Virus thawla_lachatahane

Solved/Closed
Nymphea - 9 Dec 2007 at 11:04
 kouye - 30 Jan 2008 at 23:11
Hi
My problem is the AVSEQ01 and THAWLA virus: every time I open a file it installs itself there automatically, and if I delete it, it comes back 2 seconds later.
I have Avast as my antivirus; I scanned everything and deleted the infected files (win32), but it comes back all the same.
And I can't access my hard drives.
What should I do????
44 replies

Le sioux | Posts: 4894 | Registered: Sunday 27 May 2007 | Status: Security contributor | Last active: 6 March 2023 | 496
9 Dec 2007 at 11:21
Hello Nymphéa

According to Hacene63, from what I read here http://www.commentcamarche.net/forum/affich 3834335 virus thawla where you also posted last night, Antivir would remove it, unlike Avast.

Be aware that with Avast you are not very well protected:

Avast vs Antivir comparison: http://forum.malekal.com/ftopic3528.php

I advise you to save this page by selecting all the lines and copying that selection into a text file on your PC, so that you can follow the procedure correctly.
(Note: you will have no Internet access from the moment you restart in Safe Mode.)
All the steps must be carried out without interruption, in exactly the order given below.
If anything is unclear to you, ask for an explanation before starting the disinfection.


1) Download Avira AntiVir

-- Download Avira AntiVir PersonalEdition Classic from this link:
https://www.avira.com/ to your desktop.

-- Download the Avast uninstaller to your desktop: https://www.avast.com/fr-fr/uninstall-utility


2) Uninstall Avast

Go offline, then uninstall Avast via Start / Control Panel / Add or Remove Programs, restart your PC when asked, and delete the folder C:\Program Files\Alwils Software

Or you can use the Avast uninstaller instead if you prefer.

3) Install, configure and then update Antivir

Double-click its setup file on your desktop to start the installation.

Configure it as shown here:
http://speedweb1.free.fr/frames2.php?page=tuto5
or here: https://www.malekal.com/avira-free-security-antivirus-gratuit/

Run its update, then close the program for now.

4) Restart in Safe Mode

When the computer restarts, once the BIOS has finished loading, a black screen appears briefly; press the [F8] key (or [F5] on some PCs) until the Windows Advanced Options menu appears.
Select "Safe Mode" and press [Enter].
You will need to choose your usual account, not the "Administrator" account or another one.

See if needed C) https://forum.pcastuces.com/sujet.asp?f=25&s=3902

5) Antivirus scan and cleaning with Avira AntiVir


Launch Avira AntiVir by double-clicking the AntiVir shortcut on your desktop (or via Start / All Programs / AntiVir), then "start AntiVir".
Click the "scanner" tab, then under RootKit search and Manual detection (expand each with the small cross in front of it) check that all your hard drives are ticked, then click the magnifying glass (below Status).
A "Luke Filewalker" window will open and the scan will start.
Put everything it finds in "quarantine".
Once the scan is finished, close both AntiVir windows and save the report that has just appeared to your desktop.

6) Report

Restart in normal mode, then post the AntiVir report (the one you saved on your desktop), saying how things stand with the original problem.

Tutorial http://www.malekal.com/tutorial_antivir.html and/or http://www.libellules.ch/tuto_antivir.php

To be continued
1
Thanks le sioux, I'll do it right away.
0
Le sioux | Posts: 4894 | Registered: Sunday 27 May 2007 | Status: Security contributor | Last active: 6 March 2023 | 496
9 Dec 2007 at 12:49
Re

OK, good luck, see you soon.
0
There, it's all done. I can now access my hard drives, the virus has been put in quarantine; all I found was the THAWLA file (empty), which I deleted. A BIG THANK YOU TO YOU SIOUX, I'm really grateful.
About the report, by the way, I forgot one drive (the CD-ROM drive), so I scanned it on its own, which means I'll paste 2 reports here.
The first one:


AntiVir PersonalEdition Classic
Report file date: 30 ذو القعدة, 1428 16:37

Scanning for 963523 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: xp
Computer name: XP-5D0757329AF2

Version information:
BUILD.DAT : 270 15603 Bytes 08/09/1428 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 10/08/1428 11:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 03/08/1428 10:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 01/08/1428 13:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 08/08/1428 10:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 04/07/1428 12:27:15
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 02/09/1428 12:26:55
ANTIVIR2.VDF : 7.0.1.30 1575424 Bytes 21/11/1428 13:02:36
ANTIVIR3.VDF : 7.0.1.60 112128 Bytes 28/11/1428 13:02:36
AVEWIN32.DLL : 7.6.0.40 3064320 Bytes 30/11/1428 13:02:38
AVWINLL.DLL : 1.0.0.7 14376 Bytes 09/02/1428 08:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 04/07/1428 05:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 29/03/1428 11:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 20/07/1428 06:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 04/07/1428 05:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 15/08/1428 10:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 04/07/1428 05:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 19/02/1428 09:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 24/07/1428 10:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 08/08/1428 10:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 09/07/1428 07:37:21

Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: J:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 30 ذو القعدة, 1428 16:37

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
11 processes with 11 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!
Master boot sector HD1
[NOTE] No virus was found!
[WARNING] The boot sector file could not be read!
[WARNING] Error code: 0x0057

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!
Boot sector 'F:\'
[NOTE] No virus was found!
Boot sector 'J:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '24' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\autorun.inf
[DETECTION] Is the Trojan horse TR/Agent.Abt.34
[INFO] The file was moved to '47cff01d.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Documents\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef007.qua'!
C:\Documents and Settings\All Users\Documents\My Music\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef00c.qua'!
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef00f.qua'!
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef011.qua'!
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef013.qua'!
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef015.qua'!
C:\Documents and Settings\All Users\Documents\My Pictures\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef018.qua'!
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef01b.qua'!
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef01e.qua'!
C:\Documents and Settings\All Users\Documents\My Pictures\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef022.qua'!
C:\Documents and Settings\All Users\Documents\My Videos\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef024.qua'!
C:\Documents and Settings\All Users\Documents\My Videos\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef025.qua'!
C:\Documents and Settings\All Users\Documents\My Videos\Thawla_Ichatahane\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef027.qua'!
C:\Documents and Settings\All Users\Documents\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef028.qua'!
C:\Documents and Settings\All Users\Documents\حقيبة الملفات جديد\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef02a.qua'!
C:\Documents and Settings\All Users\Documents\حقيبة الملفات جديد\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef02c.qua'!
C:\Documents and Settings\All Users\قائمة ابدأ\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef02d.qua'!
C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\Eidos Interactive\Project IGI\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef02f.qua'!
C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\Kaspersky Anti-Virus 2006\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef031.qua'!
C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\القرآن الكريم\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef035.qua'!
C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\تسالي\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef036.qua'!
C:\Documents and Settings\xp\My Documents\100CAMEA\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef042.qua'!
C:\Documents and Settings\xp\My Documents\102CAMEA\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef04b.qua'!
C:\Documents and Settings\xp\My Documents\My Music\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef054.qua'!
C:\Documents and Settings\xp\My Documents\My Music\My Playlists\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef056.qua'!
C:\Documents and Settings\xp\My Documents\My Music\My Playlists\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef057.qua'!
C:\Documents and Settings\xp\My Documents\My Pictures\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef059.qua'!
C:\Documents and Settings\xp\My Documents\My Pictures\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef05a.qua'!
C:\Documents and Settings\xp\My Documents\NeroVision\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef05c.qua'!
C:\Documents and Settings\xp\My Documents\NeroVision\CapturedVideo\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef05f.qua'!
C:\Documents and Settings\xp\My Documents\NeroVision\ExportedAudio\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef061.qua'!
C:\Documents and Settings\xp\My Documents\NeroVision\ExportedAudio\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef062.qua'!
C:\Documents and Settings\xp\My Documents\NeroVision\ExportedVideo\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef064.qua'!
C:\Documents and Settings\xp\My Documents\Nouveau dossier\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef066.qua'!
C:\Documents and Settings\xp\My Documents\Nouveau dossier\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef074.qua'!
C:\Documents and Settings\xp\My Documents\Nouveau dossier\Thawla_Ichatahane\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef07b.qua'!
C:\Documents and Settings\xp\My Documents\Unknown Artist\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef07c.qua'!
C:\Documents and Settings\xp\My Documents\Unknown Artist\Unknown Album\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '46323d3d.qua'!
C:\Documents and Settings\xp\سطح المكتب\اختصارات سطح المكتب غير المستخدمة\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef089.qua'!
C:\Documents and Settings\xp\قائمة ابدأ\البرامج\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef08a.qua'!
C:\Program Files\Ahead\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef195.qua'!
C:\Program Files\رجال حول رسول الله صلى الله عليه وسلام\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef413.qua'!
C:\Program Files\رجال حول رسول الله صلى الله عليه وسلام\Data\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef418.qua'!
C:\Program Files\رجال حول رسول الله صلى الله عليه وسلام\Data\men\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef429.qua'!
C:\WINDOWS\system32\Tools\Restart.exe
[DETECTION] Contains detection pattern of the SPR/Destart.A program
[INFO] The file was moved to '47cef665.qua'!
Begin scan in 'D:\'
D:\autorun.inf
[DETECTION] Is the Trojan horse TR/Agent.Abt.34
[INFO] The file was moved to '47cff685.qua'!
D:\AVSEQ011.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef667.qua'!
D:\avast Antivirus et clés\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef668.qua'!
D:\Nouveau dossier\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef6d5.qua'!
Begin scan in 'E:\' <‎>
E:\autorun.inf
[DETECTION] Is the Trojan horse TR/Agent.Abt.34
[INFO] The file was moved to '47cff706.qua'!
E:\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef6e7.qua'!
E:\AVSEQ011.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '46389318.qua'!
E:\Petit Larousse 2007 ‏(G‎)\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef78b.qua'!
Begin scan in 'F:\'
F:\autorun.inf
[DETECTION] Is the Trojan horse TR/Agent.Abt.34
[INFO] The file was moved to '47cff7ca.qua'!
F:\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef7ac.qua'!
F:\AVSEQ011.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '4638925d.qua'!
F:\Collection Microsoft Encarta 2006\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef7af.qua'!
F:\Collection Microsoft Encarta 2006\EDICT\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef7b4.qua'!
F:\Collection Microsoft Encarta 2006\EDICT\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '463455bd.qua'!
F:\Collection Microsoft Encarta 2006\EDICT\Thawla_Ichatahane\Thawla_Ichatahane\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '4635493d.qua'!
Begin scan in 'J:\'
J:\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef811.qua'!
J:\AVSEQ011.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef812.qua'!
J:\autorun.inf
[DETECTION] Is the Trojan horse TR/Agent.Abt.34
[INFO] The file was moved to '47cff831.qua'!
J:\RavMon.exe
[DETECTION] Is the Trojan horse TR/Agent.Abt.3
[INFO] The file was moved to '47d1f81e.qua'!


End of the scan: 30 ذو القعدة, 1428 17:12
Used time: 34:41 min

The scan has been done completely.

1904 Scanning directories
131685 Files were scanned
65 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
65 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
131620 Files not concerned
778 Archives were scanned
1 Warnings
10 Notes

The second one:

AntiVir PersonalEdition Classic
Report file date: 30 ذو القعدة, 1428 17:38

Scanning for 963523 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: xp
Computer name: XP-5D0757329AF2

Version information:
BUILD.DAT : 270 15603 Bytes 08/09/1428 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 10/08/1428 11:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 03/08/1428 10:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 01/08/1428 13:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 08/08/1428 10:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 04/07/1428 12:27:15
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 02/09/1428 12:26:55
ANTIVIR2.VDF : 7.0.1.30 1575424 Bytes 21/11/1428 13:02:36
ANTIVIR3.VDF : 7.0.1.60 112128 Bytes 28/11/1428 13:02:36
AVEWIN32.DLL : 7.6.0.40 3064320 Bytes 30/11/1428 13:02:38
AVWINLL.DLL : 1.0.0.7 14376 Bytes 09/02/1428 08:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 04/07/1428 05:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 29/03/1428 11:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 20/07/1428 06:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 04/07/1428 05:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 15/08/1428 10:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 04/07/1428 05:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 19/02/1428 09:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 24/07/1428 10:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 08/08/1428 10:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 09/07/1428 07:37:21

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\xp\LOCALS~1\Temp\2015a145.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: H:,
Scan memory......................: on
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 30 ذو القعدة, 1428 17:38

Starting the file scan:

Begin scan in 'H:\' <My Disc>
H:\TOOLS\Microsoft License Generator\MS.LiCENSE.exe
[DETECTION] Contains detection pattern of the dropper DR/PSW.RAS.A.19
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
H:\TOOLS\Microsoft License Generator\MS.LiCENSE.exe
[0] Archive type: ZIP SFX (self extracting)
--> AutoPlay/Docs/Magical.Jelly.Bean.Keyfinder.v1.53/keyfinder.exe
[DETECTION] Contains detection pattern of the application APPL/PSW.XPKeyfinder.A
[1] Archive type: RAR SFX (self extracting)
--> findkey.exe
[DETECTION] Contains detection pattern of the application APPL/PassRoc
--> xpkey.exe
[DETECTION] Contains detection pattern of the SPR/Tool.XPKey program
--> officekey.exe
[DETECTION] Contains detection pattern of the SPR/PSW.RAS.A.3 program
--> AutoPlay/Docs/RockXP.v.3/RockXP3.exe
[DETECTION] Contains detection pattern of the SPR/PSW.RAS.A.4 program
[1] Archive type: RAR SFX (self extracting)
--> xpkey.exe
[DETECTION] Contains detection pattern of the SPR/PSW.RAS.A.7 program
--> keyms.exe
[DETECTION] Contains detection pattern of the SPR/PSW.RAS.A.3 program
--> RAS.exe
[DETECTION] Contains detection pattern of the SPR/PSW.RAS.A.5 program
--> RockXp_.exe
[DETECTION] Contains detection pattern of the SPR/PSW.RAS.A.6 program
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!


End of the scan: 30 ذو القعدة, 1428 17:42
Used time: 04:52 min

The scan has been done completely.

157 Scanning directories
6872 Files were scanned
10 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
6862 Files not concerned
62 Archives were scanned
2 Warnings
1 Notes


Good luck to you.
0
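The two AntiVir reports above are long, but the pattern in them is what matters for understanding the original symptom: an `autorun.inf` flagged in the root of every drive letter next to a flagged executable (AVSEQ01.exe, AVSEQ011.exe, RavMon.exe), so that simply opening a drive in Explorer re-launches the worm, which is why it "comes back 2 seconds later" and why the drives could not be opened. The following script is an added example, not part of the thread or of any Avira tool: it parses the report layout shown above (a file path on its own line, followed by bracketed status lines), counts detections by name, and lists the drives where the autorun.inf/root-executable pairing was found. The parsing rules are inferred from the posted reports, and the embedded `SAMPLE_REPORT` is a constructed excerpt of the first report's lines.

```python
"""Summarise an Avira AntiVir PersonalEdition report and spot the
autorun.inf + root-executable pairing on each drive letter.

Added example for this thread; the parsing rules are inferred from the
report layout posted above, not taken from Avira documentation.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str   # file the scanner reported on
    name: str   # Avira detection name, e.g. WORM/VB.DelFile.A.2


# Detection names in the report look like TR/Agent.Abt.34 or WORM/VB.DelFile.A.2
NAME_RE = re.compile(r"\b([A-Z]{2,5}/[\w.\-]+)")

# Constructed excerpt: a subset of the first report's own lines, embedded
# so the example runs offline.
SAMPLE_REPORT = r"""Begin scan in 'C:\'
C:\autorun.inf
[DETECTION] Is the Trojan horse TR/Agent.Abt.34
[INFO] The file was moved to '47cff01d.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Documents\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef007.qua'!
Begin scan in 'D:\'
D:\autorun.inf
[DETECTION] Is the Trojan horse TR/Agent.Abt.34
[INFO] The file was moved to '47cff685.qua'!
D:\AVSEQ011.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef667.qua'!
Begin scan in 'J:\'
J:\AVSEQ01.exe
[DETECTION] Contains detection pattern of the worm WORM/VB.DelFile.A.2
[INFO] The file was moved to '47aef811.qua'!
J:\autorun.inf
[DETECTION] Is the Trojan horse TR/Agent.Abt.34
[INFO] The file was moved to '47cff831.qua'!
J:\RavMon.exe
[DETECTION] Is the Trojan horse TR/Agent.Abt.3
[INFO] The file was moved to '47d1f81e.qua'!
"""


def parse_antivir_report(text: str) -> List[Finding]:
    """Walk the file-scan part of an AntiVir report.

    A file path is printed on its own line, followed by one or more bracketed
    status lines ([DETECTION], [INFO], [WARNING]); that path stays current
    until the next path or 'Begin scan' line. Archive members ('--> x.exe')
    are attributed to the containing file.
    """
    findings: List[Finding] = []
    current_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Begin scan in"):
            current_path = None
        elif line.startswith("[DETECTION]"):
            match = NAME_RE.search(line)
            if current_path and match:
                findings.append(Finding(current_path, match.group(1)))
        elif line.startswith(("[", "-->")):
            continue                      # other status lines, archive members
        else:
            current_path = line           # a new file path
    return findings


def count_by_name(findings: List[Finding]) -> Dict[str, int]:
    """How many files each detection name was applied to."""
    return dict(Counter(f.name for f in findings))


def drives_with_autorun_pairing(findings: List[Finding]) -> List[str]:
    """Drive letters where autorun.inf AND an executable were both flagged
    directly in the drive root: the layout that makes opening the drive in
    Explorer re-launch the malware."""
    autorun, root_exe = set(), set()
    for f in findings:
        drive, sep, rest = f.path.partition("\\")
        if sep and "\\" not in rest:      # file sits directly in the root
            if rest.lower() == "autorun.inf":
                autorun.add(drive)
            elif rest.lower().endswith(".exe"):
                root_exe.add(drive)
    return sorted(autorun & root_exe)


if __name__ == "__main__":
    found = parse_antivir_report(SAMPLE_REPORT)
    for name, n in sorted(count_by_name(found).items()):
        print(f"{n:3d}  {name}")
    print("drives with autorun.inf + root executable:",
          ", ".join(drives_with_autorun_pairing(found)))
```

Run against the full first report, the same function shows the pairing on D:, E:, F: and J: (the removable or secondary volumes) while C: only carries the autorun.inf plus copies of the worm scattered through user folders, which is consistent with a worm that spreads through autorun on every writable volume it can reach.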

Le sioux | Posts: 4894 | Registered: Sunday 27 May 2007 | Status: Security contributor | Last active: 6 March 2023 | 496
9 Dec 2007 at 22:20
Good evening Nymphéa

Well done.

We're going to empty Antivir's "quarantine":

Right-click on AntiVir in the taskbar (bottom right), then "Start AntiVir"; click on the "Quarantine" tab; click on one of the detection lines present there, then Ctrl-A to select the whole contents of the quarantine, then click on the bin symbol. A window will open: "Are you sure you want to delete the selected object(s) from quarantine". Confirm the deletion with Yes.
Close AntiVir.

I'll tell you what else to do later.

See you
0
Hello le sioux, sorry for the delay.
Well, it's done, I've emptied the quarantine area; I'm waiting for further instructions :)
0
Le sioux | Posts: 4894 | Registered: Sunday 27 May 2007 | Status: Security contributor | Last active: 6 March 2023 | 496
11 Dec 2007 at 00:53
Good evening Nymphéa

We're going to do a little check:

Start by sending me a HijackThis report; do the following:

Download HijackThis to your desktop.


Close all other windows and all other programs. No Internet connection.


Double-click on it to start the installation. Accept the licence that appears with "I agree".

Then click on "Do a system scan and save a logfile"

Close HijackThis, copy and paste the whole log and post it here in reply.

Note: the report is located in c:\Program Files\Trend Micro\HijackThis

Tutorial: "generating a report"

http://pageperso.aol.fr/balltrap34/demohijack.htm

See you
0
Hello hello
I'll paste the report, but just before that I'd like to report some messages I get as soon as Windows opens:
Windows could not find c\windows\svchost.exe
c\windows\svchost.exe check that the file is present on the computer or delete it
Windows could not find c\windows\systeme32\svchost.com

(these are my own words, since I had to translate)

The report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:40 م, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svchost.com
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: BHO pour Compagnon Web Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Compagnon Web Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [antihost] C:\WINDOWS\system32\ahr.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
0
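The HijackThis log above is read by hand in this thread, but the entries that explain the "Windows could not find svchost" messages can be picked out mechanically: the `F2` line chains `C:\WINDOWS\system32\svchost.com` onto the shell, the `F3` line auto-starts `C:\WINDOWS\svchost.exe` from win.ini (the real svchost.exe lives in system32), an `O4` Run value named `SVCHOST` actually launches `C:\WINDOWS\MDM.EXE`, and an `O7` policy disables the registry editor. The script below is an added example, not part of the thread or of HijackThis: it applies those checks to the posted log lines. The `EXPECTED_DIR` table (where a few system binaries legitimately live on Windows XP; the mdm.exe location is the one the log's own "Running processes" section shows) and the `SAMPLE_LOG` excerpt (a subset of the lines posted above) are assumptions made for this example.

```python
"""Triage a HijackThis v2 log: flag entries that hook the shell or login,
and Run values whose names or paths imitate system processes.

Added example for this thread; EXPECTED_DIR is an assumption for the
example, not a HijackThis feature.
"""
import re
from typing import List, NamedTuple, Tuple


class Flag(NamedTuple):
    line: str
    reasons: Tuple[str, ...]


# Where these binaries legitimately live on a Windows XP system (assumed for
# this example; the mdm.exe entry is the path the log's process list shows).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "mdm.exe": r"c:\program files\common files\microsoft shared\vs7debug",
}

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - \S+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed excerpt: a subset of the log lines posted above, unchanged.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svchost.com
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [antihost] C:\WINDOWS\system32\ahr.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


def _launched_file(cmd: str) -> str:
    """First executable in a Run command: the quoted part, or the first token
    before any trailing (User '...') annotation HijackThis appends."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" (User ")[0].split()[0]


def triage_hijackthis(log: str) -> List[Flag]:
    flags: List[Flag] = []
    for raw in log.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        if line.startswith("F2 - REG:system.ini: Shell="):
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":      # shell should be Explorer.exe alone
                reasons.append("system.ini Shell= launches more than Explorer.exe: " + shell)
        elif line.startswith("F3 - REG:win.ini: load="):
            target = line.split("load=", 1)[1].strip()
            if target:                                # legacy autostart, normally empty
                reasons.append("win.ini load= auto-starts " + target)
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                name, path = m.group("name"), _launched_file(m.group("cmd"))
                directory, _, base = path.lower().rpartition("\\")
                key = name.lower() if name.lower().endswith(".exe") else name.lower() + ".exe"
                if key in EXPECTED_DIR and base != key:   # value named like a system process
                    reasons.append(f"Run value named '{name}' actually starts {path}")
                expected = EXPECTED_DIR.get(base)
                if expected and directory != expected:     # known name, wrong directory
                    reasons.append(f"{base} started from {directory} instead of {expected}")
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            reasons.append("registry editor disabled by policy")
        if reasons:
            flags.append(Flag(line, tuple(reasons)))
    return flags


if __name__ == "__main__":
    for flag in triage_hijackthis(SAMPLE_LOG):
        print(flag.line)
        for reason in flag.reasons:
            print("   ->", reason)
```

The rules deliberately stay narrow: `ahr.exe` and the Avira entry are left alone because nothing in the log itself says whether they are legitimate, and a triage script should surface only what it can justify from the evidence it has.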
Le sioux | Posts: 4894 | Registered: Sunday 27 May 2007 | Status: Security contributor | Last active: 6 March 2023 | 496
11 Dec 2007 at 12:13
Re

These messages are due to the junk that is left over and to lines F1 and F2.

We're going to try the following:

I advise you to save this page by selecting all the lines and copying that selection into a text file on your PC, so that you can follow the procedure correctly.
(Note: you will have no Internet access from the moment you restart in Safe Mode.)
All the steps must be carried out without interruption, in exactly the order given below.
If anything is unclear to you, ask for an explanation before starting the disinfection.


1) Download

OTMoveIt (by Old_Timer) to your desktop.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Don't touch it for now.

2) Restart in Safe Mode

Look here first if needed: http://pageperso.aol.fr/loraline60/mode_sans_echec.htm
When the computer restarts, once the BIOS has finished loading, a black screen appears briefly; press the [F8] key (or [F5] on some PCs) until the Windows Advanced Options menu appears.
Select "Safe Mode" and press [Enter].
You will need to choose your usual account, not the "Administrator" account or another one.

Open the text file saved on the desktop so that you can follow the instructions properly.

3) Launch HijackThis.

I advise you to save all the lines to be fixed, then copy that selection into a text file on your PC so that you can follow the procedure correctly.

Launch HijackThis by double-clicking its shortcut on the desktop.
Click on Scan Only and tick the following lines:

O4 - HKLM\..\Run: [antihost] C:\WINDOWS\system32\ahr.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


Close all other windows and all other programs. No Internet connection.
Click Fix Checked, then click OK.
Then close HijackThis.

4) OTMoveIt (by Old_Timer)

Double-click OTMoveIt.exe to run it.
Copy the list quoted below
and paste it into the left-hand pane of OTMoveIt:
Paste List of Files/Folders to be moved.

C:\WINDOWS\system32\svchost.com
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\ahr.exe
C:\WINDOWS\MDM.EXE


Click MoveIt! to start the removal.
The result will appear in the Results pane.
Click Exit to close.

You may be asked to restart the PC to complete the removal.
If so, accept with Yes.


5) Reports

Restart your PC in Normal Mode, then post in reply:

* The OTMoveIt report located in C:\_OTMoveIt\MovedFiles (the contents of the file C:\_OTMoveIt\MovedFiles\********_******.log - the *** are digits representing the date and time)
* A new HijackThis report.

To be continued
0
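The entries Le sioux singles out above (the F2 Shell= and F3 load= lines, the Run values named after system binaries, and the O7 policy that blocks regedit) are the classic persistence spots a triage script checks first. The following is an added example for this page, not code from the thread, from HijackThis or from any tool named here: it parses HijackThis-style lines and flags the ones worth a second look. The sample log is constructed from the kind of lines shown in the reports above; the `C:\WINDOWS` system root and the tiny allowlist of expected system32 autostarts are assumptions, not values taken from any tool.

```python
r"""Triage of HijackThis-style log lines (added example, not part of the
forum thread or of HijackThis).

Flags the persistence entries discussed in the thread:
  F2 Shell=         - Winlogon shell with an extra executable appended
  F3 load=          - legacy win.ini load= autostart
  O4 Run entries    - names/paths imitating core system binaries
  O7 DisableRegedit - policy that blocks the registry editor
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the lines in the logs above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svchost.com
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [antihost] C:\WINDOWS\system32\ahr.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

WINDIR = r"c:\windows"                      # assumption: default XP system root
SYSTEM32 = r"c:\windows\system32"
# Core Windows binaries are started by the kernel/session manager, never from Run.
CORE_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer"}
# Constructed allowlist: the only system32 autostart this machine is expected to have.
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon.exe"}

RE_F2 = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
RE_F3 = re.compile(r"^F3 - REG:win\.ini: load=(.*)$", re.I)
RE_O4 = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$", re.I)
RE_O7 = re.compile(r"^O7 - .*DisableRegedit=1\b", re.I)
# Either a quoted path, or an unquoted path up to the first executable extension.
RE_EXE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)', re.I)


def extract_executable(command: str) -> Optional[str]:
    """Return the executable path from a Run command line, or None."""
    m = RE_EXE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None


def check_run_entry(name: str, command: str) -> List[str]:
    """Reasons an O4 Run entry deserves review (empty list if none)."""
    reasons: List[str] = []
    if ntpath.splitext(name)[0].lower() in CORE_BINARIES:
        reasons.append(f"Run value named after core binary '{name}'; core binaries are not started from Run")
    exe = extract_executable(command)
    if exe is None:
        return reasons + [f"could not parse executable from: {command}"]
    directory = ntpath.dirname(exe).lower()
    base = ntpath.basename(exe).lower()
    stem, ext = ntpath.splitext(base)
    if stem in CORE_BINARIES and directory != SYSTEM32:
        reasons.append(f"'{base}' imitates a core binary but lives outside System32")
    if ext == ".com":
        reasons.append(f"'{base}' is a .com companion executable")
    if directory in (WINDIR, SYSTEM32) and base not in KNOWN_SYSTEM_AUTOSTARTS:
        reasons.append(f"unfamiliar executable '{base}' in {directory} started from Run")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: {'line': ..., 'reasons': [...]}."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        m = RE_F2.match(line)
        if m:
            shell = m.group(1).strip()
            if shell.lower() != "explorer.exe":      # the only expected value
                reasons.append(f"Winlogon Shell runs more than Explorer.exe: {shell}")
        elif RE_F3.match(line):
            value = RE_F3.match(line).group(1).strip()
            if value:                                 # load= is normally empty
                reasons.append(f"win.ini load= autostart is set: {value}")
        elif RE_O4.match(line):
            m = RE_O4.match(line)
            reasons.extend(check_run_entry(m.group(2), m.group(3)))
        elif RE_O7.match(line):
            reasons.append("registry editor disabled by policy (DisableRegedit=1)")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Run against the sample, five of the eight lines are flagged: the two F lines, the `antihost` and `SVCHOST` Run values, and the O7 policy; the Avira and ctfmon entries pass. The allowlist is deliberately small so that anything unexpected in the Windows directory surfaces; on a real machine you would extend it with the autostarts you have verified rather than loosen the rules.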
I'll apply the instructions right away
See you later
0
As for the OTMoveIt report, well, after starting the removal I got a message saying that OTMoveIt cannot create the file C:\_OTMoveIt\MovedFiles !!

On restarting I got the same messages (Windows could not find c\windows\svchost.exe
c\windows\svchost.exe check that the file is present on the computer or delete it
Windows could not find c\windows\systeme32\svchost.com )

but here is the HijackThis one
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:40 م, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svchost.com
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: BHO pour Compagnon Web Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Compagnon Web Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [antihost] C:\WINDOWS\system32\ahr.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
0
Le sioux Posts: 4894 Registered: Sunday 27 May 2007 Status: Security contributor Last post: 6 March 2023 496
11 Dec. 2007 at 20:46
Good evening Nymphea

OTMoveIt didn't work ... damn

We'll try another way:

1) Download

* SDFix by AndyManchesta

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe to your Desktop.

Double-click SDFix.exe and choose Install to extract it into a dedicated folder on the Desktop. Don't touch it for now.

2) Restart in Safe Mode

When the computer restarts, once the BIOS has finished loading, a black screen appears briefly; press the [F8] or [F5] key until the Windows Advanced Options menu is displayed.
Select "Safe Mode" and press [Enter].
You will need to choose your usual session, not the "Administrator" account or any other.


3) SDFix

* Open the SDFix folder that has just been created in the C:\ directory and double-click RunThis.bat to launch the script.
* Press Y to start the cleaning process.
* It will remove the services and registry entries of certain trojans it finds, then ask you to press a key to restart.
* Press a key to restart the PC.
* Your system will take longer than usual to restart because the tool will keep running and deleting files.
* After the Desktop loads, the tool will finish its work and display Finished.
* Press a key to end the script and load your Desktop icons.
* Once the Desktop icons are displayed, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt.

Please post that report in reply, along with a new HijackThis report.

See you later
0
Nympheato Posts: 13 Registered: Wednesday 12 December 2007 Status: Member Last post: 8 July 2008
12 Dec. 2007 at 13:20
Good day to you, le sioux

here is the SDFix report:

SDFix: Version 1.118

Run by xp on Wed 12/12/2007 at 01:20 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\autorun.inf - Deleted
C:\WINDOWS\svchost.ini - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 13:24:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"E\6-\6H\6D\6 ?V?I?A? ?P?C?I? ?1?0?/?1?0?0?M?b? ?F?a?s?t? ?E?t?h?e?r?n?e?t?"=str(7):"1\0"
"E\6-\6H\6D\6 ?R?A?S? ?A?s?y?n?c?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6,\6/\6H\6D\6)\6 ?'\6D\6-\0062\6E\6"=str(7):"1\0002\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ? ?(?L?2?T?P?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?P?P?T?P?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?P?P?P?O?E?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?I?P?)?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\.\6/\6E\6)\6 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\NTMSEVT.DLL"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"E\6-\6H\6D\6 ?V?I?A? ?P?C?I? ?1?0?/?1?0?0?M?b? ?F?a?s?t? ?E?t?h?e?r?n?e?t?"=str(7):"1\0"
"E\6-\6H\6D\6 ?R?A?S? ?A?s?y?n?c?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6,\6/\6H\6D\6)\6 ?'\6D\6-\0062\6E\6"=str(7):"1\0002\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ? ?(?L?2?T?P?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?P?P?T?P?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?P?P?P?O?E?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?I?P?)?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\.\6/\6E\6)\6 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\NTMSEVT.DLL"
"TypesSupported"=dword:00000007

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\'\6D\0063\6J\0061\6)\6 ]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,76,d4,69,18,51,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\'\6D\6B\0061\6"\6F\6 ]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,10,2f,0e,00,00,00,00,64,8f,89,a3,5b,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\1\6,\6'\6D\6 ]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,60,aa,00,00,00,00,00,8a,bb,15,63,50,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\A\6F\6 ]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,1c,ba,cd,99,32,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\E\6H\0063\6H\69\6)\6 ]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,f0,41,01,00,00,00,00,fa,27,96,42,68,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\Publishers\F\6'\0064\0061\6 ]
@="{CFCCC7A0-A282-11D1-9082-006008059382}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"4\69\6'\0061\6'\6*\6 ?W?i?n?d?o?w?s? ?'\6D\6E\6*\6-\0061\6C\6)\6"=""C:\WINDOWS\Cursors\rainbow.ani,,C:\WINDOWS\Cursors\appstart.ani,C:\WINDOWS\Cursors\hourglas.ani,C:\WINDOWS\Cursors\cross.cur,,,,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,,""
"#\6(\6J\0066\6 ?+\6D\6'\6+\6J\6 ?'\6D\6#\6(\69\6'\6/\6"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,""
"#\6J\6/\6J\6 ?1?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"#\6J\6/\6J\6 ?2?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"/\6J\6F\0065\6H\0061\6"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"7\0061\6'\0062\6 ?B\6/\6J\6E\6"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"E\6H\0065\6D\6"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"E\6C\6(\0061\6"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"*\6A\6'\6H\6*\6'\6*\6"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
"(\0061\6H\6F\0062\6 ?+\6D\6'\6+\6J\6 ?'\6D\6#\6(\69\6'\6/\6"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\%\6D\6:\6'\6!\6 ]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="\x200f\x200f\x644\x64a\x633 \x647\x646\x627\x643 \x62d\x627\x62c\x629 \x625\x644\x649 \x647\x630\x647 \x627\x644\x645\x644\x641\x627\x62a \x625\x630\x627 \x623\x631\x62f\x62a \x625\x644\x63a\x627\x621 \x62a\x62b\x628\x64a\x62a \x647\x630\x627 \x627\x644\x625\x635\x62f\x627\x631 \x645\x646 Windows \x648\x627\x644\x639\x648\x62f\x629 \x625\x644\x649 \x646\x638\x627\x645 \x627\x644\x62a\x634\x63a\x64a\x644 \x627\x644\x633\x627\x628\x642."
"Display"="\x645\x644\x641\x627\x62a \x627\x644\x646\x633\x62e \x627\x644\x627\x62d\x62a\x64a\x627\x637\x64a \x644\x646\x638\x627\x645 \x627\x644\x62a\x634\x63a\x64a\x644 \x627\x644\x633\x627\x628\x642"
"IconPath"=str(2):"%SystemRoot%\system32\osuninst.EXE,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\'\6D\0063\6J\0061\6)\6 ]
"DisplayName"="\x627\x644\x633\x64a\x631\x629 \x627\x644\x646\x628\x648\x64a\x629"
"UninstallString"="C:\Program Files\Serah\Uninstal.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\'\6D\6B\0061\6"\6F\6 ]
"Inno Setup: Setup Version"="5.0.8"
"Inno Setup: App Path"="C:\Program Files\\x627\x644\x642\x631\x622\x646 \x627\x644\x643\x631\x64a\x645"
"InstallLocation"="C:\Program Files\\x627\x644\x642\x631\x622\x646 \x627\x644\x643\x631\x64a\x645\"
"Inno Setup: Icon Group"="\x627\x644\x642\x631\x622\x646 \x627\x644\x643\x631\x64a\x645"
"Inno Setup: User"="xp"
"Inno Setup: Selected Tasks"=""
"Inno Setup: Deselected Tasks"="desktopicon"
"DisplayName"="\x627\x644\x642\x631\x622\x646 -\x62c\x627\x645\x639 \x637\x644\x62d\x629"
"UninstallString"=""C:\Program Files\\x627\x644\x642\x631\x622\x646 \x627\x644\x643\x631\x64a\x645\unins000.exe""
"QuietUninstallString"=""C:\Program Files\\x627\x644\x642\x631\x622\x646 \x627\x644\x643\x631\x64a\x645\unins000.exe" /SILENT"
"Publisher"="\x62c\x645\x627\x639\x629 \x62c\x627\x645\x639 \x637\x644\x62d\x629"
"URLInfoAbout"="dhaher95@hotmail.com"
"HelpLink"="dhaher95@hotmail.com"
"URLUpdateInfo"="dhaher95@hotmail.com"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1\6,\6'\6D\6 ]
"Inno Setup: Setup Version"="5.1.5"
"Inno Setup: App Path"="C:\Program Files\\x631\x62c\x627\x644 \x62d\x648\x644 \x631\x633\x648\x644 \x627\x644\x644\x647 \x635\x644\x649 \x627\x644\x644\x647 \x639\x644\x64a\x647 \x648\x633\x644\x627\x645"
"InstallLocation"="C:\Program Files\\x631\x62c\x627\x644 \x62d\x648\x644 \x631\x633\x648\x644 \x627\x644\x644\x647 \x635\x644\x649 \x627\x644\x644\x647 \x639\x644\x64a\x647 \x648\x633\x644\x627\x645\"
"Inno Setup: Icon Group"="\x631\x62c\x627\x644 \x62d\x648\x644 \x631\x633\x648\x644 \x627\x644\x644\x647 \x635\x644\x649 \x627\x644\x644\x647 \x639\x644\x64a\x647 \x648\x633\x644\x627\x645"
"Inno Setup: User"="xp"
"Inno Setup: Selected Tasks"=""
"Inno Setup: Deselected Tasks"="desktopicon,quicklaunchicon"
"DisplayName"="\x631\x62c\x627\x644 \x62d\x648\x644 \x631\x633\x648\x644 \x627\x644\x644\x647 \x635\x644\x649 \x627\x644\x644\x647 \x639\x644\x64a\x647 \x648\x633\x644\x627\x645"
"UninstallString"=""C:\Program Files\\x631\x62c\x627\x644 \x62d\x648\x644 \x631\x633\x648\x644 \x627\x644\x644\x647 \x635\x644\x649 \x627\x644\x644\x647 \x639\x644\x64a\x647 \x648\x633\x644\x627\x645\unins000.exe""
"QuietUninstallString"=""C:\Program Files\\x631\x62c\x627\x644 \x62d\x648\x644 \x631\x633\x648\x644 \x627\x644\x644\x647 \x635\x644\x649 \x627\x644\x644\x647 \x639\x644\x64a\x647 \x648\x633\x644\x627\x645\unins000.exe" /SILENT"
"Publisher"="Arafasoft, Inc."
"URLInfoAbout"="https://www.arafasoft.com/"
"HelpLink"="https://www.arafasoft.com/"
"URLUpdateInfo"="https://www.arafasoft.com/"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\A\6F\6 ]
"DisplayName"="\x641\x646 \x627\x644\x62a\x639\x627\x645\x644 \x645\x639 \x627\x644\x646\x627\x633"
"UninstallString"="C:\WINDOWS\iun6002.exe "C:\Program Files\Ariss\Encyclopedias\How to act with people\irunin.ini""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Realtek AC97 Audio\'\6D\6*\6-\6C\6E\6 ]
"LineStates"=hex:00,00,00,00,27,06,44,06,2a,06,2d,06,43,06,45,06,20,00,28,06,2d,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Realtek AC97 Audio\9\6F\0065\0061\6 ]
"LineStates"=hex:04,00,00,00,39,06,46,06,35,06,31,06,20,00,2a,06,2d,06,43,06,45,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\6(\0061\6'\6E\6,\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,90,08,00,00,01,00,00,00,0e,00,00,00,7e,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\6(\0061\6'\6E\6,\6 \#\6/\6H\6'\6*\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,c4,05,00,00,01,00,00,00,09,00,00,00,9e,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\6(\0061\6'\6E\6,\6 \'\6*\0065\6'\6D\6'\6*\6]
"Order"=hex:08,00,00,00,02,00,00,00,58,04,00,00,01,00,00,00,06,00,00,00,98,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\6(\0061\6'\6E\6,\6 \'\6D\6H\0065\6H\6D\6]
"Order"=hex:08,00,00,00,02,00,00,00,78,02,00,00,01,00,00,00,04,00,00,00,a8,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\6(\0061\6'\6E\6,\6 \*\0061\6A\6J\6G\6]
"Order"=hex:08,00,00,00,02,00,00,00,cc,01,00,00,01,00,00,00,03,00,00,00,92,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\0063\6J\0061\6)\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,20,01,00,00,01,00,00,00,02,00,00,00,90,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\69\0061\6J\0063\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,26,01,00,00,01,00,00,00,02,00,00,00,92,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\6B\0061\6"\6F\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,84,01,00,00,01,00,00,00,03,00,00,00,80,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\'\6D\6B\0061\6"\6F\6 \Thawla_Ichatahane]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\(\6/\6!\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\(\0061\6'\6E\6,\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,9a,00,00,00,01,00,00,00,01,00,00,00,8e,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\*\0063\6'\6D\6J\6]
"Order"=hex:08,00,00,00,02,00,00,00,3c,08,00,00,01,00,00,00,0d,00,00,00,80,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\1\6,\6'\6D\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,56,02,00,00,01,00,00,00,03,00,00,00,ca,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\E\6H\0063\6H\69\6)\6 ]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups]
"*\0063\6'\6D\6J\6"="\x627\x644\x628\x631\x627\x645\x62c \x627\x644\x645\x644\x62d\x642\x629\\x62a\x633\x627\x644\x64a"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\9\6'\0061\0066\6 ]
"SaveSettings"="1"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

Mon 22 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"

Finished!


HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:30:37 م, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svchost.com
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: BHO pour Compagnon Web Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Compagnon Web Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795
0
Nympheato Posts: 13 Registered: Wednesday 12 December 2007 Status: Member Last post: 8 July 2008
12 Dec. 2007 at 13:21
Good day to you, le sioux

here is the SDFix report:

SDFix: Version 1.118

Run by xp on Wed 12/12/2007 at 01:20 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\autorun.inf - Deleted
C:\WINDOWS\svchost.ini - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 13:24:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"E\6-\6H\6D\6 ?V?I?A? ?P?C?I? ?1?0?/?1?0?0?M?b? ?F?a?s?t? ?E?t?h?e?r?n?e?t?"=str(7):"1\0"
"E\6-\6H\6D\6 ?R?A?S? ?A?s?y?n?c?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6,\6/\6H\6D\6)\6 ?'\6D\6-\0062\6E\6"=str(7):"1\0002\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ? ?(?L?2?T?P?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?P?P?T?P?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?P?P?P?O?E?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?I?P?)?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\.\6/\6E\6)\6 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\NTMSEVT.DLL"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"E\6-\6H\6D\6 ?V?I?A? ?P?C?I? ?1?0?/?1?0?0?M?b? ?F?a?s?t? ?E?t?h?e?r?n?e?t?"=str(7):"1\0"
"E\6-\6H\6D\6 ?R?A?S? ?A?s?y?n?c?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6,\6/\6H\6D\6)\6 ?'\6D\6-\0062\6E\6"=str(7):"1\0002\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ? ?(?L?2?T?P?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?P?P?T?P?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?P?P?P?O?E?)?"=str(7):"1\0"
"E\6F\6A\0060\6 ?E\0065\6:\0061\6 ?D\6@\6 ?W?A?N? ?(?I?P?)?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\.\6/\6E\6)\6 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\NTMSEVT.DLL"
"TypesSupported"=dword:00000007

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\'\6D\0063\6J\0061\6)\6 ]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,76,d4,69,18,51,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\'\6D\6B\0061\6"\6F\6 ]
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

Mon 22 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"

Finished!


HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:30:37 م, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svchost.com
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: BHO pour Compagnon Web Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Compagnon Web Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
0
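A small triage script for a HijackThis v2 log, added here as an example (it is not part of the thread and not HijackThis's own code): it flags the system.ini Shell= and win.ini load= entries and the service whose binary is missing. The sample lines are constructed from the report posted above; the checks are heuristics, not verdicts.

```python
"""Triage helper for a HijackThis v2 log (added example, not from the thread)."""
import re

# One entry per line: a section code such as R0, F2, O4 or O23, then " - ", then the body.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Core Windows binaries that only belong in %SystemRoot%\system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Constructed sample: a subset of the HijackThis report posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svchost.com
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""


def system_name_misplaced(path):
    """True when a file borrows a core system binary's name but lives outside system32."""
    p = path.strip().strip('"').lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_NAMES and "\\system32\\" not in p


def parse_hjt(text):
    """Yield (code, body) for every HijackThis entry line; other lines are skipped."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return (code, reason, value) findings for the entries a cleaner looks at first."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "F2" and "Shell=" in body:
            # system.ini Shell= should be exactly Explorer.exe; anything appended
            # is started together with the shell at every logon.
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append((code, "extra executable in Shell=", value))
        elif code == "F3" and "load=" in body:
            # win.ini load= is empty on a clean system.
            value = body.split("load=", 1)[1].strip()
            if system_name_misplaced(value):
                findings.append((code, "load= runs a system-named file outside system32", value))
            elif value:
                findings.append((code, "load= is not empty", value))
        elif code == "O23" and body.endswith("(file missing)"):
            # A registered service whose binary is gone is a leftover to disable.
            findings.append((code, "service binary missing", body))
        elif code == "O4":
            # Hint only: autoruns outside Program Files or system32 deserve a look.
            target = body.split("]", 1)[-1].lower()
            if "\\program files\\" not in target and "\\system32\\" not in target:
                findings.append((code, "autorun outside usual paths", target.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, value in triage(SAMPLE_LOG):
        print(f"{code}: {reason} -> {value}")
```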
Nympheato Posts 13 Registration date Wednesday 12 December 2007 Status Member Last contribution 8 July 2008
12 Dec. 2007 at 19:36
I forgot:
the messages still appear
0
Le sioux Posts 4894 Registration date Sunday 27 May 2007 Status Security contributor Last contribution 6 March 2023 496
13 Dec. 2007 at 02:15
Good evening Nymphéato

Let's continue:

Download Combofix.exe by sUBs to your Desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When the scan is finished, a report will appear.

--> Copy/paste this report in your next reply, along with a new HijackThis log.

@ +
0
Le sioux Posts 4894 Registration date Sunday 27 May 2007 Status Security contributor Last contribution 6 March 2023 496
13 Dec. 2007 at 05:54
Good evening again Nymphéato

I gave you instructions above, in post 17; I'm adding a "quick little thing"

There is still a Panda service on your PC; we're going to disable it:

* Start / Run

Type services.msc in the window that opens, then scroll down to "Panda Process Protection Service"

Right-click the line of the service in question, then Stop
Right-click again, then Properties; set Startup type to Disabled and confirm with Apply and OK

Close the Services window and restart your PC, then post a new HijackThis report.

To be continued
0
Nympheato Posts 13 Registration date Wednesday 12 December 2007 Status Member Last contribution 8 July 2008
13 Dec. 2007 at 11:24
ComboFix 07-12-12.3 - xp 12/13/2007 13:15:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.18 [GMT 3:00]
Running from: C:\Documents and Settings\xp\سطح المكتب\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 09:50 --------- d-----w C:\Program Files\Trend Micro
2007-12-10 14:44 --------- d-----w C:\Program Files\Ahead
2007-12-10 14:42 --------- d-----w C:\Program Files\رجال حول رسول الله صلى الله عليه وسلام
2007-12-09 12:28 --------- d-----w C:\Program Files\Avira
2007-12-09 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-12-09 10:55 --------- d-----w C:\Program Files\CCleaner
2007-12-08 14:03 --------- d-----w C:\Program Files\Waaz
2007-11-20 18:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 13:53 --------- d-----w C:\Program Files\Common Files\Panda Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12/09/2007 04:02 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^Hyperappel du Petit Larousse 2007.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^Larousse Expression.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^xp^قائمة ابدأ^البرامج^بدء التشغيل^Ela-Salaty.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^xp^قائمة ابدأ^البرامج^بدء التشغيل^Reboot.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
08/04/2004 03:56 AM 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E06FDXRC_5089812]
F:\Collection Microsoft Encarta 2006\EDICT.EXE -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E06FDXRC_874296]
C:\Program Files\Microsoft Encarta\Collection Microsoft Encarta 2006\EDICT.EXE -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kaspersky Anti-Virus 2006]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
07/09/2001 11:50 AM 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
06/20/2005 01:53 PM 1056768 -ra------ C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavTimeXP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
10/27/2005 02:01 AM 33792 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVP"=2 (0x2)
"AppMgmt"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65a0731f-104d-11dc-9f50-0016eca667ba}]
\Shell\AutoRun\command - J:\RavMon.exe
\Shell\explore\Command - J:\RavMon.exe -e
\Shell\open\Command - J:\RavMon.exe

*Newly Created Service* - PROCEXP90
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 12/13/2007 13:18:03

here's the first one
PS: I think I received viruses with this download, which I've put in quarantine for now
now I'm going to restart and I'll send you the HijackThis report right away
0
Le sioux Posts 4894 Registration date Sunday 27 May 2007 Status Security contributor Last contribution 6 March 2023 496
13 Dec. 2007 at 11:33
Hello

Antivir wrongly takes ComboFix for malware, but don't worry, it's a safe tool.

I'll look at your report and tell you what to do as soon as possible.
@ +
0