infection de mon PC G!rly aide moi Fermé

Question

Bonjour, mon PC  est infecté par plusieurs virus un ver  nommé allaple et un autre BAT/Fake.Privdanger
ma config c windows XP avec avira et kerio pour la défense mais bon apparement ca passe 
que faire G!rly aide moi ou quelqu'un d'autre
merci d'avance

Pi_Xi · Answer

Bonjour,

pour faire avancer le schmillblick:

télécharge HiJackThis: http://www.commentcamarche.net/telecharger/telecharger 159 hijackthis

* Dézippe-le dans un dossier prévu à cet effet. Par exemple C:\hijackthis
* Exécute-le puis clic sur "Do a system scan and save a logfile"
* Copie-colle le rapport sur le forum

g!rly · Answer

bonsoir a vous deux...

pour suivre...

@+

g!rly · Answer

salut pi_xi, 

ok on fait comme ca alors, tu regarde ;-) mais tu peux aussi intervenir, on fais comme ca?! oui !

papasiam bonsoir, 

post un rapport hijack this comme te l´as demandé pi_xi stp

et post aussi le rapport que va générer smitfraudfix :

télécharges smitfraudfix :

En image :
http://siri.urz.free.fr/Fix/SmitfraudFix.php

tu doubles cliques sur smitfraudfix.cmd et tu choisi l option 1
cela vas générer un rapport.

Copie/colle le rapport sur le forum stp.

@+

papasiam · Answer

et voila
hijack


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:52:13, on 17/01/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet	ools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: The enqvwkp - {CC4B2067-D903-427A-854B-632735A570D9} - C:\DOCUME~1\ZITUN~1\LOCALS~1\Temp\ac8zt2\enqvwkp.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\c_1tat.dll (file missing)
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\c_1tat.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O21 - SSODL: agrlmvp - {4141128B-10DF-49B0-9553-F6E7DAEC7174} - C:\WINDOWS\agrlmvp.dll
O21 - SSODL: bmlvqkn - {C816A9F0-F9D8-47AB-8CEA-C29103575CC8} - C:\WINDOWS\bmlvqkn.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

g!rly · Answer

re,

meilleurs voeux ;-)

l´infection a été détécté par smitfraudfix.

la suite :

Redémarre le PC en mode sans échec : tu tapotes sur la touche F8 de ton clavier (ou F5 ) dès le démarrage et tu choisis le mode sans échec)

- Ouvre le dossier "SmitfraudFix" et double clique sur "Smitfraudfix.cmd", choisit l 'option 2 et tu réponds oui à tout.

Enregistre le rapport puis Copie/colle le rapport sur le forum stp.

et post aussi un nouveau hijack this 

@+

papasiam · Answer

et voila tes demandes sont des ordres

SmitFraudFix v2.240

Rapport fait à  9:30:04,06, 17/01/2008
Executé à partir de C:\Documents and Settings\Zit”uN\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

C:\DOCUME~1\ZITUN~1\Bureau\Error Cleaner.url supprimé
C:\DOCUME~1\ZITUN~1\Bureau\Privacy Protector.url supprimé
C:\DOCUME~1\ZITUN~1\Bureau\Spyware?Malware Protection.url supprimé
C:\DOCUME~1\ZITUN~1\Favoris\Error Cleaner.url supprimé
C:\DOCUME~1\ZITUN~1\Favoris\Privacy Protector.url supprimé

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F6F54D28-7516-4FAD-A1FC-61212F6DF7E8}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F6F54D28-7516-4FAD-A1FC-61212F6DF7E8}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F6F54D28-7516-4FAD-A1FC-61212F6DF7E8}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252


»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre
 
Nettoyage terminé. 
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin

merci

g!rly · Answer

papasiam,

bien joué, tu peux supprimer smitfraudfix.

peux tu poster un nouveau hijack this stp

@+

papasiam · Answer

et voila


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:21, on 17/01/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet	ools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: The enqvwkp - {CC4B2067-D903-427A-854B-632735A570D9} - C:\DOCUME~1\ZITUN~1\LOCALS~1\Temp\ac8zt2\enqvwkp.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\c_1tat.dll (file missing)
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\c_1tat.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O21 - SSODL: agrlmvp - {4141128B-10DF-49B0-9553-F6E7DAEC7174} - C:\WINDOWS\agrlmvp.dll
O21 - SSODL: bmlvqkn - {C816A9F0-F9D8-47AB-8CEA-C29103575CC8} - C:\WINDOWS\bmlvqkn.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

g!rly · Answer

re,

on continue :

Télécharge combofix.exe (par sUBs) sur ton Bureau.

