Outerinfo est-il bien désinstallé?

Question

Bonjour à tous, je me présente, Alex91150, mais vous pouvez m'appeler Alex ou Alexandre, c'est plus court ;).

Voila mon problème: en fouinant dans la partie Ajout/Suppression de programmes, j'ai remarqué un logiciel appelé Outerinfo. Après recherche chez Google, j'ai découvert qu'il s'agissait d'un spyware, sans doute responsable de mon problème (fenêtres pub pour WinANtiVirus 2006 ou Ultimate Defender). Je l'ai donc désinstallé par Ajout/Suppression de programmes. Mais j'ai l'impression que ça n'a pas suffi car j'ai encore les pop-up Ultimate Defender. Que faire?

Voila mon log HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 20:00:35, on 05/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\hspuvety.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hspuvety.exe] C:\Documents and Settings\All Users\Application Data\hspuvety.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ghsgcumg.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61228,0055
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5,2,3790,0
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61017,0703
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61228,0050
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


Vous en pensez quoi?

Merci!

rudyrital · Answer

Tout d'abord Bonjour et bienvenue sur le forum d'entraide COMMENT CA MARCHE 

Télécharge « clean.zip » 
http://www.malekal.com/download/clean.zip 
•- Décompresse-le sur ton bureau (clic droit / extraire tout), tu dois obtenir un dossier dénommé "clean ". 

•- Redémarre en mode sans échec. ( note bien ce que tu as à faire ). 
•- Ouvre le dossier « clean » qui se trouve sur ton bureau. 
•- Double-clic sur « clean.cmd ». 
Une fenêtre noire va apparaître, choisis l’option 1. 

Clean va travailler. 
•- Redémarre normalement 
•- Poste qui se trouve ici C:\rapport_clean.txt.


(- Où est le rapport clean ? : « Poste de travail » / double clic sur disque « C / » double-clic sur « rapport_clean.txt » et « copier/coller le contenu » sur le forum. )

Alex91150 · Answer

Bonsoir, j'ai fait ce que tu m'as demandé.

Voici le rapport Clean

 06/06/2007 a 18:56:00,51 
 
*** Recherche des fichiers dans C: 
 
*** Recherche des fichiers dans C:\WINDOWS\ 
 
*** Recherche des fichiers dans C:\WINDOWS\system32 
C:\WINDOWS\system32\mcrh.tmp FOUND 
"C:\WINDOWS\Downloaded Program Files\CONFLICT.1" FOUND 
 
*** Recherche des fichiers dans C:\Program Files 
*** Fin du rapport ! 

Apparemment, il y a encore du grabuge dans le dossier System 32...

rudyrital · Answer

refait la procedure Clean mais tu tapes option 2

poste le rapport

Alex91150 · Answer

Bonjour, j'ai fait ce que tu m'as demandé.

Voilà le rapport Clean:

Script execute en mode sans echec 
Rapport clean par Malekal_morte - http://www.malekal.com 
Script execute en mode sans echec 07/06/2007 a  9:08:22,30 

Microsoft Windows XP [version 5.1.2600]
 
*** Suppression des fichiers dans C: 
 
*** Suppression des fichiers dans C:\WINDOWS\ 
 
*** Suppression des fichiers dans C:\WINDOWS\system32 
tentative de suppression de C:\WINDOWS\system32\mcrh.tmp 
tentative de suppression de "C:\WINDOWS\Downloaded Program Files\CONFLICT.1" 
 
*** Suppression des fichiers dans C:\Program Files 
 
*** Suppression des clefs du registre effectuee.. 
*** Fin du rapport ! 


Et j'ai aussi fait un rapport HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 09:28:45, on 07/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\hspuvety.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hspuvety.exe] C:\Documents and Settings\All Users\Application Data\hspuvety.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ghsgcumg.dll",realset
O4 - HKLM\..\Run: [j7281634] rundll32 C:\WINDOWS\system32\j7281634.dll sook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61228,0055
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5,2,3790,0
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61017,0703
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61228,0050
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

rudyrital · Answer

* télécharge AVG Anti-Spyware 

avg antispyware
http://www.infos-du-net.com/telecharger/Ewido-Security-Suite,0301-734.html


Tuto : http://www.kachouri.com/tuto/tuto-161-avg-anti-spyware-75-pour-votre-securite.html

* tu l'installes 

Démarrer AVG antispyware. Cliquer sur "mise à jour", cliquer sur le bouton "Commencer la mise à jour" et attendre la fin de cette mise à jour puis, fermer le programme. 

si tu n'arrives pas à le mettre à jour prends ici les Mise à jour:

http://downloads.ewido.net/avgas-signatures-full-current.exe 



Démarre en mode sans échec : 
Pour cela, tu tapotes la touche F8 dès le début de l’allumage du pc sans t’arrêter 
Une fenêtre va s’ouvrir tu te déplaces avec les flèches du clavier sur démarrer en mode sans échec puis tape entrée. 
Une fois sur le bureau s’il n’y a pas toutes les couleurs et autres c’est normal ! 
(Si F8 ne marche pas utilise la touche F5). 

 relancer AVG AS et cliquer sur l'onglet "scanner" puis sur "Analyse complète du système". 
Une fois le scan terminé, il t'affiche un rapport. Cliquer sur "configurer..." en bas a gauche et choisir "supprimer". Ensuite cliquer sur "Appliquer toutes les actions ", ca va supprimer toutes les infections détectées. 
Ensuite cliquer sur "Enregistrer le rapport d'analyse" -> "enregistrer sous" et enregistrer le rapport où bon te semble, afin de me l'envoyer dans ta prochaine réponse. 


