trojans Worms/ntech et TR/pandex Résolu/Fermé

Question

Bonjour,

J'utilise antivir + Avast (uniquement pour le courrier)  et je n'arrive pas à me débarasser de ces trojans. J'ai lancer l'antivirus (avast, antivir, bit defender) plusieurs fois  , il me trouve à chaque fois des virus que je mets en quarantaine et pourtant chaque fois que je me cconnecte au réseau je les retrouve (il prenne mon PC pour un emetteur de mail et j'ai gardé Avast, car il detecte l'émission anormal de mail => j'espere que cela evite à certaines personnes d'être pollués)

la derniere manip en date : 
J'ai arrete le restore system, booté en mode sans echec , passer antivir, puis rebooté normal et remise en place du restore system. Et dès que je connecte sur internet , badaboom ca recommence.

J'ai le log du scan antivir (passé en mode sans echec), du hijackthis que j'ai passé après. Je peux les poster si quelqu'un peut m'aider.

Je vois dans les autres sujets, que je ne suis pas seul dans ce cas, par contre, je ne suis pas sur que je puisse réutiliser tel quel les procedures decrites. Donc d'avance, grand merci à un petit coup de main.

les derniers virus detect&é par antivir sont TR/Pandex.L.2  et WORM/Ntech.Z.4

g!rly · Answer

salut,

Télécharge combofix.exe (par sUBs) sur ton Bureau.

-> http://download.bleepingcomputer.com/sUBs/ComboFix.exe      

-> Double clique combofix.exe.
-> Tape sur la touche 1 (Yes) pour démarrer le scan.
-> Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse. 

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

et

Télécharge HijackThis ici : 

-> http://www.commentcamarche.net/telecharger/telecharger 159 hijackthis

Tutoriel d´utilisation (video) :

-> http://pageperso.aol.fr/balltrap34/demohijack.htm

Post le rapport généré ici stp...

@+

fch22 · Answer

Voici le rapport (j'ai eu un stack overflow au début, mais bon il a quand même été jusqu'au bout ComboFix 08-01-29.3 - parents 2008-01-29 19:57:42.1 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.110 [GMT 1:00]Endroit: C:\Documents and Settings\parents\Bureau\ComboFix.exe * Création d'un nouveau point de restauration . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\Helper C:\Program Files\Helper\superfindout.dll C:\Program Files\Temporary C:\WINDOWS\system32\5_exception.nls C:\WINDOWS\system32\sft.res . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\runtime -------\smtpdrv ((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))))))) . 2008-01-27 13:43 . 2008-01-27 13:43 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus! 2008-01-24 22:05 . 2008-01-29 20:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-24 22:05 . 2008-01-24 22:05 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Program Files\Avira 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-01-23 19:10 . 2008-01-27 13:47 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2008-01-23 19:04 . 2008-01-27 13:48 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender 2008-01-22 19:40 . 2008-01-22 19:40 d-------- C:\Program Files\Trend Micro 2008-01-21 12:14 . 2008-01-24 01:34 25,984 --a------ C:\WINDOWS\system32\drivers\Nru68.sys 2008-01-21 12:13 . 2008-01-21 12:14 2 --a------ C:\-1596445751 2008-01-01 23:43 . 2008-01-01 23:43 d-------- C:\Documents and Settings\parents\Application Data\Skyline 2008-01-01 11:47 . 2008-01-01 11:47 d-------- C:\Program Files\Intuisphere . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-29 18:24 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-01-28 11:18 --------- d-----w C:\Documents and Settings\parents\Application Data\Canon 2008-01-27 12:44 --------- d-----w C:\Program Files\Neuf 2008-01-27 12:37 --------- d-----w C:\Program Files\Mindscape 2008-01-27 12:35 --------- d-----w C:\Program Files\Audio MP3 Converter 2008-01-27 11:58 --------- d-----w C:\Program Files\Fichiers communs\Adobe 2008-01-27 09:57 --------- d-----w C:\Program Files\SuperCopier2 2008-01-27 09:45 --------- d-----w C:\Program Files\AtomixMP3 2008-01-07 17:24 --------- d-----w C:\Documents and Settings\parents\Application Data\OpenOffice.org2 2007-12-14 16:18 --------- d-----w C:\Documents and Settings\ronan\Application Data\OpenOffice.org2 2007-12-13 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm 2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-03 11:29 --------- d-----w C:\Program Files\BoontyGames 2007-12-03 11:26 --------- d-----w C:\Program Files\Boonty 2007-12-02 19:45 --------- d-----w C:\Program Files\HP 2007-12-02 19:45 --------- d-----w C:\Program Files\Hewlett-Packard 2005-06-25 08:20 8,192 --sha-w C:\WINDOWS\o2cLicStore.bin 2004-08-05 13:00 65,024 --sha-w C:\WINDOWS\system32\asycfilt.dll 2004-08-05 13:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll 2004-08-05 13:00 57,344 --sha-w C:\WINDOWS\system32\mfc42loc.dll 2004-08-05 13:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll 2004-08-05 13:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll 2004-08-05 13:00 253,952 --sha-w C:\WINDOWS\system32\msvcrt20.dll 2007-05-17 11:29 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll 2004-08-05 13:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll 2004-08-05 13:00 30,749 --sha-w C:\WINDOWS\system32\vbajet32.dll . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D}"= C:\WINDOWS\system32\pbfrv2.dll [ ] [HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-ed6ab685fa7d}] [HKEY_CLASSES_ROOT\pbfrv2.PBFRV2] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Configuration de la C-BOX"="C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe" [2004-12-21 18:17 395264] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 10:57 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 14:00 208952] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968] "PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-10-08 03:14 81920] "ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 10:31 24576] "Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 10:38 49152] "TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2005-01-20 08:52 180269] "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-08-31 14:41 222784] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-23 23:37 249896] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360] "DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [ ] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe" [ ] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nru68.sys] @="Driver" R0 Nru68;Nru68;C:\WINDOWS\system32\Drivers\Nru68.sys [2008-01-24 01:34] R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-10-18 16:36] R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [1998-08-22 11:00] R3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S1 astq;astq;C:\WINDOWS\system32\drivers\astq.tga [] S2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [] S3 38a530a3-8412-4567-b27d-ba7003797791;38a530a3-8412-4567-b27d-ba7003797791;D:\Player\cds300.dll [] S3 jatmlano;jatmlano;C:\DOCUME~1\parents\LOCALS~1\Temp\jatmlano.sys [] S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 12:12] S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 12:12] S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 12:12] S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 12:12] S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 12:12] S3 ovt530;Webcam Classic;C:\WINDOWS\system32\Drivers\ov530vid.sys [2005-03-15 16:04] S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41] S3 VRETRACE;VRETRACE;C:\DOCUME~1\parents\LOCALS~1\Temp\VRETRACE.sys [] S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe [] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-29 20:06:26 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cach‚s ... Balayage cach‚ autostart entries ... Balayage des fichiers cach‚s ... Scan termin‚ avec succŠs Les fichiers cach‚s: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI] "ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe" . --------------------- DLLs a charg‚ sous des processus courants --------------------- PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156] -> C:\Program Files\Hercules\WebCam Station\PhotoImpression\share\pihook.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\slrundll.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Apps\Powercinema\PCMService.exe C:\apps\ABoard\ABoard.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\apps\ABoard\AOSD.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\microsoft office\Office\FINDFAST.EXE C:\Program Files\iPod\bin\iPodService.exe . ************************************************************************** . Temps d'accomplissement: 2008-01-29 20:11:20 - machine was rebooted [parents] ComboFix-quarantined-files.txt 2008-01-29 19:11:16 . 2008-01-27 09:13:26 --- E O F ---

g!rly · Answer

ok

peux tu poster le hijack this stp

@+

fch22 · Answer

et voici le rapport hijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22:03, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\microsoft office\Office\FINDFAST.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32
otepad.exe
C:\Program Files\Mozilla Thunderbird	hunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe"  -osboot
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Configuration de la C-BOX] C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\microsoft office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin
pjpi150_06.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin
pjpi150_06.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {42E1F024-ECC3-456F-B98A-4CE5ACDBF25C} (ActiveFormX Contrôle) - http://ssl-tb.sitadelle.com/...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

g!rly · Answer

re,

Copie le texte ci-dessous :

File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for 
C:\-1596445751

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D}"=-
[-HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-ed6ab685fa7d}]
[-HKEY_CLASSES_ROOT\pbfrv2.PBFRV2]

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports.

fais analyser ceci sur virus total :

C:\WINDOWS\system32\Drivers\Nru68.sys

https://www.virustotal.com/gui/

puis regarde ceci :

A propos de Boonty games

Utilises tu des jeux de boonty games depuis longtemps ?

Voici une petite information sur Boonty games

Leur politique :

"Il se peut que nous partageons aussi des informations payantes avec des tiers
qui fournissent des services payants et partage des données regroupées montrant le type
et le nombre de jeux vidéos que vous téléchargez, votre age, votre sexe, vos occupations,
niveau d'éducation, localité géographique, données sur l'équipement de votre ordinateur,
internet et intérêts pour les jeux vidéos, activités et entraînement des jeux édités.
De plus, nous partageons les adresses email avec des tiers fournisseurs de compte mails
qui nous assistent en envoyant nos mails a de nombreux clients en même temps..."

Si tu es d'accord avec eux, pas de problèmes sinon, il faut désinstaller le service 

dis moi quoi pour boonty et post les rapports demandés

@+

fch22 · Answer

Voici le rapport Combo Ensuite quand je clique sur le lien https://www.virustotal.com/gui/ et que je fournit le fichier, il me repond "0 bytes size received / Se ha recibido un archivo vacio",normal? et enfin , je n'ai pas compris ton message sur Boonty games, c'est quoi ? de toutes facons, pas au courant , donc je desinstalle, mais si tu peux m'indiquer la procédure (tu sais d'ou ca vient ces jeux?), merci d'avance ComboFix 08-01-29.3 - parents 2008-01-29 20:55:49.2 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.103 [GMT 1:00] Endroit: C:\Documents and Settings\parents\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\parents\Bureau\CFScript.txt * Création d'un nouveau point de restauration FILE C:\-1596445751 C:\WINDOWS\QTFont.for C:\WINDOWS\QTFont.qfn . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\-1596445751 C:\Documents and Settings onan\Mes documents\musike\musique diam s ronan\Bonus\Album\_desktop.ini C:\Documents and Settings onan\Mes documents\musike\musique diam s ronan\Bonus\Live\_desktop.ini C:\WINDOWS\QTFont.for C:\WINDOWS\QTFont.qfn . ((((((((((((((((((((((((((((( Fichiers créés 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))))))) . 2008-01-27 13:43 . 2008-01-27 13:43 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus! 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Program Files\Avira 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-01-23 19:10 . 2008-01-27 13:47 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2008-01-23 19:04 . 2008-01-27 13:48 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender 2008-01-22 19:40 . 2008-01-22 19:40 d-------- C:\Program Files\Trend Micro 2008-01-21 12:14 . 2008-01-24 01:34 25,984 --a------ C:\WINDOWS\system32\drivers\Nru68.sys 2008-01-01 23:43 . 2008-01-01 23:43 d-------- C:\Documents and Settings\parents\Application Data\Skyline 2008-01-01 11:47 . 2008-01-01 11:47 d-------- C:\Program Files\Intuisphere . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-29 19:12 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-01-28 11:18 --------- d-----w C:\Documents and Settings\parents\Application Data\Canon 2008-01-27 12:44 --------- d-----w C:\Program Files\Neuf 2008-01-27 12:37 --------- d-----w C:\Program Files\Mindscape 2008-01-27 12:35 --------- d-----w C:\Program Files\Audio MP3 Converter 2008-01-27 11:58 --------- d-----w C:\Program Files\Fichiers communs\Adobe 2008-01-27 09:57 --------- d-----w C:\Program Files\SuperCopier2 2008-01-27 09:45 --------- d-----w C:\Program Files\AtomixMP3 2008-01-21 18:39 14,336 ----a-w C:\WINDOWS\system32\svchost.exe 2008-01-21 18:39 14,336 ----a-w C:\WINDOWS\system32\svchost(2).exe 2008-01-21 18:39 14,336 ----a-w C:\WINDOWS\system32\dllcache\svchost.exe 2008-01-07 17:24 --------- d-----w C:\Documents and Settings\parents\Application Data\OpenOffice.org2 2007-12-14 16:18 --------- d-----w C:\Documents and Settings onan\Application Data\OpenOffice.org2 2007-12-13 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm 2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-12-03 11:29 --------- d-----w C:\Program Files\BoontyGames 2007-12-03 11:26 --------- d-----w C:\Program Files\Boonty 2007-12-02 19:45 --------- d-----w C:\Program Files\HP 2007-12-02 19:45 --------- d-----w C:\Program Files\Hewlett-Packard 2007-11-07 09:28 728,576 ----a-w C:\WINDOWS\system32\lsasrv.dll 2007-11-07 09:28 728,576 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll 2007-10-30 23:23 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache cpip.sys 2007-10-29 22:43 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-29 22:43 1,293,824 ------w C:\WINDOWS\system32\dllcache\quartz.dll 2005-06-25 08:20 8,192 --sha-w C:\WINDOWS\o2cLicStore.bin 2004-08-05 13:00 65,024 --sha-w C:\WINDOWS\system32\asycfilt.dll 2004-08-05 13:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll 2004-08-05 13:00 57,344 --sha-w C:\WINDOWS\system32\mfc42loc.dll 2004-08-05 13:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll 2004-08-05 13:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll 2004-08-05 13:00 253,952 --sha-w C:\WINDOWS\system32\msvcrt20.dll 2007-05-17 11:29 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll 2004-08-05 13:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll 2004-08-05 13:00 30,749 --sha-w C:\WINDOWS\system32\vbajet32.dll . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Configuration de la C-BOX"="C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe" [2004-12-21 18:17 395264] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 10:57 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 14:00 208952] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968] "PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-10-08 03:14 81920] "ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 10:31 24576] "Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 10:38 49152] "TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe" [2005-01-20 08:52 180269] "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-08-31 14:41 222784] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-23 23:37 249896] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360] "DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [ ] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe" [ ] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968] C:\Documents and Settings\arnaud\Menu D‚marrer\Programmes\D‚marrage\ OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 18:42:22 61440] C:\Documents and Settings onan\Menu D‚marrer\Programmes\D‚marrage\ OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 18:42:22 61440] C:\Documents and Settings\parents\Menu D‚marrer\Programmes\D‚marrage\ Microsoft Recherche acc‚l‚r‚e.lnk - C:\Program Files\microsoft office\Office\FINDFAST.EXE [1996-12-16 23:00:00 111376] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nru68.sys] @="Driver" R0 Nru68;Nru68;C:\WINDOWS\system32\Drivers\Nru68.sys [2008-01-24 01:34] R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-10-18 16:36] R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [1998-08-22 11:00] R3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S1 astq;astq;C:\WINDOWS\system32\drivers\astq.tga [] S2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [] S3 38a530a3-8412-4567-b27d-ba7003797791;38a530a3-8412-4567-b27d-ba7003797791;D:\Player\cds300.dll [] S3 jatmlano;jatmlano;C:\DOCUME~1\parents\LOCALS~1\Temp\jatmlano.sys [] S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 12:12] S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 12:12] S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 12:12] S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 12:12] S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 12:12] S3 ovt530;Webcam Classic;C:\WINDOWS\system32\Drivers\ov530vid.sys [2005-03-15 16:04] S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41] S3 VRETRACE;VRETRACE;C:\DOCUME~1\parents\LOCALS~1\Temp\VRETRACE.sys [] S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe [] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-29 21:00:26 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI] "ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe" . Temps d'accomplissement: 2008-01-29 21:02:27 ComboFix-quarantined-files.txt 2008-01-29 20:02:18 ComboFix2.txt 2008-01-29 19:11:20 . 2008-01-27 09:13:26 --- E O F ---

