win32:agent-oli need help Résolu

Question

Bonjour,

Voilà un amis avai pas mal de soucis récement, j'ai du changer quelques périphériques de son pc.
Enfaite un trojan a été detecté, 5 minutes après son alimentation lache, sen suit sa carte mère.
Je change le matos remonte la tour(je passe les quelques prooblèmes), une fois tous monté je formate, lui rend la tour, il réinstalle les drivers ensuite l'antivirus, et la paf il lui detect un trojan qui coupe sa connection et qui n'est pas supprimable.
Je reprend la tour, je reformate et la je lui installe l'antivirus directement avant tous drivers.
Il install les drivers un à un, aucun trojan niquel et en allant chercher le service pack2 , dès qu'il a commencé à surfer sur le site télécharger01.net, l'antivirus à annoncé encore le trojan win32:agent-oli qui étais présent sur le site et qui verollai ses fichiés dans local setting.
Je vais devoir repartir formater et faire une à une les isntallations voir si c'est pas un des nouveaux cd drivers qui serais vérollé, ce qui métonnerai mais bon.
Voilà donc j'aimerais savoir si c'est possbile que le trojan après un formatage reste sur le pc, puis deux formatages je dirai même, et si ce trojan et connu, car impossible de le supprimer avec nod32, avast, kapersky, ad aware....

Merci d'avance,

g!rly · Answer

salut, 

fais voir un rapport hijacjk this 

Télécharge HijackThis ici : 

-> http://www.commentcamarche.net/telecharger/telecharger 159 hijackthis

Tutoriel d´utilisation (video) :

-> http://pageperso.aol.fr/balltrap34/demohijack.htm

Post le rapport généré ici stp...

@+

zuigick · Answer

Salut, 

Voilà le rapport :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:22, on 19/01/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\drivers\spool.exe C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\superfindout.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

g!rly · Answer

re,

Télécharge combofix.exe (par sUBs) sur ton Bureau.

-> http://download.bleepingcomputer.com/sUBs/ComboFix.exe      

-> Double clique combofix.exe.
-> Tape sur la touche 1 (Yes) pour démarrer le scan.
-> Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse. 

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

+

un nouveau hijack this (apres avoir passé hijack this).

@+

zuigick · Answer

Re,

Rapport combo :

ComboFix 08-01-18.5 - Elporto 2008-01-19 13:33:52.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.0.1252.1.1036.18.764 [GMT 1:00]
Running from: E:\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Helper
C:\Program Files\Helper\superfindout.dll
C:\WINDOWS\system32\6_exception.nls
C:\WINDOWS\Temp\140484.exe
C:\WINDOWS\Temp\289562.exe
C:\WINDOWS\Temp\348765.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\runtime

((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-19 to 2008-01-19 ))))))))))))))))))))))))))))))))))))
.