Copie Et colle le rapport ici

Alex91150 · Answer

Bonjour,

Voilà le rapport AVG:

EDIT: J'ai fait un rapport avant de supprimer les fichiers. Je vais recommencer l'analyse.

rudyrital · Answer

ok, poste le rapport

Alex91150 · Answer

Catégorie boulet: moi! J'ai supprimé les fichiers mais j'ai pas fait de rapport...

rudyrital · Answer

hihi ;)

ca arrive, mais ca m'aurai donné des indications !

rudyrital · Answer

Fais un clic droit sur ce lien :
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
Enregistrer la cible (du lien) sous... et enregistre-le sur ton bureau.
Fais un clic droit sur navilog1.zip et choisis "tout extraire"
Ensuite double clique sur navilog1.exe pour lancer l'installation.
Une fois l'installation terminée, le fix s'exécutera automatiquement.
(Si ce n'est pas le cas, double-clique sur le raccourci Navilog1 présent sur le bureau).

Laisse-toi guider. Au menu principal, choisis 1 et valides.
(ne fais pas le choix 2,3 ou 4 sans notre avis/accord)

Patiente jusqu'au message :
*** Analyse Termine le ..... ***
Appuie sur une touche comme demandé, le blocnote va s'ouvrir.
Copie-colle l'intégralité dans une réponse. Referme le blocnote.
Le rapport est en outre sauvegardé à la racine du disque (fixnavi.txt)

Alex91150 · Answer

Bonjour,
Voila le rapport Navilog1:


Search Navipromo version 2.0.3 commencé le 13/06/2007 à 15:36:58,52
 
!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Poster ce rapport sur le forum pour le faire analyser !!!
!!! Ne pas lancer la partie désinfection sans l'avis d'un spécialiste !!!

Fix lancé depuis C:\Program Files
avilog1
Mise a jour le 08.06.2007 a 17h00 by IL-MAFIOSO

Executé en mode normal

*** Recherche Programmes installes *** 

 


*** Recherche dossiers dans C:\WINDOWS ***




*** Recherche dossiers dans C:\Program Files ***




*** Recherche dossiers dans C:\Documents and Settings\All Users\Application Data ***




*** Recherche dossiers dans C:\Documents and Settings\papa\Application Data ***



*** Recherche avec BlackLight Engine/F-secure ***
BlackLight Engine est un produit de F-secure, pour + d'infos :
https://www.f-secure.com/en


F-SECURE BLACKLIGHT ROOTKIT ELIMINATOR
======================================

Copyright 2005-2006 F-Secure Corporation. All rights reserved.
This is a beta version. It will expire on 1st of April, 2007.
Version information: 2.2.1061.

[+] Started on 06/13/07 at 15:37:02.
[+] Initializing ...
[+] Starting scan, press Ctrl-C to abort.
[+] Scanning for hidden items ..........................................................
[+] Scan complete.
[+] Summary: 0 hidden item(s) found, 0 scheduled for renaming.
[+] Exited on 06/13/07 at 15:43:06 (return code = 0).


*** Recherche fichiers *** 




*** Recherche cles registre ***


Recherche dans [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs] 
 
 

Recherche dans [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage] 
 
 

Recherche Clé Magic Control 
 
 
 
*** Module de Recherche complémentaire *** 
(Recherche fichiers spécifiques) 
 
1)Recherche fichiers connus:

C:\WINDOWS\system32\iihjl.ini2 trouvé ! infection Vundo possible non traité par cet outil !
C:\WINDOWS\system32\iihjl.bak1 trouvé ! infection Vundo possible non traité par cet outil !
C:\WINDOWS\system32\iihjl.bak2 trouvé ! infection Vundo possible non traité par cet outil !

2)Recherche Heuristique :
* 
** 
*** 
**** 
***** 
****** 
******* 
******** 
 
 
*** Analyse Terminé le 13/06/2007 à 15:44:21,19 *** 


Tiens, des Vundo! Je suis sur que je vais devoir utiliser VundoFix...

rudyrital · Answer

Télécharge VirtumundoBegone sur le bureau: 
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe 

Double clique ensuite sur VirtumundoBeGone.exe et suis les instructions. 
Une fois terminé, redémarre et poste le rapport VBG.TXT créé sur le bureau dans ta prochaine réponse avec un nouveau rapport HijackThis. 
Ne t'inquiète pas si tu vois un message Ecran bleu "Erreur fatale", c'est normal et attendu

Alex91150 · Answer

Salut, 
Voila le contenu du fichier vbg.txt:

[06/15/2007, 19:42:12] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\papa\Bureau\VirtumundoBeGone.exe" )
[06/15/2007, 19:42:33] - Detected System Information:
[06/15/2007, 19:42:33] -  Windows Version: 5.1.2600, Service Pack 2
[06/15/2007, 19:42:33] -  Current Username: papa (Admin)
[06/15/2007, 19:42:33] -  Windows is in NORMAL mode.
[06/15/2007, 19:42:33] - Searching for Browser Helper Objects:
[06/15/2007, 19:42:33] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[06/15/2007, 19:42:33] -  BHO 2: {6454E594-3815-4F56-90DB-EE6595BC6BFF} ()
[06/15/2007, 19:42:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:33] -  Checking for HKLM\...\Winlogon\Notify\gebaa
[06/15/2007, 19:42:33] -  Key not found: HKLM\...\Winlogon\Notify\gebaa, continuing.
[06/15/2007, 19:42:34] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/15/2007, 19:42:34] -  BHO 4: {7CB53B95-F8A8-440B-9DA7-091C9616E391} ()
[06/15/2007, 19:42:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:34] -  Checking for HKLM\...\Winlogon\Notify\wvuvstu
[06/15/2007, 19:42:34] -  Found: HKLM\...\Winlogon\Notify\wvuvstu - This is probably Virtumundo.
[06/15/2007, 19:42:34] -  Assigning {7CB53B95-F8A8-440B-9DA7-091C9616E391} MSEvents Object
[06/15/2007, 19:42:34] - BHO list has been changed! Starting over...
[06/15/2007, 19:42:34] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[06/15/2007, 19:42:34] -  BHO 2: {6454E594-3815-4F56-90DB-EE6595BC6BFF} ()
[06/15/2007, 19:42:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:34] -  Checking for HKLM\...\Winlogon\Notify\gebaa
[06/15/2007, 19:42:34] -  Key not found: HKLM\...\Winlogon\Notify\gebaa, continuing.
[06/15/2007, 19:42:34] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/15/2007, 19:42:34] -  BHO 4: {7CB53B95-F8A8-440B-9DA7-091C9616E391} (MSEvents Object)
[06/15/2007, 19:42:34] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:34] -  BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/15/2007, 19:42:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:34] -  No filename found. Continuing.
[06/15/2007, 19:42:34] -  BHO 6: {AC1DF12F-9F5D-41F4-B039-4A206583F430} ()
[06/15/2007, 19:42:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:35] -  Checking for HKLM\...\Winlogon\Notify\ljhii
[06/15/2007, 19:42:35] -  Found: HKLM\...\Winlogon\Notify\ljhii - This is probably Virtumundo.
[06/15/2007, 19:42:35] -  Assigning {AC1DF12F-9F5D-41F4-B039-4A206583F430} MSEvents Object
[06/15/2007, 19:42:35] - BHO list has been changed! Starting over...
[06/15/2007, 19:42:35] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[06/15/2007, 19:42:35] -  BHO 2: {6454E594-3815-4F56-90DB-EE6595BC6BFF} ()
[06/15/2007, 19:42:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:35] -  Checking for HKLM\...\Winlogon\Notify\gebaa
[06/15/2007, 19:42:35] -  Key not found: HKLM\...\Winlogon\Notify\gebaa, continuing.
[06/15/2007, 19:42:35] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/15/2007, 19:42:35] -  BHO 4: {7CB53B95-F8A8-440B-9DA7-091C9616E391} (MSEvents Object)
[06/15/2007, 19:42:35] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:35] -  BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/15/2007, 19:42:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:35] -  No filename found. Continuing.
[06/15/2007, 19:42:35] -  BHO 6: {AC1DF12F-9F5D-41F4-B039-4A206583F430} (MSEvents Object)
[06/15/2007, 19:42:35] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:35] -  BHO 7: {B2030C9A-DE59-457D-A042-D827AD69C8F3} ()
[06/15/2007, 19:42:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:36] -  Checking for HKLM\...\Winlogon\Notify\ddcawww
[06/15/2007, 19:42:36] -  Key not found: HKLM\...\Winlogon\Notify\ddcawww, continuing.
[06/15/2007, 19:42:36] -  BHO 8: {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} ()
[06/15/2007, 19:42:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:36] -  Checking for HKLM\...\Winlogon\Notify\yaywxut
[06/15/2007, 19:42:36] -  Found: HKLM\...\Winlogon\Notify\yaywxut - This is probably Virtumundo.
[06/15/2007, 19:42:36] -  Assigning {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} MSEvents Object
[06/15/2007, 19:42:36] - BHO list has been changed! Starting over...
[06/15/2007, 19:42:36] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[06/15/2007, 19:42:36] -  BHO 2: {6454E594-3815-4F56-90DB-EE6595BC6BFF} ()
[06/15/2007, 19:42:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:36] -  Checking for HKLM\...\Winlogon\Notify\gebaa
[06/15/2007, 19:42:36] -  Key not found: HKLM\...\Winlogon\Notify\gebaa, continuing.
[06/15/2007, 19:42:36] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/15/2007, 19:42:36] -  BHO 4: {7CB53B95-F8A8-440B-9DA7-091C9616E391} (MSEvents Object)
[06/15/2007, 19:42:36] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:36] -  BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/15/2007, 19:42:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:36] -  No filename found. Continuing.
[06/15/2007, 19:42:36] -  BHO 6: {AC1DF12F-9F5D-41F4-B039-4A206583F430} (MSEvents Object)
[06/15/2007, 19:42:37] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:37] -  BHO 7: {B2030C9A-DE59-457D-A042-D827AD69C8F3} ()
[06/15/2007, 19:42:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:37] -  Checking for HKLM\...\Winlogon\Notify\ddcawww
[06/15/2007, 19:42:37] -  Key not found: HKLM\...\Winlogon\Notify\ddcawww, continuing.
[06/15/2007, 19:42:37] -  BHO 8: {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} (MSEvents Object)
[06/15/2007, 19:42:37] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:37] -  BHO 9: {E12BFF69-38A7-406e-A8EF-2738107A7831} ()
[06/15/2007, 19:42:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:37] -  Checking for HKLM\...\Winlogon\Notify\htkunsij
[06/15/2007, 19:42:37] -  Key not found: HKLM\...\Winlogon\Notify\htkunsij, continuing.
[06/15/2007, 19:42:37] - Finished Searching Browser Helper Objects
[06/15/2007, 19:42:37] - *** Detected MSEvents Object
[06/15/2007, 19:42:37] - Trying to remove MSEvents Object...
[06/15/2007, 19:42:38] -    Terminating Process: IEXPLORE.EXE
[06/15/2007, 19:42:39] -    Terminating Process: RUNDLL32.EXE
[06/15/2007, 19:42:39] -    Disabling Automatic Shell Restart
[06/15/2007, 19:42:39] -    Terminating Process: EXPLORER.EXE
[06/15/2007, 19:42:39] -    Suspending the NT Session Manager System Service
[06/15/2007, 19:42:39] -    Terminating Windows NT Logon/Logoff Manager
[06/15/2007, 19:42:43] -    Re-enabling Automatic Shell Restart
[06/15/2007, 19:42:43] -   File to disable: C:\WINDOWS\system32\wvuvstu.dll
[06/15/2007, 19:42:43] -   Removing HKLM\...\Browser Helper Objects\{7CB53B95-F8A8-440B-9DA7-091C9616E391}
[06/15/2007, 19:42:43] -   Removing HKCR\CLSID\{7CB53B95-F8A8-440B-9DA7-091C9616E391}
[06/15/2007, 19:42:43] -   Adding Kill Bit for ActiveX for GUID: {7CB53B95-F8A8-440B-9DA7-091C9616E391}
[06/15/2007, 19:42:43] -   Deleting ATLEvents/MSEvents Registry entries
