A l'aide antivir détecte intrusions Résolu

Question

Bonjour,

Bonjour,

antivir me détecte plusieurs intrusions et mon pc est lent . Merci de m'aider ;)

Voici les rapports :

Antivir

AntiVir PersonalEdition Classic
Report file date: dimanche 24 février 2008 20:02

Scanning for 1120425 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: DISTRITOP

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 14:50:28
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 08/02/2008 21:08:55
ANTIVIR3.VDF : 7.0.2.180 334848 Bytes 22/02/2008 21:13:22
AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 16/02/2008 21:14:59
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 16/01/2008 21:08:44
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: dimanche 24 février 2008 20:02

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'CursorXP.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'Keyhook.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned
Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'libusbd-nt.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'BTNtService.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
41 processes with 41 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '27' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\composite.cab
[0] Archive type: CAB (Microsoft)
--> EnableDisable Internet Explorer Cookies.saf
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '482ecd98.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\script.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '4833cd8e.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\View\4\SupportAction.cab
[0] Archive type: CAB (Microsoft)
--> EnableDisable Internet Explorer Cookies.saf
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '4831cda2.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\composite.cab
[0] Archive type: CAB (Microsoft)
--> Schakel de cookies in Internet Explorer in of uit.saf
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '482ecda1.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\script.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '4833cd99.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\View\4\SupportAction.cab
[0] Archive type: CAB (Microsoft)
--> Schakel de cookies in Internet Explorer in of uit.saf
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '4831cdae.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\composite.cab
[0] Archive type: CAB (Microsoft)
--> Désactivez or activez les cookies dans Internet Explorer.saf
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '482ecdaa.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\script.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '4833cda0.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\View\4\SupportAction.cab
[0] Archive type: CAB (Microsoft)
--> Désactivez or activez les cookies dans Internet Explorer.saf
[DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
[INFO] The file was moved to '4831cdb4.qua'!
C:\System Volume Information\_restore{86E11626-5203-4B6B-99A3-889F6E4C5699}\RP861\A0279595.exe
[DETECTION] Contains detection pattern of the dropper DR/OneStep.C.90
[INFO] The file was moved to '47f3d7ac.qua'!
C:\WINDOWS\system32\ActiveScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '482cdd4b.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <HP_RECOVERY>

End of the scan: dimanche 24 février 2008 22:32
Used time: 2:30:45 min

The scan has been done completely.

6606 Scanning directories
461578 Files were scanned
2 viruses and/or unwanted programs were found
9 Files were classified as suspicious:
0 files were deleted
0 files were repaired
11 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
461576 Files not concerned
16196 Archives were scanned
2 Warnings
0 Notes

-----------------------------------------------------------------------------------------------------------------------

Hijackthis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:34, on 25/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Belgacom\bin\sprtcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\aideonline.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.proximus.be/pickx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ustart.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Belgacom] "C:\Program Files\Belgacom\bin\sprtcmd.exe" /P Belgacom
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Rechercher avec google - C:\Windows\Web\ContextGoo.htm.
O8 - Extra context menu item: Télécharger avec Star Downloader - C:\Documents and Settings\HP_Propriétaire\Mes documents\Star Downloader\sdie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {4E7BD74F-2B8D-469E-85B1-A42BE89AAE29} - https://www.proximus.be/pickx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-BE/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://selfcare.belgacom.net/static/pc/dlbridgesy/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - https://sourceforge.net/p/libusb-win32/wiki/Home/ - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

End of file - 10296 bytes

Afficher la suite

g!rly · Answer

Bonsoir aless2706,

Je suis là ;-)

A l´aide de hijack this coche et fix ceci :

O16 - DPF: {4E7BD74F-2B8D-469E-85B1-A42BE89AAE29} - https://www.proximus.be/pickx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

Télécharge Clean:

-> http://www.malekal.com/download/clean.zip

-> Dézippe tout le contenu dans un dossier que tu auras cré au préalable (sur ton bureau par exemple). Double clic sur clean ou clean.cmd choisie l'option 1.
   
   Un rapport va s'ouvrir, copie et colle le contenu sur le forum.