-> http://download.bleepingcomputer.com/sUBs/ComboFix.exe      

-> Double clique combofix.exe.
-> Tape sur la touche 1 (Yes) pour démarrer le scan.
-> Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse. 

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

@+

papasiam · Answer

et voilou ComboFix 08-01-17.5 - ZitöuN 2008-01-17 19:48:52.2 - NTFSx86 Microsoft Windows XP Professionnel 5.1.2600.0.1252.1.1036.18.731 [GMT 1:00] Running from: C:\ComboFix.exe * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Menu Démarrer\Live Safety Center.lnk C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.lnk C:\Documents and Settings\ZitöuN\Bureau\Live Safety Center.lnk C:\Documents and Settings\ZitöuN\Bureau\Online Security Guide.lnk C:\Documents and Settings\ZitöuN\Bureau\Spyware&Malware Protection.url C:\Documents and Settings\ZitöuN\Favoris\Error Cleaner.url C:\Documents and Settings\ZitöuN\Favoris\Online Security Guide.lnk C:\Documents and Settings\ZitöuN\Favoris\Privacy Protector.url C:\Documents and Settings\ZitöuN\Favoris\Spyware&Malware Protection.url C:\Documents and Settings\Zit”uN\Bureau\Error Cleaner.url C:\Documents and Settings\Zit”uN\Bureau\Privacy Protector.url C:\Program Files\Hammer.dll C:\WINDOWS\cookies.ini C:\WINDOWS\enqvwkp.dll C:\WINDOWS\system32\idqbtedn.exe C:\WINDOWS\system32\iikemcij.dllbox C:\WINDOWS\system32\iymtmrdm.dllbox C:\WINDOWS\system32\pqtss.bak1 C:\WINDOWS\system32\pqtss.bak2 C:\WINDOWS\system32\pqtss.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\poof ((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))))))) . 2008-01-17 19:47 . 2008-01-17 19:46 1,552,034 --a------ C:\ComboFix.exe 2008-01-17 09:29 . 2008-01-17 09:29 165 --a------ C:\WINDOWS\system32\drivers\fwdrv.err 2008-01-17 00:54 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2008-01-17 00:54 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2008-01-17 00:54 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe 2008-01-17 00:54 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2008-01-17 00:54 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2008-01-15 14:10 . 2008-01-15 10:55 229,376 --a------ C:\WINDOWS\bmlvqkn.dll 2008-01-15 14:10 . 2008-01-15 10:55 217,088 --a------ C:\WINDOWS\agrlmvp.dll 2008-01-15 14:10 . 2008-01-15 10:55 81,920 --a------ C:\WINDOWS\fxtqdrl.exe 2008-01-15 13:38 . 2008-01-15 13:39 d-------- C:\Program Files\MediaStarCodec 2008-01-11 18:04 . 2008-01-11 19:27 d-------- C:\Program Files\Nouveau dossier 2007-12-30 17:03 . 2007-12-30 17:03 d-------- C:\Program Files\iTunes 2007-12-30 17:03 . 2007-12-30 17:03 d-------- C:\Program Files\iPod 2007-12-30 17:02 . 2007-12-30 17:02 d-------- C:\Program Files\Apple Software Update 2007-12-30 17:02 . 2007-12-30 17:02 d-------- C:\Documents and Settings\All Users\Application Data\Apple 2007-12-22 14:38 . 2001-08-17 21:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS 2007-12-22 14:38 . 