[06/15/2007, 19:42:43] -   Removing HKLM\...\Winlogon\Notify\wvuvstu
[06/15/2007, 19:42:43] - Searching for Browser Helper Objects:
[06/15/2007, 19:42:43] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[06/15/2007, 19:42:43] -  BHO 2: {6454E594-3815-4F56-90DB-EE6595BC6BFF} ()
[06/15/2007, 19:42:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:43] -  Checking for HKLM\...\Winlogon\Notify\gebaa
[06/15/2007, 19:42:43] -  Key not found: HKLM\...\Winlogon\Notify\gebaa, continuing.
[06/15/2007, 19:42:44] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/15/2007, 19:42:44] -  BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/15/2007, 19:42:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:44] -  No filename found. Continuing.
[06/15/2007, 19:42:44] -  BHO 5: {AC1DF12F-9F5D-41F4-B039-4A206583F430} (MSEvents Object)
[06/15/2007, 19:42:44] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:44] -  BHO 6: {B2030C9A-DE59-457D-A042-D827AD69C8F3} ()
[06/15/2007, 19:42:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:44] -  Checking for HKLM\...\Winlogon\Notify\ddcawww
[06/15/2007, 19:42:44] -  Key not found: HKLM\...\Winlogon\Notify\ddcawww, continuing.
[06/15/2007, 19:42:44] -  BHO 7: {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} (MSEvents Object)
[06/15/2007, 19:42:44] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:44] -  BHO 8: {E12BFF69-38A7-406e-A8EF-2738107A7831} ()
[06/15/2007, 19:42:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:44] -  Checking for HKLM\...\Winlogon\Notify\htkunsij
[06/15/2007, 19:42:44] -  Key not found: HKLM\...\Winlogon\Notify\htkunsij, continuing.
[06/15/2007, 19:42:44] - Finished Searching Browser Helper Objects
[06/15/2007, 19:42:44] - *** Detected MSEvents Object
[06/15/2007, 19:42:44] - Trying to remove MSEvents Object...
[06/15/2007, 19:42:45] -    Terminating Process: IEXPLORE.EXE
[06/15/2007, 19:42:46] -    Terminating Process: RUNDLL32.EXE
[06/15/2007, 19:42:46] -    Disabling Automatic Shell Restart
[06/15/2007, 19:42:46] -    Terminating Process: EXPLORER.EXE
[06/15/2007, 19:42:46] -    Suspending the NT Session Manager System Service
[06/15/2007, 19:42:46] -    Terminating Windows NT Logon/Logoff Manager
[06/15/2007, 19:42:46] -    Re-enabling Automatic Shell Restart
[06/15/2007, 19:42:46] -   File to disable: C:\WINDOWS\system32\ljhii.dll
[06/15/2007, 19:42:46] -   Removing HKLM\...\Browser Helper Objects\{AC1DF12F-9F5D-41F4-B039-4A206583F430}
[06/15/2007, 19:42:46] -   Removing HKCR\CLSID\{AC1DF12F-9F5D-41F4-B039-4A206583F430}
[06/15/2007, 19:42:46] -   Adding Kill Bit for ActiveX for GUID: {AC1DF12F-9F5D-41F4-B039-4A206583F430}
[06/15/2007, 19:42:46] -   Deleting ATLEvents/MSEvents Registry entries
[06/15/2007, 19:42:46] -   Removing HKLM\...\Winlogon\Notify\ljhii
[06/15/2007, 19:42:46] - Searching for Browser Helper Objects:
[06/15/2007, 19:42:46] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[06/15/2007, 19:42:46] -  BHO 2: {6454E594-3815-4F56-90DB-EE6595BC6BFF} ()
[06/15/2007, 19:42:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:47] -  Checking for HKLM\...\Winlogon\Notify\gebaa
[06/15/2007, 19:42:47] -  Key not found: HKLM\...\Winlogon\Notify\gebaa, continuing.
[06/15/2007, 19:42:47] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/15/2007, 19:42:47] -  BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/15/2007, 19:42:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:47] -  No filename found. Continuing.
[06/15/2007, 19:42:47] -  BHO 5: {B2030C9A-DE59-457D-A042-D827AD69C8F3} ()
[06/15/2007, 19:42:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:47] -  Checking for HKLM\...\Winlogon\Notify\ddcawww
[06/15/2007, 19:42:47] -  Key not found: HKLM\...\Winlogon\Notify\ddcawww, continuing.
[06/15/2007, 19:42:47] -  BHO 6: {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} (MSEvents Object)
[06/15/2007, 19:42:47] - ALERT: Found MSEvents Object!
[06/15/2007, 19:42:47] -  BHO 7: {E12BFF69-38A7-406e-A8EF-2738107A7831} ()
[06/15/2007, 19:42:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:47] -  Checking for HKLM\...\Winlogon\Notify\htkunsij
[06/15/2007, 19:42:47] -  Key not found: HKLM\...\Winlogon\Notify\htkunsij, continuing.
[06/15/2007, 19:42:47] - Finished Searching Browser Helper Objects
[06/15/2007, 19:42:47] - *** Detected MSEvents Object
[06/15/2007, 19:42:47] - Trying to remove MSEvents Object...
[06/15/2007, 19:42:48] -    Terminating Process: IEXPLORE.EXE
[06/15/2007, 19:42:48] -    Terminating Process: RUNDLL32.EXE
[06/15/2007, 19:42:49] -    Disabling Automatic Shell Restart
[06/15/2007, 19:42:49] -    Terminating Process: EXPLORER.EXE
[06/15/2007, 19:42:49] -    Suspending the NT Session Manager System Service
[06/15/2007, 19:42:49] -    Terminating Windows NT Logon/Logoff Manager
[06/15/2007, 19:42:49] -    Re-enabling Automatic Shell Restart
[06/15/2007, 19:42:49] -   File to disable: C:\WINDOWS\system32\yaywxut.dll
[06/15/2007, 19:42:49] -   Removing HKLM\...\Browser Helper Objects\{BEDF30ED-41B2-4CDC-875A-ED063C81AF7B}
[06/15/2007, 19:42:49] -   Removing HKCR\CLSID\{BEDF30ED-41B2-4CDC-875A-ED063C81AF7B}
[06/15/2007, 19:42:49] -   Adding Kill Bit for ActiveX for GUID: {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B}
[06/15/2007, 19:42:49] -   Deleting ATLEvents/MSEvents Registry entries
[06/15/2007, 19:42:49] -   Removing HKLM\...\Winlogon\Notify\yaywxut
[06/15/2007, 19:42:49] - Searching for Browser Helper Objects:
[06/15/2007, 19:42:49] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[06/15/2007, 19:42:49] -  BHO 2: {6454E594-3815-4F56-90DB-EE6595BC6BFF} ()
[06/15/2007, 19:42:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:49] -  Checking for HKLM\...\Winlogon\Notify\gebaa
[06/15/2007, 19:42:50] -  Key not found: HKLM\...\Winlogon\Notify\gebaa, continuing.
[06/15/2007, 19:42:50] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/15/2007, 19:42:50] -  BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/15/2007, 19:42:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:50] -  No filename found. Continuing.
[06/15/2007, 19:42:50] -  BHO 5: {B2030C9A-DE59-457D-A042-D827AD69C8F3} ()
[06/15/2007, 19:42:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:50] -  Checking for HKLM\...\Winlogon\Notify\ddcawww
[06/15/2007, 19:42:50] -  Key not found: HKLM\...\Winlogon\Notify\ddcawww, continuing.
[06/15/2007, 19:42:50] -  BHO 6: {E12BFF69-38A7-406e-A8EF-2738107A7831} ()
[06/15/2007, 19:42:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/15/2007, 19:42:50] -  Checking for HKLM\...\Winlogon\Notify\htkunsij
[06/15/2007, 19:42:50] -  Key not found: HKLM\...\Winlogon\Notify\htkunsij, continuing.
[06/15/2007, 19:42:50] - Finished Searching Browser Helper Objects
[06/15/2007, 19:42:50] - Finishing up...
[06/15/2007, 19:42:50] - A restart is needed.
[06/15/2007, 19:42:57] - Attempting to Restart via STOP error (Blue Screen!)