-> pour ceux ou celles qui auraient un doute sur comment deziper un fichier :

   http://www.tutopat.com/viewtopic.php?t=933&sid=34215b238376bfb22ef9e8eca9995914

@+

aless2706 · Answer

Ah merci d'etre venue ;) 

 
Voici le rapport 


lun. 25/02/2008 a 20:37:01.67 
 
*** Recherche des fichiers dans C: 
 
*** Recherche des fichiers dans C:\WINDOWS\ 
C:\WINDOWS\ALCXMNTR.EXE FOUND 
 
*** Recherche des fichiers dans C:\WINDOWS\system32 
"C:\WINDOWS\Downloaded Program Files\CONFLICT.1" FOUND 
 
*** Recherche des fichiers dans C:\Program Files 
*** Fin du rapport !

g!rly · Answer

;-)

D´une pierre deux coups en mode sans echec :

A.V.G :

-> Télécharger AVG Anti-Spyware (ewido)

   http://www.commentcamarche.net/telecharger/telecharger 218 avg anti spyware

-> L´installer.

-> lancer AVG Anti-Spyware et clicker sur le bouton Mise à jour. Patienter...
   
   p.s : si les mises a jours ne se font pas, elles sont telechargable ici :

   http://downloads.ewido.net/avgas-signatures-full-current.exe

-> Sur la page "analyse":

   choisir d´abord l'onglet "paramètres".
   
   sous « Comment réagir » clicker sur « Actions recommandées » et dans le menu déroulant, choisir « Supprimer ».

-> Une aide en image au cas ou :

   Tutoriel d´installation et de parametrages :

   http://www.kachouri.com/tuto/tuto-161-avg-anti-spyware-75-pour-votre-securite.html   

-> Redémarre en mode sans échec : 

   Comment redémarrer en mode sans echec? 

   Tu redemarre le pc et tapote la touche F8 des le début de l allumage sans t´arrêter.
   Une fenêtre sur fond noir va s’ouvrir, tu te déplaces avec les flèches du clavier sur démarrer en mode sans échec puis tape entrée.
   Une fois sur le bureau si il n y a pas toutes les couleurs et autres c´est normal!
   Ps : si F8 ne marche pas utilise la touche F5.

-> Tuto : http://forum.telecharger.01net.com/forum/high-tech/SECURITE/Securite/redemarrer-mode-echec-sujet_1526_1.htm

-> Une fois en mode sans echec, 

demarres le scan a l´aide d´avg

-> Lancer le scan, (c´est long...).

-> A la fin du scan copier Et coller le rapport ici. 

puis

ouvre le dossier que tu auvais crée et click sur clean.cmd et choisis l'option 2.

-> Redémarre normalement et poste le rapport de clean et celui d´avg. 

@+

aless2706 · Answer

Voila , alors j'ai eu un petit problème , je n'ai pas eu le rapport d'AVG , s'est-il enregistré automatiquement quelque part ? 

Je me rappelle qu'il avait trouvé 7 fichiers suspect et ensuite j'ai mis utiliser les actions je crois et ca c'est supprimé , ensuite j'ai regardé dans l'onglet rapport mais il n'y en avait aucun..

sinon voici le rapport Clean : 


Script execute en mode sans echec 
Rapport clean par Malekal_morte - http://www.malekal.com 
Script execute en mode sans echec lun. 25/02/2008 a 22:33:24.64 

Microsoft Windows XP [version 5.1.2600]
 
*** Suppression des fichiers dans C: 
 
*** Suppression des fichiers dans C:\WINDOWS\ 
tentative de suppression de C:\WINDOWS\ALCXMNTR.EXE 
 
*** Suppression des fichiers dans C:\WINDOWS\system32 
tentative de suppression de "C:\WINDOWS\Downloaded Program Files\CONFLICT.1" 
 
*** Suppression des fichiers dans C:\Program Files 
 
*** Suppression des clefs du registre effectuee.. 
*** Fin du rapport ! 


Merci de ton aide ;)

g!rly · Answer

Re,

C´est dommage pour le rapport d´avg...

passe ceci :

Télécharge combofix.exe (par sUBs) sur ton Bureau.

-> http://download.bleepingcomputer.com/sUBs/ComboFix.exe     

-> Double clique combofix.exe.
-> Tape sur la touche 1 (Yes) pour démarrer le scan.
-> Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse. 

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

Avant d'utiliser ComboFix :

-> Déconnecte toi d'internet et referme les fenêtres de tous les programmes en cours.

