HijackThis log analysis

Solved/Closed
Alex - 9 June 2007 at 00:19
 riri94 - 22 Jan. 2008 at 18:46
Hello.

So here it is: yesterday I downloaded a file that turned out to be dangerous and apparently infected my computer. I deleted the file right away.

However, my computer seems to have been suffering the consequences since then, with ads being displayed, several Trojan/virus attacks, and IE errors that close my windows (yes, I know, I should install Firefox). My computer also seems slower since then.

So this morning I booted into safe mode to run a scan with Spybot and Ad-Aware. The problem persists, though.

I also tried a System Restore, but it tells me the restore did not work after the reboot. I also wanted to go into safe mode to do one there, but the mode itself seems to have bugged out, since the screen stayed black and I did not dare try again.

So I ran a HijackThis scan, but I don't really know much about it; if someone could advise me.


Logfile of HijackThis v1.99.1
Scan saved at 00:18:08, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 82.231.144.169 apogee.lineage2.com
O1 - Hosts: 91.121.8.140 L2authd.lineage2.com
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\orkvienh.dll",realset
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



Thanks
36 replies

moK´s@ - 9 June 2007 at 05:25
Hi Alex,

1
in HijackThis, tick these:

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\orkvienh.dll",realset
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

close your applications and browser and fix/check the lines above.


2
Download Pocket KillBox to your desktop.
http://www.downloads.subratam.org/KillBox.exe


Double-click Killbox.exe and tick the "Delete on reboot" box.
copy the line below:

c:\windows\system32\orkvienh.dll",realset

In PocketKillBox --> "File" menu --> "Paste from Clipboard"

You can check in the drop-down list that the file is indeed present.
- tick the "Unregister dll before deleting" box (if you have the option)
- click the "All files" button
- then click the red cross

Answer "YES" to the two messages that will appear.
The computer should reboot; if not, reboot it yourself, whatever happens.

After the reboot, relaunch Killbox then click the "File" tab -> Log -> Actions History Log
Post the report here

3
Right-click this link:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe
Save target (link) as... and save it to your desktop.
Then double-click navilog1.exe to start the installation.
Once the installation is finished, the fix will run automatically.
(If it does not, double-click the Navilog1 shortcut on the desktop.)

Let it guide you. At the main menu, choose 1 and confirm.
(do not choose 2, 3 or 4 without our advice/approval)

Wait for the message:
*** Analyse Termine le ..... ***
Press a key as asked; Notepad will open.
Copy and paste the whole thing into a reply. Close Notepad.
The report is also saved at the root of the drive (fixnavi.txt)

4
Download VundoFix.exe (by Atribune) to your desktop.
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to launch it
* Click the Scan for Vundo button
* When the scan is complete, click the Remove Vundo button
* A prompt will ask whether you want to delete the files; click YES
* After clicking "Yes", the desktop will disappear for a moment while the files are deleted
* You will see a prompt telling you that your PC is going to reboot; click OK
* Copy/paste the contents of the report located at C:\vundofix.txt along with a new HijackThis! log in your next reply

Note: VundoFix may run into a file it cannot delete. If so, the tool will launch at the next reboot; just follow the instructions above, starting from "click the Scan for Vundo button".

and post a new HijackThis log,

@+
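The Killbox step above relies on Windows' delete-on-reboot queue. The block below is an added example (not part of the thread and not Killbox's code) that reproduces that queue offline: a MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT appends the source path in NT form and an empty destination to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager replays the list at the next boot before anything can load the DLL again. It also validates the path: the line the reply asks to paste still carries the rundll32 argument suffix `",realset`, and a double quote can never appear in a file name, which is why the file does not show up in Killbox's drop-down (as Alex reports in the next post) and why such an entry could never match a file at boot.

```python
r"""Model of the "Delete on reboot" mechanism that Pocket Killbox relies on.

Added example: not the thread's text and not Killbox's code. Windows performs
delete-on-reboot through MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT),
which appends two strings to the REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
the source as an NT path (\??\C:\...) and the destination, where an empty
destination means "delete". Session Manager replays the list at the next boot
before any user-mode program can load the DLL again. The encoder/decoder below
reproduces that value offline so you can see exactly what gets queued.
"""

PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
ILLEGAL_IN_NAME = '"<>|*?'   # never legal inside a Win32 file name


def validate_win32_path(path):
    r"""Return None if `path` could name a file, otherwise the reason it cannot.

    The line the thread asks to paste, c:\windows\system32\orkvienh.dll",realset,
    still carries the rundll32 argument; the '"' alone makes it unmatchable.
    """
    if len(path) < 3 or not path[0].isalpha() or path[1:3] != ":\\":
        return "not an absolute drive path"
    bad = sorted(set(path[3:]) & set(ILLEGAL_IN_NAME))
    if bad:
        return "illegal character(s) in path: " + "".join(bad)
    return None


def to_nt_path(win_path):
    r"""C:\dir\file -> \??\C:\dir\file, the form the pending-rename list uses."""
    err = validate_win32_path(win_path)
    if err:
        raise ValueError(err)
    return "\\??\\" + win_path


def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, list closed by one more NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz; keeps empty strings, which here mean 'delete'."""
    if not blob:
        return []
    return blob.decode("utf-16-le").split("\0")[:-2]


def pair_up(strings):
    """Group the flat list into (source, destination) tuples."""
    if len(strings) % 2:
        raise ValueError("odd number of entries: the value is corrupt")
    return list(zip(strings[0::2], strings[1::2]))


def queue_delete(current_blob, win_path):
    """What 'Delete on reboot' adds for one file: source, then an empty destination."""
    return encode_multi_sz(decode_multi_sz(current_blob) + [to_nt_path(win_path), ""])


def queue_replace(current_blob, src, dst):
    """A rename that overwrites dst; the '!' prefix is MOVEFILE_REPLACE_EXISTING."""
    return encode_multi_sz(decode_multi_sz(current_blob) + [to_nt_path(src), "!" + to_nt_path(dst)])


if __name__ == "__main__":
    blob = queue_delete(b"", r"C:\WINDOWS\system32\orkvienh.dll")
    print(pair_up(decode_multi_sz(blob)))
    print(validate_win32_path(r'c:\windows\system32\orkvienh.dll",realset'))
```

On the machine itself, `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` shows the queue just before you reboot. The Killbox log later in this thread records "PendingFileRenameOperations Registry Data has been Removed by External Process!", meaning the running infection cleared the queue before the reboot; when that happens, queuing the delete again will not help, and the process holding the DLL has to be stopped first or the file removed from safe mode or offline.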
First of all, I want to thank you greatly for your help, because I am aware of the work it involves.

Killbox report

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:43 AM

Killbox Closed(Exit) @ 11:44:10 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:44 AM

# 1 [Delete on Reboot]
Path = c:\windows\system32\orkvienh.dll",realset


I Rebooted @ 11:45:39 AM
Killbox Closed(Exit) @ 11:45:41 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:51 AM


PS: when I did "Paste from Clipboard", the file did not appear in the drop-down list, so I put it back in and continued the procedure, without being able to tick "Unregister dll before deleting".



Navilog report

search Navipromo version 2.0.3 commencé le 09/06/2007 à 11:53:54,25

!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Poster ce rapport sur le forum pour le faire analyser !!!
!!! Ne pas lancer la partie désinfection sans l'avis d'un spécialiste !!!

Fix lancé depuis C:\Program Files\navilog1
Mise a jour le 08.06.2007 a 17h00 by IL-MAFIOSO

Executé en mode normal

*** Recherche Programmes installes ***




*** Recherche dossiers dans C:\WINDOWS ***




*** Recherche dossiers dans C:\Program Files ***




*** Recherche dossiers dans C:\Documents and Settings\All Users\Application Data ***




*** Recherche dossiers dans C:\Documents and Settings\Eric\Application Data ***



*** Recherche avec BlackLight Engine/F-secure ***
BlackLight Engine est un produit de F-secure, pour + d'infos :
https://www.f-secure.com/en


F-SECURE BLACKLIGHT ROOTKIT ELIMINATOR
======================================

Copyright 2005-2006 F-Secure Corporation. All rights reserved.
This is a beta version. It will expire on 1st of April, 2007.
Version information: 2.2.1061.

[+] Started on 06/09/07 at 11:53:57.
[-] ERROR: F-Secure BlackLight could not acquire debug privileges.
[+] Exited on 06/09/07 at 11:53:57 (return code = 3).


*** Recherche fichiers ***




*** Recherche cles registre ***


Recherche dans [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]



Recherche dans [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]



Recherche Clé Magic Control



*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche fichiers connus:

C:\WINDOWS\system32\ijkkj.ini2 trouvé ! infection Vundo possible non traité par cet outil !
C:\WINDOWS\system32\ijkkj.bak1 trouvé ! infection Vundo possible non traité par cet outil !
C:\WINDOWS\system32\ijkkj.bak2 trouvé ! infection Vundo possible non traité par cet outil !

2)Recherche Heuristique :
*
**
***
****
*****
******
*******
********


*** Analyse Terminé le 09/06/2007 à 11:55:01,43 ***




VundoFix report


VundoFix V6.4.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:56:38 09/06/2007

Listing files found while scanning....

C:\WINDOWS\system32\hggghhf.dll
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak2
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\ijkkj.tmp
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\ljjiigd.dll
C:\WINDOWS\system32\nnnnlkl.dll
C:\WINDOWS\system32\tndvqmkv.dll
C:\WINDOWS\system32\vkmqvdnt.ini
C:\WINDOWS\system32\xxyyvsr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hggghhf.dll
C:\WINDOWS\system32\hggghhf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.bak2
C:\WINDOWS\system32\ijkkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\ijkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.tmp
C:\WINDOWS\system32\ijkkj.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjiigd.dll
C:\WINDOWS\system32\ljjiigd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnnlkl.dll
C:\WINDOWS\system32\nnnnlkl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tndvqmkv.dll
C:\WINDOWS\system32\tndvqmkv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vkmqvdnt.ini
C:\WINDOWS\system32\vkmqvdnt.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyyvsr.dll
C:\WINDOWS\system32\xxyyvsr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xxyyvsr.dll
C:\WINDOWS\system32\xxyyvsr.dll Has been deleted!

Performing Repairs to the registry.




HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 12:42:30, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 82.231.144.169 apogee.lineage2.com
O1 - Hosts: 91.121.8.140 L2authd.lineage2.com
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\tndvqmkv.dll",realset
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
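The two HijackThis logs in this thread show why a fresh log is asked for after every step: [Alcmtr] is gone, but [ApachInc] is still there and now points at tndvqmkv.dll instead of orkvienh.dll, so something re-created the Run value with a new file. The script below is an added example (not from the thread and not a HijackThis feature) that parses the O1/O4/O23 lines, applies three checks a helper does by eye, and diffs two logs so that surviving or renamed entries stand out. The excerpts are constructed from the logs above. Two caveats: the "random-looking name" rule (5 to 8 lowercase letters under system32) is a heuristic drawn from the names seen in this thread, not a definition of Vundo; and a "(file missing)" service whose path ends in a stray quote plus arguments, as with the avast! entries here, is not necessarily missing (ashMaiSv.exe is visible in the running-process list of both logs), so confirm with `sc qc <service>` before deleting anything.

```python
"""Parse, triage and diff HijackThis 1.99 logs.

Added example, not from the thread and not a HijackThis feature. It turns the
O1/O4/O23 lines into records, applies three checks a log reader does by eye,
and diffs two logs so entries that survived a cleanup, or came back under the
same Run value with a new file name, stand out. The excerpts below are
constructed from the two logs posted in this thread (00:18 and 12:42).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

LOG_BEFORE = r"""
O1 - Hosts: 82.231.144.169 apogee.lineage2.com
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\orkvienh.dll",realset
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
LOG_AFTER = r"""
O1 - Hosts: 82.231.144.169 apogee.lineage2.com
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\tndvqmkv.dll",realset
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str   # "O4", "O23", ...
    key: str       # what identifies the entry: Run value name, service name, host name
    value: str     # what it points at: command line, owner|image path, IP


LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.I)
# Heuristic only: the droppers in this thread used 5-8 lowercase letters
# (orkvienh, tndvqmkv, jkkji, xxyyvsr). Vendor DLLs such as NvCpl.dll usually
# carry mixed case or digits, so a hit is a prompt to look, not a verdict.
RANDOMISH_RE = re.compile(r"^[a-z]{5,8}$")


def parse_hjt(text: str) -> list[Entry]:
    """Turn the lines of a HijackThis log into Entry records."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4" and (m4 := O4_RE.match(body)):
            entries.append(Entry(section, f"{m4['hive']}[{m4['name']}]", m4["cmd"]))
        elif section == "O23" and (m23 := O23_RE.match(body)):
            entries.append(Entry(section, m23["name"], f"{m23['owner']} | {m23['path']}"))
        elif section == "O1" and (m1 := O1_RE.match(body)):
            entries.append(Entry(section, m1["host"], m1["ip"]))
        else:
            entries.append(Entry(section, body, ""))
    return entries


def triage(entries: list[Entry]) -> dict:
    """Three checks: rundll32 loading an odd-named system32 DLL, broken services, hosts overrides."""
    findings = {"rundll32_loads": [], "file_missing_services": [], "hosts_overrides": []}
    for e in entries:
        if e.section == "O4" and (m := RUNDLL_RE.match(e.value)):
            dll = m["dll"]
            stem = dll.rsplit("\\", 1)[-1][:-4]          # base name without ".dll"
            if "\\system32\\" in dll.lower() and RANDOMISH_RE.match(stem):
                findings["rundll32_loads"].append((e.key, dll, m["export"]))
        elif e.section == "O23" and "(file missing)" in e.value:
            findings["file_missing_services"].append(e.key)   # verify with: sc qc <name>
        elif e.section == "O1":
            findings["hosts_overrides"].append((e.key, e.value))
    return findings


def diff_logs(before: list[Entry], after: list[Entry]) -> dict:
    """Entries removed, added, or kept under the same key with a different target."""
    b = {(e.section, e.key): e.value for e in before}
    a = {(e.section, e.key): e.value for e in after}
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "changed": sorted((k, b[k], a[k]) for k in b if k in a and b[k] != a[k]),
    }


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for label, items in triage(before).items():
        print(label, items)
    for label, items in diff_logs(before, after).items():
        print(label, items)
```

To use it on real logs, pass the text of two saved HijackThis logs to parse_hjt and feed the results to diff_logs; a "changed" entry under the same Run value name, like [ApachInc] above, is the signal that a dropper is still active and is re-seeding its loader.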
moK´s@ - 9 June 2007 at 12:53
ok

do this:

you don't have a firewall??!!

0
Download Kerio and install it:

https://kerio.probb.fr/t1-tuto-pour-kerio-4-2

Thanks to boulepate for the site!!!

1
Double-click Killbox.exe and tick the "Delete on reboot" box.
copy the line below:

c:\windows\system32\tndvqmkv.dll",realset

In PocketKillBox --> "File" menu --> "Paste from Clipboard"

You can check in the drop-down list that the file is indeed present.
- tick the "Unregister dll before deleting" box (if you have the option)
- click the "All files" button
- then click the red cross

Answer "YES" to the two messages that will appear.
The computer should reboot; if not, reboot it yourself, whatever happens.

After the reboot, relaunch Killbox then click the "File" tab -> Log -> Actions History Log
Post the report here

2
Download VirtumundoBegone to the desktop:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Then double-click VirtumundoBeGone.exe and follow the instructions.
Once it is finished, reboot and post the VBG.TXT report created on the desktop in your next reply, along with a new HijackThis report.
Don't worry if you see a blue screen "Fatal error" message; it is normal and expected

3
Download SDFix (created by AndyManchesta) and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double-click SDFix.exe and choose Install to extract it to a dedicated folder on the desktop. Reboot your computer in safe mode following this procedure:
• Restart your computer
• After hearing the computer beep at startup, but before the Windows icon appears, tap the F8 key (one press per second).
• Instead of the normal Windows load, a menu with different options should appear.
• Choose the first option, to run Windows in safe mode, then press "Enter".
• Choose your account.
Go through the list of instructions below:
• Open the SDFix folder that was just created in the C:\ directory and double-click RunThis.bat to launch the script.
• Press Y to start the cleaning process.
• It will remove the services and registry entries of certain trojans it finds, then ask you to press a key to reboot.
• Press a key to reboot the PC.
• Your system will take longer than usual to reboot because the tool keeps running and deleting files.
• After the desktop loads, the tool will finish its work and display Finished.
• Press a key to end the script and load your desktop icons.
• Once the desktop icons are displayed, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt.
• Finally, copy/paste the contents of Report.txt in your next reply on the forum, along with a new HijackThis log!
Killbox report

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:43 AM

Killbox Closed(Exit) @ 11:44:10 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:44 AM

# 1 [Delete on Reboot]
Path = c:\windows\system32\orkvienh.dll",realset


I Rebooted @ 11:45:39 AM
Killbox Closed(Exit) @ 11:45:41 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:51 AM

Killbox Closed(Exit) @ 11:56:15 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 1:01 PM

# 1 [Delete on Reboot]
Path = c:\windows\system32\tndvqmkv.dll",realset


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 1:04:43 PM
Killbox Closed(Exit) @ 1:04:47 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 1:09 PM



VBG report

[06/09/2007, 13:11:22] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Eric\Bureau\VirtumundoBeGone.exe" )
[06/09/2007, 13:11:30] - Detected System Information:
[06/09/2007, 13:11:30] - Windows Version: 5.1.2600, Service Pack 2
[06/09/2007, 13:11:30] - Current Username: Eric (Admin)
[06/09/2007, 13:11:30] - Windows is in NORMAL mode.
[06/09/2007, 13:11:30] - Searching for Browser Helper Objects:
[06/09/2007, 13:11:30] - BHO 1: {27A508E5-7A04-4C3C-9858-46D3E6282CEE} ()
[06/09/2007, 13:11:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:30] - Checking for HKLM\...\Winlogon\Notify\jkhhe
[06/09/2007, 13:11:30] - Found: HKLM\...\Winlogon\Notify\jkhhe - This is probably Virtumundo.
[06/09/2007, 13:11:30] - Assigning {27A508E5-7A04-4C3C-9858-46D3E6282CEE} MSEvents Object
[06/09/2007, 13:11:30] - BHO list has been changed! Starting over...
[06/09/2007, 13:11:30] - BHO 1: {27A508E5-7A04-4C3C-9858-46D3E6282CEE} (MSEvents Object)
[06/09/2007, 13:11:30] - ALERT: Found MSEvents Object!
[06/09/2007, 13:11:30] - BHO 2: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (Flashget Catch Url Class)
[06/09/2007, 13:11:30] - BHO 3: {5F53B0C0-665C-4F79-A3FA-192AFB3009E7} ()
[06/09/2007, 13:11:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:30] - Checking for HKLM\...\Winlogon\Notify\jkkji
[06/09/2007, 13:11:30] - Key not found: HKLM\...\Winlogon\Notify\jkkji, continuing.
[06/09/2007, 13:11:30] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/09/2007, 13:11:30] - BHO 5: {8A61098D-612B-4EF2-943D-64E920684061} ()
[06/09/2007, 13:11:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:30] - Checking for HKLM\...\Winlogon\Notify\xxyyvsr
[06/09/2007, 13:11:30] - Key not found: HKLM\...\Winlogon\Notify\xxyyvsr, continuing.
[06/09/2007, 13:11:31] - BHO 6: {92A444D2-F945-4dd9-89A1-896A6C2D8D22} ()
[06/09/2007, 13:11:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:31] - Checking for HKLM\...\Winlogon\Notify\airoiuqw
[06/09/2007, 13:11:31] - Key not found: HKLM\...\Winlogon\Notify\airoiuqw, continuing.
[06/09/2007, 13:11:31] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/09/2007, 13:11:31] - BHO 8: {E12BFF69-38A7-406e-A8EF-2738107A7831} ()
[06/09/2007, 13:11:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:31] - Checking for HKLM\...\Winlogon\Notify\bemafpru
[06/09/2007, 13:11:31] - Key not found: HKLM\...\Winlogon\Notify\bemafpru, continuing.
[06/09/2007, 13:11:31] - BHO 9: {F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
[06/09/2007, 13:11:31] - Finished Searching Browser Helper Objects
[06/09/2007, 13:11:31] - *** Detected MSEvents Object
[06/09/2007, 13:11:31] - Trying to remove MSEvents Object...
[06/09/2007, 13:11:32] - Terminating Process: IEXPLORE.EXE
[06/09/2007, 13:11:32] - Terminating Process: RUNDLL32.EXE
[06/09/2007, 13:11:32] - Disabling Automatic Shell Restart
[06/09/2007, 13:11:32] - Terminating Process: EXPLORER.EXE
[06/09/2007, 13:11:33] - Suspending the NT Session Manager System Service
[06/09/2007, 13:11:33] - Terminating Windows NT Logon/Logoff Manager
[06/09/2007, 13:11:33] - Re-enabling Automatic Shell Restart
[06/09/2007, 13:11:33] - File to disable: C:\WINDOWS\system32\jkhhe.dll
[06/09/2007, 13:11:33] - Renaming C:\WINDOWS\system32\jkhhe.dll -> C:\WINDOWS\system32\jkhhe.dll.vir
[06/09/2007, 13:11:33] - ! File rename was unsucessful.
[06/09/2007, 13:11:33] - Attempting to Deny Access to C:\WINDOWS\system32\jkhhe.dll
[06/09/2007, 13:11:34] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[06/09/2007, 13:11:34] - ERROR: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.

[06/09/2007, 13:11:34] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[06/09/2007, 13:11:34] - Removing HKLM\...\Browser Helper Objects\{27A508E5-7A04-4C3C-9858-46D3E6282CEE}
[06/09/2007, 13:11:34] - Removing HKCR\CLSID\{27A508E5-7A04-4C3C-9858-46D3E6282CEE}
[06/09/2007, 13:11:34] - Adding Kill Bit for ActiveX for GUID: {27A508E5-7A04-4C3C-9858-46D3E6282CEE}
[06/09/2007, 13:11:34] - Deleting ATLEvents/MSEvents Registry entries
[06/09/2007, 13:11:34] - Removing HKLM\...\Winlogon\Notify\jkhhe
[06/09/2007, 13:11:34] - Searching for Browser Helper Objects:
[06/09/2007, 13:11:34] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (Flashget Catch Url Class)
[06/09/2007, 13:11:34] - BHO 2: {5F53B0C0-665C-4F79-A3FA-192AFB3009E7} ()
[06/09/2007, 13:11:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:34] - Checking for HKLM\...\Winlogon\Notify\jkkji
[06/09/2007, 13:11:34] - Key not found: HKLM\...\Winlogon\Notify\jkkji, continuing.
[06/09/2007, 13:11:34] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/09/2007, 13:11:34] - BHO 4: {8A61098D-612B-4EF2-943D-64E920684061} ()
[06/09/2007, 13:11:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:34] - Checking for HKLM\...\Winlogon\Notify\xxyyvsr
[06/09/2007, 13:11:34] - Key not found: HKLM\...\Winlogon\Notify\xxyyvsr, continuing.
[06/09/2007, 13:11:34] - BHO 5: {92A444D2-F945-4dd9-89A1-896A6C2D8D22} ()
[06/09/2007, 13:11:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:34] - Checking for HKLM\...\Winlogon\Notify\airoiuqw
[06/09/2007, 13:11:34] - Key not found: HKLM\...\Winlogon\Notify\airoiuqw, continuing.
[06/09/2007, 13:11:34] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/09/2007, 13:11:34] - BHO 7: {E12BFF69-38A7-406e-A8EF-2738107A7831} ()
[06/09/2007, 13:11:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:34] - Checking for HKLM\...\Winlogon\Notify\bemafpru
[06/09/2007, 13:11:35] - Key not found: HKLM\...\Winlogon\Notify\bemafpru, continuing.
[06/09/2007, 13:11:35] - BHO 8: {E12BFF69-38A7-406e-A8EF-2738107A7831} ()
[06/09/2007, 13:11:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2007, 13:11:35] - Checking for HKLM\...\Winlogon\Notify\bemafpru
[06/09/2007, 13:11:35] - Key not found: HKLM\...\Winlogon\Notify\bemafpru, continuing.
[06/09/2007, 13:11:35] - BHO 9: {F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
[06/09/2007, 13:11:35] - Finished Searching Browser Helper Objects
[06/09/2007, 13:11:35] - Finishing up...
[06/09/2007, 13:11:35] - A restart is needed.
[06/09/2007, 13:11:35] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[06/09/2007, 13:11:45] - Attempting to Restart via STOP error (Blue Screen!)



HijackThis report


Logfile of HijackThis v1.99.1
Scan saved at 13:17:10, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 82.231.144.169 apogee.lineage2.com
O1 - Hosts: 91.121.8.140 L2authd.lineage2.com
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\tndvqmkv.dll",realset
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



SDFix report

SDFix: Version 1.86

Run by Eric - 09/06/2007 - 13:49:23,43

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...

Service xpdx - Deleted after Reboot

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\Temp\win31.tmp.exe - Deleted
C:\WINDOWS\Temp\win8A.tmp.exe - Deleted
C:\WINDOWS\Temp\win8F.tmp.exe - Deleted
C:\WINDOWS\Temp\win31.tmp.exe - Deleted
C:\WINDOWS\Temp\win8A.tmp.exe - Deleted
C:\WINDOWS\Temp\win8F.tmp.exe - Deleted
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00001.dll - Deleted
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00002.dll - Deleted
C:\WINDOWS\Temp\$_2341233.TMP - Deleted
C:\WINDOWS\Temp\$_2341234.TMP - Deleted
C:\WINDOWS\Temp\$b17a2e8.tmp - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted
C:\DOCUME~1\Eric\LOCALS~1\Temp\win*.tmp - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%ProgramFiles%\\AOL 9.0\\aol.exe"="%ProgramFiles%\\AOL 9.0\\aol.exe:*:Enabled:AOL"
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"="%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe:*:Enabled:SPLINTER CELL PANDORA"
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"="%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe:*:Enabled:PANDORA"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\APPS\\Inventime\\my.exe"="C:\\APPS\\Inventime\\my.exe:*:Enabled:INVENTIME"
"C:\\Program Files\\Starcraft\\starcraft.exe"="C:\\Program Files\\Starcraft\\starcraft.exe:*:Enabled:Starcraft - Brood War"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa Media Desktop"
"C:\\APPS\\skype\\phone\\Skype.exe"="C:\\APPS\\skype\\phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Reality Pump\\Earth 2160\\Earth2160_NO_SSE.exe"="C:\\Program Files\\Reality Pump\\Earth 2160\\Earth2160_NO_SSE.exe:*:Enabled:Earth 2160"
"C:\\Program Files\\Reality Pump\\Earth 2160\\Earth2160_SSE.exe"="C:\\Program Files\\Reality Pump\\Earth 2160\\Earth2160_SSE.exe:*:Enabled:Earth 2160"
"C:\\Program Files\\Cyanide\\Pro Cycling Manager\\Cym2005.exe"="C:\\Program Files\\Cyanide\\Pro Cycling Manager\\Cym2005.exe:*:Enabled:Pro Cycling Manager"
"C:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"="C:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe:*:Enabled:GameCenter"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kaiba62@hotmail.com\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\kaiba62@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Exécuter une DLL en tant qu'application"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Phantasy Star Online\\Pso.exe"="C:\\Program Files\\Phantasy Star Online\\Pso.exe:*:Enabled:Pso"
"C:\\Program Files\\Sports Interactive\\Football Manager 2006\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2006\\fm.exe:*:Enabled:Football Manager 2006"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kaiba62@hotmail.com\\day of defeat\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\kaiba62@hotmail.com\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"D:\\hl2.exe"="D:\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\HL2\\hl2.exe"="C:\\Program Files\\HL2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"="C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\Xolox\\XoloxEXE.exe"="C:\\Program Files\\Xolox\\XoloxEXE.exe:*:Enabled:Xolox"
"C:\\Program Files\\Xolox\\mldonkey\\mlnet.exe"="C:\\Program Files\\Xolox\\mldonkey\\mlnet.exe:*:Enabled:MLdonkey - multiuser P2P daemon"
"C:\\Documents and Settings\\Eric\\Local Settings\\Temp\\powerfootball\\PowerFootball-D3D9.exe"="C:\\Documents and Settings\\Eric\\Local Settings\\Temp\\powerfootball\\PowerFootball-D3D9.exe:*:Enabled:PowerFootball-D3D9"
"C:\\Documents and Settings\\Eric\\Local Settings\\Temp\\powerfootball\\PowerFootball-OpenGL.exe"="C:\\Documents and Settings\\Eric\\Local Settings\\Temp\\powerfootball\\PowerFootball-OpenGL.exe:*:Enabled:PowerFootball-OpenGL"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE:*:Enabled:Age of Empires II"
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe:*:Enabled:Football Manager 2007"
"C:\\Program Files\\Lineage II\\Lineage II Apogée.exe"="C:\\Program Files\\Lineage II\\Lineage II Apogée.exe:*:Enabled:Lineage II Apogée"
"C:\\Program Files\\Lineage II\\system\\l2.exe"="C:\\Program Files\\Lineage II\\system\\l2.exe:*:Enabled:l2"
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"="C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Enabled:P2P Networking"
"C:\\Program Files\\UT2004\\System\\UT2004.exe"="C:\\Program Files\\UT2004\\System\\UT2004.exe:*:Enabled:UT2004"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\Eric\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\Eric\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\F-IRC\\f-irc.exe"="C:\\Program Files\\F-IRC\\f-irc.exe:*:Enabled:Client IRC"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\EA SPORTS\\NBA LIVE 07\\nbalive07.exe"="C:\\Program Files\\EA SPORTS\\NBA LIVE 07\\nbalive07.exe:*:Enabled:NBA LIVE 07"
"C:\\DOCUME~1\\Eric\\LOCALS~1\\Temp\\win8.tmp.exe"="C:\\DOCUME~1\\Eric\\LOCALS~1\\Temp\\win8.tmp.exe:*:Enabled:win8.tmp"
"C:\\WINDOWS\\TEMP\\win17.tmp.exe"="C:\\WINDOWS\\TEMP\\win17.tmp.exe:*:Enabled:win17.tmp"
"C:\\WINDOWS\\TEMP\\win83.tmp.exe"="C:\\WINDOWS\\TEMP\\win83.tmp.exe:*:Enabled:win83.tmp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Program Files\FlashGet\Torrent\Virtua Tennis 3 [English][PCDVD][WwW.GamesTorrents.CoM].torrent.bits
C:\Program Files\FlashGet\Torrent\Virtua Tennis 3 [English][PCDVD][WwW.GamesTorrents.CoM].torrent.filelist
C:\Program Files\FlashGet\Torrent\Virtua Tennis 3 [English][PCDVD][WwW.GamesTorrents.CoM].torrent.seeds
C:\Program Files\FlashGet\Torrent\Virtua Tennis 3 [English][PCDVD][WwW.GamesTorrents.CoM].torrent.~tmp
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\AS_Skins\boutons\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\AS_Skins\fond\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\AS_Skins\Form\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\AS_Skins\Form\Bg\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\AS_Skins\Form\Bouton\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\BG\Actuel\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\BG\Default\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\BG\RS\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\BG\Temp\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\BG\Temp2\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\radial.cdb
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\Bleach\1\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\Bleach\2\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\Bleach\3\dbx-sweety-draws\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\Bleach\4\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\Bleach\5\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\Bleach\6\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\DBZ\C18 et le ruban rouge\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\DBZ\Entrainement spécial\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\DBZ\La dette\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\DBZ\Le jour d avant\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\Slurt Girl\1\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike\Addons\amxmodx\configs\Slurt Girl\3\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\cstrike_french\models\player\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\overviews\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Bouton_About\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Bouton_Exit\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Bouton_Exit_2\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Bouton_Main_Opt\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Bouton_Minimize\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Bouton_misc_partie_droite\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Bouton_misc_partie_gauche\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Bouton_radio\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Controls\Cases à cocher\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Form\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Form\Bg\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Form\Bouton\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\Default\Form1\Thumbs.db
C:\Program Files\Valve\Steam\SteamApps\kaiba62@hotmail.com\counter-strike\RS_Skins\FormAuthorInfos\!! -- PRIVATE -- !!\Thumbs.db
C:\Program Files\Fichiers communs\aolshare\shell\fr\shellext.dll
C:\WINDOWS\system32\jkhhe.dll
C:\Program Files\AOL 9.0\aolphx.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL 9.0\RBM.exe
C:\Program Files\Fichiers communs\Yazzle1162OinUninstaller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Listing User Accounts:

comptes d'utilisateurs de \\PORTABLE

Administrateur ASPNET Eric
HelpAssistant Invité SUPPORT_388945a0
La commande s'est terminée correctement.


Finished



HijackThis report

Logfile of HijackThis v1.99.1
Scan saved at 14:23:53, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\tndvqmkv.dll",realset
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



There you go. Apparently the ads have disappeared, as has the bug that kept closing IE. The computer also seems to have got its speed back.
Thanks once again for the work and for the quick reply.
I may have spoken a bit too soon; I've had a few ads since then :x
moK´s@
9 June 2007 at 20:58
re,

In HijackThis, tick this:

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\tndvqmkv.dll",realset

Close your applications and fix/check that line...

Double-click the Killbox.exe file and tick the "Delete on reboot" box.
Copy the line below:

c:\windows\system32\tndvqmkv.dll",realset

In PocketKillBox --> "File" menu --> "Paste from Clipboard"

You can check in the drop-down menu that the file is indeed listed.
- tick the "Unregister dll before deleting" box (if you have the option)
- click the "All files" button
- then click the red cross

Answer "YES" to the two messages that will appear.
The computer should reboot; if it doesn't, reboot it yourself, whatever happens.

After the reboot, relaunch Killbox, then click the "File" tab -> Log -> Actions History Log
Post the report here.

Go to this link and download Blacklight (from F-Secure):
< https://www.f-secure.com/en > and save it to your Desktop.
Read Malekal_morte's tutorial here:
< https://www.malekal.com/tutorial-f-secure-blacklight/ >
Follow the tutorial for phase 1 (scan) and post the Blacklight report in your reply.

@+
Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:43 AM

Killbox Closed(Exit) @ 11:44:10 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:44 AM

# 1 [Delete on Reboot]
Path = c:\windows\system32\orkvienh.dll",realset


I Rebooted @ 11:45:39 AM
Killbox Closed(Exit) @ 11:45:41 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:51 AM

Killbox Closed(Exit) @ 11:56:15 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 1:01 PM

# 1 [Delete on Reboot]
Path = c:\windows\system32\tndvqmkv.dll",realset


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 1:04:43 PM
Killbox Closed(Exit) @ 1:04:47 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 1:09 PM

Killbox Closed(Exit) @ 1:10:19 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ dimanche, juin 10, 2007, 12:10 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\tndvqmkv.dll",realset


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:11:40 AM
Killbox Closed(Exit) @ 12:12:02 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ dimanche, juin 10, 2007, 12:18 AM


On the other hand, I can't run the second scan: when I launch the program I get this error message: F-Secure Blacklight could not acquire necessary privileges (SeDebugPrivilege)
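Killbox's "Delete on reboot" option and the log line "PendingFileRenameOperations Registry Data has been Removed by External Process!" refer to the same registry value, and the Killbox log above also records the scheduled path as c:\windows\system32\tndvqmkv.dll",realset, with the rundll32 export argument still attached. The script below is an added example, not Killbox code: it builds and parses the delete-on-reboot list the way the session manager reads it, strips a pasted O4 fragment down to a real file path, and re-checks whether an entry is still queued, which is the check whose failure Killbox reported. Everything runs offline; read_live_pending() is the one function that touches the real registry and is Windows-only (assumption: the reader runs it there).

```python
r"""What Killbox's "Delete on reboot" actually schedules, and how to verify it.

Added example for this thread; it is not Killbox code. A delete-on-reboot is a
pair written into the REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager: the NT-style source path
(\??\C:\...) followed by an empty destination. The session manager applies the
list at the next boot, before the DLL can be loaded again. The functions below
build, parse and check that list offline; read_live_pending() touches the real
registry and is therefore Windows-only (assumption: run there).
"""
import re
import sys

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
# A path as copied out of a HijackThis O4 line: optional quotes and an optional
# rundll32-style ",export" tail. The thread's Killbox log shows exactly that
# tail recorded as part of the path (tndvqmkv.dll",realset); a double quote can
# never be part of a Windows file name, so that entry named no real file.
PASTED = re.compile(r'^\s*"?(?P<path>[^"]+?)"?\s*(?:,\s*\w+)?\s*$')
RESERVED = set('<>"|*')


def normalize_target(pasted):
    """Reduce a pasted O4 fragment to the bare file path, or raise."""
    m = PASTED.match(pasted)
    if not m or RESERVED & set(m.group("path")):
        raise ValueError(f"not a usable file path: {pasted!r}")
    return m.group("path")


def nt_path(win32_path):
    """Session-manager entries use NT object paths: C:\\x -> \\??\\C:\\x."""
    return win32_path if win32_path.startswith("\\??\\") else "\\??\\" + win32_path


def schedule_delete(pending, win32_path):
    """New pending list with win32_path added as a delete (empty destination)."""
    return list(pending) + [nt_path(normalize_target(win32_path)), ""]


def schedule_rename(pending, src, dst):
    """New pending list with a rename pair; this is what MoveFileEx with
    MOVEFILE_DELAY_UNTIL_REBOOT records to replace a locked file."""
    return list(pending) + [nt_path(src), nt_path(dst)]


def parse_pending(pending):
    """Flat REG_MULTI_SZ list -> [(source, destination or None for a delete)]."""
    if len(pending) % 2:
        raise ValueError(f"{VALUE_NAME} must hold source/destination pairs")
    return [(pending[i], pending[i + 1] or None) for i in range(0, len(pending), 2)]


def still_scheduled(pending, win32_path):
    """True if a delete for win32_path is still queued (NTFS paths compare
    case-insensitively). Killbox's 'Removed by External Process!' line is the
    negative result of this check: it re-read the value before rebooting and
    its own entry was gone."""
    want = nt_path(normalize_target(win32_path)).lower()
    return any(src.lower() == want and dst is None for src, dst in parse_pending(pending))


def read_live_pending():
    """Read the live value on Windows ([] when absent); elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        try:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    return list(value)


if __name__ == "__main__":
    queued = schedule_delete([], r'c:\windows\system32\tndvqmkv.dll",realset')
    print(queued, parse_pending(queued))
    live = read_live_pending()
    if live is not None:
        print("still queued:", still_scheduled(live, r"C:\WINDOWS\system32\tndvqmkv.dll"))
```

Anything running as administrator can rewrite this value, and a DLL that is loaded into every process through a Winlogon\Notify or BHO entry has that chance at every logon; so the useful habit is the one Killbox applied, re-reading the value just before the reboot and treating an empty result as a sign that the infection is still active rather than as a clean run.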

moK´s@
10 June 2007 at 00:28
re,

what kind of ads are they?

Download this:
http://sosvirus.changelog.fr/Green_day/Lopxp.exe

Launch Lopxp.bat.
In the menu, choose option 1 "Rechercher / Générer un rapport" (Search / Generate a report).
Wait, and when you are asked to press a key, press one.
The report then opens; copy and paste the whole of it to the forum.

@+
Ads for antivirus or firewall products, I'm not sure; the ones that say you're infected with who knows how many viruses/spyware...

For lopxp, when I launch the search it starts and then stops with the error: "le systeme n'a pas pu trouver la clef ou la valeur de registre spécifiée" (the system could not find the specified registry key or value)
moK´s@
10 June 2007 at 01:05
re,

well, that doesn't get us very far...

do you have Messenger Plus?

run this one:

"Silent Runners.vbs", revision 36, https://www.silentrunners.org/
Yes, I have Messenger Plus.

Here is the report:
"Silent Runners.vbs", revision R50, https://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = "(empty string)" [file not found]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Raccourci vers la page des propriétés de High Definition Audio" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"AzMixerSel" = "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"PCMService" = ""c:\Apps\Powercinema\PCMService.exe"" ["CyberLink Corp."]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"NeroFilterCheck" = "C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"DiskeeperSystray" = ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"" ["Diskeeper Corporation"]
"PWRISOVM.EXE" = "C:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"vajmfsjo.exe" = "C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe" [null data]
"ApachInc" = "rundll32.exe "C:\WINDOWS\system32\opfenvqs.dll",realset" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Flashget Catch Url Class"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{5F53B0C0-665C-4F79-A3FA-192AFB3009E7}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\jkkji.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{85C13756-4EA6-45A2-9ACA-725257F66315}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\jkhhe.dll" [null data]
{8A61098D-612B-4EF2-943D-64E920684061}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\hggfedd.dll" [null data]
{92A444D2-F945-4dd9-89A1-896A6C2D8D22}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\airoiuqw.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{E12BFF69-38A7-406e-A8EF-2738107A7831}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\bemafpru.dll" [null data]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "gFlash Class"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Apps\RecordNow\shlext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{9175A08B-AF17-4DD6-B7D2-3FE73734DA28}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\my3216.dll" [file not found]
"{19583F4F-2D2A-43AF-8773-153434029D9F}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\bwotvid.dll" [file not found]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{2BB59FC0-31E8-42DA-9D3C-E9A52953853B}" = "ImageResizer Shell Extension"
-> {HKLM...CLSID} = "ImageResizer Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\VSO\IMAGER~1\RSZShell.dll" ["VSO Software"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mes dossiers de partage"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{8A61098D-612B-4EF2-943D-64E920684061}" = "*Z" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\hggfedd.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> hggfedd\DLLName = "hggfedd.dll" [null data]
<<!>> jkhhe\DLLName = "C:\WINDOWS\system32\jkhhe.dll" [null data]
<<!>> winrkp32\DLLName = "winrkp32.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ImageResizer\(Default) = "{2BB59FC0-31E8-42DA-9D3C-E9A52953853B}"
-> {HKLM...CLSID} = "ImageResizer Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\VSO\IMAGER~1\RSZShell.dll" ["VSO Software"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\RESIDE~1.SCR" (Resident Evil 4.scr) ["Comis"]


Startup items in "Eric" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Eric\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet"
-> {HKLM...CLSID} = "FlashGet"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\fgiebar.dll" ["Amaze Soft"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Rechercher"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherche"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
(unwritable string)

Missing lines (compared with English-language version):
[Version]: 2 lines
[RestoreHomePage]: 1 line
[RestoreHomePage.reg]: 1 line
[RestoreBrowserSettings.reg]: 12 lines
[DeleteTemplates.reg]: 5 lines
[DeleteAutosearch.reg]: 1 line
[Strings]: 1 line
[RestoreBrowserSettings]: 2 lines
[Strings]: 3 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Carte de performance WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
CyberLink Background Capture Service (CBCS), CLCapSvc, ""c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe"" [empty string]
CyberLink Task Scheduler (CTS), CLSched, ""c:\APPS\Powercinema\Kernel\TV\CLSched.exe"" [empty string]
Diskeeper, Diskeeper, ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]
iPAHelper.exe, iPAHelper.exe, "C:\Program Files\iPod Access for Windows\iPAHelper.exe" ["Findley Designs, Inc."]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SmartLinkService, SLService, "slserv.exe" [" "]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 45 seconds, including 19 seconds for message boxes)
moK´s@
10 June 2007 at 20:47
re,

ok c´est messenger plus qui te pourrie la vie avec des pubs...

lis ce qui suit et desinstale messenger plus..

Messenger plus est un add-on non officiel à "Messenger MSN", gratuit grâce à la sponsorisation. Malheureusement ils ont choisi comme sponsor, ni plus ni moins, LOP.COM !!!

On le voit à un bouton installé dans la barre et qui porte un nom quelconque, généré aléatoirement, à la volée, de manière à empêcher les anti-spywares de le détecter par la méthode des signatures.

Lop.com est une des pire cochonneries qui s'installent sournoisement sur nos machines, furtif et très difficile à retirer. Son installation se fait en utilisant des noms et des clés de registres générées aléatoirement. Il s'installe, du point de vue technique, partiellement sous la forme d'un Bho hostile dont le nom et la clé de registre sont générés aléatoirement ce qui fait des billions (milliers de millions) de combinaisons possibles. Impossible d'en faire une liste ce qui rend le travail des anti-spywares basés sur des scanners et des listes de signatures, totalement impossible.

To eradicate Messenger Plus, just go through the classic Windows Control Panel and, in Add/Remove Programs, simply remove (uninstall)

* Messenger Plus
* Messenger Plus Random Quote Addon


But this does not remove lop.com.

There is a tool to remove lop.com, which is still lying around on the computer after Messenger Plus has been eradicated:

* http://lop.com/toolbar_uninstall.exe


However, it is an executable program, and on the lop.com site at that, which, as usual, raises a bit of suspicion.

You can then reinstall "Messenger Plus" - but UNCHECKING the "sponsor" box, since you have the choice.


2
go to this site:

http://www.virustotal.com/en/virustotalx.html

and have this analysed:

C:\WINDOWS\system32\opfenvqs.dll

upload it in the box at the top right using browse.

post the report here


also post a new HijackThis


@+
0
As for MSN Plus, I uninstalled it, even though I think I had refused the sponsor.

Here is the report.

STATUS: FINISHED
Complete scanning result of "opfenvqs.dll", received in VirusTotal at 06.10.2007, 21:08:08 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.9.0 05.09.2007 no virus found
AntiVir 7.4.0.32 06.09.2007 ADSPY/Virtumonde.AR.10
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.09.2007 no virus found
AVG 7.5.0.467 05.08.2007 no virus found
BitDefender 7.2 06.10.2007 GenPack:Trojan.Vundo.DLZ
CAT-QuickHeal 9.00 06.09.2007 Adware.Virtumonde.gen (Not a Virus)
ClamAV devel-20070416 05.09.2007 Trojan.Packed-7
DrWeb 4.33 06.10.2007 Trojan.Virtumod
eSafe 7.0.15.0 05.08.2007 no virus found
eTrust-Vet 30.7.3707 06.09.2007 no virus found
FileAdvisor 1 06.10.2007 no virus found
Fortinet 2.85.0.0 06.10.2007 suspicious
F-Prot 4.3.2.48 05.08.2007 no virus found
F-Secure 6.70.13030.0 05.09.2007 no virus found
Ikarus T3.1.1.7 05.09.2007 no virus found
Kaspersky 4.0.2.24 06.10.2007 not-a-virus:AdWare.Win32.Virtumonde.ar
McAfee 5049 06.08.2007 no virus found
Microsoft 1.2503 06.10.2007 no virus found
NOD32v2 2321 06.10.2007 Win32/Adware.Virtumonde
Norman 5.80.02 06.08.2007 Vundo.gen25
Panda 9.0.0.4 06.10.2007 Spyware/Virtumonde
Prevx1 V2 06.10.2007 no virus found
Sophos 4.18.0 06.01.2007 Virtumundo
Sunbelt 2.2.907.0 05.05.2007 VIPRE.Suspicious
Symantec 10 05.09.2007 no virus found
TheHacker 6.1.6.131 06.08.2007 Adware/Virtumonde.ar
VBA32 3.12.0 06.10.2007 Application.Win32.Adware.Virtumonde
VirusBuster 4.3.23:9 06.10.2007 Adware.Vundo.Gen!Pac.14
Webwasher-Gateway 6.0.1 05.09.2007 Worm.Win32.Malware.gen (suspicious)


Aditional Information
File size: 131124 bytes
MD5: 311ba1e49008162c2494f00a8dda4fd8
SHA1: a5fcbf23e08a629b04f684e78c6f1ba97b9454b0
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
0
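The VirusTotal report above is a flat list of engine verdicts; what a responder wants from it is the detection ratio, whether the engines that fired agree on a family, which hits are only a heuristic "suspicious" verdict, and which misses come from engines whose signatures were already stale on the scan date. The following Python parser is an added example, not part of this thread or of VirusTotal; it embeds the report text exactly as posted, and the 30-day staleness window and the family spelling pattern are my assumptions.

```python
import re
from datetime import datetime

# The VirusTotal report posted in this thread, embedded verbatim so the parser
# runs offline (only the "STATUS: FINISHED" header has been split onto its own line).
REPORT = """\
STATUS: FINISHED
Complete scanning result of "opfenvqs.dll", received in VirusTotal at 06.10.2007, 21:08:08 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.9.0 05.09.2007 no virus found
AntiVir 7.4.0.32 06.09.2007 ADSPY/Virtumonde.AR.10
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.09.2007 no virus found
AVG 7.5.0.467 05.08.2007 no virus found
BitDefender 7.2 06.10.2007 GenPack:Trojan.Vundo.DLZ
CAT-QuickHeal 9.00 06.09.2007 Adware.Virtumonde.gen (Not a Virus)
ClamAV devel-20070416 05.09.2007 Trojan.Packed-7
DrWeb 4.33 06.10.2007 Trojan.Virtumod
eSafe 7.0.15.0 05.08.2007 no virus found
eTrust-Vet 30.7.3707 06.09.2007 no virus found
FileAdvisor 1 06.10.2007 no virus found
Fortinet 2.85.0.0 06.10.2007 suspicious
F-Prot 4.3.2.48 05.08.2007 no virus found
F-Secure 6.70.13030.0 05.09.2007 no virus found
Ikarus T3.1.1.7 05.09.2007 no virus found
Kaspersky 4.0.2.24 06.10.2007 not-a-virus:AdWare.Win32.Virtumonde.ar
McAfee 5049 06.08.2007 no virus found
Microsoft 1.2503 06.10.2007 no virus found
NOD32v2 2321 06.10.2007 Win32/Adware.Virtumonde
Norman 5.80.02 06.08.2007 Vundo.gen25
Panda 9.0.0.4 06.10.2007 Spyware/Virtumonde
Prevx1 V2 06.10.2007 no virus found
Sophos 4.18.0 06.01.2007 Virtumundo
Sunbelt 2.2.907.0 05.05.2007 VIPRE.Suspicious
Symantec 10 05.09.2007 no virus found
TheHacker 6.1.6.131 06.08.2007 Adware/Virtumonde.ar
VBA32 3.12.0 06.10.2007 Application.Win32.Adware.Virtumonde
VirusBuster 4.3.23:9 06.10.2007 Adware.Vundo.Gen!Pac.14
Webwasher-Gateway 6.0.1 05.09.2007 Worm.Win32.Malware.gen (suspicious)

Aditional Information
File size: 131124 bytes
MD5: 311ba1e49008162c2494f00a8dda4fd8
SHA1: a5fcbf23e08a629b04f684e78c6f1ba97b9454b0
"""

# One engine per line: name, engine version, signature date (MM.DD.YYYY), verdict.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$")
SCAN_DATE_RE = re.compile(r"received in VirusTotal at (\d{2}\.\d{2}\.\d{4})")
NO_DETECTION = "no virus found"
# Each vendor spells the family differently (Virtumonde, Virtumundo, Virtumod,
# Vundo); this pattern is an assumption covering the spellings seen in the report.
FAMILIES = {"Vundo/Virtumonde": re.compile(r"virtumond|virtumund|virtumod|vundo", re.I)}
HEURISTIC_RE = re.compile(r"suspicious", re.I)
MD5_RE = re.compile(r"MD5:\s*([0-9a-fA-F]{32})")

def parse_date(text):
    return datetime.strptime(text, "%m.%d.%Y")

def parse_report(text):
    """Return one dict per engine row; header, size and hash lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["updated"] = parse_date(row["updated"])
        row["detected"] = row["result"].lower() != NO_DETECTION
        rows.append(row)
    return rows

def summarize(text, stale_days=30):
    rows = parse_report(text)
    scan_date = parse_date(SCAN_DATE_RE.search(text).group(1))
    hits = [r for r in rows if r["detected"]]
    md5 = MD5_RE.search(text)
    return {
        "total": len(rows),
        "detections": len(hits),
        # how many of the engines that fired name the same family
        "family_votes": {name: sum(1 for r in hits if pat.search(r["result"]))
                         for name, pat in FAMILIES.items()},
        # verdicts that are only a heuristic "suspicious", not a named signature
        "heuristic_only": [r["engine"] for r in hits if HEURISTIC_RE.search(r["result"])],
        # a miss from an engine whose signatures predate the scan by more than
        # stale_days is weak evidence that the file is clean
        "stale_misses": [r["engine"] for r in rows
                         if not r["detected"] and (scan_date - r["updated"]).days > stale_days],
        # the hash is what a defender pivots on for blocklists and later scans
        "md5": md5.group(1).lower() if md5 else None,
    }

if __name__ == "__main__":
    s = summarize(REPORT)
    print(f'{s["detections"]}/{s["total"]} engines flagged the file; family votes: {s["family_votes"]}')
    print("heuristic-only:", s["heuristic_only"], "stale misses:", s["stale_misses"], "md5:", s["md5"])
```

On this report the summary comes out as 16 of 30 engines firing, 12 of them naming the Vundo/Virtumonde family, three heuristic-only verdicts, and seven "no virus found" results from engines with signatures more than a month old, which is why the helper treated the file as Virtumonde rather than trusting the clean half of the table.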
moK´s@ Posts: 4399 Registered: Tuesday 18 October 2005 Status: Member Last active: 2 November 2007 89
10 June 2007 at 21:22
re,

Double-click on the Killbox.exe file, and tick the "Delete on reboot" box.
copy the line below:

c:\windows\system32\opfenvqs.dll

In PocketKillBox --> "File" menu --> "Paste from Clipboard"

You can check in the drop-down menu that the file is indeed present.
- tick the "Unregister dll before deleting" box (if you have the option)
- click the "All files" button
- then click the red cross

To the two messages that will appear, answer "YES"
The computer should restart; if not, do it yourself, whatever happens.

After restarting, relaunch Killbox then click the "File" tab -> Log -> Actions History Log
Post the report here

redo a VundoFix and post the report here,

also post a HijackThis


do you still have ads?


@+
0
Sorry for the wait.

Here is KillBox

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:43 AM
a
Killbox Closed(Exit) @ 11:44:10 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:44 AM

# 1 [Delete on Reboot]
Path = c:\windows\system32\orkvienh.dll",realset


I Rebooted @ 11:45:39 AM
Killbox Closed(Exit) @ 11:45:41 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:51 AM

Killbox Closed(Exit) @ 11:56:15 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 1:01 PM

# 1 [Delete on Reboot]
Path = c:\windows\system32\tndvqmkv.dll",realset


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 1:04:43 PM
Killbox Closed(Exit) @ 1:04:47 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 1:09 PM

Killbox Closed(Exit) @ 1:10:19 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ dimanche, juin 10, 2007, 12:10 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\tndvqmkv.dll",realset


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:11:40 AM
Killbox Closed(Exit) @ 12:12:02 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ dimanche, juin 10, 2007, 12:18 AM

Killbox Closed(Exit) @ 12:21:01 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ mardi, juin 12, 2007, 3:53 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\opfenvqs.dll


I Rebooted @ 3:55:38 PM
Killbox Closed(Exit) @ 3:55:41 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ mardi, juin 12, 2007, 4:03 PM



I also ran Vundo and here is the HijackThis report

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:21:48, on 12/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5861ABCC-1CF6-44D5-8B9A-1912E92D0B0E} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {5F53B0C0-665C-4F79-A3FA-192AFB3009E7} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {77C5EF32-88D6-40AA-AA80-82ED38D52EE0} - C:\WINDOWS\system32\codfrebr.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\hggfedd.dll (file missing)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\airoiuqw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\bemafpru.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\gbaqeocs.dll",realset
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O24 - Desktop Component 0: (no name) - (no file)
0
Yes, I still have ads.
0
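The Lop.com explanation earlier in the thread and the HijackThis log just posted make the same point: Vundo-style launch points carry randomly generated names, so no signature list can enumerate them, but the entries still share structural tells (a BHO with no name, a rundll32 autostart of an all-lowercase DLL, an executable living under Application Data, a Winlogon Notify DLL). The script below is an added example, not part of this thread and not anything HijackThis does itself: it scores a handful of lines copied from the logs in this thread against those tells. It also shows why the Killbox log above contains `Path = c:\windows\system32\orkvienh.dll",realset`: the O4 value was pasted verbatim, and `extract_path` strips the rundll32 quoting and the `,realset` export name before a path is handed to any deletion tool. The signal weights and the threshold are my assumptions.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis logs posted in this thread: a few benign
# entries alongside the Vundo-style ones. The scoring is an added heuristic,
# not something HijackThis does itself.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {5861ABCC-1CF6-44D5-8B9A-1912E92D0B0E} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {77C5EF32-88D6-40AA-AA80-82ED38D52EE0} - C:\WINDOWS\system32\codfrebr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\gbaqeocs.dll",realset
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O22 - SharedTaskScheduler: Pre-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# First drive-letter path up to its .dll/.exe: stops before the `",realset`
# that follows the DLL in a rundll32 value, which is what a deletion tool needs.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe)\b', re.IGNORECASE)
# Vundo/Virtumonde-style names: 5-8 random lowercase letters and nothing else.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.(?:dll|exe)$")
THRESHOLD = 2  # assumed: two independent weak signals before an entry is listed


@dataclass
class Finding:
    section: str
    path: str
    score: int
    reasons: list


def extract_path(body):
    """Bare file path from an entry body (quotes and rundll32 export name stripped)."""
    m = PATH_RE.search(body)
    return m.group(0) if m else ""


def score_entry(section, body):
    """Return (path, [(weight, reason), ...]) for one entry. Weights are assumptions."""
    path = extract_path(body)
    name = path.rsplit("\\", 1)[-1] if path else ""
    folder = path.rsplit("\\", 1)[0].lower() if path else ""
    reasons = []
    if section == "O2" and "(no name)" in body:
        reasons.append((1, "BHO registered without a name"))
    if "(file missing)" in body:
        reasons.append((1, "launch point outlived its file (stale or self-cleaning component)"))
    if RANDOM_NAME_RE.match(name):
        reasons.append((1, "random-looking all-lowercase filename"))
    if section == "O4" and "rundll32" in body.lower():
        reasons.append((1, "autostart runs a DLL export through rundll32"))
    if "application data" in folder or folder.endswith(":"):
        reasons.append((1, "executable kept in Application Data or a drive root"))
    if section == "O20":
        reasons.append((2, "Winlogon Notify DLL is loaded into winlogon.exe; verify its publisher"))
    return path, reasons


def triage(log_text, threshold=THRESHOLD):
    """Entries whose combined score reaches the threshold, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        path, reasons = score_entry(m.group("section"), m.group("body"))
        score = sum(w for w, _ in reasons)
        if score >= threshold:
            findings.append(Finding(m.group("section"), path, score, [t for _, t in reasons]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} score={f.score} {f.path}")
        for r in f.reasons:
            print("   -", r)
```

No single signal is enough on its own: `browseui.dll` is an eight-letter lowercase name and NvCpl is started through rundll32, yet neither is listed, while every Vundo entry trips at least two tells. That is the practical answer to the random-name problem described in the Lop.com paragraph: score structure rather than match names.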
moK´s@ Posts: 4399 Registered: Tuesday 18 October 2005 Status: Member Last active: 2 November 2007 89
12 June 2007 at 16:38
hi alex,

download:

http://www.techsupportforum.com/sectools/combofix.exe

download it to your desktop.

disable your antivirus and other protection, but not the firewall.

click combofix.exe and follow the on-screen instructions.

when it has finished it will produce a log, post it in your next reply.

ps: don't click with your mouse while it is doing the scan and repairs...

@+
0
Here is the report:


ComboFix 07-06-11.3
"xtrx" - 2007-06-14 0:27:27 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{9175A08B-AF17-4DD6-B7D2-3FE73734DA28}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9175A08B-AF17-4DD6-B7D2-3FE73734DA28}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9175A08B-AF17-4DD6-B7D2-3FE73734DA28}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9175A08B-AF17-4DD6-B7D2-3FE73734DA28}\InprocServer32]
@="C:\\WINDOWS\\system32\\my3216.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{19583F4F-2D2A-43AF-8773-153434029D9F}]
@=""

[HKEY_CLASSES_ROOT\clsid\{19583F4F-2D2A-43AF-8773-153434029D9F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{19583F4F-2D2A-43AF-8773-153434029D9F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{19583F4F-2D2A-43AF-8773-153434029D9F}\InprocServer32]
@="C:\\WINDOWS\\system32\\bwotvid.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting SeDebugPrivilege to Administrateurs ... successful


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bemafpru.dll
C:\WINDOWS\system32\codfrebr.dll
C:\WINDOWS\system32\iibkwiuq.dll
C:\WINDOWS\system32\ijrbnewu.dll
C:\WINDOWS\system32\winrkp32.dll
C:\WINDOWS\system32\quiwkbii.ini
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\iifdbyv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Fichiers communs\Yazzle1162OinAdmin.exe
C:\Program Files\Fichiers communs\Yazzle1162OinUninstaller.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


2007-06-13 12:20 122,900 --a------ C:\WINDOWS\system32\yxkdtejg.exe
2007-06-12 18:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-12 18:09 <REP> d-------- C:\Program Files\Windows Live
2007-06-12 18:07 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-06-12 12:46 <REP> d-------- C:\Program Files\Messenger Plus! Live
2007-06-09 15:55 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\vajmfsjo.exe
2007-06-09 11:56 <REP> d-------- C:\VundoFix Backups
2007-06-09 11:53 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-09 11:52 <REP> d-------- C:\Program Files\Navilog1
2007-06-09 11:43 <REP> d-------- C:\!KillBox
2007-06-08 21:56 55,316 --a------ C:\WINDOWS\system32\airoiuqw.dll
2007-06-07 18:03 967 --a------ C:\WINDOWS\SCUnin.pif
2007-06-07 18:03 70,656 --a------ C:\WINDOWS\SCUnin.exe
2007-06-07 18:03 35,041 --a------ C:\WINDOWS\scunin.dat
2007-06-07 17:15 <REP> d-------- C:\Program Files\PowerISO
2007-06-07 16:55 55,316 --a------ C:\WINDOWS\system32\usygbnmi.dll
2007-06-07 16:54 2,580 --a------ C:\WINDOWS\system32\htafokya.exe
2007-06-07 16:49 1,536 --a------ C:\wyjgsa.exe
2007-06-06 17:42 <REP> d-------- C:\SIERRA
2007-06-06 17:31 <REP> d-------- C:\WINDOWS\PSOFT
2007-06-05 12:48 <REP> d-------- C:\Program Files\Fichiers communs\Blizzard Entertainment
2007-06-04 15:44 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Aspyr
2007-06-04 15:43 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-04 15:32 <REP> d-------- C:\Program Files\Aspyr


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-13 22:29:05 -------- d-----w C:\Program Files\FlashGet
2007-06-12 16:09:40 -------- d-----w C:\Program Files\MSN Messenger
2007-06-11 17:52:30 -------- d-----w C:\Program Files\LimeWire
2007-06-11 08:03:10 -------- d-----w C:\Program Files\MessengerPlus! 3
2007-06-09 18:27:27 -------- d-----w C:\Program Files\HT Ratings
2007-06-08 20:44:07 -------- d-----w C:\Program Files\mIRC
2007-06-08 19:39:09 -------- d-----w C:\Program Files\Starcraft
2007-06-08 09:59:56 72,954 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-06-08 09:59:56 462,210 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-05-17 20:07:36 -------- d-----w C:\Program Files\eMule
2007-05-17 16:44:36 -------- d-----w C:\Program Files\Voyage Century Online
2007-05-16 15:13:53 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 12:48:23 -------- d-----w C:\DOCUME~1\Eric\APPLIC~1\SopCast
2007-05-12 15:14:34 -------- d-----w C:\Program Files\Maxis
2007-05-07 20:03:38 2,481,067 ----a-w C:\WINDOWS\Resident Evil 4.scr
2007-05-06 17:01:09 -------- d-----w C:\DOCUME~1\Eric\APPLIC~1\TransRender
2007-05-04 21:29:56 -------- d-----w C:\DOCUME~1\Eric\APPLIC~1\Temporary
2007-05-04 21:29:56 -------- d-----w C:\DOCUME~1\Eric\APPLIC~1\ConvertTemp
2007-05-04 21:29:55 -------- d-----w C:\DOCUME~1\Eric\APPLIC~1\Samsung
2007-05-04 17:17:38 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-04 17:17:38 -------- d-----w C:\Program Files\Samsung
2007-04-29 19:50:47 -------- d-----w C:\Program Files\MessengerDiscovery
2007-04-29 19:50:33 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-29 19:50:32 -------- d-----w C:\Program Files\Google
2007-04-29 19:50:31 -------- d-----w C:\Program Files\RegCleaner
2007-04-25 19:01:25 -------- d-----w C:\Program Files\SopCast
2007-04-25 14:22:35 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-22 18:04:19 -------- d-----w C:\Program Files\F-IRC
2007-04-22 12:40:21 -------- d-----w C:\Program Files\DAEMON Tools
2007-04-22 12:33:37 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-18 16:14:18 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-31 17:26:24 249,856 ------w C:\WINDOWS\Setup1.exe
2007-03-31 17:26:22 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-03-17 13:44:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2006-12-11 19:35]
{5861ABCC-1CF6-44D5-8B9A-1912E92D0B0E}=C:\WINDOWS\system32\jkhhe.dll []
{5F53B0C0-665C-4F79-A3FA-192AFB3009E7}=C:\WINDOWS\system32\jkkji.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-02-03 13:04]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2006-11-06 17:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-10 18:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-10 18:43]
"Raccourci vers la page des propriétés de High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 17:28 C:\WINDOWS\RTHDCPL.EXE]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-26 10:08]
"nwiz"="nwiz.exe" [2005-07-01 23:40 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 13:48]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2005-09-16 12:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 19:28]
"NeroFilterCheck"="C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 13:38]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 14:23]
"vajmfsjo.exe"="C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe" [2007-06-09 15:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 17:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 00:29]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\progra~1\valve\steam\steam.ex" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{983eee70-b74d-11db-a29d-00038a000015}]
AutoRun\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c29a8b6a-a3a7-11da-a0b9-00038a000015}]
AutoRun\command- F:\autorun.exe


Contents of the 'Scheduled Tasks' folder
2007-06-09 13:42:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 00:35:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-14 0:36:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-14 00:36

--- E O F ---
0
moK´s@ Posts: 4399 Registered: Tuesday 18 October 2005 Status: Member Last active: 2 November 2007 89
14 June 2007 at 15:39
hi alex,

1
¤ Download Clean
----> http://www.malekal.com/download/clean.zip

Unzip all the contents into the same folder. Double-click on clean or clean.cmd and choose option 1.
A report will open; copy and paste its contents here

2
do this anyway for Messenger Plus:

http://lop.com/toolbar_uninstall.exe

3
try and see if you can run BlackLight now...

Go to this link and download Blacklight (from F-Secure):
< https://www.f-secure.com/en > and save it to your Desktop
Read Malekal_morte's tutorial here:
< https://www.malekal.com/tutorial-f-secure-blacklight/ >
Follow the tutorial for phase 1 (scan) and post the Blacklight report in your reply.


@+
0
Here is the Clean report:

14/06/2007 a 17:37:08,53

*** Recherche des fichiers dans C:
C:\StubInstaller.exe FOUND

*** Recherche des fichiers dans C:\WINDOWS\

*** Recherche des fichiers dans C:\WINDOWS\system32
"C:\WINDOWS\Downloaded Program Files\CONFLICT.1" FOUND
"C:\Documents and Settings\Eric\Application Data\ezpinst.exe" FOUND

*** Recherche des fichiers dans C:\Program Files
"C:\Program Files\Need2Find\" FOUND
"C:\Program Files\Viewpoint\" FOUND
*** Fin du rapport !



And the Blacklight report, which found nothing.

06/14/07 17:15:51 [Info]: BlackLight Engine 1.0.61 initialized
06/14/07 17:15:51 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/14/07 17:15:52 [Note]: 7019 4
06/14/07 17:15:52 [Note]: 7005 0
06/14/07 17:15:59 [Note]: 7007 0
0
moK´s@ Posts: 4399 Registered: Tuesday 18 October 2005 Status: Member Last active: 2 November 2007 89
14 June 2007 at 17:59
re,

Restart in safe mode:

¤ Start in safe mode:
To do this, keep tapping the F8 key from the moment the PC powers on, without stopping
A window will open; move with the keyboard arrows to start in safe mode, then press Enter.
Once on the desktop, if not all the colours and such are there, that's normal!
(If F8 doesn't work, use the F5 key)

Then open the clean folder, open clean.cmd and choose option 2.
Restart normally and post the clean log.

can you post a HijackThis report again too

@+
0
Here is the Clean report:

Script execute en mode sans echec
Rapport clean par Malekal_morte - http://www.malekal.com
Script execute en mode sans echec 16/06/2007 a 21:08:38,93

Microsoft Windows XP [version 5.1.2600]

*** Suppression des fichiers dans C:
tentative de suppression de C:\StubInstaller.exe

*** Suppression des fichiers dans C:\WINDOWS\

*** Suppression des fichiers dans C:\WINDOWS\system32
tentative de suppression de "C:\WINDOWS\Downloaded Program Files\CONFLICT.1"
tentative de suppression de "C:\Documents and Settings\xtrx\Application Data\ezpinst.exe"

*** Suppression des fichiers dans C:\Program Files
tentative de suppression de "C:\Program Files\Need2Find\"
tentative de suppression de "C:\Program Files\Viewpoint\"

*** Suppression des clefs du registre effectuee..
*** Fin du rapport !


And a new HijackThis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:35:05, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
C:\WINDOWS\system32\scchk32.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\yxkdtejg.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5861ABCC-1CF6-44D5-8B9A-1912E92D0B0E} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {5F53B0C0-665C-4F79-A3FA-192AFB3009E7} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\yxkdtejg.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O24 - Desktop Component 0: (no name) - (no file)
moK´s@
16 June 2007 at 23:41
hi alex,

0
you don't have a firewall:

Download Kerio and install it:

https://kerio.probb.fr/t1-tuto-pour-kerio-4-2

Thanks to boulepate for the site!!!

1
with HijackThis, check these:

C:\WINDOWS\system32\yxkdtejg.exe
O2 - BHO: (no name) - {5861ABCC-1CF6-44D5-8B9A-1912E92D0B0E} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {5F53B0C0-665C-4F79-A3FA-192AFB3009E7} - C:\WINDOWS\system32\jkkji.dll (file missing)
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\yxkdtejg.exe
O24 - Desktop Component 0: (no name) - (no file)

close your applications and browser and fix/check the lines above.

2

with Killbox

Double-click the Killbox.exe file and tick the "Delete on reboot" box.
copy the lines below:


C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\yxkdtejg.exe


In PocketKillBox --> "File" menu --> "Paste from Clipboard"

You can check in the drop-down menu that the file is indeed present.
- tick the "Unregister dll before deleting" box (if you have the option)
- click the "All files" button
- then click the red cross

Answer "YES" to the two messages that will appear
The computer should restart; if it doesn't, restart it yourself, whatever happens.

After the restart, relaunch Killbox then click the "File" tab -> Log -> Actions History Log
Post the report here

3

do this: Start > Run, then type "services.msc" without the quotes and stop the following service:

Service: DomainService - - C:\WINDOWS\system32\yxkdtejg.exe

4
* download AVG Anti-Spyware (ewido)

https://www.avg.com/en-ww/free-antivirus-download
http://www.infos-du-net.com/telecharger/Ewido-Security-Suite,0301-734.html
* install it

* launch AVG Anti-Spyware and click the Update button. Be patient
if you can't get it to update, get the updates here
http://downloads.ewido.net/avgas-signatures-full-current.exe

On the "scan" page:
•- first choose the "settings" tab.
- under "How to act", click "Recommended actions" and in the drop-down menu choose "Delete"

Copy and paste the report here

at the end of the scan, make sure you delete everything it found...

@+


I'd be happy to; and you???
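A small triage script for HijackThis entries like the ones listed in the post above, added here as an example and not part of the original thread or of HijackThis itself: it flags the same indicators the advice relies on (a BHO whose file is missing, an autorun or service pointing at a random-looking 8-letter file name, a service with an empty publisher field, an autorun launched from a user-writable data directory). The sample lines are copied from the logs in this thread; the regexes, function names and heuristics are my own assumptions.

```python
import re

# Constructed sample in HijackThis report format. The entries are copied from the
# logs posted in this thread (benign and flagged ones mixed) so the heuristics
# can be exercised offline; the list itself is assembled for this example.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {5861ABCC-1CF6-44D5-8B9A-1912E92D0B0E} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vajmfsjo.exe] C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\yxkdtejg.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# One HijackThis entry: a section tag (R0, O2, O4, O23 ...) then " - " and the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Eight lowercase letters and nothing else: the pattern of the dropper names in
# this thread (vajmfsjo.exe, yxkdtejg.exe). A heuristic, not a verdict.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")
# Directories an unprivileged process can write to on Windows XP.
USER_DATA_RE = re.compile(r"\\Application Data\\|\\Local Settings\\|\\Temp\\", re.IGNORECASE)


def extract_path(kind, body):
    """Return the file path an entry points at (without arguments or annotations)."""
    if kind == "O4":
        # O4 - HKLM\..\Run: [name] "C:\path\prog.exe" -args
        m = re.search(r"\]\s*(.*)$", body)
        target = m.group(1) if m else ""
    else:
        # O2/O3/O23: the path is the last " - " separated field
        target = body.rsplit(" - ", 1)[-1]
    target = target.replace("(file missing)", "").strip().strip('"')
    m = re.match(r"(.*?\.(?:exe|dll))", target, re.IGNORECASE)
    return m.group(1) if m else target


def triage(line):
    """Classify one log line; None for non-entry lines (process list, headers)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    path = extract_path(kind, body)
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if "(file missing)" in body:
        reasons.append("registered component whose file is missing")
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-looking 8-letter file name")
    if kind == "O23" and " - - " in body:
        # Empty publisher field. "Unknown owner" is common for legitimate
        # services and is deliberately not flagged.
        reasons.append("service with no publisher")
    if kind == "O4" and USER_DATA_RE.search(path):
        reasons.append("autorun from a user-writable data directory")
    return {"kind": kind, "path": path, "name": name, "reasons": reasons}


def triage_log(text):
    """Return only the entries that tripped at least one heuristic, in log order."""
    flagged = []
    for line in text.splitlines():
        result = triage(line)
        if result and result["reasons"]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(f"{entry['kind']:4} {entry['path']}")
        for reason in entry["reasons"]:
            print(f"      - {reason}")
```

A flagged line is a reason to look closer (publisher, file date, hash), not proof of infection; the HIDSERVICE entry in the logs above is "(file missing)" and was left alone.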
Here is the Killbox report:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:43 AM

Killbox Closed(Exit) @ 11:44:10 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:44 AM

# 1 [Delete on Reboot]
Path = c:\windows\system32\orkvienh.dll",realset


I Rebooted @ 11:45:39 AM
Killbox Closed(Exit) @ 11:45:41 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 11:51 AM

Killbox Closed(Exit) @ 11:56:15 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 1:01 PM

# 1 [Delete on Reboot]
Path = c:\windows\system32\tndvqmkv.dll",realset


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 1:04:43 PM
Killbox Closed(Exit) @ 1:04:47 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ samedi, juin 09, 2007, 1:09 PM

Killbox Closed(Exit) @ 1:10:19 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ dimanche, juin 10, 2007, 12:10 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\tndvqmkv.dll",realset


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:11:40 AM
Killbox Closed(Exit) @ 12:12:02 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ dimanche, juin 10, 2007, 12:18 AM

Killbox Closed(Exit) @ 12:21:01 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ mardi, juin 12, 2007, 3:53 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\opfenvqs.dll


I Rebooted @ 3:55:38 PM
Killbox Closed(Exit) @ 3:55:41 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ mardi, juin 12, 2007, 4:03 PM

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ lundi, juin 18, 2007, 11:31 PM

# 1 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\scchk32.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\yxkdtejg.exe


I Rebooted @ 11:34:19 PM
Killbox Closed(Exit) @ 11:34:22 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Eric(Administrator)
was started @ lundi, juin 18, 2007, 11:43 PM



I also ran the AVG scan but it didn't create a report?
moK´s@
19 June 2007 at 21:09
hi alex,

can you post another HijackThis log please
Sorry, I forgot it, here it is:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:09:04, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O24 - Desktop Component 0: (no name) - (no file)