g!rly · Answer

ok,

pour bounty

Copie le texte ci-dessous :

Folder::
C:\Program Files\BoontyGames
C:\Program Files\Boonty

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports.

et 

Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
• Redémarre ton ordinateur
• Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde).
• A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
• Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
• Choisis ton compte.
Déroule la liste des instructions ci-dessous :
• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
• Appuie sur Y pour commencer le processus de nettoyage.
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
• Appuie sur une touche pour redémarrer le PC.
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
• Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum

post les rapports stp

@+

fch22 · Answer

Salut, un vrai parcours du combattant ! voila déja le comb, puis le hijack, après je m'attaque au SDFIX. ComboFix 08-01-29.3 - parents 2008-01-29 22:46:15.3 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.215 [GMT 1:00] Endroit: C:\Documents and Settings\parents\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\parents\Bureau\CFScript.txt * Création d'un nouveau point de restauration . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\Boonty C:\Program Files\BoontyGames C:\Program Files\BoontyGames hunderbolt2{221667}.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\smtpdrv ((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))))))) . 2008-01-29 21:49 . 2008-01-29 21:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-29 21:49 . 2008-01-29 21:49 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-27 13:43 . 2008-01-27 13:43 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus! 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Program Files\Avira 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-01-23 19:10 . 2008-01-27 13:47 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2008-01-23 19:04 . 2008-01-27 13:48 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender 2008-01-22 19:40 . 2008-01-22 19:40 d-------- C:\Program Files\Trend Micro 2008-01-21 12:14 . 2008-01-24 01:34 25,984 --a------ C:\WINDOWS\system32\drivers\Nru68.sys 2008-01-01 23:43 . 2008-01-01 23:43 d-------- C:\Documents and Settings\parents\Application Data\Skyline 2008-01-01 11:47 . 2008-01-01 11:47 d-------- C:\Program Files\Intuisphere . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-29 21:07 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-01-28 11:18 --------- d-----w C:\Documents and Settings\parents\Application Data\Canon 2008-01-27 12:44 --------- d-----w C:\Program Files\Neuf 2008-01-27 12:37 --------- d-----w C:\Program Files\Mindscape 2008-01-27 12:35 --------- d-----w C:\Program Files\Audio MP3 Converter 2008-01-27 11:58 --------- d-----w C:\Program Files\Fichiers communs\Adobe 2008-01-27 09:57 --------- d-----w C:\Program Files\SuperCopier2 2008-01-27 09:45 --------- d-----w C:\Program Files\AtomixMP3 2008-01-07 17:24 --------- d-----w C:\Documents and Settings\parents\Application Data\OpenOffice.org2 2007-12-14 16:18 --------- d-----w C:\Documents and Settings onan\Application Data\OpenOffice.org2 2007-12-13 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm 2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-02 19:45 --------- d-----w C:\Program Files\HP 2007-12-02 19:45 --------- d-----w C:\Program Files\Hewlett-Packard 2005-06-25 08:20 8,192 --sha-w C:\WINDOWS\o2cLicStore.bin 2004-08-05 13:00 65,024 --sha-w C:\WINDOWS\system32\asycfilt.dll 2004-08-05 13:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll 2004-08-05 13:00 57,344 --sha-w C:\WINDOWS\system32\mfc42loc.dll 2004-08-05 13:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll 2004-08-05 13:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll 2004-08-05 13:00 253,952 --sha-w C:\WINDOWS\system32\msvcrt20.dll 2007-05-17 11:29 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll 2004-08-05 13:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll 2004-08-05 13:00 30,749 --sha-w C:\WINDOWS\system32\vbajet32.dll . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Configuration de la C-BOX"="C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe" [2004-12-21 18:17 395264] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 10:57 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 14:00 208952] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968] "PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-10-08 03:14 81920] "ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 10:31 24576] "Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 10:38 49152] "TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe" [2005-01-20 08:52 180269] "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-08-31 14:41 222784] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-23 23:37 249896] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360] "DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [ ] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe" [ ] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nru68.sys] @="Driver" R0 Nru68;Nru68;C:\WINDOWS\system32\Drivers\Nru68.sys [2008-01-24 01:34] R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-10-18 16:36] R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [1998-08-22 11:00] R3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S1 astq;astq;C:\WINDOWS\system32\drivers\astq.tga [] S2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [] S3 38a530a3-8412-4567-b27d-ba7003797791;38a530a3-8412-4567-b27d-ba7003797791;D:\Player\cds300.dll [] S3 jatmlano;jatmlano;C:\DOCUME~1\parents\LOCALS~1\Temp\jatmlano.sys [] S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 12:12] S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 12:12] S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 12:12] S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 12:12] S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 12:12] S3 ovt530;Webcam Classic;C:\WINDOWS\system32\Drivers\ov530vid.sys [2005-03-15 16:04] S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41] S3 VRETRACE;VRETRACE;C:\DOCUME~1\parents\LOCALS~1\Temp\VRETRACE.sys [] S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe [] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-29 22:53:29 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cach‚s ... Balayage cach‚ autostart entries ... Balayage des fichiers cach‚s ... Scan termin‚ avec succŠs Les fichiers cach‚s: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI] "ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe" . --------------------- DLLs a charg‚ sous des processus courants --------------------- PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156] -> C:\Program Files\Hercules\WebCam Station\PhotoImpression\share\pihook.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe C:\WINDOWS\system32\fxssvc.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\system32\slrundll.exe C:\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Apps\Powercinema\PCMService.exe C:\apps\ABoard\ABoard.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\apps\ABoard\AOSD.exe C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\microsoft office\Office\FINDFAST.EXE C:\Program Files\iPod\bin\iPodService.exe . ************************************************************************** . Temps d'accomplissement: 2008-01-29 22:58:05 - machine was rebooted ComboFix-quarantined-files.txt 2008-01-29 21:58:01 ComboFix2.txt 2008-01-29 20:47:34 ComboFix3.txt 2008-01-29 19:11:20 . 2008-01-27 09:13:26 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:07:32, on 29/01/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\slrundll.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Apps\Powercinema\PCMService.exe C:\apps\ABoard\ABoard.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\apps\ABoard\AOSD.exe C:\Program Files\microsoft office\Office\FINDFAST.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe" O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe" -osboot O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [Configuration de la C-BOX] C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\microsoft office\Office\FINDFAST.EXE O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin pjpi150_06.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin pjpi150_06.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB O16 - DPF: {42E1F024-ECC3-456F-B98A-4CE5ACDBF25C} (ActiveFormX Contrôle) - http://ssl-tb.sitadelle.com/... O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

g!rly · Answer

re,

c´est pas encore fini...

j´ai vu que tu as installé antivir, c´est bien ;-)  mais il faut desinstaller avast !!!

instales aussi 

par feu : kerio

http://www.malekal.com/kerio_firewall.php#mozTocId721480

https://www.vulgarisation-informatique.com/kerio.php

https://kerio.probb.fr/f2-sunbelt-kerio-personal-firewall

ou zone alarm plus facil a configurer mais moins performant

https://www.malekal.com/tutoriel-zonealarm-firewall/

puis fais ceci : sdfix : que je t´avais demandé de faire plus haut :

Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
• Redémarre ton ordinateur
• Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde).
• A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
• Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
• Choisis ton compte.
Déroule la liste des instructions ci-dessous :
• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
• Appuie sur Y pour commencer le processus de nettoyage.
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
• Appuie sur une touche pour redémarrer le PC.
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
• Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum

@+

fch22 · Answer

Voici le rapport de SDFix. Le probleme , c'est que après le dernier reboot, dès que j'ai remis internet, Antivir m'a de nouveau détecté WORM/Ntech et TR/pandex. Quelle est la suite ?



SDFix: Version 1.133

Run by parents on 29/01/2008 at 23:20

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\parents\Bureau\SDFix

Safe Mode:
Checking Services: 

Name:
astq
FFI
smtpdrv

Path:
\??\C:\WINDOWS\system32\drivers\astq.tga 
C:\WINDOWS\system32\svchost.exe:exm.exe 
System32\DRIVERS\smtpdrv.sys 

astq - Deleted
FFI - Deleted
smtpdrv - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files: 

No Trojan Files Found






Removing Temp Files...

ADS Check:

 


                                 Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 23:28:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:74,a7,b5,1c,d5,a6,4b,eb,49,c8,ec,d6,93,2f,35,bc,1c,7c,21,25,f6,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:b9,e5,c1,4c,dc,9e,bc,71,b0,0f,9f,ff,58,83,f5,79,ba,24,76,a6,3f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:01,c7,3b,da,ec,ce,11,6a,6d,ca,ba,c0,89,7c,46,00,a0,d3,40,0a,65,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:74,a7,b5,1c,d5,a6,4b,eb,49,c8,ec,d6,93,2f,35,bc,1c,7c,21,25,f6,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:b9,e5,c1,4c,dc,9e,bc,71,b0,0f,9f,ff,58,83,f5,79,ba,24,76,a6,3f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:01,c7,3b,da,ec,ce,11,6a,6d,ca,ba,c0,89,7c,46,00,a0,d3,40,0a,65,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 20 Jan 2005           215 A.SHR --- "C:\BOOT.BAK"
Fri 12 Mar 2004        54,384 A..H. --- "C:\Program Files\AOL 9.0\aolphx.exe"
Fri 12 Mar 2004       156,784 A..H. --- "C:\Program Files\AOL 9.0\aoltray.exe"
Fri 12 Mar 2004        31,344 A..H. --- "C:\Program Files\AOL 9.0\RBM.exe"
Sun 14 Oct 2007     5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Thu  5 Aug 2004        65,024 A.SH. --- "C:\WINDOWS\system32\asycfilt.dll"
Thu  5 Aug 2004     1,028,096 A.SH. --- "C:\WINDOWS\system32\mfc42.dll"
Thu  5 Aug 2004        57,344 A.SH. --- "C:\WINDOWS\system32\mfc42loc.dll"
Thu  5 Aug 2004       413,696 A.SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Thu  5 Aug 2004       343,040 A.SH. --- "C:\WINDOWS\system32\msvcrt.dll"
Thu  5 Aug 2004       253,952 A.SH. --- "C:\WINDOWS\system32\msvcrt20.dll"
Thu 17 May 2007       549,376 A.SH. --- "C:\WINDOWS\system32\oleaut32.dll"
Thu  5 Aug 2004        83,456 A.SH. --- "C:\WINDOWS\system32\olepro32.dll"
Thu  5 Aug 2004        30,749 A.SH. --- "C:\WINDOWS\system32\vbajet32.dll"
Sun 31 Dec 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 29 May 2006        61,440 A..H. --- "C:\Documents and Settings\ronan\Mes documents\‚xpos‚ guyane\~WRL0004.tmp"
Mon  5 Jun 2006        19,456 A..H. --- "C:\Documents and Settings\ronan\Mes documents\‚xpos‚ guyane\~WRL3681.tmp"
Tue 10 May 2005        10,198 A..H. --- "C:\Program Files\microsoft office\Office\Gestionnaire Office\Off2.tmp"
Wed 16 Nov 2005        10,198 A..H. --- "C:\Program Files\microsoft office\Office\Gestionnaire Office\Off3.tmp"
Thu 19 Jan 2006         2,030 A..H. --- "C:\Documents and Settings\arnaud\Mes documents\arnaud\inconnues\~WRL0001.tmp"
Thu 19 Jan 2006         4,616 A..H. --- "C:\Documents and Settings\arnaud\Mes documents\arnaud\inconnues\~WRL0002.tmp"
Thu 19 Jan 2006         5,019 A..H. --- "C:\Documents and Settings\arnaud\Mes documents\arnaud\inconnues\~WRL0003.tmp"
Mon  9 Jan 2006           581 A..H. --- "C:\Documents and Settings\arnaud\Mes documents\arnaud\inconnues\~WRL0182.tmp"
Fri 12 Mar 2004       106,496 A..H. --- "C:\Program Files\Fichiers communs\aolshare\shell\fr\shellext.dll"