-> Désactive provisoirement et seulement le temps de l'utilisation de ComboFix, la protection en temps réel de ton Antivirus et de tes Antispywares, qui peuvent géner fortement la procédure de recherche et de nettoyage de l'outil.

Une fois fait, sur ton bureau double-clic sur Combofix.exe.

- Répond oui au message d'avertissement, pour que le programme commence à procéder à l'analyse du pc.

/!\ Pendant la durée de cette étape, ne te sert pas du pc et n'ouvre aucun programmes.

- En fin de scan il est possible que ComboFix ait besoin de redemarrer le pc pour finaliser la désinfection\recherche, laisses-le faire.

- Un rapport s'ouvrira ensuite dans le bloc notes, ce fichier rapport Combofix.txt, est automatiquement sauvegardé et rangé à C:\Combofix.txt)

-> Réactive la protection en temps réel de ton Antivirus et de tes Antispywares, avant de te reconnecter à internet.

-> Reviens sur le forum, et copie et colle la totalité du contenu de C:\Combofix.txt dans ton prochain message.

-> Tutoriel https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix

@+

aless2706 · Answer

Slt Alors voila le rapport combofix ComboFix 08-02-25.3 - HP_Propriétaire 2008-02-26 9:41:40.1 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.33 [GMT 1:00] Endroit: C:\Documents and Settings\HP_Propriétaire\Bureau\ComboFix.exe . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . D:\Autorun.inf . ((((((((((((((((((((((((((((( Fichiers créés 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))))))) . 2008-02-25 21:20 . 2008-02-25 21:20 d-------- C:\Documents and Settings\HP_Propriétaire\Application Data\Grisoft 2008-02-25 21:19 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-02-24 17:47 . 2008-02-24 17:47 d-------- C:\Program Files\Lavasoft 2008-02-24 17:47 . 2008-02-24 17:49 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-02-24 17:46 . 2008-02-24 17:46 d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-02-23 16:38 . 2007-09-02 20:37 4,096 --a------ C:\WINDOWS\system32\drivers\KProcCheck.sys 2008-02-23 13:09 . 2008-02-23 13:09 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2008-02-23 13:08 . 2008-02-24 22:08 d-------- C:\WINDOWS\system32\ActiveScan 2008-02-23 11:03 . 2008-02-23 11:03 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-02-23 08:22 . 2008-02-23 08:22 d-------- C:\Program Files\Trend Micro 2008-02-23 08:10 . 2008-02-23 08:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-02-23 08:10 . 2008-02-23 08:10 1,409 --a------ C:\WINDOWS\QTFont.for 2008-02-14 08:15 . 2008-02-14 08:15 39,936 --a------ C:\ventedavid.doc 2008-02-10 10:46 . 2004-03-08 23:00 224,016 --a------ C:\WINDOWS\system32\TABCTL32.OCX 2008-02-10 10:46 . 1998-07-12 23:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll 2008-02-10 10:46 . 1998-07-12 19:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL 2008-02-04 22:55 . 2008-02-04 22:55 d-------- C:\Program Files\WinLemm 2008-02-04 16:33 . 2004-08-04 00:54 21,504 --a------ C:\WINDOWS\system32\hidserv.dll 2008-02-04 16:33 . 2004-08-04 00:54 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll 2008-02-04 16:32 . 2004-08-04 00:45 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys 2008-02-04 16:32 . 2004-08-04 00:45 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys 2008-02-04 10:22 . 2008-02-04 10:22 d-------- C:\Program Files\LibUSB-Win32-0.1.10.1 2008-02-02 11:26 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys 2008-02-02 11:26 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys 2008-02-02 10:54 . 2008-02-05 20:01 d-------- C:\Program Files\Project64 1.6 2008-02-02 10:49 . 2005-03-09 20:50 46,592 --a------ C:\WINDOWS\system32\libusb0.dll 2008-02-02 10:49 . 2005-03-09 20:50 33,792 --a------ C:\WINDOWS\system32\drivers\libusb0.sys 2008-02-02 10:49 . 2005-03-09 20:50 19,456 --a------ C:\WINDOWS\system32\libusbd-9x.exe 2008-02-02 10:49 . 2005-03-09 20:50 18,944 --a------ C:\WINDOWS\system32\libusbd-nt.exe . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-25 23:17 --------- d-----w C:\Program Files\Microsoft Works 2008-02-25 23:17 --------- d-----w C:\Program Files\Makro 2008-02-25 23:17 --------- d-----w C:\Program Files\Easy Internet signup 2008-02-25 23:17 --------- d-----w C:\Program Files\DivX 2008-02-25 21:58 --------- d-----w C:\Program Files\EuroPoker 2008-02-23 13:01 --------- d-----w C:\Program Files\Windows Live Toolbar 2008-02-23 13:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-02-23 13:00 --------- d-----w C:\Program Files\QuickTime 2008-02-23 12:51 --------- d-----w C:\Program Files\Google 2008-02-23 12:49 --------- d-----w C:\Program Files\CursorXP 2008-02-13 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-01-27 10:24 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\uTorrent 2008-01-26 08:09 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-26 08:09 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Sega 2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2007-12-07 02:08 824,832 ----a-w C:\WINDOWS\system32\wininet.dll 2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\oleaut32.dll 2007-10-14 09:34 30,832 ----a-w C:\Documents and Settings\HP_Propriétaire\Application Data\GDIPFONTCACHEV1.DAT 2005-04-20 19:18 56 --sh--r C:\WINDOWS\system32\2565851E8D.sys 2005-04-21 05:20 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34 128000] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-18 18:51 68856] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 11:00 15360] "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-01-29 17:34 598920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-01 15:07 32881] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472] "nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32 wiz.exe] "VTTimer"="VTTimer.exe" [] "SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-20 09:47 249856] "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe] "AlcxMonitor"="ALCXMNTR.EXE" [] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-31 10:48 249896] "Belgacom"="C:\Program Files\Belgacom\bin\sprtcmd.exe" [2006-06-22 08:34 192512] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-01 17:45 98304] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableLockWorkstation"= 0 (0x0) "DisableChangePassword"= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoLogoff"= 0 (0x0) "rightsTest"= 1 (0x1) "DisallowRun"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun] "2"= firefox.exe "3"= Opera.exe "4"= netscape.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "C:\WINDOWS\system32\ftp.exe"= "C:\Program Files\iTunes\iTunes.exe"= "C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"= "C:\Program Files\Messenger\msmsgs.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "C:\Program Files\Ares\Ares.exe"= "C:\Program Files\MSN Messenger\msnmsgr.exe"= "C:\Program Files\MSN Messenger\livecall.exe"= "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"= "C:\Program Files\uTorrent\uTorrent.exe"= "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "15001:TCP"= 15001:TCP:Utor1 R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21] R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21] R2 Planificateur LiveUpdate automatique;Planificateur LiveUpdate automatique;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 16:29] R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21] R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50] S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2003-12-08 12:53] S3 cdiskdun;cdiskdun;C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys [] S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S3 V0010bVd;Creative WebCam Vista #2;C:\WINDOWS\system32\DRIVERS\V0010bVd.sys [2003-04-21 08:19] S3 XPADFL02;XPAD Filter Service 02;C:\WINDOWS\system32\DRIVERS\xpadfl02.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccad4655-7fb8-11da-8968-00112fbf7215}] \Shell\AutoRun\command - F:\autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6c701a4-37b0-11dc-8c14-00112fbf7215}] \Shell\AutoRun\command - F:\Exe\Autorun.exe . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-02-23 20:47:19 C:\WINDOWS\Tasks\Connexion facile à Internet.job" - C:\Program Files\Easy Internet signup\HPSdpApp.exe "2008-02-26 08:43:04 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-26 09:47:10 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-02-26 9:49:54 ComboFix-quarantined-files.txt 2008-02-26 08:49:45 . 2008-02-13 16:20:16 --- E O F ---

g!rly · Answer

Salut Aless,

* Télécharge OTMoveIt2 (de Old_Timer) sur ton bureau : http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Double-clique sur OTMoveIt.exe pour lancer le programme,
* Copie la liste de fichiers ou de dossiers ci-dessous et colle-la dans la fenêtre du programme "Paste Custom List of Files/Folders to Move" :

C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\ActiveScan 

* Clique sur MoveIt! pour lancer la suppression,
* Le résultat appraraîtra dans le cadre Results.
* Clique sur Exit pour fermer le programme.
* Poste le rapport qui est situé ici : C:\\_OTMoveIt\MovedFiles
* Il te sera peut-être demandé de redémarrer ton PC. Dans ce cas, clique sur Yes.