2001-08-17 21:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-16 13:58 --------- d-----w C:\Program Files\PokerStars 2008-01-15 09:08 --------- d-----w C:\Program Files\mIRC 2007-12-30 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2007-12-30 16:02 --------- d-----w C:\Program Files\QuickTime 2007-12-12 15:01 --------- d-----w C:\Program Files\bwin 2007-12-06 22:34 --------- d-----w C:\Program Files\DivX 2007-12-01 14:39 --------- d-----w C:\Program Files\PKR 2007-11-26 20:58 --------- d-----w C:\Program Files\BitComet 2007-11-25 21:04 --------- d-----w C:\Program Files\MaxTV 2007-11-25 21:03 --------- d-----w C:\Program Files\MaxSoftware 2007-10-28 20:25 192,240 ----a-w C:\WINDOWS\system32\wins.exe 2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-10-18 19:43 8,674,195 ----a-w C:\Program Files\dxnt.cab 2007-10-17 18:52 50,688 ----a-w C:\ATF-Cleaner.exe 2007-07-19 23:19 855,886 ----a-w C:\Program Files\AUG2007_d3dx10_35_x64.cab 2007-07-19 23:19 800,467 ----a-w C:\Program Files\AUG2007_d3dx10_35_x86.cab 2007-07-19 23:19 1,803,760 ----a-w C:\Program Files\AUG2007_d3dx9_35_x64.cab 2007-07-19 23:18 44,684 ----a-w C:\Program Files\dxdllreg_x86.cab 2007-07-19 23:18 201,696 ----a-w C:\Program Files\AUG2007_XACT_x64.cab 2007-07-19 23:18 156,612 ----a-w C:\Program Files\AUG2007_XACT_x86.cab 2007-07-19 23:18 1,711,752 ----a-w C:\Program Files\AUG2007_d3dx9_35_x86.cab 2007-07-19 22:48 976,020 ------w C:\Program Files\BDAXP.cab 2007-07-19 22:48 917,318 ------w C:\Program Files\Apr2006_MDX1_x86.cab 2007-07-19 22:48 88,102 ------w C:\Program Files\AUG2006_xinput_x64.cab 2007-07-19 22:48 87,989 ------w C:\Program Files\Apr2006_xinput_x64.cab 2007-07-19 22:48 77,160 ----a-w C:\Program Files\DSETUP.dll 2007-07-19 22:48 702,212 ------w C:\Program Files\APR2007_d3dx10_33_x64.cab 2007-07-19 22:48 699,465 ------w C:\Program Files\APR2007_d3dx10_33_x86.cab 2007-07-19 22:48 56,902 ------w C:\Program Files\APR2007_xinput_x86.cab 2007-07-19 22:48 47,018 ------w C:\Program Files\AUG2006_xinput_x86.cab 2007-07-19 22:48 46,898 ------w C:\Program Files\Apr2006_xinput_x86.cab 2007-07-19 22:48 4,163,518 ------w C:\Program Files\Apr2006_MDX1_x86_Archive.cab 2007-07-19 22:48 213,767 ------w C:\Program Files\DEC2006_d3dx10_00_x64.cab 2007-07-19 22:48 199,366 ------w C:\Program Files\APR2007_XACT_x64.cab 2007-07-19 22:48 193,435 ------w C:\Program Files\DEC2006_XACT_x64.cab 2007-07-19 22:48 192,680 ------w C:\Program Files\DEC2006_d3dx10_00_x86.cab 2007-07-19 22:48 183,863 ------w C:\Program Files\AUG2006_XACT_x64.cab 2007-07-19 22:48 180,021 ------w C:\Program Files\Apr2006_XACT_x64.cab 2007-07-19 22:48 154,825 ------w C:\Program Files\APR2007_XACT_x86.cab 2007-07-19 22:48 146,559 ------w C:\Program Files\DEC2006_XACT_x86.cab 2007-07-19 22:48 138,195 ------w C:\Program Files\AUG2006_XACT_x86.cab 2007-07-19 22:48 133,991 ------w C:\Program Files\Apr2006_XACT_x86.cab 2007-07-19 22:48 100,417 ------w C:\Program Files\APR2007_xinput_x64.cab 2007-07-19 22:48 1,673,576 ----a-w C:\Program Files\dsetup32.dll 2007-07-19 22:48 1,610,958 ------w C:\Program Files\APR2007_d3dx9_33_x64.cab 2007-07-19 22:48 1,609,639 ------w C:\Program