2008-01-19 13:35 . 2008-01-19 13:36 14,080 --a------ C:\WINDOWS\system32\drivers\sysproc.sys
2008-01-19 13:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 12:45 . 2008-01-19 12:45 <REP> d-------- C:\Program Files\Trend Micro
2008-01-19 11:31 . 2008-01-19 11:31 25,984 --a------ C:\WINDOWS\system32\drivers\Taf73.sys
2008-01-19 11:30 . 2008-01-19 11:30 81,656 --a------ C:\wjdv.exe
2008-01-19 11:30 . 2008-01-19 11:30 28,180 --a------ C:\jxbytp.exe
2008-01-19 11:30 . 2008-01-19 11:30 2 --a------ C:\-1401089874
2008-01-19 11:09 . 2008-01-19 11:09 <REP> d-------- C:\Documents and Settings\Elporto\Application Data\MSN6
2008-01-19 11:09 . 2008-01-19 11:09 <REP> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-18 22:49 . 2008-01-18 22:49 <REP> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-18 22:38 . 2008-01-18 22:38 25,984 --a------ C:\WINDOWS\system32\drivers\Afk51.sys
2008-01-18 22:28 . 2008-01-18 22:28 <REP> d-------- C:\WINDOWS\system32\bits
2008-01-18 22:27 . 2004-07-01 23:08 360,960 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-18 22:27 . 2004-07-01 23:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-18 22:27 . 2004-07-01 23:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-18 22:27 . 2004-07-01 23:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-01-18 22:25 . 2008-01-18 22:28 <REP> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-18 22:25 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-01-18 22:25 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-01-18 22:25 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-01-18 22:25 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-18 22:25 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-18 22:25 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-01-18 22:25 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-18 22:25 . 2007-07-30 19:19 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-18 22:25 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-18 22:23 . 2008-01-18 22:48 <REP> d---s---- C:\Documents and Settings\Elporto\UserData
2008-01-18 21:36 . 2008-01-18 21:36 6,656 ---hs---- C:\Documents and Settings\Elporto\msftp.dll
2008-01-18 21:32 . 2008-01-18 21:32 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-01-18 21:32 . 2008-01-18 21:32 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
2008-01-18 21:32 . 2008-01-18 21:32 22,528 --a------ C:\WINDOWS\system32\drivers\spool.exe
2008-01-18 21:32 . 2008-01-18 21:32 6,656 ---hs---- C:\WINDOWS\system32\msftp.dll
2008-01-18 21:32 . 2008-01-18 21:32 6,656 ---hs---- C:\Documents and Settings\LocalService\msftp.dll
2008-01-18 21:30 . 2008-01-18 21:30 <REP> d-------- C:\Documents and Settings\Elporto\Contacts
2008-01-18 21:30 . 2008-01-18 21:30 268 --ah----- C:\sqmdata01.sqm
2008-01-18 21:30 . 2008-01-18 21:30 244 --ah----- C:\sqmnoopt01.sqm
2008-01-18 21:26 . 2008-01-18 21:26 435,200 -r-hsc--- C:\WINDOWS\system32\dllcache\mravsc32.exe
2008-01-18 21:26 . 2008-01-18 21:26 268 --ah----- C:\sqmdata00.sqm
2008-01-18 21:26 . 2008-01-18 21:26 244 --ah----- C:\sqmnoopt00.sqm
2008-01-18 21:25 . 2008-01-18 21:26 435,200 --a------ C:\WINDOWS\system32\amp.exe
2008-01-18 21:25 . 2008-01-18 21:25 58 --a------ C:\WINDOWS\system32\i
2008-01-18 21:24 . 2008-01-18 21:24 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-18 21:21 . 2008-01-18 21:21 12,980 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-18 21:05 . 2008-01-18 22:18 <REP> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-18 21:05 . 2007-12-13 19:27 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-18 21:05 . 2008-01-18 22:18 353,206 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-18 21:04 . 2008-01-18 22:18 <REP> d-------- C:\WINDOWS\Internet Logs
2008-01-18 21:01 . 2008-01-18 21:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-18 20:48 . 2002-05-09 15:12 155,648 --a------ C:\WINDOWS\system32\adadix32.dll
2008-01-18 20:48 . 2003-03-27 13:38 127,145 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys
2008-01-18 20:48 . 2003-04-30 08:40 11,965 --a------ C:\WINDOWS\system32\drivers\adiusbaw.cat
2008-01-18 20:48 . 2003-02-17 11:36 342 --a------ C:\WINDOWS\adiras.ini
2008-01-18 20:48 . 2008-01-18 20:48 154 --a------ C:\WINDOWS\adidsl.ini
2008-01-18 20:48 . 2008-01-18 20:48 21 --a------ C:\WINDOWS\Fast800.ini
2008-01-18 20:47 . 2008-01-18 20:47 <REP> d-------- C:\Program Files\SAGEM
2008-01-18 20:46 . 2008-01-18 20:47 <REP> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\WINDOWS\Historique
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\WINDOWS\Cegetel
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\Program Files\Cegetel
2008-01-18 20:45 . 1997-03-05 08:53 48,128 --a------ C:\WINDOWS\system32\SMMSCRPT.DLL
2008-01-18 20:45 . 1996-10-15 08:40 9,728 --a------ C:\WINDOWS\system32\RNAPH.DLL
2008-01-18 20:25 . 2008-01-18 20:25 <REP> d-------- C:\Program Files\Alwil Software
2008-01-18 20:25 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-18 20:25 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-18 20:25 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-18 20:25 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-18 20:25 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-18 20:25 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-18 20:25 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-18 20:25 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-18 20:25 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-18 20:23 . 2001-08-17 22:03 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-18 20:21 . 2008-01-18 20:21 <REP> d-------- C:\WINDOWS\system32\Attansic
2008-01-18 20:21 . 2008-01-18 20:21 <REP> d-------- C:\Program Files\Attansic
2008-01-18 20:21 . 2007-03-15 07:12 38,656 -ra------ C:\WINDOWS\system32\drivers\atl01_xp.sys
2008-01-18 20:20 . 2008-01-18 20:20 8,917 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-01-18 19:52 . 2008-01-18 19:52 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-01-18 19:51 . 2006-10-11 04:33 10,288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-01-18 19:51 . 2004-08-12 09:00 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-01-18 19:49 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-18 19:49 . 2008-01-18 19:49 385 --a------ C:\WINDOWS\ODBC.INI
2008-01-18 19:48 . 2008-01-18 19:48 <REP> d-------- C:\WINDOWS\SHELLNEW
2008-01-18 19:48 . 2008-01-18 19:48 <REP> d-------- C:\Program Files\Microsoft.NET
2008-01-18 19:45 . 2008-01-18 19:45 <REP> dr-h----- C:\MSOCache
2008-01-18 19:40 . 2008-01-18 19:42 <REP> d-------- C:\Program Files\Microsoft Works
2008-01-18 19:37 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-18 19:36 . 2008-01-18 19:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-18 19:36 . 2004-07-26 18:09 2,023,424 --------- C:\WINDOWS\UNNeroVision.exe
2008-01-18 19:36 . 2004-07-30 15:00 90,707 --------- C:\WINDOWS\UNNeroVision.cfg
2008-01-18 19:36 . 2001-03-08 19:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2008-01-18 19:35 . 2008-01-18 19:36 <REP> d-------- C:\Program Files\Fichiers communs\Ahead
2008-01-18 19:35 . 2008-01-18 19:37 <REP> d-------- C:\Program Files\Ahead
2008-01-18 19:35 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-01-18 19:35 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-01-18 19:35 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-01-18 19:35 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 19:48 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-01-18 15:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-18 15:50 --------- d-----w C:\Program Files\Services en ligne
2008-01-18 15:50 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2008-01-18 15:43 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2008-01-18 15:43 --------- d-----w C:\Program Files\Fichiers communs\ODBC
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-28 13:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ntuser"="C:\WINDOWS\system32\drivers\spool.exe" [2008-01-18 21:32 22528]
"autoload"="C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe" [2008-01-18 21:32 22528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"adiras"="adiras.exe" []
"autoload"="C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe" [2008-01-18 21:32 22528]
"ntuser"="C:\WINDOWS\system32\drivers\spool.exe" [2008-01-18 21:32 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-28 13:00 13312]
"ntuser"="C:\WINDOWS\system32\drivers\spool.exe" [2008-01-18 21:32 22528]
"autoload"="C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe" [2008-01-18 21:32 22528]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afk51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Taf73.sys]
@="Driver"

