfo
HKCU\Software\Ask.com
HKCU\Software\AskToolbar
HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
HKLM\Software\Classes\AppID\GenericAskToolbar.DLL
HKLM\Software\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
HKLM\Software\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd
HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd.1
HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
HKLM\Software\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
HKLM\Software\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
HKLM\Software\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
HKLM\Software\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
HKLM\Software\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}
HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BCA25126-2B55-437a-AA5B-F300D393654B}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Userdata\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{1BB22D38-A411-4B13-A746-C2A4F4EC7344}
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Microsoft\Internet Explorer\Toolbar|{D4027C7F-154A-4066-A1AD-4243D8127440}
.
.
============== SCAN ADDITIONNEL ==============
.
* Mozilla FireFox Version 3.6.3 (fr) *
.
C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - browser.download.lastDir: C:\Documents and Settings\Seb\Mes documents\Mes images
C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - browser.search.defaultenginename: Fast Browser Search
C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - browser.search.defaulturl: hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - browser.search.selectedEngine: Fast Browser Search
C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - browser.startup.homepage: hxxp://google.fr
C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - browser.startup.homepage_override.mstone: rv:1.9.2.3
C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - keyword.URL: hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={1ED82761-22CD-DDF8-9932-E1B233D2591C}&q=
.
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("browser.search.defaultenginename", "Fast Browser Search");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("browser.search.defaulturl", "hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("browser.search.order.1", "Fast Browser Search");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("browser.search.selectedEngine", "Fast Browser Search");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.cbid", "EV");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.default-channel-url-mask", "hxxp://fr.ask.com/web?q={query}&qsrc={qsrc}&o={o}&l={l}&dm=lang");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.fresh-install", false);
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.l", "dis");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.last-config-req", "1274252461992");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.locale", "fr_FR");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.nero.userName", "");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.o", "101917");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.options-lang", "fr");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.options-locale", "UK");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.qsrc", "2871");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.asktb.r", "2");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("extensions.enabledItems", "{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16,jqs@sun.com:1.0,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3,toolbar@ask.com:3.6.6.117,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.3");
TROUVÉ: C:\Documents and Settings\Seb\..\0yjf6z7x.default\prefs.js - user_pref("keyword.URL", "hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={1ED82761-22CD-DDF8-9932-E1B233D2591C}&q=");
.
* Internet Explorer Version 8.0.6001.18702 *
.
[HKCU\Software\Microsoft\Internet Explorer\Main]
.
Do404Search: 0x01000000
Enable Browser Extensions: yes
Local Page: C:\WINDOWS\system32\blank.htm
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Show_ToolBar: yes
Start Page: hxxp://fr.msn.com/
Use Custom Search URL: 1
.
[HKLM\Software\Microsoft\Internet Explorer\Main]
.
Default_Page_URL: hxxp://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Delete_Temp_Files_On_Exit: yes
Local Page: C:\WINDOWS\system32\blank.htm
Search Page: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Start Page: hxxp://go.microsoft.com/fwlink/?LinkId=69157
.
[HKLM\Software\Microsoft\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
Blank: res://mshtml.dll/blank.htm
.
========================================
.
C:\Ad-Remover\Quarantine: 0 Fichier(s)
C:\Ad-Remover\Backup: 0 Fichier(s)
.
C:\Ad-Report-SCAN[1].txt - 7706 Octet(s)
.
Fin à: 17:15:23, 19/05/2010
.
============== E.O.F - SCAN[1] ==============

archet9 · Answer

J'avais dit ceci:

- Double-clique sur l'icône Ad-remover située sur ton Bureau. 
- Sur la page, clique sur le bouton « Nettoyer » 

==> Donc recommence !

a+

Rootkit comment fair pour s'en débarasser ?

9 réponses

Discussions similaires

Newsletters