Peux tu me dire a quoi correspondent :

C:\Program Files\Project64 1.6
C:\Program Files\Makro

@+

aless2706 · Answer

Re voici le rapport [Custom Input] < C:\WINDOWS\system32\pavas.ico > C:\WINDOWS\system32\pavas.ico moved successfully. < C:\WINDOWS\system32\ActiveScan > C:\WINDOWS\system32\ActiveScan moved successfully. OTMoveIt2 v1.0.20 log created on 02262008_115910 ------------------------------------------------------------------------ Concernant les fichiers , project 64 correspond a un émulateur nintendo et makro , c est un programme pour faire un montage photo , et d'ailleur je vais le supprimer il ne me sert a rien ;) merci de ton aide

g!rly · Answer

Ok

Peux tu performer un scan en ligne ? :

Fais un scan en ligne Kaspersky avec Internet Explorer :
https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr
-> Click sur Démarrer Online-Scanner
-> Click maintenant sur J'accepte.
-> Valide l'installation d'un ou de plusieurs ActiveX si c'est nécessaire.
-> Patiente pendant l'installation des Mises à jour.
-> Choisis par la suite l'analyse du Poste de travail.
-> Sauvegarde puis colle le rapport généré en fin d'analyse.

@+

aless2706 · Answer

Voila le scan 

-------------------------------------------------------------------------------
 KASPERSKY ON-LINE SCANNER REPORT
 Tuesday, February 26, 2008 4:31:08 PM
 Système d'exploitation : Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky On-line Scanner version : 5.0.83.0
 Dernière mise à jour de la base antivirus Kaspersky : 26/02/2008
 Enregistrements dans la base antivirus Kaspersky : 536122
-------------------------------------------------------------------------------

Paramètres d'analyse:
	Analyser avec la base antivirus suivante: standard
	Analyser les archives: vrai
	Analyser les bases de messagerie: vrai

Cible de l'analyse - Poste de travail:
	A:\
	C:\
	D:\
	E:\
	F:\
	G:\

Statistiques de l'analyse:
	Total d'objets analysés: 76111
	Nombre de virus trouvés: 0
	Nombre d'objets infectés: 0 / 0
	Nombre d'objets suspects: 0
	Durée de l'analyse: 02:30:30

Nom de l'objet infecté / Nom du virus / Dernière action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-26_Log.ALUSchedulerSvc.LiveUpdate	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Cookies\index.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\Adobe\Updater5\aumLib.log	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\state\logs\sprtcmd.log	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Historique\History.IE5\index.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Historique\History.IE5\MSHist012008022620080227\index.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\index.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire
tuser.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\HP_Propriétaire
tuser.dat.LOG	L'objet est verrouillé	ignoré
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	L'objet est verrouillé	ignoré
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\LocalService\Local Settings\Temp\Fichiers Internet temporaires\Content.IE5\index.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\LocalService\NTUSER.DAT	L'objet est verrouillé	ignoré
C:\Documents and Settings\LocalService
tuser.dat.LOG	L'objet est verrouillé	ignoré
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	L'objet est verrouillé	ignoré
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	L'objet est verrouillé	ignoré
C:\Documents and Settings\NetworkService\NTUSER.DAT	L'objet est verrouillé	ignoré
C:\Documents and Settings\NetworkService
tuser.dat.LOG	L'objet est verrouillé	ignoré
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080226-090036.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs
etwork.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs
etwork.log.idx	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log	L'objet est verrouillé	ignoré
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx	L'objet est verrouillé	ignoré
C:\System Volume Information\MountPointManagerRemoteDatabase	L'objet est verrouillé	ignoré
C:\System Volume Information\_restore{86E11626-5203-4B6B-99A3-889F6E4C5699}\RP880\change.log	L'objet est verrouillé	ignoré
C:\WINDOWS\Debug\PASSWD.LOG	L'objet est verrouillé	ignoré
C:\WINDOWS\SchedLgU.Txt	L'objet est verrouillé	ignoré
C:\WINDOWS\SoftwareDistribution\EventCache\{983FD2DC-2A01-4A59-AC25-237CE475ED82}.bin	L'objet est verrouillé	ignoré
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	L'objet est verrouillé	ignoré
C:\WINDOWS\Sti_Trace.log	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\CatRoot2\edb.log	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\CatRoot2	mp.edb	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\AppEvent.Evt	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\default	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\default.LOG	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\Internet.evt	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\ODiag.evt	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\OSession.evt	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\SAM	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\SAM.LOG	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\SecEvent.Evt	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\SECURITY	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\SECURITY.LOG	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\software	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\software.LOG	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\SysEvent.Evt	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\system	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\config\system.LOG	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\drivers\sptd.sys	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\h323log.txt	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	L'objet est verrouillé	ignoré
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	L'objet est verrouillé	ignoré
C:\WINDOWS\Temp\Perflib_Perfdata_208.dat	L'objet est verrouillé	ignoré
C:\WINDOWS\wiadebug.log	L'objet est verrouillé	ignoré
C:\WINDOWS\wiaservc.log	L'objet est verrouillé	ignoré
C:\WINDOWS\WindowsUpdate.log	L'objet est verrouillé	ignoré
D:\System Volume Information\_restore{86E11626-5203-4B6B-99A3-889F6E4C5699}\RP880\change.log	L'objet est verrouillé	ignoré