*Newly Created Service* - ALG
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 13:36:14
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 13:36:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 12:36:38

Nouveau rapport hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:29, on 19/01/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

g!rly · Answer

re,

Copie le texte ci-dessous :

File::
C:\wjdv.exe
C:\jxbytp.exe
C:\-1401089874
C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
adiras.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autoload"=-
"ntuser"=-
"adiras"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autoload"=-

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports.

@+

zuigick · Answer

Re,

Ok tous c'est bien passé, au moment du scan de combo avast a ouvert une fenêtre en signalant le trojan en question, je sais pas si c'est normal enfin le reste c'est bien passé, sa a redémarré.

Donc rapport Combo :

ComboFix 08-01-18.5 - Elporto 2008-01-19 14:19:50.2 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.0.1252.1.1036.18.736 [GMT 1:00]
Running from: E:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Elporto\Bureau\CFScript.txt..txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\-1401089874
C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\jxbytp.exe
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\wjdv.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1401089874
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Elporto\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\jxbytp.exe
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\wjdv.exe

.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-19 to 2008-01-19 ))))))))))))))))))))))))))))))))))))
.

2008-01-19 13:35 . 2008-01-19 14:20 14,080 --a------ C:\WINDOWS\system32\drivers\sysproc.sys
2008-01-19 13:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 12:45 . 2008-01-19 12:45 <REP> d-------- C:\Program Files\Trend Micro
2008-01-19 11:31 . 2008-01-19 11:31 25,984 --a------ C:\WINDOWS\system32\drivers\Taf73.sys
2008-01-19 11:09 . 2008-01-19 11:09 <REP> d-------- C:\Documents and Settings\Elporto\Application Data\MSN6
2008-01-19 11:09 . 2008-01-19 11:09 <REP> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-18 22:49 . 2008-01-18 22:49 <REP> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-18 22:38 . 2008-01-18 22:38 25,984 --a------ C:\WINDOWS\system32\drivers\Afk51.sys
2008-01-18 22:28 . 2008-01-18 22:28 <REP> d-------- C:\WINDOWS\system32\bits
2008-01-18 22:27 . 2004-07-01 23:08 360,960 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-18 22:27 . 2004-07-01 23:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-18 22:27 . 2004-07-01 23:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-18 22:27 . 2004-07-01 23:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-01-18 22:25 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-01-18 22:25 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-01-18 22:25 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-01-18 22:25 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-18 22:25 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-18 22:25 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-01-18 22:25 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-18 22:25 . 2007-07-30 19:19 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-18 22:25 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-18 22:23 . 2008-01-18 22:48 <REP> d---s---- C:\Documents and Settings\Elporto\UserData
2008-01-18 21:36 . 2008-01-18 21:36 6,656 ---hs---- C:\Documents and Settings\Elporto\msftp.dll
2008-01-18 21:32 . 2008-01-18 21:32 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-01-18 21:32 . 2008-01-18 21:32 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
2008-01-18 21:32 . 2008-01-18 21:32 6,656 ---hs---- C:\WINDOWS\system32\msftp.dll
2008-01-18 21:32 . 2008-01-18 21:32 6,656 ---hs---- C:\Documents and Settings\LocalService\msftp.dll
2008-01-18 21:30 . 2008-01-18 21:30 <REP> d-------- C:\Documents and Settings\Elporto\Contacts
2008-01-18 21:30 . 2008-01-18 21:30 268 --ah----- C:\sqmdata01.sqm
2008-01-18 21:30 . 2008-01-18 21:30 244 --ah----- C:\sqmnoopt01.sqm
2008-01-18 21:26 . 2008-01-18 21:26 268 --ah----- C:\sqmdata00.sqm
2008-01-18 21:26 . 2008-01-18 21:26 244 --ah----- C:\sqmnoopt00.sqm
2008-01-18 21:25 . 2008-01-18 21:26 435,200 --a------ C:\WINDOWS\system32\amp.exe
2008-01-18 21:25 . 2008-01-18 21:25 58 --a------ C:\WINDOWS\system32\i
2008-01-18 21:24 . 2008-01-18 21:24 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-18 21:21 . 2008-01-18 21:21 12,980 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-18 21:05 . 2008-01-18 22:18 <REP> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-18 21:05 . 2007-12-13 19:27 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-18 21:05 . 2008-01-18 22:18 353,206 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-18 21:04 . 2008-01-18 22:18 <REP> d-------- C:\WINDOWS\Internet Logs
2008-01-18 21:01 . 2008-01-18 21:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-18 20:48 . 2002-05-09 15:12 155,648 --a------ C:\WINDOWS\system32\adadix32.dll
2008-01-18 20:48 . 2003-03-27 13:38 127,145 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys
2008-01-18 20:48 . 2003-04-30 08:40 11,965 --a------ C:\WINDOWS\system32\drivers\adiusbaw.cat
2008-01-18 20:48 . 2003-02-17 11:36 342 --a------ C:\WINDOWS\adiras.ini
2008-01-18 20:48 . 2008-01-18 20:48 154 --a------ C:\WINDOWS\adidsl.ini
2008-01-18 20:48 . 2008-01-18 20:48 21 --a------ C:\WINDOWS\Fast800.ini
2008-01-18 20:47 . 2008-01-18 20:47 <REP> d-------- C:\Program Files\SAGEM
2008-01-18 20:46 . 2008-01-18 20:47 <REP> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\WINDOWS\Historique
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\WINDOWS\Cegetel
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\Program Files\Cegetel
