SmitfraudFix analysis please

Solved
julie64 -  
g!rly Posts: 18462 Status: Contributor -
Hello,

I think we picked up a rogue on our computer: every time we connect, windows open, either to download an antivirus program, or to play casino, or they are porn sites.
Here is the SmitFraudFix report. Can you help me?
Thanks in advance
Julie

SmitFraudFix v2.147

Report made at 10:05:39,98, 09/02/2008
Run from C:\Documents and Settings\pascal\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
File system type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\pascal

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\pascal\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\pascal\Favoris

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Warning, the following keys are not necessarily infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Warning, the following keys are not necessarily infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Warning, the following keys are not necessarily infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» Searching for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

29 replies

gil le fantom Posts: 2809 Status: Member
 
hello
post a HijackThis report ftp://ftp.commentcamarche.com/download/HJTInstall.exe
= Right-click on Hijackthis
= Extract here (or extract without confirmation, or all, or unzip)
= right-click on Hijackthis ==> rename ==> type: test.exe (instead of hijackthis.exe) <== Important
= Double-click it
= Click Do a system scan and save the log
= paste the report
if you have problems, see the help
http://perso.orange.fr/rginformatique/section%20virus/demohijack.htm
julie64
 
Here is the HijackThis report. Besides telling me the problems, could you tell me how to optimize my computer by removing O4 and O23 lines, if needed...
Thanks for your help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:37, on 09/02/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\0f3b253aad0a8aabb3b967ea387368e5\update\update.exe
c:\windows\softwaredistribution\download\0f3b253aad0a8aabb3b967ea387368e5\spuninst.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ustart.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://jjpr64.wordpress.com/
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - https://jjpr64.wordpress.com/
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
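The helpers in this thread read the HijackThis log by eye. The following Python is an added example written for this thread, not code from HijackThis, VundoFix, Navilog1 or ComboFix, and not from any of the participants. It automates two checks over the kind of lines posted above: O16 DPF entries whose download source is a local protocol handler (the ms-its:mhtml: entry pointing at adxanet.net) rather than an http(s) or ftp URL, and the Vundo naming habit visible in the VundoFix and ComboFix reports later in the thread, where the BHO DLL's .ini/.ini2 companion carries the DLL stem spelled backwards (awvtu.dll with utvwa.ini, mlljk.dll with kjllm.ini). The sample lines and file names are copied from the reports in this thread; the finding labels are the example's own.

```python
"""Triage helpers for HijackThis / VundoFix output like the reports in this thread.

Added example written for this thread; it is not code from HijackThis,
VundoFix, Navilog1 or ComboFix. The sample lines are copied from the logs
in the thread so the checks run offline.
"""
import re

# One HijackThis entry: a section code (R0, F2, O4, O16, ...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")

# Constructed sample: four entries copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
"""

# Constructed sample: file names from the VundoFix and ComboFix reports in the thread,
# plus one legitimate DLL so the pairing check has something to ignore.
SAMPLE_FILES = [
    r"C:\windows\system32\awvtu.dll",
    r"C:\WINDOWS\system32\hggdcbc.dll",
    r"C:\WINDOWS\system32\nnnoool.dll",
    r"C:\windows\system32\utvwa.ini",
    r"C:\windows\system32\utvwa.ini2",
    r"C:\WINDOWS\system32\mlljk.dll",
    r"C:\WINDOWS\system32\kjllm.ini",
    r"C:\WINDOWS\system32\kjllm.ini2",
    r"C:\WINDOWS\system32\kernel32.dll",
]


def parse_hjt(text):
    """Return [(section, body), ...] for every entry line of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def dpf_source(body):
    """The download source of an O16 DPF entry is the text after the last ' - '."""
    return body.rsplit(" - ", 1)[-1].strip()


def is_suspicious_dpf(body):
    """Downloaded Program Files normally come from an http(s) or ftp URL.
    A source built on a local protocol handler (ms-its:, mhtml:, file:) means
    the control was pulled in through that handler rather than fetched as a
    plain .cab, which is what the adxanet.net entry in the log does."""
    return re.match(r"^(https?|ftp)://", dpf_source(body), re.I) is None


def vundo_pairs(paths):
    """Vundo/Virtumonde drops its BHO as <stem>.dll and keeps settings in
    <reversed stem>.ini / .ini2 in the same folder, as seen in the reports
    in this thread (awvtu.dll with utvwa.ini, mlljk.dll with kjllm.ini).
    Return the DLL stems that have such a reversed companion."""
    by_ext = {}
    for p in paths:
        name = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        stem, _, ext = name.rpartition(".")
        by_ext.setdefault(ext, set()).add(stem)
    inis = by_ext.get("ini", set()) | by_ext.get("ini2", set())
    return sorted(d for d in by_ext.get("dll", set()) if d[::-1] in inis)


def triage(hjt_text, file_list):
    """Collect the findings a helper would ask about first. O4 Run entries
    (such as [syswin] -> v6.exe) are parsed but left to a human: telling a
    rogue from a driver tray tool needs an allow-list this example does not carry."""
    findings = []
    for sec, body in parse_hjt(hjt_text):
        if sec == "O15":                      # any site added to the Trusted Zone
            findings.append(("trusted-zone", body))
        elif sec == "O16" and is_suspicious_dpf(body):
            findings.append(("dpf-local-handler", dpf_source(body)))
    for stem in vundo_pairs(file_list):
        findings.append(("vundo-pair", f"{stem}.dll / {stem[::-1]}.ini"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HJT, SAMPLE_FILES):
        print(f"{kind:20} {detail}")
```

Run against the four sample lines and the file list, `triage` reports the amaena.com Trusted Zone entry, the ms-its:mhtml: source, and the two awvtu/mlljk pairs; the O4 entry is parsed but not judged, which is the point: the pairing and protocol checks are mechanical, the Run-key review is not.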
gil le fantom Posts: 2809 Status: Member
 
Right-click this link:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Save target (of the link) as... and save it to your desktop.
Right-click navilog1.zip and choose "extract all"
Then double-click navilog1.exe to start the installation.
Once the installation is finished, the fix will run automatically.
(If it does not, double-click the Navilog1 shortcut on the desktop.)

Follow the prompts. At the main menu, choose 1 and confirm.
(do not choose 2, 3 or 4 without our advice/agreement)
Wait for the message:
*** Analyse Termine le ..... ***
Press a key as requested; Notepad will open.
Copy and paste the whole thing into a reply. Close Notepad.
The report is also saved at the root of the drive (fixnavi.txt)
julie64
 
Here is the navilog report

Search Navipromo version 3.4.3 started on 09/02/2008 at 11:54:08,87

!!! Warning, this report may list legitimate files/programs !!!
!!! Post this report on the forum to have it analysed !!!
!!! Do not run the disinfection part without a specialist's advice !!!

Tool run from C:\Program Files\navilog1
Updated on 06.02.2008 at 18h00 by IL-MAFIOSO

Microsoft Windows XP [version 5.1.2600]
Internet Explorer : 6.0.2600.0000
File system : NTFS

Run in normal mode

*** Searching installed programs ***

*** Searching folders in C:\WINDOWS ***

*** Searching folders in C:\Program Files ***

*** Searching folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***

*** Searching folders in "C:\Documents and Settings\pascal\application data" ***

*** Searching folders in "C:\Documents and Settings\pascal\local settings\application data" ***

*** Searching folders in "C:\Documents and Settings\pascal\MENUDM~1\PROGRA~1" ***

*** Searching folders in C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1 ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No file found

*** Search with GenericNaviSearch ***
!!! All these results may reveal legitimate files !!!
!!! Must be checked before any manual deletion !!!

* Searching in C:\WINDOWS\system32 *

* Searching in "C:\Documents and Settings\pascal\local settings\application data" *

*** Searching files ***

*** Searching specific registry keys ***

*** Additional search module ***
(Search for specific files)

1)Searching new Instant Access files :

2)Heuristic search :

* In C:\WINDOWS\system32 :

* In "C:\Documents and Settings\pascal\local settings\application data" :

3)Searching certificates :

Egroup certificate absent !

4)Searching known files :

C:\WINDOWS\system32\utvwa.ini2 found ! possible Vundo infection, not handled by this tool !

*** Analysis finished on 09/02/2008 at 11:56:57,84 ***

gil le fantom Posts: 2809 Status: Member
 
Download VundoFix.exe (by Atribune) to your Desktop.
http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to launch it.
* When the tool starts again, click the Scan for Vundo button
* Click the Scan for Vundo button.
* When the scan is complete, click the Remove Vundo button
* A prompt will ask whether you want to delete the files; click YES
* After you click "Yes", the Desktop will disappear for a moment while the files are deleted.
* You will see a prompt announcing that your PC is going to shut down ("shutdown"); click OK
* Start your PC again.
* Copy/paste the contents of the report located at C:\vundofix.txt, plus a new HijackThis! report, in your next reply.

Note: VundoFix may run into a file it cannot delete. If so, the tool will run at the next restart; just follow the instructions above, starting from "click the Scan for Vundo button".
g!rly Posts: 18462 Status: Contributor
 
Hi, both of you,

following along...
julie64
 
Is it normal to do so many scans? How come? Doesn't it say the same thing each time? Honestly, I try to understand the reports, but it's all Greek to me!!!
OK, I'll do vundo.
gil le fantom Posts: 2809 Status: Member
 
can you help me, g!rly? I won't be here this afternoon. thanks
gil le fantom Posts: 2809 Status: Member
 
judging by your report, you are definitely infected. PATIENCE
g!rly Posts: 18462 Status: Contributor
 
Hi julie64 and gil le fantom,

Yes, I can lend a hand ;-)

Let's wait for the result of vundofix, which seems a good idea to me...

See you
julie64
 
Thanks to both of you in any case, very kind of you to look after all of us... poor lost sheep..
Here are the two reports (by the way, one of the files won't go away, and vundo does not start again on reboot, it can't find it!!)

VundoFix V6.7.8

Checking Java version...

Scan started at 13:10:51 09/02/2008

Listing files found while scanning....

C:\windows\system32\awvtu.dll
C:\WINDOWS\system32\hggdcbc.dll
C:\WINDOWS\system32\nnnoomn.dll
C:\WINDOWS\system32\nnnoool.dll
C:\windows\system32\utvwa.ini
C:\windows\system32\utvwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awvtu.dll
C:\windows\system32\awvtu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggdcbc.dll
C:\WINDOWS\system32\hggdcbc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnoomn.dll
C:\WINDOWS\system32\nnnoomn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnoool.dll
C:\WINDOWS\system32\nnnoool.dll Could not be deleted.

Attempting to delete C:\windows\system32\utvwa.ini
C:\windows\system32\utvwa.ini Has been deleted!

Attempting to delete C:\windows\system32\utvwa.ini2
C:\windows\system32\utvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nnnoool.dll
C:\WINDOWS\system32\nnnoool.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:33:02, on 09/02/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\0f3b253aad0a8aabb3b967ea387368e5\update\update.exe
c:\windows\softwaredistribution\download\0f3b253aad0a8aabb3b967ea387368e5\spuninst.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ustart.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://jjpr64.wordpress.com/
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - https://jjpr64.wordpress.com/
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
g!rly Posts: 18462 Status: Contributor
 
julie,

Vundofix did a good job ;-)

do this:

Download combofix.exe (by sUBs) to your Desktop.

-> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-> Double-click combofix.exe.
-> Press the 1 key (Yes) to start the scan.
-> When the scan is complete, a report will appear. Copy/paste that report in your next reply.

NOTE: The report is also found here: C:\Combofix.txt
Note2: close your browser and your applications during the combofix scan, don't touch anything, not even your mouse, and post the report here please with a new HijackThis

See you
julie64
 
Here are the two reports

ComboFix 08-02.05.3 - pascal 2008-02-09 14:11:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1036.18.594 [GMT 1:00]
Location: C:\Documents and Settings\pascal\Local Settings\Temporary Internet Files\Content.IE5\C759S2XP\ComboFix[1].exe
* Creating a new restore point

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\mlljk.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Temporary
C:\WINDOWS\b122.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\Downloaded Program Files\UGA6PV_0001_N122M2910NetInstaller.exe
C:\WINDOWS\lcass.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\_003537_.tmp.dll
C:\WINDOWS\system32\_003698_.tmp.dll
C:\WINDOWS\system32\_003699_.tmp.dll
C:\WINDOWS\system32\_003700_.tmp.dll
C:\WINDOWS\system32\_003701_.tmp.dll
C:\WINDOWS\system32\_003708_.tmp.dll
C:\WINDOWS\system32\_003709_.tmp.dll
C:\WINDOWS\system32\_003710_.tmp.dll
C:\WINDOWS\system32\_003711_.tmp.dll
C:\WINDOWS\system32\_003713_.tmp.dll
C:\WINDOWS\system32\_003716_.tmp.dll
C:\WINDOWS\system32\_003717_.tmp.dll
C:\WINDOWS\system32\_003719_.tmp.dll
C:\WINDOWS\system32\_003720_.tmp.dll
C:\WINDOWS\system32\_003721_.tmp.dll
C:\WINDOWS\system32\_003722_.tmp.dll
C:\WINDOWS\system32\_003723_.tmp.dll
C:\WINDOWS\system32\_003724_.tmp.dll
C:\WINDOWS\system32\_003726_.tmp.dll
C:\WINDOWS\system32\_003730_.tmp.dll
C:\WINDOWS\system32\_003731_.tmp.dll
C:\WINDOWS\system32\_003733_.tmp.dll
C:\WINDOWS\system32\_003734_.tmp.dll
C:\WINDOWS\system32\_003736_.tmp.dll
C:\WINDOWS\system32\_003738_.tmp.dll
C:\WINDOWS\system32\_003739_.tmp.dll
C:\WINDOWS\system32\_003740_.tmp.dll
C:\WINDOWS\system32\_003741_.tmp.dll
C:\WINDOWS\system32\_003742_.tmp.dll
C:\WINDOWS\system32\_003745_.tmp.dll
C:\WINDOWS\system32\_003747_.tmp.dll
C:\WINDOWS\system32\_003748_.tmp.dll
C:\WINDOWS\system32\_003749_.tmp.dll
C:\WINDOWS\system32\_003753_.tmp.dll
C:\WINDOWS\system32\kernel32.exe
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini2
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\nnnoool.dll
C:\WINDOWS\system32\pac.txt

----- BITS: Possible infected sites -----

hxxp://au.õj+|Cü¤Ì›v÷+È@™JŸ:®½‰NêGD_©½ºD˜QÄ{¶ÀzÎtçÒ»ÌHžG†.XóÆ?1P
.
((((((((((((((((((((((((((((( Files created 2008-01-09 to 2008-02-09 ))))))))))))))))))))))))))))))))))))
.

2008-02-09 13:10 . 2008-02-09 13:42 <REP> d-------- C:\VundoFix Backups
2008-02-09 11:44 . 2008-02-09 11:57 <REP> d-------- C:\Program Files\Navilog1
2008-02-09 09:20 . 2008-02-09 09:20 <REP> d-------- C:\Documents and Settings\pascal\Application Data\Grisoft
2008-02-09 09:19 . 2008-02-09 09:21 <REP> d-------- C:\Program Files\AVG Anti-Spyware 7.5
2008-02-09 09:19 . 2008-02-09 09:19 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 09:19 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-08 21:38 . 2008-02-09 14:15 69,632 --a------ C:\WINDOWS\system32\el32.dll
2008-02-08 21:38 . 2008-02-08 21:38 47,104 --a------ C:\winklpo.exe
2008-02-08 21:38 . 2001-08-28 13:00 22,016 --a------ C:\WINDOWS\system32\userini.exe
2008-02-08 21:38 . 2008-02-08 21:38 175 --a------ C:\WINDOWS\el.ini
2008-02-07 08:51 . 2008-02-07 08:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 08:51 . 2008-02-07 08:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 19:55 . 2008-02-05 19:55 <REP> d-------- C:\Program Files\SpywareBlaster
2008-02-05 19:30 . 2008-02-05 19:30 <REP> d-------- C:\Program Files\Drmupgds
2008-02-04 21:23 . 2008-02-07 18:30 <REP> d-------- C:\Program Files\Everest Poker
2008-02-03 11:50 . 2008-02-03 11:50 <REP> d-------- C:\WINDOWS\system32\2A2E2E29302C2
2008-02-01 18:21 . 2008-02-01 18:21 36,864 --a------ C:\WINDOWS\17PHolmes572.exe
2008-02-01 18:18 . 2008-02-09 10:01 <REP> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-01 18:18 . 2008-02-01 18:55 <REP> d-------- C:\WINDOWS\system32\fee9
2008-02-01 18:18 . 2008-02-01 18:18 <REP> d-------- C:\WINDOWS\system32\dep1
2008-02-01 18:18 . 2008-02-01 18:22 <REP> d-------- C:\Temp
2008-02-01 18:18 . 2008-02-01 18:18 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-18 20:07 . 2008-02-09 08:40 <REP> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-09 07:41 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-02-02 17:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-02 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 18:37 --------- d-----w C:\Program Files\eChanblard
2008-01-03 10:04 --------- d-----w C:\Program Files\photo filtre
2007-12-25 20:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 02:02 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-22 15:04 --------- d-----w C:\Documents and Settings\pascal\Application Data\Canon
2004-07-18 05:54 460,728 ----a-w C:\WINDOWS\Fonts\SET4AF.tmp
2004-07-18 05:54 383,140 ----a-w C:\WINDOWS\Fonts\SET4AE.tmp
2004-07-18 05:54 355,436 ----a-w C:\WINDOWS\Fonts\SET4AD.tmp
2004-07-17 18:39 409,280 ----a-w C:\WINDOWS\Fonts\SET4AC.tmp
2004-07-17 18:39 398,372 ----a-w C:\WINDOWS\Fonts\SET4AB.tmp
2004-07-17 18:39 367,112 ----a-w C:\WINDOWS\Fonts\SET4B3.tmp
2004-07-17 18:39 352,224 ----a-w C:\WINDOWS\Fonts\SET4B2.tmp
2004-07-17 18:39 171,792 ----a-w C:\WINDOWS\Fonts\SET4A9.tmp
2004-07-17 18:39 155,068 ----a-w C:\WINDOWS\Fonts\SET4B0.tmp
2004-07-17 18:39 134,108 ----a-w C:\WINDOWS\Fonts\SET4AA.tmp
2004-07-17 18:39 127,596 ----a-w C:\WINDOWS\Fonts\SET4B1.tmp
.

((((((((((((((((((((((((((((((((( Registry loading points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not listed

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14CAEE54-05A8-4871-BC15-18D9CB96C0B9}]
C:\Program Files\MSN Gaming Zone\hopecedyC:\WINDOWS\System32\fee9\lenamd83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F09B3B64-7186-4AE5-9411-DEBA8BABD763}]
C:\WINDOWS\System32\awvtu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F62D24BE-AA0B-43E2-96E5-9A782D9B4154}]
C:\Program Files\MSN Gaming Zone\hopecedyC:\DOCUME~1\pascal\LOCALS~1\Temp\mst455101.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-28 13:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-05 19:30 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" []
"VTTrayp"="VTtrayp.exe" []
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-06-20 11:53 1056768]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-04 10:10 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 08:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"!AVG Anti-Spyware"="C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-28 13:00 13312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 14:16:04
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-09 14:18:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 13:17:52
.
2008-01-30 19:00:54 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:18:45, on 09/02/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ustart.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14CAEE54-05A8-4871-BC15-18D9CB96C0B9} - C:\Program Files\MSN Gaming Zone\hopecedyC:\WINDOWS\System32\fee9\lenamd83122.exe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {F09B3B64-7186-4AE5-9411-DEBA8BABD763} - C:\WINDOWS\System32\awvtu.dll (file missing)
O2 - BHO: (no name) - {F62D24BE-AA0B-43E2-96E5-9A782D9B4154} - C:\Program Files\MSN Gaming Zone\hopecedyC:\DOCUME~1\pascal\LOCALS~1\Temp\mst455101.exe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://jjpr64.wordpress.com/
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - https://jjpr64.wordpress.com/
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
0
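As an added example, not part of this thread and not code from the HijackThis or ComboFix tools: a small Python triage script that applies, to lines copied from the HijackThis log above (with a few known-good lines from the same log kept in as controls), the checks a helper performs by eye when reading such a log. It flags a registered component whose file is missing, a value in which two paths have been glued together (the `hopecedyC:\WINDOWS\...` entries), a component living under a Temp directory, an O16 ActiveX installer fetched through the ms-its/CHM protocol, and an O15 Trusted Zone entry that should be confirmed as intentional. For the flagged O2 entries it then emits a `Registry::` block in the CFScript format used in the next reply. The sample log and the reason texts are constructed for this example.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# with a known-good line of each type kept in as a control.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14CAEE54-05A8-4871-BC15-18D9CB96C0B9} - C:\Program Files\MSN Gaming Zone\hopecedyC:\WINDOWS\System32\fee9\lenamd83122.exe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F09B3B64-7186-4AE5-9411-DEBA8BABD763} - C:\WINDOWS\System32\awvtu.dll (file missing)
O2 - BHO: (no name) - {F62D24BE-AA0B-43E2-96E5-9A782D9B4154} - C:\Program Files\MSN Gaming Zone\hopecedyC:\DOCUME~1\pascal\LOCALS~1\Temp\mst455101.exe.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
"""

# "O2 - <body>", "R0 - <body>", ... : section tag followed by the entry.
SECTION_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A COM CLSID in braces, as HijackThis prints it.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path that contains a second "X:\" further on: two paths
# have been concatenated into one registry value, which no installer does.
GLUED_PATH_RE = re.compile(r"[A-Za-z]:\\.+?[A-Za-z]:\\")
# A component loaded from a Temp directory (8.3 short form included).
TEMP_PATH_RE = re.compile(r"\\(?:LOCALS~1\\)?Temp\\", re.IGNORECASE)


def flag_reasons(section, body):
    """Return the list of reasons one HijackThis entry deserves a look."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("registered component whose file no longer exists")
    if GLUED_PATH_RE.search(body):
        reasons.append("two paths glued together in one value")
    if TEMP_PATH_RE.search(body):
        reasons.append("component loaded from a Temp directory")
    if section == "O16" and ("ms-its:" in body.lower() or ".chm::" in body.lower()):
        reasons.append("ActiveX installer served through the ms-its/CHM protocol")
    if section == "O15":
        reasons.append("Trusted Zone entry lowers IE security for this domain; confirm it was added on purpose")
    return reasons


def triage(log_text):
    """Map every flagged HijackThis line to its list of reasons."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        reasons = flag_reasons(m["section"], m["body"])
        if reasons:
            findings[line] = reasons
    return findings


def flagged_bho_clsids(log_text):
    """CLSIDs of the flagged O2 (Browser Helper Object) entries."""
    clsids = []
    for line in triage(log_text):
        if line.startswith("O2 - "):
            m = CLSID_RE.search(line)
            if m:
                clsids.append(m.group(0))
    return clsids


def cfscript_registry_block(clsids):
    """Emit a Registry:: block, in the CFScript format used in this thread,
    that removes the BHO registration for each CLSID."""
    lines = ["Registry::"]
    for clsid in clsids:
        lines.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + clsid + "]")
    return "\n".join(lines)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LOG).items():
        print(line)
        for reason in reasons:
            print("    -", reason)
    print()
    print(cfscript_registry_block(flagged_bho_clsids(SAMPLE_HJT_LOG)))
```

Run as-is, it lists the five entries a helper would single out from the log above and prints a `Registry::` block naming the same three BHO CLSIDs that the next reply removes; the Adobe, Spybot, avast! and DivX control lines are left alone.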
g!rly Posts: 18462 Status: Contributor 406
 
re,

yes, we're on the right track ;-)

Copy the text below:

File::
C:\winklpo.exe
C:\WINDOWS\system32\el32.dll
C:\WINDOWS\el.ini
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\fee9
C:\WINDOWS\system32\dep1
C:\WINDOWS\System32\fee9\lenamd83122.exe.dll
C:\DOCUME~1\pascal\LOCALS~1\Temp\mst455101.exe.dll

Collect::
C:\winklpo.exe

Folder::
C:\VundoFix Backups
C:\Program Files\Navilog1
C:\Temp
C:\Program Files\MSN Gaming Zone

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14CAEE54-05A8-4871-BC15-18D9CB96C0B9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F09B3B64-7186-4AE5-9411-DEBA8BABD763}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F62D24BE-AA0B-43E2-96E5-9A782D9B4154}]

Open Notepad and paste the copied text.
(Start\All Programs\Accessories\Notepad.)
Save this file under the name CFScript.txt.

Now drag the CFScript.txt file onto Combofix.exe as shown below:

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

This will relaunch Combofix.

A blue window will appear: at the prompt that appears (Type 1 to continue, or 2 to abort), type 1 and press Enter.

Wait while the scan runs. The desktop will disappear several times: this is normal!

Don't touch anything until the scan is finished.

After the reboot, post the contents of the Combofix.txt report along with a HijackThis report.

If there is no reboot, post the reports anyway.

Download Zeb-Restore http://telechargement.zebulon.fr/zeb-restore.html and save the file to the desktop.

- Right-click Zeb-Restore.zip ==> Extract all, and choose the desktop as the destination.
- Open the ZR_1.0.0.37 folder ==> double-click Zeb-Restore.exe
- Tick the box in front of: "Préfixes et Protocoles Internet" (Internet prefixes and protocols) and "Sites de confiance et sensibles" (trusted and restricted sites).
- Don't tick any other box
- Click "Restaurer" (Restore)
- Restart your PC

Install a firewall:

firewall: Kerio

http://www.malekal.com/kerio_firewall.php#mozTocId721480

https://www.vulgarisation-informatique.com/kerio.php

https://kerio.probb.fr/f2-sunbelt-kerio-personal-firewall

or ZoneAlarm, easier to configure but less effective

https://www.malekal.com/tutoriel-zonealarm-firewall/

and

read this about Avast:

Antivir vs Avast:

-> http://forum.malekal.com/ftopic3528.php

so I advise you to uninstall it and install Antivir instead

Download and install the Antivir Personal Edition Classic antivirus:

-> https://www.malekal.com/avira-free-security-antivirus-gratuit/

https://www.avira.com/en/prime

http://mickael.barroux.free.fr/securite/antivir.php
http://speedweb1.free.fr/frames2.php?page=tuto5
<- tutorial on configuring the scanner...

Once Antivir is open, click Configuration and tick the "expert mode" box; then, on the Scanner tab in the window below, you will see: rootkit search. Click the little + to expand it and tick the box next to your hard disk.
Then click Configuration at the top right; in the new window, on the left > Scanner > tick "scan all files" and below it > scanner priority = High
Tick: allow stopping the scanner, so you can pause the scan if you wish.
Then on the right tick the following boxes:
scan boot sectors of selected drives
scan master boot sectors
scan memory
search for rootkit before scan
untick:
ignore off line files
Still on the left > scan > expand > heuristic > macrovirus heuristic = ticked, and below it > win32 heuristic box ticked and high detection level

I'm telling you this because I'd like you to run a full scan of your machine with Antivir using the settings given above and post the report in your next reply, along with the other reports.

Good luck ;-)

@+
0
julie64
 
So here are the ComboFix and HijackThis reports.
I'm carrying on with the procedure..
Do you know which sites caused this mess? My husband is asking whether Everest Poker is one of them?

ComboFix 08-02.05.3 - pascal 2008-02-09 14:58:06.2 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.0.1252.1.1036.18.591 [GMT 1:00]
Endroit: C:\Documents and Settings\pascal\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\pascal\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]

FILE
C:\DOCUME~1\pascal\LOCALS~1\Temp\mst455101.exe.dll
C:\WINDOWS\el.ini
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\dep1
C:\WINDOWS\system32\el32.dll
C:\WINDOWS\system32\fee9
C:\WINDOWS\System32\fee9\lenamd83122.exe.dll
C:\WINDOWS\system32\nGpxx01
C:\winklpo.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MSN Gaming Zone\Windows\bckg.dll
C:\Program Files\MSN Gaming Zone\Windows\bckgres.dll
C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe
C:\Program Files\MSN Gaming Zone\Windows\chkr.dll
C:\Program Files\MSN Gaming Zone\Windows\chkrres.dll
C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe
C:\Program Files\MSN Gaming Zone\Windows\cmnclim.dll
C:\Program Files\MSN Gaming Zone\Windows\Cmnresm.dll
C:\Program Files\MSN Gaming Zone\Windows\hrtz.dll
C:\Program Files\MSN Gaming Zone\Windows\hrtzres.dll
C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe
C:\Program Files\MSN Gaming Zone\Windows\rvse.dll
C:\Program Files\MSN Gaming Zone\Windows\rvseres.dll
C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe
C:\Program Files\MSN Gaming Zone\Windows\shvl.dll
C:\Program Files\MSN Gaming Zone\Windows\shvlres.dll
C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe
C:\Program Files\MSN Gaming Zone\Windows\uniansi.dll
C:\Program Files\MSN Gaming Zone\Windows\zclientm.exe
C:\Program Files\MSN Gaming Zone\Windows\ZCorem.dll
C:\Program Files\MSN Gaming Zone\Windows\zeeverm.dll
C:\Program Files\MSN Gaming Zone\Windows\ZNetM.dll
C:\Program Files\MSN Gaming Zone\Windows\zoneclim.dll
C:\Program Files\MSN Gaming Zone\Windows\zonelibM.dll
C:\Program Files\Navilog1
C:\Program Files\Navilog1\catchme.exe
C:\Program Files\Navilog1\GetPaths.exe
C:\Program Files\Navilog1\gnc.exe
C:\Program Files\Navilog1\navilog1.bat
C:\Program Files\Navilog1\oem2ansi.exe
C:\Program Files\Navilog1\Process.exe
C:\Program Files\Navilog1\reboot.exe
C:\Program Files\Navilog1\recherok.txt
C:\Program Files\Navilog1\reg.exe
C:\Program Files\Navilog1\regnavi.reg
C:\Program Files\Navilog1\traite.bat
C:\Program Files\Navilog1\traite2.bat
C:\Program Files\Navilog1\unins000.dat
C:\Program Files\Navilog1\unins000.exe
C:\Temp
C:\VundoFix Backups
C:\VundoFix Backups\awvtu.dll.bad
C:\VundoFix Backups\hggdcbc.dll.bad
C:\VundoFix Backups\nnnoomn.dll.bad
C:\VundoFix Backups\nnnoool.dll.bad
C:\VundoFix Backups\utvwa.ini.bad
C:\VundoFix Backups\utvwa.ini2.bad
C:\WINDOWS\el.ini
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\el32.dll
C:\winklpo.exe
C:\Program Files\MSN Gaming Zone . . . . Echec de suppression

.
((((((((((((((((((((((((((((( Fichiers créés 2008-01-09 to 2008-02-09 ))))))))))))))))))))))))))))))))))))
.

2008-02-09 14:11 . 2001-08-28 13:00 388,096 --a------ C:\kmd.exe
2008-02-09 14:10 . 2008-02-09 14:18 <REP> d-------- C:\ComboFix[1]
2008-02-09 09:20 . 2008-02-09 09:20 <REP> d-------- C:\Documents and Settings\pascal\Application Data\Grisoft
2008-02-09 09:19 . 2008-02-09 09:21 <REP> d-------- C:\Program Files\AVG Anti-Spyware 7.5
2008-02-09 09:19 . 2008-02-09 09:19 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 09:19 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-08 21:38 . 2001-08-28 13:00 22,016 --a------ C:\WINDOWS\system32\userini.exe
2008-02-07 08:51 . 2008-02-07 08:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 08:51 . 2008-02-07 08:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 19:55 . 2008-02-05 19:55 <REP> d-------- C:\Program Files\SpywareBlaster
2008-02-05 19:30 . 2008-02-05 19:30 <REP> d-------- C:\Program Files\Drmupgds
2008-02-04 21:23 . 2008-02-07 18:30 <REP> d-------- C:\Program Files\Everest Poker
2008-02-03 11:50 . 2008-02-03 11:50 <REP> d-------- C:\WINDOWS\system32\2A2E2E29302C2
2008-02-01 18:21 . 2008-02-01 18:21 36,864 --a------ C:\WINDOWS\17PHolmes572.exe
2008-02-01 18:18 . 2008-02-09 10:01 <REP> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-01 18:18 . 2008-02-01 18:55 <REP> d-------- C:\WINDOWS\system32\fee9
2008-02-01 18:18 . 2008-02-01 18:18 <REP> d-------- C:\WINDOWS\system32\dep1
2008-01-18 20:07 . 2008-02-09 08:40 <REP> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-09 07:41 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-02-02 17:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-02 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 18:37 --------- d-----w C:\Program Files\eChanblard
2008-01-03 10:04 --------- d-----w C:\Program Files\photo filtre
2007-12-25 20:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 02:02 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-22 15:04 --------- d-----w C:\Documents and Settings\pascal\Application Data\Canon
2004-07-18 05:54 460,728 ----a-w C:\WINDOWS\Fonts\SET4AF.tmp
2004-07-18 05:54 383,140 ----a-w C:\WINDOWS\Fonts\SET4AE.tmp
2004-07-18 05:54 355,436 ----a-w C:\WINDOWS\Fonts\SET4AD.tmp
2004-07-17 18:39 409,280 ----a-w C:\WINDOWS\Fonts\SET4AC.tmp
2004-07-17 18:39 398,372 ----a-w C:\WINDOWS\Fonts\SET4AB.tmp
2004-07-17 18:39 367,112 ----a-w C:\WINDOWS\Fonts\SET4B3.tmp
2004-07-17 18:39 352,224 ----a-w C:\WINDOWS\Fonts\SET4B2.tmp
2004-07-17 18:39 171,792 ----a-w C:\WINDOWS\Fonts\SET4A9.tmp
2004-07-17 18:39 155,068 ----a-w C:\WINDOWS\Fonts\SET4B0.tmp
2004-07-17 18:39 134,108 ----a-w C:\WINDOWS\Fonts\SET4AA.tmp
2004-07-17 18:39 127,596 ----a-w C:\WINDOWS\Fonts\SET4B1.tmp
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-28 13:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-05 19:30 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" []
"VTTrayp"="VTtrayp.exe" []
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-06-20 11:53 1056768]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-04 10:10 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 08:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"!AVG Anti-Spyware"="C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-28 13:00 13312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 15:01:37
Windows 5.1.2600 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-09 15:03:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 14:03:21
ComboFix2.txt 2008-02-09 13:18:01
.
2008-01-30 19:00:54 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:04, on 09/02/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ustart.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://jjpr64.wordpress.com/
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - https://jjpr64.wordpress.com/
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
0
gil le fantom Posts: 2809 Status: Member 25
 
No, it's not Everest Poker, I've had it for a year and I have no problem.
0
julie64
 
My husband will be happy... he can keep practising... ;-)
0
g!rly Posts: 18462 Status: Contributor 406
 
re,

yes, carry on with the procedure...

it's amaena that caused the trouble...

you should also know that Everest Poker contains the casino spyware, but it's "harmless" > an ad now and then...

@+
0
julie64
 
And now here are the Antivir reports... I say reports, plural, because I actually hadn't read your whole post and ran a first scan without the settings you had given me ;-(

without settings:

AntiVir PersonalEdition Classic
Report file date: samedi 9 février 2008 16:15

Scanning for 1096761 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (plain) [5.1.2600]
Username: SYSTEM
Computer name: PASCAL-0DM5OHSF

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 15:13:45
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 08/02/2008 15:13:45
ANTIVIR3.VDF : 7.0.2.114 2048 Bytes 08/02/2008 15:13:45
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 09/02/2008 15:13:47
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 09/02/2008 15:13:48
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: J:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: samedi 9 février 2008 16:15

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'Drmupgds.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Drmupgds\Drmupgds.exe'
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'opwareSE2.exe' - '1' Module(s) have been scanned
Scan process 'raid_tool.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'Drmupgds.exe' has been terminated
C:\Program Files\Drmupgds\Drmupgds.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.QY
[INFO] The file was moved to '481ac416.qua'!

33 processes with 32 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'J:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\userinit.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4812c41d.qua'!
C:\WINDOWS\system32\userinit.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

The registry was scanned ( '19' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\pascal\Bureau\[4]-Submit_2008-02-09@14.58.zip
[0] Archive type: ZIP
--> winklpo.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '480ac423.qua'!
C:\QooBox\Quarantine\catchme2008-02-09_141541.82.zip
[0] Archive type: ZIP
--> mlljk.dll.1
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4821c844.qua'!
C:\QooBox\Quarantine\C\VundoFix Backups\awvtu.dll.bad.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4823c863.qua'!
C:\QooBox\Quarantine\C\VundoFix Backups\hggdcbc.dll.bad.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4814c856.qua'!
C:\QooBox\Quarantine\C\VundoFix Backups\nnnoomn.dll.bad.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '481bc861.qua'!
C:\QooBox\Quarantine\C\VundoFix Backups\nnnoool.dll.bad.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '481bc863.qua'!
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir
[DETECTION] Is the Trojan horse TR/Dldr.Agent.haq.4
[INFO] The file was moved to '47dfc841.qua'!
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481cc884.qua'!
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.tmp.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481cc886.qua'!
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481cc888.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\mlljk.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4819c884.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnoool.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '481bc888.qua'!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP321\A0032748.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47ddc8c2.qua'!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP322\A0032856.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.VB.cge
[INFO] The file was moved to '47ddc8c9.qua'!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP322\A0032858.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47ddc8cc.qua'!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP338\A0039180.exe
[DETECTION] Is the Trojan horse TR/Agent.wxa.1
[INFO] The file was moved to '47ddc8e6.qua'!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP338\A0039181.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.cge
[INFO] The file was moved to '47ddc8ea.qua'!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP340\A0040099.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47ddc8ef.qua'!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP340\A0040100.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP340\A0040101.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP345\A0040187.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP345\A0040188.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP345\A0040189.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.haq.4
[INFO] The file was deleted!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP345\A0040191.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP345\A0040195.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP349\A0040780.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.QY
[INFO] The file was deleted!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP349\A0040781.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINDOWS\17PHolmes572.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
Begin scan in 'J:\' <disque 2>

End of the scan: samedi 9 février 2008 16:44
Used time: 28:57 min

The scan has been done completely.

3708 Scanning directories
193000 Files were scanned
31 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
10 files were deleted
0 files were repaired
20 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
192969 Files not concerned
1333 Archives were scanned
1 Warnings
0 Notes

With settings:

AntiVir PersonalEdition Classic
Report file date: samedi 9 février 2008 16:49

Scanning for 1096761 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (plain) [5.1.2600]
Username: SYSTEM
Computer name: PASCAL-0DM5OHSF

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 15:13:45
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 08/02/2008 15:13:45
ANTIVIR3.VDF : 7.0.2.114 2048 Bytes 08/02/2008 15:13:45
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 09/02/2008 15:13:47
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 09/02/2008 15:13:48
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: J:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high

Start of the scan: samedi 9 février 2008 16:49

Starting search for hidden objects.
'37320' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'opwareSE2.exe' - '1' Module(s) have been scanned
Scan process 'raid_tool.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'J:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '18' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\pascal\Bureau\hijackthis2.txt
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[INFO] The file was moved to '4817cc9e.qua'!
C:\Documents and Settings\pascal\Bureau\hijackthis3.txt
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[INFO] The file was deleted!
C:\Documents and Settings\pascal\Bureau\hijackthis4.txt
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[INFO] The file was deleted!
C:\Documents and Settings\pascal\Bureau\rapport hijack this.txt
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[INFO] The file was deleted!
C:\Program Files\HijackThis\hijackthis.log
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[INFO] The file was deleted!
C:\Program Files\HijackThis\startuplist.txt
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[WARNING] The file was ignored!
C:\System Volume Information\_restore{CBB9A764-9DF5-482C-A7E4-49B8AFE978B7}\RP349\A0040792.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47ddd58b.qua'!
Begin scan in 'J:\' <disque 2>

End of the scan: samedi 9 février 2008 17:38
Used time: 48:13 min

The scan has been done completely.

3705 Scanning directories
193184 Files were scanned
7 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
4 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
193177 Files not concerned
1337 Archives were scanned
2 Warnings
0 Notes
37320 Objects were scanned with rootkit scan
0 Hidden objects were found
0
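The two AntiVir reports above follow one simple line format (a file path, one or more `[DETECTION]` lines, then an `[INFO]`/`[WARNING]` line stating what was done), which makes them easy to triage by script. Below is an added Python example for reading that format; it is not code from the thread, from Avira or from the helpers on this forum. It extracts each detection with its outcome, counts outcomes the way the report's own summary does, and flags hits on core Windows binaries: the first report shows `C:\WINDOWS\system32\userinit.exe` being quarantined, and since Winlogon runs userinit.exe to start every user session, quarantining it normally leaves the machine unable to log on until the file is restored. The `CRITICAL_BINARIES` list and the sample report text are constructed for the example and mirror the lines on the page rather than reproducing a capture.

```python
"""Triage helper for Avira AntiVir scan reports in the format quoted above.

Added example, not Avira's code. The sample report at the bottom is
constructed to match the page's line format (it is not a real capture).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# A scanned-file entry starts with a drive letter, e.g. C:\WINDOWS\...
_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Outcome lines that follow a [DETECTION] line in the report.
_ACTION_RE = {
    "quarantined": re.compile(r"moved to '([0-9a-f]+\.qua)'"),
    "deleted": re.compile(r"was deleted"),
    "ignored": re.compile(r"was ignored"),
}

# Binaries a Windows XP session cannot start without. This list is our own
# assumption for the example, not something Avira publishes.
CRITICAL_BINARIES = {"userinit.exe", "winlogon.exe", "explorer.exe",
                     "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}


@dataclass
class Detection:
    path: str                          # file as printed in the report
    member: Optional[str]              # archive member if the hit was inside a ZIP
    signature: str                     # e.g. TR/Vundo.Gen
    action: str = "none"               # quarantined / deleted / ignored / none
    quarantine_id: Optional[str] = None


def parse_avira_report(text: str) -> list[Detection]:
    """Walk the report line by line, pairing each detection with its outcome."""
    found: list[Detection] = []
    path: Optional[str] = None
    member: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if _PATH_RE.match(line):
            path, member = line, None          # new file entry resets archive context
        elif line.startswith("-->"):
            member = line[3:].strip()          # member inside the current archive
        elif line.startswith("[DETECTION]") and path:
            # The signature name is always the last token of a DETECTION line.
            found.append(Detection(path, member, line.split()[-1]))
        elif line.startswith(("[INFO]", "[WARNING]")) and found:
            last = found[-1]
            # Attach the outcome only to a detection of the current file that
            # has no outcome yet; a bare "could not be opened" warning on a
            # file with no detection (pagefile.sys) is left alone.
            if last.path == path and last.action == "none":
                for name, rx in _ACTION_RE.items():
                    m = rx.search(line)
                    if m:
                        last.action = name
                        if name == "quarantined":
                            last.quarantine_id = m.group(1)
                        break
    return found


def summarize(detections: list[Detection]) -> dict[str, int]:
    """Count outcomes; comparable to the report's 'files were deleted/moved' lines."""
    return dict(Counter(d.action for d in detections))


def critical_system_hits(detections: list[Detection]) -> list[Detection]:
    """Detections whose file name is one of CRITICAL_BINARIES (archive members excluded)."""
    return [d for d in detections
            if d.member is None
            and d.path.rsplit("\\", 1)[-1].lower() in CRITICAL_BINARIES]


# Constructed sample in the page's format (quarantine ids are placeholders).
SAMPLE_REPORT = """\
Starting to scan the registry.
C:\\WINDOWS\\system32\\userinit.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4812c41d.qua'!
C:\\WINDOWS\\system32\\userinit.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

Begin scan in 'C:\\'
C:\\pagefile.sys
[WARNING] The file could not be opened!
C:\\Documents and Settings\\pascal\\Bureau\\sample.zip
[0] Archive type: ZIP
--> winklpo.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '480ac423.qua'!
C:\\Program Files\\HijackThis\\startuplist.txt
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[WARNING] The file was ignored!
C:\\WINDOWS\\17PHolmes572.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
"""

if __name__ == "__main__":
    hits = parse_avira_report(SAMPLE_REPORT)
    print(summarize(hits))
    for d in critical_system_hits(hits):
        print("core system file hit:", d.path, d.signature, d.action)
```

Run it on a saved report with `parse_avira_report(open("report.txt", encoding="cp1252").read())`. A detection with no following outcome line (the second userinit.exe entry above, exactly as in the first report) keeps `action == "none"`, which is worth checking by hand before rebooting; a detection inside a plain `.txt` report such as the HijackThis logs is also worth a second look before the count of "viruses found" is taken at face value.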
g!rly Posts 18462 Status Contributor 406
 
Hi again,

OK, very good Julie,

now do this:

Empty your temporary files with this:
->Clean Up 40:
http://pageperso.aol.fr/balltrap34/CleanUp40.exe
->illustrated help: (thanks to Balltrap34)
http://pageperso.aol.fr/balltrap34/democleanup.htm

click on Option and untick the box in front of: Delete Prefetch files

empty it manually:

:: The contents of the Prefetch folder ::

* C:\WINDOWS\Prefetch <= except the file layout.ini

* Don't forget to empty the Recycle Bin!

Disable your System Restore:
to do this:
Right-click My Computer, then in the menu click Properties;
in the new window click on the System Restore tab;
tick the box "Turn off System Restore" and apply.
Then restart the PC, right-click My Computer, then in the menu click Properties;
in the new window click on the System Restore tab
and untick the box "Turn off System Restore" and apply.

How is the PC now?

@+
0