Et maintenant, le rapport HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 19:54:51, on 15/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\hspuvety.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6454E594-3815-4F56-90DB-EE6595BC6BFF} - C:\WINDOWS\system32\gebaa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B2030C9A-DE59-457D-A042-D827AD69C8F3} - C:\WINDOWS\system32\ddcawww.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\htkunsij.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hspuvety.exe] C:\Documents and Settings\All Users\Application Data\hspuvety.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ghsgcumg.dll",realset
O4 - HKLM\..\Run: [j7281634] rundll32 C:\WINDOWS\system32\j7281634.dll sook
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=6010,2007,0223,0314
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5,2,3790,0
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61017,0703
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=6010,2007,0223,0312
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: wincjw32 - wincjw32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Alors, qu'est-ce que ça donne?

rudyrital · Answer

Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 
Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
• Redémarre ton ordinateur
• Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde).
• A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
• Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
• Choisis ton compte.
Déroule la liste des instructions ci-dessous :
• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le scrïpt.
• Appuie sur Y pour commencer le processus de nettoyage.
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
• Appuie sur une touche pour redémarrer le PC.
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
• Appuie sur une touche pour finir l'exécution du scrïpt et charger les icônes de ton Bureau.
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum, avec un nouveau log Hijackthis !

Alex91150 · Answer

Salut, j'ai fait ce que tu m'as demandé.

Voila le fichier Report.txt:

SDFix: Version 1.87

Run by papa on 16/06/2007 at 16:55

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\papa\Bureau\SDFix\SDFix

Safe Mode:
Checking Services: 






Restoring Windows Registry Values
Restoring Windows Default Hosts File 

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\wr.txt  - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found. 

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found. 

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
 
Checking C:\WINDOWS\system32
toskrnl.exe
C:\WINDOWS\system32
toskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"="C:\Program Files\FileZilla Server\FileZilla Server Interface.exe:*:Enabled:FileZilla Server Interface"
"D:\enfants\FlashGet\flashget.exe"="D:\enfants\FlashGet\flashget.exe:*:Enabled:Flashget"
"C:\DOCUME~1\papa\LOCALS~1\Temp\win8.tmp.exe"="C:\DOCUME~1\papa\LOCALS~1\Temp\win8.tmp.exe:*:Enabled:win8.tmp"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\TEMP\win47CD.tmp.exe"="C:\WINDOWS\TEMP\win47CD.tmp.exe:*:Enabled:win47CD.tmp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\papa\Bureau\SDFix\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Program Files\CDBurnerXP\libs\NCTAudioCompress3.dll
C:\Program Files\CDBurnerXP\libs\NCTAudioFormatSettings3.dll
C:\WINDOWS\system32\B8FDBAD9B9.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\papa\Mes documents\Stage Alex\~WRL0005.tmp
C:\WINDOWS\system32\iihjl.tmp

Listing User Accounts:

comptes d'utilisateurs de xxxxxx

Administrateur           ASPNET                   HelpAssistant            
Invit‚                   papa                     SUPPORT_388945a0         
La commande s'est termin‚e correctement.