Files\APR2007_d3dx9_33_x86.cab 2007-07-19 22:48 1,575,336 ------w C:\Program Files\DEC2006_d3dx9_32_x86.cab 2007-07-19 22:48 1,572,114 ------w C:\Program Files\DEC2006_d3dx9_32_x64.cab 2007-07-19 22:48 1,398,718 ------w C:\Program Files\Apr2006_d3dx9_30_x64.cab 2007-07-19 22:48 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab 2007-07-19 22:48 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab 2007-07-19 22:48 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab 2007-07-19 22:48 1,156,363 ------w C:\Program Files\BDANT.cab 2007-07-19 22:48 1,116,109 ------w C:\Program Files\Apr2006_d3dx9_30_x86.cab 2007-07-19 22:48 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab 2007-07-19 22:48 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab 2007-07-19 22:48 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab 2005-03-18 16:31 7,479 ----a-w C:\Program Files\d3dx9_25_x64.cat 2005-03-18 16:25 806 ----a-w C:\Program Files\apr2005_d3dx9_25_x64.inf 2005-03-18 16:25 667 ----a-w C:\Program Files\d3dx9_25_x64.inf 2005-03-18 16:19 3,823,312 ----a-w C:\Program Files\d3dx9_25.dll 2005-03-18 16:18 58,064 ----a-w C:\Program Files\infinst.exe . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-28 13:00 13312] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 06:14 1077277] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-19 20:31 68856] "SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 17:45 1052672] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-05 11:35 335872] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-17 20:13 249896] "nForce Tray Options"="sstray.exe" [2003-08-13 05:25 73728 C:\WINDOWS\system32\sstray.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-28 13:00 13312] "HOT FIX"="Gothic.exe" [] "Windows Insecure"="ccwd.exe" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "agrlmvp"= {4141128B-10DF-49B0-9553-F6E7DAEC7174} - C:\WINDOWS\agrlmvp.dll [2008-01-15 10:55 217088] "bmlvqkn"= {C816A9F0-F9D8-47AB-8CEA-C29103575CC8} - C:\WINDOWS\bmlvqkn.dll [2008-01-15 10:55 229376] R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 13:22] R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\System32\drivers\si3112r.sys [2003-05-30 11:05] R0 SiWinAcc;SiWinAcc;C:\WINDOWS\System32\drivers\SiWinAcc.sys [2003-02-12 07:37] R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 12:04] R1 fwdrv;Firewall Driver;C:\WINDOWS\System32\drivers\fwdrv.sys [2005-09-26 10:05] R1 khips;Kerio HIPS Driver;C:\WINDOWS\System32\drivers\khips.sys [2005-09-26 10:05] S4 NOTEPAD;NOTEPAD;"C:\WINDOWS\system\NOTEPAD.exe" [] S4 windowsys;system32 master;"C:\WINDOWS\windowsys.com" [] . Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es' "2007-12-30 16:02:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-17 19:54:31 Windows 5.1.2600 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2600.0000] -> C:\WINDOWS\bmlvqkn.dll . Completion time: 2008-01-17 19:55:59 - machine was rebooted [Zit”uN] ComboFix-quarantined-files.txt 2008-01-17 18:55:53 ComboFix2.txt 2007-10-14 19:11:00 thanks you