2008-01-18 20:45 . 1997-03-05 08:53 48,128 --a------ C:\WINDOWS\system32\SMMSCRPT.DLL
2008-01-18 20:45 . 1996-10-15 08:40 9,728 --a------ C:\WINDOWS\system32\RNAPH.DLL
2008-01-18 20:25 . 2008-01-18 20:25 <REP> d-------- C:\Program Files\Alwil Software
2008-01-18 20:25 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-18 20:25 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-18 20:25 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-18 20:25 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-18 20:25 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-18 20:25 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-18 20:25 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-18 20:25 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-18 20:25 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-18 20:23 . 2001-08-17 22:03 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-18 20:21 . 2008-01-18 20:21 <REP> d-------- C:\WINDOWS\system32\Attansic
2008-01-18 20:21 . 2008-01-18 20:21 <REP> d-------- C:\Program Files\Attansic
2008-01-18 20:21 . 2007-03-15 07:12 38,656 -ra------ C:\WINDOWS\system32\drivers\atl01_xp.sys
2008-01-18 20:20 . 2008-01-18 20:20 8,917 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-01-18 19:52 . 2008-01-18 19:52 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-01-18 19:51 . 2006-10-11 04:33 10,288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-01-18 19:51 . 2004-08-12 09:00 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-01-18 19:49 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-18 19:49 . 2008-01-18 19:49 385 --a------ C:\WINDOWS\ODBC.INI
2008-01-18 19:48 . 2008-01-18 19:48 <REP> d-------- C:\WINDOWS\SHELLNEW
2008-01-18 19:48 . 2008-01-18 19:48 <REP> d-------- C:\Program Files\Microsoft.NET
2008-01-18 19:45 . 2008-01-18 19:45 <REP> dr-h----- C:\MSOCache
2008-01-18 19:40 . 2008-01-18 19:42 <REP> d-------- C:\Program Files\Microsoft Works
2008-01-18 19:37 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-18 19:36 . 2008-01-18 19:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-18 19:36 . 2004-07-26 18:09 2,023,424 --------- C:\WINDOWS\UNNeroVision.exe
2008-01-18 19:36 . 2004-07-30 15:00 90,707 --------- C:\WINDOWS\UNNeroVision.cfg
2008-01-18 19:36 . 2001-03-08 19:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2008-01-18 19:35 . 2008-01-18 19:36 <REP> d-------- C:\Program Files\Fichiers communs\Ahead
2008-01-18 19:35 . 2008-01-18 19:37 <REP> d-------- C:\Program Files\Ahead
2008-01-18 19:35 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-01-18 19:35 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-01-18 19:35 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-01-18 19:35 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-01-18 19:35 . 2004-07-20 17:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-01-18 19:35 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-18 19:35 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-01-18 19:32 . 2001-08-31 15:07 27,255 --------- C:\WINDOWS\system32\drivers\NWWMUSB.sys
2008-01-18 19:31 . 2008-01-18 19:31 <REP> d-------- C:\Program Files\Sony Corporation
2008-01-18 19:31 . 2008-01-18 19:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 19:48 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-01-18 15:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-18 15:50 --------- d-----w C:\Program Files\Services en ligne
2008-01-18 15:50 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2008-01-18 15:43 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2008-01-18 15:43 --------- d-----w C:\Program Files\Fichiers communs\ODBC
.

((((((((((((((((((((((((((((( snapshot@2008-01-19_13.36.23.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 12:33:47 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-01-19 13:19:46 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-01-19 12:33:47 811,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\NTUSER.DAT
+ 2008-01-19 13:19:46 811,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\NTUSER.DAT
- 2008-01-19 12:33:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\UsrClass.dat
+ 2008-01-19 13:19:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\UsrClass.dat
- 2008-01-19 12:33:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
+ 2008-01-19 13:19:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
- 2008-01-19 12:33:47 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
+ 2008-01-19 13:19:47 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
- 2008-01-19 12:33:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
+ 2008-01-19 13:19:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
- 2008-01-18 22:02:10 40,972 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-19 12:37:53 40,972 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-18 22:02:10 49,734 ----a-w C:\WINDOWS\system32\perfc00C.dat
+ 2008-01-19 12:37:53 49,734 ----a-w C:\WINDOWS\system32\perfc00C.dat
- 2008-01-18 22:02:10 314,644 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-19 12:37:53 314,644 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-01-18 22:02:10 370,832 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-01-19 12:37:53 370,832 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-01-19 13:21:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_524.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-28 13:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ntuser"="C:\WINDOWS\system32\drivers\spool.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"adiras"="adiras.exe" []
"ntuser"="C:\WINDOWS\system32\drivers\spool.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-28 13:00 13312]
"ntuser"="C:\WINDOWS\system32\drivers\spool.exe" [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afk51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Taf73.sys]
@="Driver"