                                 Finished 

Et voila le log HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 17:11:00, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\hspuvety.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\scchk32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6454E594-3815-4F56-90DB-EE6595BC6BFF} - C:\WINDOWS\system32\gebaa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B2030C9A-DE59-457D-A042-D827AD69C8F3} - C:\WINDOWS\system32\ddcawww.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\htkunsij.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hspuvety.exe] C:\Documents and Settings\All Users\Application Data\hspuvety.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ghsgcumg.dll",realset
O4 - HKLM\..\Run: [j7281634] rundll32 C:\WINDOWS\system32\j7281634.dll sook
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=6010,2007,0223,0314
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5,2,3790,0
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61017,0703
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=6010,2007,0223,0312
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: wincjw32 - wincjw32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



Tu me dis dès qu'il y a plus d'infection.

rudyrital · Answer

Télécharge VundoFix.exe (par Atribune) sur ton Bureau. 
http://www.atribune.org/ccount/click.php?id=4 

* Double-clique VundoFix.exe afin de le lancer. 
* Lorsque l'outil se lance à nouveau, clique sur le bouton Scan for Vundo 
* Clique sur le bouton Scan for Vundo. 
* Lorsque le scan est complété, clique sur le bouton Remove Vundo 
* Une invite te demandera si tu veux supprimer les fichiers, clique YES 
* Après avoir cliqué "Yes", le Bureau disparaîtra un moment lors de la suppression des fichiers. 
* Tu verras une invite qui t'annonce que ton PC va s'éteindre ("shutdown"); clique OK 
* Démarre ton PC à nouveau. 
* Copie/colle le contenu du rapport situé dans C:\vundofix.txt ainsi qu'un nouveau rapport HijackThis! dans ta prochaine réponse. 

Note Il est possible que VundoFix soit confronté à un fichier qu'il ne peut supprimer. Si tel est le cas, l'outil se lancera au prochain redémarrage; il faut simplement suivre les instructions ci-haut, à partir de "clique sur le bouton Scan for Vundo".

Alex91150 · Answer

Salut,

Voila le rapport VundoFix:

VundoFix V6.5.1

Checking Java version...

Java version is 1.5.0.11

Scan started at 07:12:07 19/06/2007

Listing files found while scanning....

C:\WINDOWS\system32\agaeoond.dll
C:\WINDOWS\system32\ddcawww.dll
C:\windows\system32\ebprpdkj.exe
C:\WINDOWS\system32\ghsgcumg.dll
C:\WINDOWS\system32\gmucgshg.ini
C:\WINDOWS\system32\htkunsij.dll
C:\WINDOWS\system32\lcillxhw.dll
C:\WINDOWS\system32
adwanpq.dll
C:\windows\system32\qxywafqa.dll
C:\windows\system32\vpuvvnem.dll

Beginning removal...

 Attempting to delete C:\windows\system32\ebprpdkj.exe
C:\windows\system32\ebprpdkj.exe Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ghsgcumg.dll
C:\WINDOWS\system32\ghsgcumg.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\gmucgshg.ini
C:\WINDOWS\system32\gmucgshg.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\htkunsij.dll
C:\WINDOWS\system32\htkunsij.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\lcillxhw.dll
C:\WINDOWS\system32\lcillxhw.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32
adwanpq.dll
C:\WINDOWS\system32
adwanpq.dll Has been deleted!

 Attempting to delete C:\windows\system32\qxywafqa.dll
C:\windows\system32\qxywafqa.dll Has been deleted!

 Attempting to delete C:\windows\system32\vpuvvnem.dll
C:\windows\system32\vpuvvnem.dll Has been deleted!

Performing Repairs to the registry.
Done!

Et le rapport HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 16:59:06, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\hspuvety.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6454E594-3815-4F56-90DB-EE6595BC6BFF} - C:\WINDOWS\system32\gebaa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hspuvety.exe] C:\Documents and Settings\All Users\Application Data\hspuvety.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [j7281634] rundll32 C:\WINDOWS\system32\j7281634.dll sook
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Readereader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=6010,2007,0223,0314
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5,2,3790,0
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5600,0,61017,0703
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=6010,2007,0223,0312
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: wincjw32 - wincjw32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

rudyrital · Answer

relance hijackthis puis clic sur "do a system scan only"

apres le scan coche ces lignes et seulement celles ci !!

O2 - BHO: (no name) - {6454E594-3815-4F56-90DB-EE6595BC6BFF} - C:\WINDOWS\system32\gebaa.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi#version=5,2,3790,0
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://extranet.mousquetaires.com/dana-na/auth/url_1/welcome.cgi
O20 - Winlogon Notify: wincjw32 - wincjw32.dll (file missing)

referme ton navigateur (internet explorer ) puis clic sur " fix check"


Rends toi sur ce site :
http://www.virustotal.com/xhtml/virustotal_en.html

Clique sur parcourir et cherche ce fichier :

C:\Documents and Settings\All Users\Application Data\hspuvety.exe


Clique sur send.

Un rapport va s'élaborer ligne à ligne.

Attends la fin. Il doit comprendre la taille du fichier envoyé.

Sauvegarde le rapport avec le bloc-note.

fait de meme avec celle ci :
C:\WINDOWS\system32\j7281634.dll

Copie le dans ta réponse.

Alex91150 · Answer

Salut,

Alors, il y a un petit problème, j'ai pas trouvé j7281634.dll dans system32. J'ai fait que pour hspuvety.exe:

Antivirus	Version	Update	Result
AhnLab-V3	2007.6.16.0	06.19.2007	no virus found
AntiVir	7.4.0.34	06.19.2007	TR/Crypt.XPACK.Gen
Authentium	4.93.8	06.19.2007	Possibly a new variant of W32/new-malware!Maximus
Avast	4.7.997.0	06.20.2007	no virus found
AVG	7.5.0.467	06.19.2007	no virus found
BitDefender	7.2	06.20.2007	no virus found
CAT-QuickHeal	9.00	06.19.2007	no virus found
ClamAV	devel-20070416	06.20.2007	no virus found
DrWeb	4.33	06.19.2007	no virus found
eSafe	7.0.15.0	06.19.2007	suspicious Trojan/Worm
eTrust-Vet	30.7.3727	06.19.2007	no virus found
Ewido	4.0	06.19.2007	no virus found
FileAdvisor	1	06.20.2007	no virus found
Fortinet	2.91.0.0	06.19.2007	no virus found
F-Prot	4.3.2.48	06.19.2007	W32/new-malware!Maximus
F-Secure	6.70.13030.0	06.19.2007	no virus found
Ikarus	T3.1.1.8	06.20.2007	Dialer
Kaspersky	4.0.2.24	06.19.2007	no virus found
McAfee	5056	06.19.2007	no virus found
Microsoft	1.2607	06.19.2007	no virus found
NOD32v2	2340	06.20.2007	no virus found
Norman	5.80.02	06.19.2007	no virus found
Panda	9.0.0.4	06.20.2007	Trj/Downloader.OQW
Prevx1	V2	06.20.2007	Generic.Malware
Sophos	4.18.0	06.12.2007	no virus found
Sunbelt	2.2.907.0	06.16.2007	no virus found
Symantec	10	06.20.2007	no virus found
TheHacker	6.1.6.136	06.20.2007	no virus found
VBA32	3.12.0.2	06.20.2007	no virus found
VirusBuster	4.3.23:9	06.19.2007	no virus found
Webwasher-Gateway	6.0.1	06.19.2007	Trojan.Crypt.XPACK.Gen

Aditional Information
File size: 57344 bytes
MD5: 9e49cc69e44a49451b4ab28f53d519be
SHA1: b8f64eaa52b777ccf5e755a10a260dbe67b76cf8
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/...

PS: quand je démarre, j'ai une erreur RunDLL qui dit que j7281634.dll est introuvable. Ceci explique cela...

rudyrital · Answer

Ouvre ce lien (merci a S!RI pour ce programme). http://siri.urz.free.fr/Fix/SmitfraudFix.php 
et télécharge SmitfraudFix.exe.

Regarde le tuto
Exécute le en choisissant l’option 1, il va générer un rapport
Copie/colle le sur le poste stp.

Alex91150 · Answer

Salut,

Voila le rapport SmitFraudFix:

SmitFraudFix v2.195

Rapport fait à  7:41:08,90, 22/06/2007
Executé à partir de D:\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\hspuvety.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\papa


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\papa\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\papa\Favoris


»»»»»»»»»»»»»»»»»»»»»»»» Bureau


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues


»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Carte réseau 3Com EtherLink XL 10/100 PCI TX (3C905B-TX) - Miniport d'ordonnancement de paquets
DNS Server Search Order: 212.27.53.252
DNS Server Search Order: 212.27.54.252

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E7E94806-205E-4367-9CD0-9F916B1A6FFC}: DhcpNameServer=212.27.53.252 212.27.54.252
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E7E94806-205E-4367-9CD0-9F916B1A6FFC}: DhcpNameServer=212.27.53.252 212.27.54.252
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E7E94806-205E-4367-9CD0-9F916B1A6FFC}: DhcpNameServer=212.27.53.252 212.27.54.252
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=212.27.53.252 212.27.54.252
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=212.27.53.252 212.27.54.252
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=212.27.53.252 212.27.54.252


»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin

EDIT: Récemment, j'ai découvert à la racine du disque système, 3 fichiers: hcojjefh1.exe, hcojjefh2.exe, hcojjefh3.exe. J'ai fait un rapport Virus Total sur le premier fichier. Le voilà:

Antivirus	Version	Update	Result
AhnLab-V3	2007.6.21.1	06.22.2007	no virus found
AntiVir	7.4.0.34	06.21.2007	no virus found
Authentium	4.93.8	06.22.2007	Possibly a new variant of W32/SelfStarterInternetTrojan!Maximus
Avast	4.7.997.0	06.21.2007	no virus found
AVG	7.5.0.467	06.20.2007	no virus found
BitDefender	7.2	06.22.2007	no virus found
CAT-QuickHeal	9.00	06.21.2007	no virus found
ClamAV	devel-20070416	06.22.2007	no virus found
DrWeb	4.33	06.21.2007	no virus found
eSafe	7.0.15.0	06.21.2007	Downloader.MisleadAp
eTrust-Vet	30.8.3733	06.22.2007	no virus found
Ewido	4.0	06.21.2007	no virus found
FileAdvisor	1	06.22.2007	No threat detected
Fortinet	2.91.0.0	06.22.2007	Misc/Ultimate
F-Prot	4.3.2.48	06.21.2007	W32/SelfStarterInternetTrojan!Maximus
F-Secure	6.70.13030.0	06.22.2007	no virus found
Ikarus	T3.1.1.8	06.22.2007	not-a-virus:.FraudTool.Win32.UltimateDefender.a
Kaspersky	4.0.2.24	06.22.2007	no virus found
McAfee	5058	06.21.2007	New Malware.ca
Microsoft	1.2701	06.22.2007	no virus found
NOD32v2	2343	06.21.2007	probably a variant of Win32/Adware.UltimateDefender
Norman	5.80.02	06.21.2007	no virus found
Panda	9.0.0.4	06.22.2007	Application/UltimateCleaner
Sophos	4.18.0	06.21.2007	no virus found
Sunbelt	2.2.907.0	06.21.2007	Trojan-Downloader.MisleadApp
Symantec	10	06.22.2007	Downloader.MisleadApp
TheHacker	6.1.6.136	06.20.2007	no virus found
VBA32	3.12.0.2	06.21.2007	no virus found
VirusBuster	4.3.23:9	06.21.2007	no virus found
Webwasher-Gateway	6.0.1	06.21.2007	Worm.Win32.ModifiedUPX.gen!90 (suspicious)

Aditional Information
File size: 99072 bytes
MD5: 711d6a7b5bb4a9ee0ec162a948f76b2f
SHA1: 9ec63ea5dc46aca749f48bc0fd296fcf17be6c41
packers: UPX
packers: UPX
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=711d6a7b5bb4a9ee0ec162a948f76b2f
packers: UPX