Finished!

fch22 · Answer

question par rapport à ton dernier post: je desinstall AVAST , j'install Kerio et je relance SDFIX ? ou le dernier rapport SDFIX suffit ?

en tout cas , je tiens à te remercier pour ton aide

fch22 · Answer

Bon voila, j'ai desinstalle avast, et installé Kerio .
Faut-il relancer SDFIX ? (antivir m'a encore detecte mes 2 virus au redemarrage)

g!rly · Answer

re,

peux tu reposter un rapport hijack this et un combofix

@+

fch22 · Answer

c'est parti je te poste cela tout de suite

g!rly · Answer

ok

fch22 · Answer

et voila

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20:26, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\microsoft office\Office\FINDFAST.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird	hunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe"  -osboot
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Configuration de la C-BOX] C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\microsoft office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin
pjpi150_06.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin
pjpi150_06.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {42E1F024-ECC3-456F-B98A-4CE5ACDBF25C} (ActiveFormX Contrôle) - http://ssl-tb.sitadelle.com/...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

g!rly · Answer

re,

fais ceci et posat le rapport ici :

A.V.G :

-> Télécharger AVG Anti-Spyware (ewido)

   http://www.commentcamarche.net/telecharger/telecharger 218 avg anti spyware

-> L´installer.

-> lancer AVG Anti-Spyware et clicker sur le bouton Mise à jour. Patienter...
   
   p.s : si les mises a jours ne se font pas, elles sont telechargable ici :

   http://downloads.ewido.net/avgas-signatures-full-current.exe

-> Sur la page "analyse":

   choisir d´abord l'onglet "paramètres".
   
   sous « Comment réagir » clicker sur « Actions recommandées » et dans le menu déroulant, choisir « Supprimer ».

-> Lancer le scan, (c´est long...).

-> A la fin du scan copier Et coller le rapport ici. 

-> Une aide en image au cas ou :

   Tutoriel d´installation et de parametrages :

   http://www.kachouri.com/tuto/tuto-161-avg-anti-spyware-75-pour-votre-securite.html   

note : supprime bien tout ce qu´il a trouvé a la fin et post le rapport.

@demain...

fch22 · Answer

ok, je lance cela demain, bonne nuit et merci

g!rly · Answer

ok
merci toi aussi 
@+

fch22 · Answer

Bonjour,

voici le rapport AVG (PS, j'ai toujours AD-aware d'installé, faut-il le desinstaller pour le remplacer par AVG?). 
Quelle est l'étape suivante ?

---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

 + Créé à:	12:32:34 30/01/2008

 + Résultat de l'analyse:	



HKU\S-1-5-21-1146773983-1092170388-2550932258-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} -> Adware.2020Search : Nettoyé.
C:\Documents and Settings\arnaud\Mes documents\arnaud\GTA.San. Andreas. JEUX PC COMPLET FR avec crack\Crack Sierra\crack\hlm-intro.exe -> Backdoor.Hupigon.kg : Nettoyé.
:mozilla.54:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.247realmedia : Nettoyé.
:mozilla.54:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.247realmedia : Nettoyé.
:mozilla.55:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.247realmedia : Nettoyé.
:mozilla.55:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.247realmedia : Nettoyé.
:mozilla.143:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.2o7 : Nettoyé.
:mozilla.45:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Adtech : Nettoyé.
:mozilla.45:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Adtech : Nettoyé.
:mozilla.46:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Adtech : Nettoyé.
:mozilla.46:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Adtech : Nettoyé.
:mozilla.95:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Adtech : Nettoyé.
:mozilla.96:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Adtech : Nettoyé.
:mozilla.126:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Advertising : Nettoyé.
:mozilla.59:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Atdmt : Nettoyé.
:mozilla.41:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Bluestreak : Nettoyé.
:mozilla.48:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Bluestreak : Nettoyé.
:mozilla.48:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Bluestreak : Nettoyé.
:mozilla.157:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.158:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.159:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.160:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.16:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.16:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.18:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.18:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.19:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.19:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.20:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.20:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.21:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.21:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Casalemedia : Nettoyé.
:mozilla.129:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Comclick : Nettoyé.
:mozilla.130:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Comclick : Nettoyé.
:mozilla.43:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Comclick : Nettoyé.
:mozilla.43:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Comclick : Nettoyé.
:mozilla.44:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Comclick : Nettoyé.
:mozilla.44:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Comclick : Nettoyé.
:mozilla.47:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Comclick : Nettoyé.
:mozilla.47:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Comclick : Nettoyé.
:mozilla.17:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Doubleclick : Nettoyé.
:mozilla.17:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Doubleclick : Nettoyé.
:mozilla.22:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Doubleclick : Nettoyé.
:mozilla.22:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Doubleclick : Nettoyé.
:mozilla.24:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Doubleclick : Nettoyé.
C:\Documents and Settings\arnaud\Cookies\arnaud@ad.doubleclick[2].txt -> TrackingCookie.Doubleclick : Nettoyé.
:mozilla.113:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Estat : Nettoyé.
:mozilla.32:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Estat : Nettoyé.
:mozilla.32:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Estat : Nettoyé.
:mozilla.50:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Estat : Nettoyé.
:mozilla.50:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Estat : Nettoyé.
:mozilla.14:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Fastclick : Nettoyé.
:mozilla.14:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Fastclick : Nettoyé.
:mozilla.18:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Fastclick : Nettoyé.
:mozilla.18:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Fastclick : Nettoyé.
:mozilla.20:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Fastclick : Nettoyé.
:mozilla.20:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Fastclick : Nettoyé.
:mozilla.21:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Mediaplex : Nettoyé.
:mozilla.36:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Mediaplex : Nettoyé.
:mozilla.36:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Mediaplex : Nettoyé.
:mozilla.11:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Overture : Nettoyé.
:mozilla.11:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Overture : Nettoyé.
:mozilla.22:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Overture : Nettoyé.
:mozilla.23:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Overture : Nettoyé.
:mozilla.30:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Overture : Nettoyé.
:mozilla.30:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Overture : Nettoyé.
:mozilla.97:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Realmedia : Nettoyé.
:mozilla.23:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.23:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.30:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.30:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.31:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.31:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.32:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.32:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.33:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.33:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Reliablestats : Nettoyé.
:mozilla.118:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.
:mozilla.119:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.
:mozilla.120:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.
:mozilla.121:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.
:mozilla.151:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Sitestat : Nettoyé.
:mozilla.152:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Sitestat : Nettoyé.
:mozilla.35:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.
:mozilla.36:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.
:mozilla.37:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.
:mozilla.127:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Specificpop : Nettoyé.
:mozilla.137:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Trafic : Nettoyé.
:mozilla.76:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Valueclick : Nettoyé.
:mozilla.77:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Valueclick : Nettoyé.
:mozilla.14:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookies.txt -> TrackingCookie.Weborama : Nettoyé.
:mozilla.14:C:\Documents and Settings\ronan\Application Data\Mozilla\Firefox\Profiles\1x088vfr.default\cookiesnew.txt -> TrackingCookie.Weborama : Nettoyé.
:mozilla.78:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Weborama : Nettoyé.
:mozilla.79:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Weborama : Nettoyé.
:mozilla.80:C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\cookies.txt -> TrackingCookie.Weborama : Nettoyé.
C:\Documents and Settings\arnaud\Cookies\arnaud@m.webtrends[1].txt -> TrackingCookie.Webtrends : Nettoyé.
:mozilla.10:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.10:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.11:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.11:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.12:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.12:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.7:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.7:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.8:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.8:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.9:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.9:C:\Documents and Settings\arnaud\Application Data\Mozilla\Firefox\Profiles\06lhlvge.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Nettoyé.


Fin du rapport

g!rly · Answer

salut  fch22,

tres bien pour avg...

tu peux garder adaware.

j´aimerais maintenant que tu performe un scan complet de ta machine a l´aide d´antivir et que tu post le rapport ici sur le forum.

effectue les reglages suivants avant de le lancer :

une fois antivir ouvert click surconfiguration et coche la case "expert mode" puis sur l´onglet scanner dans la fenetre du dessous tu va voir : rootkit search click sur le petit + pour deployer et coche la case a coté de ton disk dur
puis click sur configuration en haut a droite, dans la nouvelle fenetre a gauche >scanner > coche "scan all files" et en dessous >scanner priority = High
coche : allow stopping the scanner, comme cela tu peux faire une pause pendant le scan si tu le desir.
puis sur la droite coche les case suivantes : 
scan boot sectors of selected drives
scan master boot sectors
scan memory
search foe rootkit before scan
decoche :
ignore off line files
toujours a gauche > scan > deploie > heuristique > macrovirus heuristic = coché et en dessous > win32 heuristic la case coché et high detection level

@+

fch22 · Answer

Salut, désolé je rentre seuleument du boulot J'ai regardé la config de Antivir et c'est déjà ce que j'avais -à part les offline files). Voici déjà un premier rapport d'un scan que j'ai lancé ce midi (qui n'est pas fini car n'ayant pas coché la case automatic action for concerning files, il n'a pas fini et je l'ai interrompu en rentrantr (et oui , il m'a quand même trouvé WORM/Sober.Y, et W32/Magistr.B dans mon Inbox) D'ailleurs, tu conseilles quoi comme action automatique ? copy before action ? primary action = repair ? secondary = ignore ? J'attends ta réponse avant de le lancer. voila le rapport de cet AM AntiVir PersonalEdition Classic Report file date: mercredi 30 janvier 2008 12:53 Scanning for 1084989 virus strains and unwanted programs. Licensed to: Avira AntiVir PersonalEdition Classic Serial number: 0000149996-ADJIE-0001 Platform: Windows XP Windows version: (Service Pack 2) [5.1.2600] Username: SYSTEM Computer name: FAMILLE Version information: BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00 AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29 AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51 LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47 LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20 ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15 ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 22:37:06 ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 25/01/2008 09:12:33 ANTIVIR3.VDF : 7.0.2.70 200192 Bytes 30/01/2008 11:38:07 AVEWIN32.DLL : 7.6.0.57 3215872 Bytes 30/01/2008 11:38:07 AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26 AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17 AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24 AVPACK32.DLL : 7.6.0.3 360488 Bytes 23/01/2008 22:37:08 AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06 AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33 AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18 NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42 RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13 RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37 SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21 Configuration settings for the scan: Jobname..........................: Complete system scan Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp Logging..........................: low Primary action...................: interactive Secondary action.................: ignore Scan master boot sector..........: on Scan boot sector.................: on Boot sectors.....................: C:, Scan memory......................: on Process scan.....................: on Scan registry....................: on Search for rootkits..............: on Scan all files...................: All files Scan archives....................: on Recursion depth..................: 20 Smart extensions.................: on Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, Macro heuristic..................: on File heuristic...................: high Start of the scan: mercredi 30 janvier 2008 12:53 Starting search for hidden objects. '87798' objects were checked, '0' hidden objects were found. The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'avgas.exe' - '1' Module(s) have been scanned Scan process 'guard.exe' - '0' Module(s) have been scanned Scan process 'firefox.exe' - '1' Module(s) have been scanned Scan process 'iPodService.exe' - '1' Module(s) have been scanned Scan process 'FINDFAST.EXE' - '1' Module(s) have been scanned Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'QuickAccess.exe' - '1' Module(s) have been scanned Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned Scan process 'AOSD.EXE' - '1' Module(s) have been scanned Scan process 'WinPatrol.exe' - '1' Module(s) have been scanned Scan process 'realsched.exe' - '1' Module(s) have been scanned Scan process 'opware32.exe' - '1' Module(s) have been scanned Scan process 'ABOARD.EXE' - '1' Module(s) have been scanned Scan process 'PCMService.exe' - '1' Module(s) have been scanned Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'slrundll.exe' - '1' Module(s) have been scanned Scan process 'fxssvc.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 42 processes with 42 modules were scanned Starting master boot sector scan: Master boot sector HD0 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0083 Master boot sector HD1 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD2 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD3 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD4 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Start scanning boot sectors: Boot sector 'C:\' [NOTE] No virus was found! Starting to scan the registry. The registry was scanned ( '28' files ). Starting the file scan: Begin scan in 'C:\' C:\hiberfil.sys [WARNING] The file could not be opened! C:\pagefile.sys [WARNING] The file could not be opened! C:\Documents and Settings\parents\Application Data\Thunderbird\Profiles\1h0ngh60.default\Mail\pop.libertysurf.fr\Inbox [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <403C457200E778DC@mail01.pds.libertysurf.fr> (a][From: roger.saussol@edfgdf.fr][Subject: Re: Here is the document]198.mim [1] Archive type: MIME --> document_full.pif [DETECTION] Contains detection pattern of the worm WORM/Netsky.D.Dam --> Mailbox_[From: Post@cia.gov][Subject: Your_IP_was_logged][Message-ID: ]622.mim [1] Archive type: MIME --> question_list.zip [DETECTION] Contains detection pattern of the worm WORM/Sober.Y [2] Archive type: ZIP --> File-packed_dataInfo.exe [DETECTION] Contains detection pattern of the worm WORM/Sober.Y [3] Archive type: ZIP SFX (self extracting) [WARNING] The file was ignored! C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop\Inbox [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <3bd95f7b3bfcc530@citronier.wanadoo.fr> (added ][From: bouffant.construction steps.exe [DETECTION] Contains code of the Windows virus W32/Magistr.B [WARNING] The file was ignored! End of the scan: mercredi 30 janvier 2008 18:50 Used time: 5:57:03 min The scan has been canceled! 4857 Scanning directories 114125 Files were scanned 4 viruses and/or unwanted programs were found 0 Files were classified as suspicious: 0 files were deleted 0 files were repaired 0 files were moved to quarantine 0 files were renamed 2 Files cannot be scanned 114121 Files not concerned 4863 Archives were scanned 4 Warnings 1 Notes 87798 Objects were scanned with rootkit scan 0 Hidden objects were found