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\System32\DRIVERS\atl01_xp.sys [2007-03-15 07:12]
S3 Afk51;Afk51;C:\WINDOWS\System32\drivers\Afk51.sys [2008-01-18 22:38]
S3 Taf73;Taf73;C:\WINDOWS\System32\drivers\Taf73.sys [2008-01-19 11:31]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 14:21:45
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 14:22:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 13:22:04
ComboFix2.txt 2008-01-19 12:36:53

Rapport hijackthis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:23:21, on 19/01/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

g!rly · Answer

tu peux reposter un hijack this stp<´juste pour etre sur...

zuigick · Answer

Re,


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02:27, on 19/01/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

g!rly · Answer

re,

j´ai manqué le tir tout a l´heure, on va le refaire :

click sur demarrer > execute > dans la boite de dialogue tape ceci : services.msc et valid par ok
dans la fenetre des services cherche ceci :

Planificateur de tâches (Schedule)
Distributed Allocated Memory Unit

et regle les sur arreter, en clickant droit dessus et "arreter"

puis :

Copie le texte ci-dessous :

File::
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\system32\dllcache\mravsc32.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntuser"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntuser"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ntuser"=-

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports.

@+

zuigick · Answer

Re,

Cette fois il n'y a pas u de redémarrage.

Rapport Combo :

ComboFix 08-01-18.5 - Elporto 2008-01-19 20:38:13.3 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.0.1252.1.1036.18.797 [GMT 1:00]
Running from: E:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Elporto\Bureau\CFScript.txt.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\WINDOWS\system32\dllcache\mravsc32.exe
C:\WINDOWS\system32\drivers\spool.exe
.

((((((((((((((((((((((((((((( Fichiers créés 2007-12-19 to 2008-01-19 ))))))))))))))))))))))))))))))))))))
.