EDIT2: Le rapport VT du 2e fichier, hcojjefh2.exe:

AhnLab-V3	2007.6.21.1	06.22.2007	no virus found
AntiVir	7.4.0.34	06.21.2007	ADSPY/Udefender.1
Authentium	4.93.8	06.22.2007	Possibly a new variant of W32/SelfStarterInternetTrojan!Maximus
Avast	4.7.997.0	06.21.2007	Win32:Adware-gen.
AVG	7.5.0.467	06.20.2007	no virus found
BitDefender	7.2	06.22.2007	no virus found
CAT-QuickHeal	9.00	06.21.2007	no virus found
ClamAV	devel-20070416	06.22.2007	no virus found
DrWeb	4.33	06.21.2007	no virus found
eSafe	7.0.15.0	06.21.2007	Downloader.MisleadAp
eTrust-Vet	30.8.3733	06.22.2007	no virus found
Ewido	4.0	06.21.2007	no virus found
FileAdvisor	1	06.22.2007	no virus found
Fortinet	2.91.0.0	06.22.2007	Misc/Ultimate
F-Prot	4.3.2.48	06.21.2007	W32/SelfStarterInternetTrojan!Maximus
F-Secure	6.70.13030.0	06.22.2007	no virus found
Ikarus	T3.1.1.8	06.22.2007	not-a-virus:.FraudTool.Win32.UltimateDefender.a
Kaspersky	4.0.2.24	06.22.2007	no virus found
McAfee	5058	06.21.2007	New Malware.ca
Microsoft	1.2701	06.22.2007	no virus found
NOD32v2	2343	06.21.2007	a variant of Win32/Adware.UltimateDefender
Norman	5.80.02	06.21.2007	no virus found
Panda	9.0.0.4	06.22.2007	Application/UltimateCleaner
Prevx1	V2	06.22.2007	Spyware.UltimateDefender
Sophos	4.18.0	06.21.2007	no virus found
Sunbelt	2.2.907.0	06.21.2007	Trojan-Downloader.MisleadApp
Symantec	10	06.22.2007	Downloader.MisleadApp
TheHacker	6.1.6.136	06.20.2007	no virus found
VBA32	3.12.0.2	06.21.2007	no virus found
VirusBuster	4.3.23:9	06.21.2007	no virus found
Webwasher-Gateway	6.0.1	06.21.2007	Ad-Spyware.Udefender.1

Aditional Information
File size: 100096 bytes
MD5: d591294599c8e4c8ae5eaef45ee2075f
SHA1: 873566084ffab23aeb547f33e63d60b4bb0e3442
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/...</code>



EDIT3: Et pour le dernier hcojjefh3.exe:

AhnLab-V3	2007.6.21.1	06.22.2007	no virus found
AntiVir	7.4.0.34	06.21.2007	ADSPY/Udefender.1
Authentium	4.93.8	06.22.2007	Possibly a new variant of W32/SelfStarterInternetTrojan!Maximus
Avast	4.7.997.0	06.21.2007	Win32:Adware-gen.
AVG	7.5.0.467	06.20.2007	no virus found
BitDefender	7.2	06.22.2007	no virus found
CAT-QuickHeal	9.00	06.21.2007	no virus found
ClamAV	devel-20070416	06.22.2007	no virus found
DrWeb	4.33	06.21.2007	no virus found
eSafe	7.0.15.0	06.21.2007	Downloader.MisleadAp
eTrust-Vet	30.8.3733	06.22.2007	no virus found
Ewido	4.0	06.21.2007	no virus found
FileAdvisor	1	06.22.2007	no virus found
Fortinet	2.91.0.0	06.22.2007	Misc/Ultimate
F-Prot	4.3.2.48	06.21.2007	W32/SelfStarterInternetTrojan!Maximus
F-Secure	6.70.13030.0	06.22.2007	no virus found
Ikarus	T3.1.1.8	06.22.2007	not-a-virus:.FraudTool.Win32.UltimateDefender.a
Kaspersky	4.0.2.24	06.22.2007	no virus found
McAfee	5058	06.21.2007	New Malware.ca
Microsoft	1.2701	06.22.2007	no virus found
NOD32v2	2343	06.21.2007	a variant of Win32/Adware.UltimateDefender
Norman	5.80.02	06.21.2007	no virus found
Panda	9.0.0.4	06.22.2007	Application/UltimateCleaner
Prevx1	V2	06.22.2007	Spyware.UltimateDefender
Sophos	4.18.0	06.21.2007	no virus found
Sunbelt	2.2.907.0	06.21.2007	Trojan-Downloader.MisleadApp
Symantec	10	06.22.2007	Downloader.MisleadApp
TheHacker	6.1.6.136	06.20.2007	no virus found
VBA32	3.12.0.2	06.21.2007	no virus found
VirusBuster	4.3.23:9	06.21.2007	no virus found
Webwasher-Gateway	6.0.1	06.21.2007	Ad-Spyware.Udefender.1

Aditional Information
File size: 100096 bytes
MD5: d591294599c8e4c8ae5eaef45ee2075f
SHA1: 873566084ffab23aeb547f33e63d60b4bb0e3442
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/...

</pre>

rudyrital · Answer

fait un scan ici 
https://www.bitdefender.fr/ 
et copie colle le résultat ici 
* En bas, à gauche de la fenêtre, clique sur BitDefender SCAN ONLINE 
* Dans la nouvelle fenêtre, clique sur I agree 
* La fenêtre change encore, clique sur Click here to scan 
* Les signatures se chargent, etc. 

tuto en image 

http://pageperso.aol.fr/rginformatique/mapage/defender.htm

Séb08 · Answer

re,

Alex , évite de mettre tes rapports en bleu; ca rend la lisibilité difficile .

merci

Outerinfo est-il bien désinstallé? - Page 2

Discussions similaires

Newsletters