g!rly · Answer

re,

oui refais le scan avec les reglages que je t´ai stipulés et post le rapport...

@+

fch22 · Answer

tu conseilles quoi comme action automatique ? copy before action ? primary action = repair ? secondary = ignore ?

afideg · Answer

G!rly Attention Avais-tu remarqué ceci dans le ComboFix : [code]

 
----a-w 5,512,872 2007-01-09 00:00:42 C:\Documents and Settings\parents\Mes documents\outils\securité\kerio\kerio 4.2 - kerio.probb.fr .exe  <== observe bien l'intervalle anormal.

sUBs a créé un outil afin de traiter l'infection > RenV.exe Le tool est téléchargeable depuis cette adresse > http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe Le sais-tu ?

fch22 · Answer

Pourtant je l'ai téléchargé hier quand j'était avec G!rly !!

Cela veut dire qu'il faut que je desinstalle Kerio ?

g!rly · Answer

je suis partie dinner...

salut afideg, 

concernant kerio, ne crois tu pas que l´espace est du au double point?

kerio 4.2 - kerio.probb.fr .exe

merci pour le lien concernant l´infection rev.exe.

je lui ferais passé apres le scan d´antivir...

fch22,

pour le scan avec antivir choisie l´action interactive et les reglages que je t´ai donnés plus haut.

@+

fch22 · Answer

Bonsoir,

du coup j'ai desinstallé la version 4.2 que j'avais et j'ai reinstallé  la derniere (de toutes facons j'avais une erreur lorsque la 4.2  essayait d'installer la derniere version).
et j'en ai profité pour faire une sauvegarde 
Bon vue l'heure (et la duree du scan) , je vais lancer antivir mais en mettant automatiquement en quarantaine (de toutes facons, c'est l'action que j'effectue habituellement).
Je vous souhaite une bonne soirée, et je vous poste le rapport demain.
Merci encore pour l'aide.

g!rly · Answer

ok tres bien,

bonne nuit

@demain

fch22 · Answer

Bonjour, voici le rapport Antivir du matin. J'ai bien vérifié que j'avais utilise le mode mise en quarantaine automatique. je vois que j'ai 4 virus dans une vieille archive, je vais verifier que j'en ai une copie et je vais la virer. Par contre j'ai 2 virus dans ma boite aux lettres, je vais essayer d'identifier les mails infectés et les virer si cela peut aider AntiVir PersonalEdition Classic Report file date: jeudi 31 janvier 2008 02:00 Scanning for 1085601 virus strains and unwanted programs. Licensed to: Avira AntiVir PersonalEdition Classic Serial number: 0000149996-ADJIE-0001 Platform: Windows XP Windows version: (Service Pack 2) [5.1.2600] Username: SYSTEM Computer name: FAMILLE Version information: BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00 AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29 AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51 LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47 LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20 ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15 ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 22:37:06 ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 25/01/2008 09:12:33 ANTIVIR3.VDF : 7.0.2.72 208896 Bytes 30/01/2008 22:23:07 AVEWIN32.DLL : 7.6.0.59 3232256 Bytes 30/01/2008 22:23:07 AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26 AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17 AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24 AVPACK32.DLL : 7.6.0.3 360488 Bytes 23/01/2008 22:37:08 AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06 AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33 AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18 NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42 RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13 RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37 SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21 Configuration settings for the scan: Jobname..........................: Local Hard Disks Configuration file...............: c:\program files\avira\antivir personaledition classic\alldiscs.avp Logging..........................: low Primary action...................: quarantine Secondary action.................: ignore Scan master boot sector..........: on Scan boot sector.................: on Boot sectors.....................: C:, Scan memory......................: on Process scan.....................: on Scan registry....................: on Search for rootkits..............: on Scan all files...................: All files Scan archives....................: on Recursion depth..................: 20 Smart extensions.................: on Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, Macro heuristic..................: on File heuristic...................: high Start of the scan: jeudi 31 janvier 2008 02:00 Starting search for hidden objects. '87908' objects were checked, '0' hidden objects were found. The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'thunderbird.exe' - '1' Module(s) have been scanned Scan process 'firefox.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'iPodService.exe' - '1' Module(s) have been scanned Scan process 'FINDFAST.EXE' - '1' Module(s) have been scanned Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'QuickAccess.exe' - '1' Module(s) have been scanned Scan process 'avgas.exe' - '1' Module(s) have been scanned Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned Scan process 'AOSD.EXE' - '1' Module(s) have been scanned Scan process 'WinPatrol.exe' - '1' Module(s) have been scanned Scan process 'realsched.exe' - '1' Module(s) have been scanned Scan process 'opware32.exe' - '1' Module(s) have been scanned Scan process 'ABOARD.EXE' - '1' Module(s) have been scanned Scan process 'PCMService.exe' - '1' Module(s) have been scanned Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'slrundll.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'fxssvc.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned Scan process 'slserv.exe' - '1' Module(s) have been scanned Scan process 'guard.exe' - '0' Module(s) have been scanned Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 45 processes with 45 modules were scanned Starting master boot sector scan: Master boot sector HD0 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0083 Master boot sector HD1 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD2 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD3 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD4 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Start scanning boot sectors: Boot sector 'C:\' [NOTE] No virus was found! Starting to scan the registry. The registry was scanned ( '28' files ). Starting the file scan: Begin scan in 'C:\' C:\hiberfil.sys [WARNING] The file could not be opened! C:\pagefile.sys [WARNING] The file could not be opened! C:\Documents and Settings\parents\Application Data\Thunderbird\Profiles\1h0ngh60.default\Mail\pop.libertysurf.fr\Inbox [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <403C457200E778DC@mail01.pds.libertysurf.fr> (a][From: roger.saussol@edfgdf.fr][Subject: Re: Here is the document]198.mim [1] Archive type: MIME --> document_full.pif [DETECTION] Contains detection pattern of the worm WORM/Netsky.D.Dam --> Mailbox_[From: Post@cia.gov][Subject: Your_IP_was_logged][Message-ID: ]622.mim [1] Archive type: MIME --> question_list.zip [DETECTION] Contains detection pattern of the worm WORM/Sober.Y [2] Archive type: ZIP --> File-packed_dataInfo.exe [DETECTION] Contains detection pattern of the worm WORM/Sober.Y [3] Archive type: ZIP SFX (self extracting) [WARNING] The file was ignored! C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop\Inbox [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <3bd95f7b3bfcc530@citronier.wanadoo.fr> (added ][From: bouffant.construction steps.exe [DETECTION] Contains code of the Windows virus W32/Magistr.B [WARNING] The file was ignored! C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop\Trash [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <3bd95f7b3bfcc530@citronier.wanadoo.fr> (added ][From: bouffant.construction steps.exe [DETECTION] Contains code of the Windows virus W32/Magistr.B [WARNING] The file was ignored! C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop-1\Inbox [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <3bd95f7b3bfcc530@citronier.wanadoo.fr> (added ][From: bouffant.construction steps.exe [DETECTION] Contains code of the Windows virus W32/Magistr.B [WARNING] The file was ignored! C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop.libertysurf.fr\Inbox [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <403C457200E778DC@mail01.pds.libertysurf.fr> (a][From: roger.saussol@edfgdf.fr][Subject: Re: Here is the document]198.mim [1] Archive type: MIME --> document_full.pif [DETECTION] Contains detection pattern of the worm WORM/Netsky.D.Dam [WARNING] The file was ignored! C:\WINDOWS\system32\drivers\Nru68.sys [WARNING] The file could not be opened! C:\WINDOWS\system32\drivers\sptd.sys [WARNING] The file could not be opened! End of the scan: jeudi 31 janvier 2008 03:24 Used time: 1:24:35 min The scan has been done completely. 12677 Scanning directories 493748 Files were scanned 7 viruses and/or unwanted programs were found 0 Files were classified as suspicious: 0 files were deleted 0 files were repaired 0 files were moved to quarantine 0 files were renamed 4 Files cannot be scanned 493741 Files not concerned 15471 Archives were scanned 9 Warnings 2 Notes 87908 Objects were scanned with rootkit scan 0 Hidden objects were found

g!rly · Answer

salut fch22, supprime tous ces mails et n´en fais surtout pas de copie : C:\Documents and Settings\parents\Application Data\Thunderbird\Profiles\1h0ngh60.default\Mail\pop.libertysurf.fr\Inbox --> Mailbox_[Message-ID: <403C457200E778DC@mail01.pds.libertysurf.fr> (a][From: roger.saussol@edfgdf.fr][Subject: Re: Here is the document]198.mim --> Mailbox_[From: Post@cia.gov][Subject: Your_IP_was_logged][Message-ID: ]622.mim --> question_list.zip --> File-packed_dataInfo.exe C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop\Inbox --> Mailbox_[Message-ID: <3bd95f7b3bfcc530@citronier.wanadoo.fr> (added ][From: bouffant.construction steps.exe C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop\Trash --> Mailbox_[Message-ID: <3bd95f7b3bfcc530@citronier.wanadoo.fr> (added ][From: bouffant.construction steps.exe C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop-1\Inbox --> Mailbox_[Message-ID: <3bd95f7b3bfcc530@citronier.wanadoo.fr> (added ][From: bouffant.construction steps.exe C:\Documents and Settings\parents\Mes documents\backup ancien PC\Profiles\parents\Application Data\Mozilla\Profiles\default\xefakpc9.slt\Mail\pop.libertysurf.fr\Inbox --> Mailbox_[Message-ID: <403C457200E778DC@mail01.pds.libertysurf.fr> (a][From: roger.saussol@edfgdf.fr][Subject: Re: Here is the document]198.mim --> document_full.pif et passe le fix proposé par afideg : http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe post le rapport @+

fch22 · Answer

Bonsoir G!rly, 

Je n'arrive pas à supprimer le répertoire , il me dit que certain fichiers sont utilisés par un autre programme, tu as une méthode à proposer ?
et concernant les 2 emails, je ne les trouve pas dans Thunderbird, je supprime les fichiers directement ?