2008-01-19 13:35 . 2008-01-19 14:20 14,080 --a------ C:\WINDOWS\system32\drivers\sysproc.sys
2008-01-19 13:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 12:45 . 2008-01-19 12:45 <REP> d-------- C:\Program Files\Trend Micro
2008-01-19 11:31 . 2008-01-19 11:31 25,984 --a------ C:\WINDOWS\system32\drivers\Taf73.sys
2008-01-19 11:09 . 2008-01-19 11:09 <REP> d-------- C:\Documents and Settings\Elporto\Application Data\MSN6
2008-01-19 11:09 . 2008-01-19 11:09 <REP> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-18 22:49 . 2008-01-18 22:49 <REP> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-18 22:38 . 2008-01-18 22:38 25,984 --a------ C:\WINDOWS\system32\drivers\Afk51.sys
2008-01-18 22:28 . 2008-01-18 22:28 <REP> d-------- C:\WINDOWS\system32\bits
2008-01-18 22:27 . 2004-07-01 23:08 360,960 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-18 22:27 . 2004-07-01 23:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-18 22:27 . 2004-07-01 23:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-18 22:27 . 2004-07-01 23:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-18 22:27 . 2004-07-01 23:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-01-18 22:25 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-01-18 22:25 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-01-18 22:25 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-01-18 22:25 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-18 22:25 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-18 22:25 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-01-18 22:25 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-18 22:25 . 2007-07-30 19:19 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-18 22:25 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-18 22:23 . 2008-01-18 22:48 <REP> d---s---- C:\Documents and Settings\Elporto\UserData
2008-01-18 21:36 . 2008-01-18 21:36 6,656 ---hs---- C:\Documents and Settings\Elporto\msftp.dll
2008-01-18 21:32 . 2008-01-18 21:32 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-01-18 21:32 . 2008-01-18 21:32 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
2008-01-18 21:32 . 2008-01-18 21:32 6,656 ---hs---- C:\WINDOWS\system32\msftp.dll
2008-01-18 21:32 . 2008-01-18 21:32 6,656 ---hs---- C:\Documents and Settings\LocalService\msftp.dll
2008-01-18 21:30 . 2008-01-18 21:30 <REP> d-------- C:\Documents and Settings\Elporto\Contacts
2008-01-18 21:30 . 2008-01-18 21:30 268 --ah----- C:\sqmdata01.sqm
2008-01-18 21:30 . 2008-01-18 21:30 244 --ah----- C:\sqmnoopt01.sqm
2008-01-18 21:26 . 2008-01-18 21:26 268 --ah----- C:\sqmdata00.sqm
2008-01-18 21:26 . 2008-01-18 21:26 244 --ah----- C:\sqmnoopt00.sqm
2008-01-18 21:25 . 2008-01-18 21:26 435,200 --a------ C:\WINDOWS\system32\amp.exe
2008-01-18 21:25 . 2008-01-18 21:25 58 --a------ C:\WINDOWS\system32\i
2008-01-18 21:24 . 2008-01-18 21:24 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-18 21:21 . 2008-01-18 21:21 12,980 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-18 21:05 . 2008-01-18 22:18 <REP> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-18 21:05 . 2007-12-13 19:27 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-18 21:05 . 2008-01-18 22:18 353,206 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-18 21:04 . 2008-01-18 22:18 <REP> d-------- C:\WINDOWS\Internet Logs
2008-01-18 21:01 . 2008-01-18 21:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-18 20:48 . 2002-05-09 15:12 155,648 --a------ C:\WINDOWS\system32\adadix32.dll
2008-01-18 20:48 . 2003-03-27 13:38 127,145 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys
2008-01-18 20:48 . 2003-04-30 08:40 11,965 --a------ C:\WINDOWS\system32\drivers\adiusbaw.cat
2008-01-18 20:48 . 2003-02-17 11:36 342 --a------ C:\WINDOWS\adiras.ini
2008-01-18 20:48 . 2008-01-18 20:48 154 --a------ C:\WINDOWS\adidsl.ini
2008-01-18 20:48 . 2008-01-18 20:48 21 --a------ C:\WINDOWS\Fast800.ini
2008-01-18 20:47 . 2008-01-18 20:47 <REP> d-------- C:\Program Files\SAGEM
2008-01-18 20:46 . 2008-01-18 20:47 <REP> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\WINDOWS\Historique
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\WINDOWS\Cegetel
2008-01-18 20:45 . 2008-01-18 20:45 <REP> d-------- C:\Program Files\Cegetel
2008-01-18 20:45 . 1997-03-05 08:53 48,128 --a------ C:\WINDOWS\system32\SMMSCRPT.DLL
2008-01-18 20:45 . 1996-10-15 08:40 9,728 --a------ C:\WINDOWS\system32\RNAPH.DLL
2008-01-18 20:25 . 2008-01-18 20:25 <REP> d-------- C:\Program Files\Alwil Software
2008-01-18 20:25 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-18 20:25 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-18 20:25 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-18 20:25 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-18 20:25 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-18 20:25 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-18 20:25 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-18 20:25 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-18 20:25 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-18 20:23 . 2001-08-17 22:03 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-18 20:21 . 2008-01-18 20:21 <REP> d-------- C:\WINDOWS\system32\Attansic
2008-01-18 20:21 . 2008-01-18 20:21 <REP> d-------- C:\Program Files\Attansic
2008-01-18 20:21 . 2007-03-15 07:12 38,656 -ra------ C:\WINDOWS\system32\drivers\atl01_xp.sys
2008-01-18 20:20 . 2008-01-18 20:20 8,917 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-01-18 19:52 . 2008-01-18 19:52 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-01-18 19:51 . 2006-10-11 04:33 10,288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-01-18 19:51 . 2004-08-12 09:00 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-01-18 19:49 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-18 19:49 . 2008-01-18 19:49 385 --a------ C:\WINDOWS\ODBC.INI
2008-01-18 19:48 . 2008-01-18 19:48 <REP> d-------- C:\WINDOWS\SHELLNEW
2008-01-18 19:48 . 2008-01-18 19:48 <REP> d-------- C:\Program Files\Microsoft.NET
2008-01-18 19:45 . 2008-01-18 19:45 <REP> dr-h----- C:\MSOCache
2008-01-18 19:40 . 2008-01-18 19:42 <REP> d-------- C:\Program Files\Microsoft Works
2008-01-18 19:37 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-18 19:36 . 2008-01-18 19:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-18 19:36 . 2004-07-26 18:09 2,023,424 --------- C:\WINDOWS\UNNeroVision.exe
2008-01-18 19:36 . 2004-07-30 15:00 90,707 --------- C:\WINDOWS\UNNeroVision.cfg
2008-01-18 19:36 . 2001-03-08 19:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2008-01-18 19:35 . 2008-01-18 19:36 <REP> d-------- C:\Program Files\Fichiers communs\Ahead
2008-01-18 19:35 . 2008-01-18 19:37 <REP> d-------- C:\Program Files\Ahead
2008-01-18 19:35 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-01-18 19:35 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-01-18 19:35 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-01-18 19:35 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-01-18 19:35 . 2004-07-20 17:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-01-18 19:35 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-18 19:35 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-01-18 19:32 . 2001-08-31 15:07 27,255 --------- C:\WINDOWS\system32\drivers\NWWMUSB.sys
2008-01-18 19:31 . 2008-01-18 19:31 <REP> d-------- C:\Program Files\Sony Corporation
2008-01-18 19:31 . 2008-01-18 19:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 19:48 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-01-18 15:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-18 15:50 --------- d-----w C:\Program Files\Services en ligne
2008-01-18 15:50 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2008-01-18 15:43 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2008-01-18 15:43 --------- d-----w C:\Program Files\Fichiers communs\ODBC
.