g!rly · Answer

re,

post un rapport hijack this tout frais stp

@+

papasiam · Answer

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:42, on 17/01/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32
otepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet	ools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O21 - SSODL: agrlmvp - {4141128B-10DF-49B0-9553-F6E7DAEC7174} - C:\WINDOWS\agrlmvp.dll
O21 - SSODL: bmlvqkn - {C816A9F0-F9D8-47AB-8CEA-C29103575CC8} - C:\WINDOWS\bmlvqkn.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

g!rly · Answer

re,

a l´aide de hijack this coche les lignes suivantes :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O21 - SSODL: agrlmvp - {4141128B-10DF-49B0-9553-F6E7DAEC7174} - C:\WINDOWS\agrlmvp.dll
O21 - SSODL: bmlvqkn - {C816A9F0-F9D8-47AB-8CEA-C29103575CC8} - C:\WINDOWS\bmlvqkn.dll

comment fixer :

Tutoriel d´utilisation (video) :

-> http://pageperso.aol.fr/balltrap34/demohijack.htm

puis

Copie le texte ci-dessous :

File::
C:\WINDOWS\agrlmvp.dll
C:\WINDOWS\bmlvqkn.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"agrlmvp"=-
"bmlvqkn"=-

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports.

@+

papasiam · Answer

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:47, on 17/01/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet	ools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

g!rly · Answer

re,

c´est mieux ;-)

ta version de acrobat reader n´est pas a jour, tu veux la version 8.1 derniere en date alors desinstale ta version par le panneau de configuration / ajoue et suppression de programme

et instale la derniere :

https://get2.adobe.com/reader/otherversions/

ou foxit plus léger :

https://www.clubic.com/telecharger-fiche13808-foxit-reader.html

puis 

tu surf avec internet explorer 6.0 = failles de securitées importantes

alors fais les mises a jour windows : tu veux la version 7.0 

et pourquoi ne pas surfer avec firefox? = plus sur,  tout en gardant ie 7.0 pour les mises a jour windows car impossible a effectuer sous firefox

http://www.firefox.fr/ 

puis

j´aimerais que tu effectue un scan complet de ta machine avec antivir et quye tu posdt le rapport ici 

@+

papasiam · Answer

AntiVir PersonalEdition Classic
Report file date: jeudi 17 janvier 2008  21:44

Scanning for 1033339 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (plain)  [5.1.2600]
Username:         ZitöuN
Computer name:    HOMESWEETHOME

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 12:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 11:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 14:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 11:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 13:27:15
ANTIVIR1.VDF : 7.0.1.95    3367424 Bytes  14/12/2007 00:29:23
ANTIVIR2.VDF : 7.0.1.205    620544 Bytes  08/01/2008 01:20:42
ANTIVIR3.VDF : 7.0.1.237    235008 Bytes  15/01/2008 08:22:43
AVEWIN32.DLL : 7.6.0.46    3084800 Bytes  19/12/2007 22:56:15
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 09:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 06:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 12:16:24
AVPACK32.DLL : 7.6.0.2      360488 Bytes  19/12/2007 22:56:15
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 06:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 11:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 06:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 10:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 11:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 11:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 08:37:21

Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldrives.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: F:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: jeudi 17 janvier 2008  21:44

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'SATARaid.exe' - '1' Module(s) have been scanned
Scan process 'SuperCopier2.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'sstray.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
33 processes with 33 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
      [NOTE]      No virus was found!
Boot sector 'D:\'
      [NOTE]      No virus was found!
Boot sector 'G:\'
      [NOTE]      No virus was found!
Boot sector 'A:\'
      [NOTE]      In the drive 'A:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( '34' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
      [WARNING]   The file could not be opened!
Begin scan in 'D:\'
Begin scan in 'G:\' <zitoun>
G:\xavier\Larousse.De.Cuisine.-.rip.Fr.par.eMule-Paradise.com.ace
  [0] Archive type: ACE
  --> Larousse de cuisine\system\Livres de Cuisine\D&#130;licieuses Confitures.mc2
      [WARNING]   Error creating the file
  --> Larousse de cuisine\system\Livres de Cuisine\D&#130;licieuses Compotes.mc2
      [WARNING]   No further files can be extracted from this archive. The archive will be closed
      [WARNING]   No further files can be extracted from this archive. The archive will be closed
Begin scan in 'A:\'
Search path A:\ could not be opened!
Le périphérique n'est pas prêt.

Begin scan in 'E:\'
Search path E:\ could not be opened!
Le périphérique n'est pas prêt.

Begin scan in 'F:\'
Search path F:\ could not be opened!
Fonction incorrecte.



End of the scan: jeudi 17 janvier 2008  22:16
Used time: 31:38 min

The scan has been done completely.

   3368 Scanning directories
 198430 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
 198430 Files not concerned
   1587 Archives were scanned
      4 Warnings
    129 Notes

j' utilise deja firefox pour le reste j'ai fais les MAJ

merci

g!rly · Answer

re,

antivir n´arrive pas a scanner le fichier : 

G:\xavier\Larousse.De.Cuisine.-.rip.Fr.par.eMule-Paradise.com.ace 

peux tu essayer de l´analyser ici :

https://www.virustotal.com/gui/

ou ici :

http://virusscan.jotti.org/de/

et poste le resultat ici stp

@+

papasiam · Answer

j' arrive pas a scamé le fichier larousse pour le premier lien le fichier est rop gros et pour le second le serveur est toujours trop occupé
sinon je le fous a la corbeille ce n'est pas un fichier primordial ???????????????????
merci

g!rly · Answer

salut xavier,

oui s´epare toi de ce fichier, ca serait ingénieux...

non ce n´est pas un fichier primordial, loin de la...

c´est des recettes de cuisine ;-)

@´+

papasiam · Answer

a yè supprimé le fichier mais je savais ce que c'etait des recettes 
j entendais primordiale si le fichier en question avit un rapport avec les virus

merci pour tout est surtout ta disponibilité

g!rly · Answer

ok cool ;-)

comment va ton pc maintnenant?

@+

Infection de mon PC G!rly aide moi

21 réponses