PS: pour la copye, c'est loupe, je viens de griller un DVD avec entre autre ces fichiers

fch22 · Answer

j'ai reussi à supprimer les 4 messages archivés, il ne me reste plus que les 2 ci-dessous (je n'ai pas tout rescanner): Begin scan in 'C:\Documents and Settings\parents\Application Data\Thunderbird\Profiles' C:\Documents and Settings\parents\Application Data\Thunderbird\Profiles\1h0ngh60.default\Mail\pop.libertysurf.fr\Inbox [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <403C457200E778DC@mail01.pds.libertysurf.fr> (a][From: roger.saussol@edfgdf.fr][Subject: Re: Here is the document]198.mim [1] Archive type: MIME --> document_full.pif [DETECTION] Contains detection pattern of the worm WORM/Netsky.D.Dam --> Mailbox_[From: Post@cia.gov][Subject: Your_IP_was_logged][Message-ID: ]622.mim [1] Archive type: MIME --> question_list.zip [DETECTION] Contains detection pattern of the worm WORM/Sober.Y [2] Archive type: ZIP --> File-packed_dataInfo.exe [DETECTION] Contains detection pattern of the worm WORM/Sober.Y [3] Archive type: ZIP SFX (self extracting) [WARNING] The file was ignored! par contre je ne le trouve pas tiens voici le resultat de Renv: [code] Ran on 31/01/2008 - 21:41:29,07 Entries: 0 (0) Directories: 0 Files: 0 Bytes: 0 Blocks: 0 /code j'ai aussi de faire analyser Nru68, mais il n'arrive toujours pas à l'uploader sur le site

g!rly · Answer

re,

en mode sans echec tu as essayé?

fch22 · Answer

G!irly
a priori il ne me reste que le mail infecté dans mon inbox, mais je ne le vois pas sous Thunderbird, et je ne sais pas  ouvrir le fichier Inbox

g!rly · Answer

re,

si tu fais un scan avec antivir en mode sans echec a mon avis il devrait pouvoir le supprimer...

-> Redémarre en mode sans échec : 

   Comment redémarrer en mode sans echec? 

   Tu redemarre le pc et tapote la touche F8 des le début de l allumage sans t´arrêter.
   Une fenêtre sur fond noir va s’ouvrir, tu te déplaces avec les flèches du clavier sur démarrer en mode sans échec puis tape entrée.
   capture d´ecran : http://www.coupdepoucepc.com/images_cdppc4/fichespratiques/windowsxp/modese/modese2.jpg
   Une fois sur le bureau si il n y a pas toutes les couleurs et autres c´est normal!
   Ps : si F8 ne marche pas utilise la touche F5.

et lance le scan et post le resultat

je sais c´est long mais...

@+

fch22 · Answer

G!rly,
 quand je lance le scan en mode interactif, Antivir me dit :
This file is a mailbox, to avoid damaging your emails, this file will not be repaired or deleted.
Tu crois qu'en mode sans ehec , ca changera quelque chose ?

afideg · Answer

Salut à vous 

Pourquoi ne pas supprimer C:\Documents and Settings\parents\Application Data\Thunderbird\Profiles\1h0ngh60.default\Mail\pop.libertysurf.fr\Inbox   ?

Ce qui est en gras avec OT-moveId .
Et c'est quoi ce 1h0ngh60.default ?

Al.

fch22 · Answer

Salut,

ca a l'air d'être la boite aux lettres de Thunderbird, je préfere la garder :-)

Allez bonne nuit

afideg · Answer

Re,

Bon, pour pop.libertysurf.fr, tant pis.
En effet, je vois sur Google < https://www.google.be/search?hl=fr&q=pop.libertysurf.fr&btnG=Recherche+Google&meta=lr%3Dlang_fr&gws_rd=ssl >
J'aurais pu consulter Google avant de parler.

Mais c'est quoi alors 1h0ngh60.default ? 

J'ai abandonné Thunderbird, trop de chicanes .

Al.

fch22 · Answer

Bonjour,

je ne sais pas , mais vu que ce repertoire se trouve dans thunderbird, j'en déduit que c'est thunderbird qui l'a crée lors de l'install.

Cette nuit j'ai  relancé un antivir et j'ai retrouvé tout mes virus : j'avais oublié de purger ma corbeille.
Je le relance ce matin et je vous pose le resultat ce soir.

afideg · Answer

Bonjour,

Cit. « j'en déduis que c'est thunderbird qui l'a crée lors de l'install. » ==> correct.

Al.

fch22 · Answer

Bonjour, voici le dernier scan.... AntiVir PersonalEdition Classic Report file date: vendredi 1 février 2008 07:42 Scanning for 1086273 virus strains and unwanted programs. Licensed to: Avira AntiVir PersonalEdition Classic Serial number: 0000149996-ADJIE-0001 Platform: Windows XP Windows version: (Service Pack 2) [5.1.2600] Username: SYSTEM Computer name: FAMILLE Version information: BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00 AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29 AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51 LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47 LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20 ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15 ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 22:37:06 ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 25/01/2008 09:12:33 ANTIVIR3.VDF : 7.0.2.75 217088 Bytes 31/01/2008 11:58:41 AVEWIN32.DLL : 7.6.0.59 3232256 Bytes 30/01/2008 22:23:07 AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26 AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17 AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24 AVPACK32.DLL : 7.6.0.3 360488 Bytes 23/01/2008 22:37:08 AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06 AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33 AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18 NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42 RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13 RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37 SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21 Configuration settings for the scan: Jobname..........................: Complete system scan Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp Logging..........................: low Primary action...................: quarantine Secondary action.................: ignore Scan master boot sector..........: on Scan boot sector.................: on Boot sectors.....................: C:, Scan memory......................: on Process scan.....................: on Scan registry....................: on Search for rootkits..............: on Scan all files...................: All files Scan archives....................: on Recursion depth..................: 20 Smart extensions.................: on Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, Macro heuristic..................: on File heuristic...................: high Start of the scan: vendredi 1 février 2008 07:42 Starting search for hidden objects. '85129' objects were checked, '0' hidden objects were found. The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'iPodService.exe' - '1' Module(s) have been scanned Scan process 'FINDFAST.EXE' - '1' Module(s) have been scanned Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'QuickAccess.exe' - '1' Module(s) have been scanned Scan process 'avgas.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned Scan process 'WinPatrol.exe' - '1' Module(s) have been scanned Scan process 'AOSD.EXE' - '1' Module(s) have been scanned Scan process 'realsched.exe' - '1' Module(s) have been scanned Scan process 'opware32.exe' - '1' Module(s) have been scanned Scan process 'ABOARD.EXE' - '1' Module(s) have been scanned Scan process 'PCMService.exe' - '1' Module(s) have been scanned Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'slrundll.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'fxssvc.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned Scan process 'slserv.exe' - '1' Module(s) have been scanned Scan process 'guard.exe' - '0' Module(s) have been scanned Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 42 processes with 42 modules were scanned Starting master boot sector scan: Master boot sector HD0 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0083 Master boot sector HD1 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD2 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD3 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Master boot sector HD4 [NOTE] No virus was found! [WARNING] The boot sector file could not be read! [WARNING] Error code: 0x0015 Start scanning boot sectors: Boot sector 'C:\' [NOTE] No virus was found! Starting to scan the registry. The registry was scanned ( '28' files ). Starting the file scan: Begin scan in 'C:\' C:\hiberfil.sys [WARNING] The file could not be opened! C:\pagefile.sys [WARNING] The file could not be opened! C:\Documents and Settings\parents\Application Data\Thunderbird\Profiles\1h0ngh60.default\Mail\pop.libertysurf.fr\Inbox [0] Archive type: Netscape/Mozilla Mailbox --> Mailbox_[Message-ID: <403C457200E778DC@mail01.pds.libertysurf.fr> (a][From: roger.saussol@edfgdf.fr][Subject: Re: Here is the document]198.mim [1] Archive type: MIME --> document_full.pif [DETECTION] Contains detection pattern of the worm WORM/Netsky.D.Dam --> Mailbox_[From: Post@cia.gov][Subject: Your_IP_was_logged][Message-ID: ]622.mim [1] Archive type: MIME --> question_list.zip [DETECTION] Contains detection pattern of the worm WORM/Sober.Y [2] Archive type: ZIP --> File-packed_dataInfo.exe [DETECTION] Contains detection pattern of the worm WORM/Sober.Y [3] Archive type: ZIP SFX (self extracting) [WARNING] The file was ignored! C:\WINDOWS\system32\drivers\Nru68.sys [WARNING] The file could not be opened! C:\WINDOWS\system32\drivers\sptd.sys [WARNING] The file could not be opened! End of the scan: vendredi 1 février 2008 08:57 Used time: 1:15:27 min The scan has been done completely. 12320 Scanning directories 486855 Files were scanned 3 viruses and/or unwanted programs were found 0 Files were classified as suspicious: 0 files were deleted 0 files were repaired 0 files were moved to quarantine 0 files were renamed 4 Files cannot be scanned 486852 Files not concerned 13791 Archives were scanned 5 Warnings 2 Notes 85129 Objects were scanned with rootkit scan 0 Hidden objects were found

g!rly · Answer

bonsoir a vous deux,

on peux tenter l´outil de symantec :

https://www.cnetfrance.fr/telecharger/symantec-outil-de-suppression-de-netsky-39068441s.htm

fch22, 

telecharge le fix sur l´adresse ci dessus et execute le.

rapporte tes observations.

@+

fch22 · Answer

Bonsoir,

désolé de ne pas avoir répondu plus tot, je regarde cela demain et je vous tiens au courant

Bonne nuit et merci de votre aide

g!rly · Answer

bonne nuit ;-)

fch22 · Answer

bonjour,

netsky fixtool n'a rien trouvé, et antivir me reporte toujours les mêmes virus

fch22 · Answer

bonjour,

je suis toujours preneur d'un coup de main, car mon problème de virus n'est toujours pas résolu:

Antivir "guard"  me detecte toujours WORM/NTECH.Z.4 au démarage (mais pas dans le scan !)
et le scan me trouve toujours WORM/SOBER eyt WORM/NETSKY dans ma boite aux lettre Thunderbird.

et j'ai l'impression qu'il y a un process qui tourne et envoi des mails sur la toile (pour limiter , je stoppe le trafic sur Kerio quand je n'ai pas besoin d'internet), a priori en utilisant smtpdrv.sys



Merci d'avance

fch22 · Answer

Bonjour,

Bonne nouvelle, les virus de la boite aux lettres (il existait une fonction compacter dans Thunderbird qui permet de détruire complètement les fichiers) - Voila une chose de faite.

voici le rapport (sur le repertoire uniquement)



AntiVir PersonalEdition Classic
Report file date: samedi 2 février 2008  16:52

Scanning for 1086273 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         parents
Computer name:    FAMILLE

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95    3367424 Bytes  14/12/2007 22:37:06
ANTIVIR2.VDF : 7.0.2.49    1339904 Bytes  25/01/2008 09:12:33
ANTIVIR3.VDF : 7.0.2.75     217088 Bytes  31/01/2008 11:58:41
AVEWIN32.DLL : 7.6.0.59    3232256 Bytes  30/01/2008 22:23:07
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3      360488 Bytes  23/01/2008 22:37:08
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\parents\LOCALS~1\Temp\209926b6.avp
Logging..........................: low
Primary action...................: quarantine
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, 
Macro heuristic..................: on
File heuristic...................: high

Start of the scan: samedi 2 février 2008  16:52

Starting the file scan:

Begin scan in 'C:\Documents and Settings\parents\Application Data\Thunderbird\Profiles\1h0ngh60.default\Mail\pop.libertysurf.fr'


End of the scan: samedi 2 février 2008  16:54
Used time: 02:06 min

The scan has been done completely.

     17 Scanning directories
   2647 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
   2647 Files not concerned
   1040 Archives were scanned
      0 Warnings
      0 Notes


Par contre j'ai toujours un traffic d'enfer sur le net , qui me semble anormal.

Je vais rebooter , refaire un scan complet et je poste l'ensemble, à moins que vous ayez une autre idée ?

g!rly · Answer

salut,

quand tu supprime les mails infectés dans thunderbird il doivent aller dans trash alors vide ce dossier apres avoir effacé les e-mail infectés

Vide ensuite ton cache internet : Panneau de configuration / options internet / supprimer fichiers.

peux etre vont il rester dans le dossier inbox alors supprime les si encore present.

dis moi quoi

@+

g!rly · Answer

re,

j´ai lu quelque chose sur cette fonction compacter, mais n´utilisant pas thunderbird, ca m´ai passé au dessus de la tete...

en tout cas le resultat de scan parait bien en effet ;-)

peux tu poster un nouveau hijack this avec ton nouveau scan.

@+

fch22 · Answer

Bonjour,

voici le rapport (D'ailleurs, il cherche quoi HijackThis ?)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:56, on 03/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe
C:\apps\ABoard\AOSD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\microsoft office\Office\FINDFAST.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OBealsched.exe"  -osboot
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Configuration de la C-BOX] C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\microsoft office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin
pjpi150_06.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin
pjpi150_06.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {42E1F024-ECC3-456F-B98A-4CE5ACDBF25C} (ActiveFormX Contrôle) - http://ssl-tb.sitadelle.com/...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

fch22 · Answer

G!rly,

j'ai lu ton mail trop vite, je vais donc lancer le scan maintenant et je te le poste tout à l'heure :-)

fch22 · Answer

Bonjour,

voici le dernier scan complet. Apparement bonne nouvelle il n'a rien trouvé, pourtant, à chaque fois que je redemarre mon PC, antivir Guard me trouve WORM/NTECH.Z.4, et j'ai toujours l'impression qu'il y a un trafic anormal sur mon PC.
    