((((((((((((((((((((((((((((( snapshot@2008-01-19_13.36.23.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 12:33:47 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-01-19 19:38:10 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-01-19 12:33:47 811,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\NTUSER.DAT
+ 2008-01-19 19:38:10 811,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\NTUSER.DAT
- 2008-01-19 12:33:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\UsrClass.dat
+ 2008-01-19 19:38:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\UsrClass.dat
- 2008-01-19 12:33:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
+ 2008-01-19 19:38:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
- 2008-01-19 12:33:47 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
+ 2008-01-19 19:38:10 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
- 2008-01-19 12:33:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
+ 2008-01-19 19:38:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
- 2008-01-18 22:02:10 40,972 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-19 13:22:39 40,972 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-18 22:02:10 49,734 ----a-w C:\WINDOWS\system32\perfc00C.dat
+ 2008-01-19 13:22:39 49,734 ----a-w C:\WINDOWS\system32\perfc00C.dat
- 2008-01-18 22:02:10 314,644 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-19 13:22:39 314,644 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-01-18 22:02:10 370,832 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-01-19 13:22:39 370,832 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-01-19 19:27:23 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_52c.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-28 13:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"adiras"="adiras.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-28 13:00 13312]

C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2008-01-18 20:47:58]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afk51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Taf73.sys]
@="Driver"

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\System32\DRIVERS\atl01_xp.sys [2007-03-15 07:12]
S2 Distributed Allocated Memory Unit;Distributed Allocated Memory Unit;"C:\WINDOWS\system32\dllcache\mravsc32.exe" []
S3 Afk51;Afk51;C:\WINDOWS\System32\drivers\Afk51.sys [2008-01-18 22:38]
S3 Taf73;Taf73;C:\WINDOWS\System32\drivers\Taf73.sys [2008-01-19 11:31]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 20:38:48
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 20:39:07
ComboFix-quarantined-files.txt 2008-01-19 19:38:59
ComboFix2.txt 2008-01-19 13:22:14
ComboFix3.txt 2008-01-19 12:36:53

Rapport hijackthis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:52, on 19/01/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

zuigick · Answer

Ptit up

g!rly · Answer

salut  zuigick,

fais ceci :

tu surf avec internet explorer 6.0 = failles de securitées importantes

alors fais les mises a jour windows : tu veux la version 7.0 

et pourquoi ne pas surfer avec firefox? = plus sur,  tout en gardant ie 7.0 pour les mises a jour windows car impossible a effectuer sous firefox

http://www.firefox.fr/ 

ta version de acrobat reader n´est pas a jour, tu veux la version 8.1 derniere en date alors desinstale ta version par le panneau de configuration / ajoue et suppression de programme

et instale la derniere :

https://get2.adobe.com/reader/otherversions/

ou foxit plus léger :

https://www.clubic.com/telecharger-fiche13808-foxit-reader.html

instale un par feu :

par feu : kerio

http://www.malekal.com/kerio_firewall.php#mozTocId721480

https://www.vulgarisation-informatique.com/kerio.php

ou zone alarm plus facil a configurer mais moins performant

http://www.kachouri.com/tuto/tuto-143-zonealarm-installation-du-firewall--pare-feu.html

regarde ceci concernant avast :

antivir vs avast :

-> http://forum.malekal.com/ftopic3528.php

alors je te conseille de le desinstaller et d´installer antivir a la place

Telecharge et instal l'antivirus Antivir Personal Edition Classic :

->https://www.malekal.com/avira-free-security-antivirus-gratuit/

https://www.avira.com/en/prime

http://mickael.barroux.free.fr/securite/antivir.php <- tutoriel configuration du scanner...

une fois antivir ouvert click surconfiguration et coche la case "expert mode" puis sur l´onglet scanner dans la fenetre du dessous tu va voir : rootkit search click sur le petit + pour deployer et coche la case a coté de ton disk dur
puis click sur configuration en haut a droite puis dans la nouvelle fenetre a gauche >scanner > scan all files et en dessous >scanner priority = High
toujours a gauche > scan > deploie > heuristique > macrovirus heuristic = coché et en dessous > win32 heuristic la case coché et high detection level

et effectue un scan complet a l´aide d´antir et post le rapport ici avec un nouveau hijack this stp

@+

zuigick · Answer

Re G!rly


- Adobe reader 8.1 installé.
- Kerio, antivir installé.
- Service pack 2 et internet explorer 7 installés.




Rapport antivir :



AntiVir PersonalEdition Classic
Report file date: dimanche 20 janvier 2008  20:47

Scanning for 835736 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         SYSTEM
Computer name:    ELPORTO-A95CWCE

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.0.0     1640448 Bytes  13/09/2007 14:26:55
ANTIVIR2.VDF : 7.0.0.1        2048 Bytes  13/09/2007 14:27:04
ANTIVIR3.VDF : 7.0.0.2        2048 Bytes  13/09/2007 14:27:13
AVEWIN32.DLL : 7.6.0.15    2806272 Bytes  17/09/2007 17:43:56
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.3.0.15     360488 Bytes  03/08/2007 08:46:00
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: dimanche 20 janvier 2008  20:47