AntiVir PersonalEdition Classic
Report file date: dimanche 3 février 2008  14:18

Scanning for 1089289 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         SYSTEM
Computer name:    FAMILLE

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95    3367424 Bytes  14/12/2007 22:37:06
ANTIVIR2.VDF : 7.0.2.49    1339904 Bytes  25/01/2008 09:12:33
ANTIVIR3.VDF : 7.0.2.81     258560 Bytes  01/02/2008 11:58:43
AVEWIN32.DLL : 7.6.0.62    3240448 Bytes  03/02/2008 11:58:44
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3      360488 Bytes  23/01/2008 22:37:08
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: quarantine
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, 
Macro heuristic..................: on
File heuristic...................: high

Start of the scan: dimanche 3 février 2008  14:18

Starting search for hidden objects.
'85274' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'FINDFAST.EXE' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'QuickAccess.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'UpdaterUI.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'AOSD.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'WinPatrol.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'opware32.exe' - '1' Module(s) have been scanned
Scan process 'ABOARD.EXE' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'slrundll.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'fxssvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned
Scan process 'slserv.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0083
Master boot sector HD1
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD2
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD3
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD4
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015

Start scanning boot sectors:
Boot sector 'C:\'
      [NOTE]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '28' files ).


Starting the file scan:

Begin scan in 'C:\' <HDD>
C:\hiberfil.sys
      [WARNING]   The file could not be opened!
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\drivers\Nru68.sys
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
      [WARNING]   The file could not be opened!


End of the scan: dimanche 3 février 2008  15:34
Used time:  1:16:06 min

The scan has been done completely.

  12452 Scanning directories
 486617 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      4 Files cannot be scanned
 486617 Files not concerned
  11970 Archives were scanned
      4 Warnings
      1 Notes
  85274 Objects were scanned with rootkit scan
      0 Hidden objects were found

g!rly · Answer

salut fch 22,

hijack this me permet de voir les principales entrées du registre sur ton pc...

antivir doit te trouver le worm dans la restauration system, non?

>System_ volume information\...?

@+

fch22 · Answer

bonsoir G!rly,

System_ volume information est inclus dans le scan non ? sinon ou se trouve-t'il  ?

Pour info j'ai aussi lancé un scan AVG et un AD-AWARE, et ils n'ont rien trouvé !

afideg · Answer

Coucou,

En affichant les "fichiers & dossiers cachés", ça se trouve là :
< http://img87.imageshack.us/img87/9748/screenshot264un9.png >

Bonne chance
Al

fch22 · Answer

Bonsoir G!rly,

désolé je n'ai rien trouvé qui ressemble à system volume information sur la racine de C
et je n'ai pas d'autres disques.
As-tu une idée ?

g!rly · Answer

salut fch22.

fais ceci :

Désactive ta restauration système:
pour cela :
Click droit sur poste de travail, dans l´arborescence sur propriétés; 
dans la nouvelle fenettre click sur l´onglet restauration système;
coche la case désactiver la restauration systèm et applique.
puis redemarre le pc et click droit sur poste de travail, dans l´arborescence sur propriétés; 
dans la nouvelle fenettre click sur l´onglet restauration systèm
décoche la case désactiver la restauration systèm et applique. 

dis moi si apres ca antivir ce declanche encore au demarrage

@+

fch22 · Answer

Salut G!rly

j'avais misé beaucoup d'espoir dans ta procédure, hélas, Antivir guard m'a de nouveau detecté WORM/NTEC.Z.4 au démarrage

g!rly · Answer

re,

tu as des infos sur ou il est situé, je veux dire dans quel repertoire?

fch22 · Answer

le rapport d'antivir est le suivant:

Virus or unwanted program 'Worm/Ntech.Z.4 [WORM/Ntech.Z.4]'
detected in file 'C:\WINDOWS\TEMP\BN1.tmp.
Action performed: Delete file

(et c'est toujours au même endroit)


au fait merci pour ta patience

g!rly · Answer

re,

de  rien pour la patience > il faut bien que l´on arrive a le supprimer ce foutu ver.

tu va utiliser tous ces nettoyeurs a la suite :

1
Ccleaner: ( que le nettoyeur ) 

-> Télécharge Ccleaner (n'installe pas la barre d'outil Yahoo):

   http://www.commentcamarche.net/telecharger/telechargement 168 ccleaner

-> L´installer.

-> Une fois installé et lancé :

   Dans la colonne de gauche, click sur :

   ->"erreurs" :

      Coches toutes les cases dans les propriétés du nettoyeur de l´onglet "windows" et "applications", puis click en bas sur "chercher des erreurs" une fois terminé, clic sur "reparer les erreurs", tu auras un message pour sauvegarder ta base de registre, tu click "oui" puis tu recommence jusqu'à ce qu'il ne trouve plus rien.
      
      ps : les sauvegardes que tu auras faites, pourront etre supprimées ulterieurement si tout va bien.

   ->"nettoyeur"
   
      quitte ton navigateur avant de le lancer, décoche la derniere case (Avancé si elle est cochée) puis click sur "lancer le nettoyage" qunand il aura terminé le scan click en bas a droite sur "lancer le nettoyage" et accepte par oui.

-> Tutoriel en image :

   https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php

-> Pour ceux qui voudraient aller plus loin en compagnie de jesses (fonctions avancés) :

   http://perso.orange.fr/jesses/Docs/Logiciels/CCleaner.htm 

2
nettoie tes fichiers temporaires avec ceci : atf cleaner, regarde le tuto...

http://www.infosecu.fr/atf.html

telecharge le ici :

http://serveur1.archive-host.com/membres/up/1366464061/ATF-Cleaner.rar

3
Vide tes fichiers temporaires avec ceci:
->Clean Up 40:
http://pageperso.aol.fr/balltrap34/CleanUp40.exe
->aide en image:(merci a Balltrap34)
http://pageperso.aol.fr/balltrap34/democleanup.htm

click sur option et décoche la case devant : delete prefect files

vide celui ci manuellement :

:: Le contenu du dossier prefetch ::

* C:\WINDOWS\Prefetch <= sauf le fichier layout.ini

* Ne pas oublier de vider la corbeille !

dis moi quoi 

@+

moe · Answer

Salut G!rly, fch22

Dur, dur à virer ce ver on dirait...

G!rly, re-regarde le premier rapport Combo et dis moi ce que tu penses de C:\WINDOWS\system32\drivers\Nru68.sys ?
Pour ma part c'est un rootkit, et de plus il n'y a aucunes traces de ce fichier sur le net... 

A tenter avec Combo peut-être ?

@++

g!rly · Answer

salut moe,

merci pour ton intervention ;-)

oui pas facile...

c´est vrai que C:\WINDOWS\system32\drivers\Nru68.sys ne me dit rien qui vaille.

j´ai fais egalement des recherches sur le net le concernant et rien comme tu dis...

toute fois antivir et son anti rootkit ne le detect pas ?!

mais combofix indique qu´il a été crée juste apres C:\-1596445751

bon on va tenter :

fch22,

Copie le texte ci-dessous :

File::
C:\WINDOWS\system32\Drivers\Nru68.sys

Driver::
Nru68

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt4

ps : tu as passé tous les nettoyeurs de fichiers temporaires? > recommence apres avoir passé combofix.

@+

fch22 · Answer

bonsoir les amis
je n'ai pas pu vous repondre avant.

bon je lance le combo avec les parametres que tu as fournis et je vous poste le resultat

A+ fred

fch22 · Answer

bonsoir, donc voici le rapport combo: ComboFix 08-01-29.3 - parents 2008-02-06 21:23:44.5 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.167 [GMT 1:00] Endroit: C:\Documents and Settings\parents\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\parents\Bureau\CFScript.txt * Création d'un nouveau point de restauration FILE C:\WINDOWS\system32\Drivers\Nru68.sys . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\Drivers\Nru68.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_NRU68 -------\Nru68 -------\smtpdrv ((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))))))) . 2008-02-06 17:00 . 2008-02-06 17:00 d-------- C:\Documents and Settings\ronan\Application Data\Grisoft 2008-02-05 18:24 . 2008-02-05 18:24 65 --a------ C:\WINDOWS\system32\drivers\fwdrv.err 2008-01-30 07:21 . 2008-01-30 07:21 d-------- C:\Documents and Settings\parents\Application Data\Grisoft 2008-01-30 07:21 . 2008-01-30 07:21 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-01-30 07:21 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-01-29 23:59 . 2008-01-29 23:59 d-------- C:\Program Files\Kerio 2008-01-29 23:18 . 2008-01-29 23:18 d-------- C:\WINDOWS\ERUNT 2008-01-29 21:49 . 2008-02-06 21:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-29 21:49 . 2008-01-29 21:49 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-27 13:43 . 2008-01-27 13:43 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus! 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Program Files\Avira 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-01-23 19:10 . 2008-01-27 13:47 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2008-01-23 19:04 . 2008-01-27 13:48 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender 2008-01-22 19:40 . 2008-01-22 19:40 d-------- C:\Program Files\Trend Micro . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-06 20:12 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-02-06 16:00 --------- d-----w C:\Documents and Settings\ronan\Application Data\OpenOffice.org2 2008-02-06 10:00 --------- d-----w C:\Documents and Settings\parents\Application Data\Canon 2008-02-05 18:57 --------- d-----w C:\Documents and Settings\parents\Application Data\OpenOffice.org2 2008-02-02 13:08 --------- d-----w C:\Program Files\Fichiers communs\Adobe 2008-02-02 12:16 --------- d-----w C:\Program Files\Network Associates 2008-02-02 12:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates 2008-01-27 12:44 --------- d-----w C:\Program Files\Neuf 2008-01-27 12:37 --------- d-----w C:\Program Files\Mindscape 2008-01-27 12:35 --------- d-----w C:\Program Files\Audio MP3 Converter 2008-01-27 09:57 --------- d-----w C:\Program Files\SuperCopier2 2008-01-27 09:45 --------- d-----w C:\Program Files\AtomixMP3 2008-01-01 22:43 --------- d-----w C:\Documents and Settings\parents\Application Data\Skyline 2008-01-01 10:47 --------- d-----w C:\Program Files\Intuisphere 2007-12-13 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm 2005-06-25 08:20 8,192 --sha-w C:\WINDOWS\o2cLicStore.bin 2004-08-05 13:00 65,024 --sha-w C:\WINDOWS\system32\asycfilt.dll 2004-08-05 13:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll 2004-08-05 13:00 57,344 --sha-w C:\WINDOWS\system32\mfc42loc.dll 2004-08-05 13:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll 2004-08-05 13:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll 2004-08-05 13:00 253,952 --sha-w C:\WINDOWS\system32\msvcrt20.dll 2007-05-17 11:29 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll 2004-08-05 13:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll 2004-08-05 13:00 30,749 --sha-w C:\WINDOWS\system32\vbajet32.dll . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Configuration de la C-BOX"="C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe" [2004-12-21 18:17 395264] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 10:57 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 14:00 208952] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968] "PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-10-08 03:14 81920] "ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 10:31 24576] "Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 10:38 49152] "TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2005-01-20 08:52 180269] "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-08-31 14:41 222784] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-23 23:37 249896] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 03:12 135224] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [ ] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360] "DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [ ] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe" [ ] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nru68.sys] @="Driver" R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21] R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21] R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-10-18 16:36] R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [1998-08-22 11:00] R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21] R3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [] S3 38a530a3-8412-4567-b27d-ba7003797791;38a530a3-8412-4567-b27d-ba7003797791;D:\Player\cds300.dll [] S3 jatmlano;jatmlano;C:\DOCUME~1\parents\LOCALS~1\Temp\jatmlano.sys [] S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 12:12] S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 12:12] S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 12:12] S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 12:12] S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 12:12] S3 ovt530;Webcam Classic;C:\WINDOWS\system32\Drivers\ov530vid.sys [2005-03-15 16:04] S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41] S3 VRETRACE;VRETRACE;C:\DOCUME~1\parents\LOCALS~1\Temp\VRETRACE.sys [] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-06 21:33:44 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cach‚s ... Balayage cach‚ autostart entries ... Balayage des fichiers cach‚s ... Scan termin‚ avec succŠs Les fichiers cach‚s: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\system32\fxssvc.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\system32\slrundll.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Apps\Powercinema\PCMService.exe C:\apps\ABoard\ABoard.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\apps\ABoard\AOSD.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\microsoft office\Office\FINDFAST.EXE C:\Program Files\iPod\bin\iPodService.exe . ************************************************************************** . Temps d'accomplissement: 2008-02-06 21:40:14 - machine was rebooted ComboFix-quarantined-files.txt 2008-02-06 20:40:04 ComboFix2.txt 2008-01-29 23:38:10 ComboFix3.txt 2008-01-29 21:58:05 ComboFix4.txt 2008-01-29 20:47:34 ComboFix5.txt 2008-01-29 19:11:20 . 2008-01-27 09:13:26 --- E O F ---

fch22 · Answer

J'ai ensuite lancé CCleaner
puis atf (done cleaning 0  bytes freed)
puis cleanup

CleanUp! 4.0 recovered 362.6 MB of disk space from 530 files.
CleanUp! finished on 02/06/08 21:59:16.


et j'ai nettoyer windows\prefetch

g!rly · Answer

re,

Copie le texte ci-dessous :

File::
C:\DOCUME~1\parents\LOCALS~1\Temp\jatmlano.sys

Driver::
jatmlano

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt6 accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports

@+

fch22 · Answer

voici le résultat du combo suivi du Hijack ComboFix 08-01-29.3 - parents 2008-02-06 23:46:39.6 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.131 [GMT 1:00] Endroit: C:\Documents and Settings\parents\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\parents\Bureau\CFScript.txt * Création d'un nouveau point de restauration FILE C:\DOCUME~1\parents\LOCALS~1\Temp\jatmlano.sys . ((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))))))) . 2008-02-06 21:44 . 2008-02-06 21:44 d-------- C:\Program Files\CCleaner 2008-02-06 17:00 . 2008-02-06 17:00 d-------- C:\Documents and Settings onan\Application Data\Grisoft 2008-02-05 18:24 . 2008-02-05 18:24 65 --a------ C:\WINDOWS\system32\drivers\fwdrv.err 2008-01-30 07:21 . 2008-01-30 07:21 d-------- C:\Documents and Settings\parents\Application Data\Grisoft 2008-01-30 07:21 . 2008-01-30 07:21 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-01-30 07:21 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-01-29 23:59 . 2008-01-29 23:59 d-------- C:\Program Files\Kerio 2008-01-29 23:18 . 2008-01-29 23:18 d-------- C:\WINDOWS\ERUNT 2008-01-29 21:49 . 2008-02-06 23:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-29 21:49 . 2008-01-29 21:49 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-27 13:43 . 2008-01-27 13:43 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus! 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Program Files\Avira 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-01-23 19:10 . 2008-01-27 13:47 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2008-01-23 19:04 . 2008-01-27 13:48 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender 2008-01-22 19:40 . 2008-01-22 19:40 d-------- C:\Program Files\Trend Micro . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-06 22:41 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-02-06 20:58 --------- d-----w C:\Program Files\Nvu 2008-02-06 16:00 --------- d-----w C:\Documents and Settings onan\Application Data\OpenOffice.org2 2008-02-06 10:00 --------- d-----w C:\Documents and Settings\parents\Application Data\Canon 2008-02-05 18:57 --------- d-----w C:\Documents and Settings\parents\Application Data\OpenOffice.org2 2008-02-02 13:08 --------- d-----w C:\Program Files\Fichiers communs\Adobe 2008-02-02 12:16 --------- d-----w C:\Program Files\Network Associates 2008-02-02 12:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates 2008-01-27 12:44 --------- d-----w C:\Program Files\Neuf 2008-01-27 12:37 --------- d-----w C:\Program Files\Mindscape 2008-01-27 12:35 --------- d-----w C:\Program Files\Audio MP3 Converter 2008-01-27 09:57 --------- d-----w C:\Program Files\SuperCopier2 2008-01-27 09:45 --------- d-----w C:\Program Files\AtomixMP3 2008-01-01 22:43 --------- d-----w C:\Documents and Settings\parents\Application Data\Skyline 2008-01-01 10:47 --------- d-----w C:\Program Files\Intuisphere 2007-12-13 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm 2005-06-25 08:20 8,192 --sha-w C:\WINDOWS\o2cLicStore.bin 2004-08-05 13:00 65,024 --sha-w C:\WINDOWS\system32\asycfilt.dll 2004-08-05 13:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll 2004-08-05 13:00 57,344 --sha-w C:\WINDOWS\system32\mfc42loc.dll 2004-08-05 13:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll 2004-08-05 13:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll 2004-08-05 13:00 253,952 --sha-w C:\WINDOWS\system32\msvcrt20.dll 2007-05-17 11:29 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll 2004-08-05 13:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll 2004-08-05 13:00 30,749 --sha-w C:\WINDOWS\system32\vbajet32.dll . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Configuration de la C-BOX"="C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe" [2004-12-21 18:17 395264] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 10:57 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 14:00 208952] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968] "PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-10-08 03:14 81920] "ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 10:31 24576] "Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 10:38 49152] "TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe" [2005-01-20 08:52 180269] "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-08-31 14:41 222784] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-23 23:37 249896] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 03:12 135224] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [ ] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360] "DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [ ] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe" [ ] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nru68.sys] @="Driver" R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21] R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21] R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-10-18 16:36] R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [1998-08-22 11:00] R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21] R3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [] S3 38a530a3-8412-4567-b27d-ba7003797791;38a530a3-8412-4567-b27d-ba7003797791;D:\Player\cds300.dll [] S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 12:12] S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 12:12] S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 12:12] S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 12:12] S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 12:12] S3 ovt530;Webcam Classic;C:\WINDOWS\system32\Drivers\ov530vid.sys [2005-03-15 16:04] S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41] S3 VRETRACE;VRETRACE;C:\DOCUME~1\parents\LOCALS~1\Temp\VRETRACE.sys [] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-06 23:56:32 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cach‚s ... Balayage cach‚ autostart entries ... Balayage des fichiers cach‚s ... Scan termin‚ avec succŠs Les fichiers cach‚s: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\slrundll.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Apps\Powercinema\PCMService.exe C:\apps\ABoard\ABoard.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe C:\apps\ABoard\AOSD.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\microsoft office\Office\FINDFAST.EXE C:\Program Files\iPod\bin\iPodService.exe . ************************************************************************** . Temps d'accomplissement: 2008-02-07 0:03:02 - machine was rebooted ComboFix-quarantined-files.txt 2008-02-06 23:02:50 ComboFix2.txt 2008-02-06 20:40:15 ComboFix3.txt 2008-01-29 23:38:10 ComboFix4.txt 2008-01-29 21:58:05 ComboFix5.txt 2008-01-29 20:47:34 . 2008-01-27 09:13:26 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 00:06:07, on 07/02/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\slrundll.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\Explorer.EXE C:\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Apps\Powercinema\PCMService.exe C:\apps\ABoard\ABoard.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe C:\apps\ABoard\AOSD.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\microsoft office\Office\FINDFAST.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe" O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB ealsched.exe" -osboot O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [Configuration de la C-BOX] C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\microsoft office\Office\FINDFAST.EXE O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin pjpi150_06.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin pjpi150_06.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB O16 - DPF: {42E1F024-ECC3-456F-B98A-4CE5ACDBF25C} (ActiveFormX Contrôle) - http://ssl-tb.sitadelle.com/... O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

g!rly · Answer

salut fn22, 

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe < supprime ceci,  c´est l´updater de mcafee...
arrete le  dans ta start up list avant suppression.
demarrer >executer >msconfig valide par ok

puis 

appuie simultanement sur la touche windows a droit de la barre d´espace (drapeau windows) et sur "e" ->une fois dans le post de travail click sur le disk c > program files >java ouvre le fichier java et click sur le fichier jre1.5.0_06 pour l´ouvrir puis ouvre le fichier bin et dedans tu recherche ceci : jucheck.exe tu double click dessus et effectue la mise a jour de java> tu veux la version 1.6.0_03
une fois la mise a jour effectuée tu va dans ajoute/suppression de program et tu supprime toutes les autres update de java, il ne doit te rester que celle que tu viens de faire : 1.6.0_03 

tuto : https://www.malekal.com/maintenir-java-adobe-reader-et-le-player-flash-a-jour/

comment ca va de ton coté?

@+

fch22 · Answer

Bonjour G!rly

voici le dernier rapport de Antivir de ce matin. Il a enfin detecté le WORM lors du scan, cela signifie t'il qu'il l'a supprimé ?
Je traite tes points ce soir.



AntiVir PersonalEdition Classic
Report file date: jeudi 7 février 2008  07:17

Scanning for 1092968 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         SYSTEM
Computer name:    FAMILLE

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95    3367424 Bytes  14/12/2007 22:37:06
ANTIVIR2.VDF : 7.0.2.49    1339904 Bytes  25/01/2008 09:12:33
ANTIVIR3.VDF : 7.0.2.94     307200 Bytes  05/02/2008 12:37:25
AVEWIN32.DLL : 7.6.0.62    3240448 Bytes  03/02/2008 11:58:44
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3      360488 Bytes  23/01/2008 22:37:08
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldiscs.avp
Logging..........................: low
Primary action...................: quarantine
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, 
Macro heuristic..................: on
File heuristic...................: high

Start of the scan: jeudi 7 février 2008  07:17

Starting search for hidden objects.
'80578' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'thunderbird.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'FINDFAST.EXE' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'QuickAccess.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'UpdaterUI.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'WinPatrol.exe' - '1' Module(s) have been scanned
Scan process 'AOSD.EXE' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'opware32.exe' - '1' Module(s) have been scanned
Scan process 'ABOARD.EXE' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'slrundll.exe' - '1' Module(s) have been scanned
Scan process 'fxssvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0083
Master boot sector HD1
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD2
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD3
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD4
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015

Start scanning boot sectors:
Boot sector 'C:\'
      [NOTE]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '28' files ).


Starting the file scan:

Begin scan in 'C:\' <HDD>
C:\hiberfil.sys
      [WARNING]   The file could not be opened!
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\QooBox\Quarantine\catchme2008-02-06_213336.71.zip
  [0] Archive type: ZIP
  --> Nru68.sys
      [DETECTION] Contains detection pattern of the worm WORM/Ntech.Z.4
      [INFO]      The file was moved to '481eb111.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
      [WARNING]   The file could not be opened!


End of the scan: jeudi 7 février 2008  08:31
Used time:  1:13:24 min

The scan has been done completely.

  11481 Scanning directories
 459017 Files were scanned
      1 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      1 files were moved to quarantine
      0 files were renamed
      3 Files cannot be scanned
 459016 Files not concerned
  11283 Archives were scanned
      3 Warnings
      1 Notes
  80578 Objects were scanned with rootkit scan
      0 Hidden objects were found

g!rly · Answer

re,

en faite il detecte le driver Nru68.sys( qui contien des parties du worm )qui est dans la quarantaine de combofix que l´on a supprimé grace aux conseils avisés de moe ;-)

donc c´est ok

EDIT
par contre il dit qu´il narrive pas a ouvrir C:\WINDOWS\system32\drivers\sptd.sys qui a été supprimé 3 fois maintenant?!? c´est pas normal qu´il revienne comme ca celui la...

peux tu refaire un sdfix et poster le rapport ici stp

Fch22 > ne tiens pas compte de la partie si dessus sous Edit...

@+

moe · Answer

Salut Fch22, G!rly

La situation prend meilleure tournure on dirait, content pour Fch22 car je crois que ça faisait un bon moment qu'il bataillait avec ce ver si j'en crois son post sur le forum Avira il y a déja plus d'une semaine !

@++ et bonne continuation à tous les deux.

ps:
sptd.sys est je crois, un driver légitime de Daemon Tools :-)

g!rly · Answer

Salut moe,

Tu avais raison pour Nru68.sys; qui etait bien affilié au worm ;-)

Tu as encore raison pour sptd.sys qui apres verification de ma part sur google appartient bien a demon tools;  la honte...

J´ai été un peu vite en besogne pour celui la (sptd.sys), mais l´ayant vu supprimé systematiquement par combofix et sdfix, je me suis dis...

Merci en tout cas de ton aide ;-)

Bonne journée a toi`

@+

Fch22,

Tu peux continuer en fesant ce que je t´ai indiqué au post 72, regarde le post 74;  mais ne tiens pas compte de la partie sous Edit que j´ai edité apres avoir verifié sptd.sys...

@+

moe · Answer

Salut G!rly

Pur coup de chance pour Nru68.sys :-)

Il n'y a pas de quoi avoir la moindre honte G!rly, t'inquiète, en plus c'est peut-être moi qui vais trop vite en besogne si Fch22 n'a pas ou jamais eu installé Daemon Tools et/ou Acohol120% :-)
Fch22 précisera si c'est le cas ou pas d'autant plus si tu me dis que combo ou sdfix suppriment ce fichier, perso je ne savais pas et si tu as un lien je suis preneur histoire de voir à quelle infection est lié le fichier sptd.sys infectieux.

Passe une bonne soirée et de rien...

@++

g!rly · Answer

Resalut moe,

Pur coup de chance pour Nru68.sys :-) 

Tu a de la chance, c´est claire; rien que le numéro de ton message le confirme > 77 ;-D

Pour sptd.sys,

il est vrai qu´il n´y a pas de trace apparente de demon tool ou Acohol120% sur les rapports postés par Fch22.

perso je ne savais pas et si tu as un lien je suis preneur histoire de voir à quelle infection est lié le fichier sptd.sys infectieux. 

En faite c´est sur ce meme topik (post 1, post 10 et post 68) que le driver a été supprimé par combofix et sdfix...

Bonne soirée`

@+

fch22 · Answer

Salut,

 le seul qui a de la chance ici, c'est moi ..... d'être tombé sur un équipe comme vous :-) Merci pour tout.

Voici le résultat des dernieres (j'espere :-) opérations:

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe  supprimé, par contre je le vois toujours dans MSconfig. Est-ce normal ? (j'ai désactivé, supprimé, puis reboote, par contre au démarrage dans msconfig j'ai mis start all service)

D'ailleurs, je peux peut-être viré tout le répertoire Network Associate ?

Java mis à jour 

Concernant daemon tools, je l'ai utilisé il y a un certain temps (par contre je ne sais plus si je l'ai viré ou pas)

G!rly, je n'ai pas compris le post 74, tu veux que je passe un SDFIX?


Qu'est-ce que je fait de tout les fichiers qui sont dans la quarantaine de Antivir ?

g!rly · Answer

Fch22,

la chance ;-)

oui supprime tous le programme par le panneau de configuration : C:\Program Files\Network Associates\

ok pour java ;-)

il serait bien de savoir si tu as encore demon tools...

pour le post 74, en faite je l´ai edité apres l´intervention de moe, ne fais pas sdfix...

vide la qurantaine d´antivir < oui

@+

fch22 · Answer

G!rly

Pas trouvé daemon tools , juste un .exe qui trainait et que je viens de virer.

Pas trouvé non plus network associate dans "supprimer programme", je supprime le répertoire directement?

quarantaine vidé

Je vais relancer un antivir cette nuit, mais je peux peut-être mettre le sujet comme résolu , non ?

g!rly · Answer

re,

oui alors supprime tous le dossier de network associate.

pour deamon tool, j´aimerais bien entendre ce que moe pensse du driver, alors on va attendre son avis ;-)

ok pour antivir, post le rapport demain.

on va encore attendre pour mettre le topik en résolu.

bonne soirée`

@+

fch22 · Answer

G!rly    

j'ai fait le ménage, je lance antivir et je te poste le résultat demain.

Au fait, il fait quoi COMBO ?


bonne nuit à demain

g!rly · Answer

fch22, 

combofix il m´aime beaucoup :D

ok pour antivir

@ demain`

bonne nuit egalement ;-)

moe · Answer

Resalut à tous les deux :-)

fch22, concernant sptd.sys et si tu es sur et certain de ne plus avoir Daemon tools ou alcohol 120 d'installé, il ne te sert plus à grand chose je pense.

Donc G!rly puisque tu voulais mon avis, si fch22 souhaite pousser le nettoyage jusque là, on peut le supprimer en passant par Combofix, je ne crois pas que ça posera un problème particulier à Combo, alors si en plus il t'aime beaucoup il fera çà avec le plus grand soin, j'en suis certain lol :-p
Qu'est-ce que tu en pense ?

Si tout les feux sont aux vert pour  fch22 et pour toi aussi G!rly, voilà un exemple de ce qui peut se faire :

Ouvre le Menu Démarrer > Exécuter
Dans la boîte de dialogue, copie/colle tout ce qui est ci-dessous en gras :
fsutil file createnew "%userprofile%\bureau\CFScript.txt" 0
Puis valide

Reviens sur ton bureau puis ouvre le fichier CFScript.txt
Copie et colle à l'intérieur absolument tout ce qui est en bleu ci-dessous :
Driver::
sptd

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nru68.sys]

File::
C:\Windows\system32\drivers\sptd.sys 
Dans le menu du bloc notes, clic ensuite sur 'Fichier' puis sur "Enregistrer"

Referme le bloc notes, puis  déplace et  relache le fichier CFScript.txt qui se trouve sur le bureau sur l'icône de combofix.exe, exactement comme si tu voulais déposer ce fichier dans un dossier.
Laisse ensuite bosser Combofix et poste le rapport qui sera généré.    

Voilou, bonne fin de soirée à vous deux.

@++

fch22 · Answer

bonsoir,

voici le rapport du dernier scan, 

Moe, je regarde ton post demain soir , en attendant bonne nuit et merci à vous pour votre support 



AntiVir PersonalEdition Classic
Report file date: jeudi 7 février 2008  21:25

Scanning for 1092968 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         SYSTEM
Computer name:    FAMILLE

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95    3367424 Bytes  14/12/2007 22:37:06
ANTIVIR2.VDF : 7.0.2.49    1339904 Bytes  25/01/2008 09:12:33
ANTIVIR3.VDF : 7.0.2.94     307200 Bytes  05/02/2008 12:37:25
AVEWIN32.DLL : 7.6.0.62    3240448 Bytes  03/02/2008 11:58:44
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3      360488 Bytes  23/01/2008 22:37:08
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: quarantine
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, 
Macro heuristic..................: on
File heuristic...................: high

Start of the scan: jeudi 7 février 2008  21:25

Starting search for hidden objects.
'80613' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'FINDFAST.EXE' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'QuickAccess.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'WinPatrol.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'AOSD.EXE' - '1' Module(s) have been scanned
Scan process 'opware32.exe' - '1' Module(s) have been scanned
Scan process 'ABOARD.EXE' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'slrundll.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'fxssvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned
Scan process 'slserv.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0083
Master boot sector HD1
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD2
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD3
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015
Master boot sector HD4
      [NOTE]      No virus was found!
      [WARNING]   The boot sector file could not be read!
      [WARNING]   Error code: 0x0015

Start scanning boot sectors:
Boot sector 'C:\'
      [NOTE]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '30' files ).


Starting the file scan:

Begin scan in 'C:\' <HDD>
C:\hiberfil.sys
      [WARNING]   The file could not be opened!
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
      [WARNING]   The file could not be opened!


End of the scan: jeudi 7 février 2008  22:38
Used time:  1:12:30 min

The scan has been done completely.

  11494 Scanning directories
 451516 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      3 Files cannot be scanned
 451516 Files not concerned
  11295 Archives were scanned
      3 Warnings
      1 Notes
  80613 Objects were scanned with rootkit scan
      0 Hidden objects were found

fch22 · Answer

Bonjour, voici le rapport ComboFix 08-01-29.3 - parents 2008-02-09 9:44:45.7 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.73 [GMT 1:00] Endroit: C:\Documents and Settings\parents\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\parents\Bureau\CFScript.txt * Création d'un nouveau point de restauration FILE C:\Windows\system32\drivers\sptd.sys . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Windows\system32\drivers\sptd.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_SPTD -------\sptd ((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))))))) . 2008-02-07 19:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-02-06 21:44 . 2008-02-06 21:44 d-------- C:\Program Files\CCleaner 2008-02-06 17:00 . 2008-02-06 17:00 d-------- C:\Documents and Settings\ronan\Application Data\Grisoft 2008-02-05 18:24 . 2008-02-05 18:24 65 --a------ C:\WINDOWS\system32\drivers\fwdrv.err 2008-01-30 07:21 . 2008-01-30 07:21 d-------- C:\Documents and Settings\parents\Application Data\Grisoft 2008-01-30 07:21 . 2008-01-30 07:21 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-01-30 07:21 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-01-29 23:59 . 2008-01-29 23:59 d-------- C:\Program Files\Kerio 2008-01-29 23:18 . 2008-01-29 23:18 d-------- C:\WINDOWS\ERUNT 2008-01-29 21:49 . 2008-02-09 12:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-29 21:49 . 2008-01-29 21:49 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-27 13:43 . 2008-01-27 13:43 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus! 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Program Files\Avira 2008-01-23 23:30 . 2008-01-23 23:30 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-01-23 19:10 . 2008-01-27 13:47 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2008-01-23 19:04 . 2008-01-27 13:48 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender 2008-01-22 19:40 . 2008-01-22 19:40 d-------- C:\Program Files\Trend Micro . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-08 12:13 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-02-07 18:41 --------- d-----w C:\Program Files\Java 2008-02-06 20:58 --------- d-----w C:\Program Files\Nvu 2008-02-06 16:00 --------- d-----w C:\Documents and Settings\ronan\Application Data\OpenOffice.org2 2008-02-06 10:00 --------- d-----w C:\Documents and Settings\parents\Application Data\Canon 2008-02-05 18:57 --------- d-----w C:\Documents and Settings\parents\Application Data\OpenOffice.org2 2008-02-02 13:08 --------- d-----w C:\Program Files\Fichiers communs\Adobe 2008-02-02 12:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates 2008-01-27 12:44 --------- d-----w C:\Program Files\Neuf 2008-01-27 12:37 --------- d-----w C:\Program Files\Mindscape 2008-01-27 12:35 --------- d-----w C:\Program Files\Audio MP3 Converter 2008-01-27 09:57 --------- d-----w C:\Program Files\SuperCopier2 2008-01-27 09:45 --------- d-----w C:\Program Files\AtomixMP3 2008-01-01 22:43 --------- d-----w C:\Documents and Settings\parents\Application Data\Skyline 2008-01-01 10:47 --------- d-----w C:\Program Files\Intuisphere 2007-12-13 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm 2005-06-25 08:20 8,192 --sha-w C:\WINDOWS\o2cLicStore.bin 2004-08-05 13:00 65,024 --sha-w C:\WINDOWS\system32\asycfilt.dll 2004-08-05 13:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll 2004-08-05 13:00 57,344 --sha-w C:\WINDOWS\system32\mfc42loc.dll 2004-08-05 13:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll 2004-08-05 13:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll 2004-08-05 13:00 253,952 --sha-w C:\WINDOWS\system32\msvcrt20.dll 2007-05-17 11:29 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll 2004-08-05 13:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll 2004-08-05 13:00 30,749 --sha-w C:\WINDOWS\system32\vbajet32.dll . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Configuration de la C-BOX"="C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe" [2004-12-21 18:17 395264] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 10:57 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 14:00 208952] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 14:00 455168] "ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968] "PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-10-08 03:14 81920] "ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 10:31 24576] "Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 10:38 49152] "TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2005-01-20 08:52 180269] "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016] "WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-08-31 14:41 222784] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-23 23:37 249896] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [ ] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [ ] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360] "DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [ ] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe" [ ] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0) R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21] R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21] R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-10-18 16:36] R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [1998-08-22 11:00] R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21] R3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [] S3 38a530a3-8412-4567-b27d-ba7003797791;38a530a3-8412-4567-b27d-ba7003797791;D:\Player\cds300.dll [] S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 12:12] S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 12:12] S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 12:12] S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 12:12] S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 12:12] S3 ovt530;Webcam Classic;C:\WINDOWS\system32\Drivers\ov530vid.sys [2005-03-15 16:04] S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41] S3 VRETRACE;VRETRACE;C:\DOCUME~1\parents\LOCALS~1\Temp\VRETRACE.sys [] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-09 12:12:42 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cach‚s ... Balayage cach‚ autostart entries ... Balayage des fichiers cach‚s ... Scan termin‚ avec succŠs Les fichiers cach‚s: 0 ************************************************************************** . --------------------- DLLs a charg‚ sous des processus courants --------------------- PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156] -> C:\Program Files\Hercules\WebCam Station\PhotoImpression\share\pihook.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\system32\fxssvc.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\system32\slrundll.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Apps\Powercinema\PCMService.exe C:\apps\ABoard\ABoard.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe C:\apps\ABoard\AOSD.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Cegetel\C-BOX\Wizard\QuickAccess.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\microsoft office\Office\FINDFAST.EXE C:\Program Files\iPod\bin\iPodService.exe . ************************************************************************** . Temps d'accomplissement: 2008-02-09 12:19:24 - machine was rebooted ComboFix-quarantined-files.txt 2008-02-09 11:19:15 ComboFix2.txt 2008-02-06 23:03:04 ComboFix3.txt 2008-02-06 20:40:15 ComboFix4.txt 2008-01-29 23:38:10 ComboFix5.txt 2008-01-29 21:58:05 . 2008-01-27 09:13:26 --- E O F ---

g!rly · Answer

Bonjour Fch22,

Super ;-)

Je crois que notre collaboration se termine ici !

Dis moi quoi.

@+

fch22 · Answer

Bonjour G!rly

Un grand merci à toi et à tous ceux qui m'ont aidé. Une équipe super efficace et compétente.

Je vais clore le topic , mais j'ai une dernière question:

J'ai maintenant Kerio, Antivir, AVG, et AD-Aware SE, est-ce une protection efficace ?

Comme résumé je mettrais bien que le dernier virus WORM/NETCH.Z.4 se trouvait dans Nru68.sys (en tout des morceaux  du virus)

comme Antivir n'arrivait pas à ouvrir le fichier 
C:\WINDOWS\system32\drivers\Nru68.sys
[WARNING] The file could not be opened! 

il n'était pas détecté au scan, par contre le guard lui le détectait une fois qu'il se lançait .

un passage au travers de combofix a permis de le supprimer

au fait comment il se propage ce vers ? (navigation sur internet, ouverture de pieces jointes, MSN,..)

Bon dimanche à tous

g!rly · Answer

Bonjour fch22, 

pour parfaire ta protection instales ceci :

spywareblaster :

http://www.brightfort.com/spywareblaster.html

c´est un resident, il suffit de le mettre a jour de temps en temps car la version gratuite ne le fait pas toute seul , une fois installé et mis a jour tu mets toutes les protections sur "enable"

tuto : http://forum.telecharger.01net.com/forum/high-tech/PRODUITS/Questions-techniques/question-spywareblaser-sujet_174747_1.htm

telecharge aussi cet anti spyware il a aussi un resident le teatimer :

spybot :

http://www.commentcamarche.net/telecharger/telecharger 122 spybot

http://www.safer-networking.org/fr/faq/33.html

Merci pour le resumé ;-)

Ce ver ce propage par mail esentiellement -> piece jointe infecté comme tu l´as vu.

Bonne soirée et bonne continuation

De rien, Merci ;-)

Bye`

fch22 · Answer

merci,

j'ai tout installer

Bonne soirée et à plus !

g!rly · Answer

Ok cool ;-)
Bonne soirée egalement.
Bye`

Trojans Worms/ntech et TR/pandex

91 réponses

Discussions similaires