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'dslmon.exe' - '1' Module(s) have been scanned
Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'SMax4.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
27 processes with 27 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [NOTE]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
      [NOTE]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '24' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\QooBox\Quarantine\C\jxbytp.exe.vir
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [INFO]      The file was moved to '47f5ae5a.qua'!
C:\QooBox\Quarantine\C\wjdv.exe.vir
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47f7ae51.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\dllcache\mravsc32.exe.vir
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47f4ae5e.qua'!
C:\QooBox\Quarantine\C\WINDOWS\Temp\348765.exe.vir
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was moved to '47cbae23.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP17\snapshot\_REGISTRY_MACHINE_SYSTEM
      [DETECTION] Contains detection pattern of the Kinnison virus
      [INFO]      The file was moved to '47d8ae56.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP22\A0004626.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae50.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP22\A0004628.exe
      [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/FSG). Please verify the origin of the file
      [INFO]      The file was moved to '47c3ae54.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP22\A0005627.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae57.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP22\A0005629.exe
      [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/FSG). Please verify the origin of the file
      [INFO]      The file was moved to '47c3ae5a.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0006730.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae60.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0006731.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae62.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0006733.exe
      [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/FSG). Please verify the origin of the file
      [INFO]      The file was moved to '47c3ae64.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0006734.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae66.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0008731.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae68.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0008732.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae6c.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0008733.exe
      [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/FSG). Please verify the origin of the file
      [INFO]      The file was moved to '47c3ae6e.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0008734.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae71.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0009731.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae73.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0009732.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae75.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0009733.exe
      [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/FSG). Please verify the origin of the file
      [INFO]      The file was moved to '47c3ae78.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0009734.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae7c.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0010732.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae7e.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0010733.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae81.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0010734.exe
      [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/FSG). Please verify the origin of the file
      [INFO]      The file was moved to '47c3ae84.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0010735.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae85.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0010763.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae87.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0010764.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae8a.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0010765.exe
      [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/FSG). Please verify the origin of the file
      [INFO]      The file was moved to '47c3ae8c.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP25\A0010766.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
      [INFO]      The file was moved to '47c3ae8f.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP26\A0011841.com
      [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
      [INFO]      The file was moved to '47c3ae92.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP26\A0011858.exe
      [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
      [INFO]      The file was moved to '47c3ae95.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP27\A0011865.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [INFO]      The file was moved to '47c3ae97.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP27\A0011866.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae99.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP27\A0011868.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '47c3ae9b.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP27\A0011906.com
      [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
      [INFO]      The file was moved to '47c3ae9e.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP27\A0011932.exe
      [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
      [INFO]      The file was moved to '47c3aea2.qua'!
C:\System Volume Information\_restore{8B65584B-7EAE-4EB2-B6F3-603CD72A5F75}\RP28\A0011954.com
      [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
      [INFO]      The file was moved to '47c3aea4.qua'!
C:\WINDOWS\NirCmd.exe
      [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
      [INFO]      The file was moved to '4805af3a.qua'!
C:\WINDOWS\system32\amp.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was moved to '4803b02d.qua'!
C:\WINDOWS\system32\dxdss.sys
      [WARNING]   The file could not be opened!


End of the scan: dimanche 20 janvier 2008  21:33
Used time: 45:10 min

The scan has been done completely.

   1668 Scanning directories
 161121 Files were scanned
     26 viruses and/or unwanted programs were found
     13 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
     39 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
 161095 Files not concerned
    766 Archives were scanned
      2 Warnings
      0 Notes




Rapport hijackthis :




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:38:58, on 20/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.01net.com/telecharger/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.01net.com/telecharger/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.01net.com/telecharger/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

g!rly · Answer

re,

ok tres bien,

fais ceci maintenant :

Click sur Démarrer puis sur Exécuter,  dans la boite de dialogue tape :

sc stop DistributedAllocatedMemoryUnit valide par ok.

Click sur Démarrer puis sur Exécuter,  dans la boite de dialogue tape :

sc delete DistributedAllocatedMemoryUnit valide par ok

et repost un hijack this

@+

zuigick · Answer

Re, :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:28:44, on 21/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.01net.com/telecharger/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.01net.com/telecharger/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.01net.com/telecharger/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS	emp\NavBrowser.exe" /r /i "C:\WINDOWS	emp\NavLoad.ini"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

g!rly · Answer

re,

tu as bien respecté les espaces en fesant la commande par excecuté?

Click sur Démarrer puis sur Exécuter, dans la boite de dialogue tape :

sc(espace)stop(espace)DistributedAllocatedMemoryUnit valide par ok.

Click sur Démarrer puis sur Exécuter, dans la boite de dialogue tape :

sc(espace)delete(espace)DistributedAllocatedMemoryUnit valide par ok

@+

zuigick · Answer

Re,

Oui me semble que je l'avai tapé de cette manière un fenêtre bios c'etait ouverte, je l'ai refait au cas ou.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:55:18, on 21/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.01net.com/telecharger/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.01net.com/telecharger/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS	emp\NavBrowser.exe" /r /i "C:\WINDOWS	emp\NavLoad.ini"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

g!rly · Answer

re,

je ne te cache pas que j´ai du mal pour supprimer les services, je vais essayer de me renseigner, et reviendrais...

@+

zuigick · Answer

D'accord je te remerci pour tous, à bientôt.

g!rly · Answer

salut zuigick,

Comme promis me revoila avec la solution apportée par un membre du forum, que je remercie encore une fois ;-)

voila comment procéder :

1°- « Démarrer » > « Executer » > taper cmd >

sc stop "Distributed Allocated Memory Unit" ==> [Enter]
sc config "Distributed Allocated Memory Unit" start= disabled ==> [Enter]

2°- Redémarre MSE (mode sans echec) .Choisis ton compte usuel, et non Administrateur.

3°- « Démarrer » > « Executer » > taper cmd >

sc delete "Distributed Allocated Memory Unit" ==> [Enter] 

ps : respecte bien les espace,  au besoin tu peux faire des copiers/collés pour etre sur...

repost un nouveau hijack this apres la manip`

@+

Win32:agent-oli need help

26 réponses

Votre réponse

Discussions similaires

Newsletters