Analyse terminée.

g!rly · Answer

Re,

Supprime ceci :

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Symantec

pour ce faire tu devras surement faire ceci :

Affiche tous les fichiers et dossiers :
Pour cela :
Clique sur démarrer/panneau de configuration/option des dossiers/affichage

Cocher afficher les dossiers cacher

Décoche la case "Masquer les fichiers protégés du système d'exploitation (recommandé)"

Décocher masquer les extensions dont le type est connu

Puis fais «Ok» pour valider les changements.

Et appliquer ! 

Ps : ne recache pas encore tes fichiers/dossiers car tu aura besoin de voir l´integralité du fichier prefect pour le vider manuellement a l´etape 3...

Puis nettoie tes fichiers temporaires avec :

1
nettoie tes fichiers temporaires avec ceci : atf cleaner, regarde le tuto...

http://www.infosecu.fr/atf.html

telecharge le ici :

http://serveur1.archive-host.com/membres/up/1366464061/ATF-Cleaner.rar

2
Ccleaner:

-> Télécharge Ccleaner (n'installe pas la barre d'outil Yahoo):

   http://www.commentcamarche.net/telecharger/telechargement 168 ccleaner

-> L´installer.

-> Une fois installé et lancé :

   Dans la colonne de gauche, click sur :

   ->"erreurs" :

      Coches toutes les cases sous"l´integrité du registre", puis click en bas sur "chercher des erreurs" une fois terminé, clic sur "reparer les erreurs", tu auras un message pour sauvegarder ta base de registre, tu click "oui" puis tu recommence jusqu'à ce qu'il ne trouve plus rien.
      
      ps : les sauvegardes que tu auras faites, pourront etre supprimées ulterieurement si tout va bien.

   ->"nettoyeur"
   
      quitte ton navigateur avant de le lancer, dans les propriétés du nettoyeur de l´onglet "windows" et "applications"décoche la derniere case (Avancé si elle est cochée) puis click sur "lancer le nettoyage" qunand il aura terminé le scan click en bas a droite sur "lancer le nettoyage" et accepte par oui.

-> Tutoriel en image :

   https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php

-> Pour ceux qui voudraient aller plus loin en compagnie de jesses (fonctions avancés) :

   http://perso.orange.fr/jesses/Docs/Logiciels/CCleaner.htm 

3
Vide tes fichiers temporaires avec ceci:
->Clean Up 40:
http://pageperso.aol.fr/balltrap34/CleanUp40.exe
->aide en image:(merci a Balltrap34)
http://pageperso.aol.fr/balltrap34/democleanup.htm

click sur option et décoche la case devant : delete prefect files

vide le manuellement :

:: Le contenu du dossier prefetch ::

* C:\WINDOWS\Prefetch <= sauf le fichier layout.ini

* Ne pas oublier de vider la corbeille !

redemarre pas meme si clean up t´y invite...

recache tes fichiers et dossiers...

Désactive ta restauration système:
pour cela :
Click droit sur poste de travail, dans l´arborescence sur propriétés; 
dans la nouvelle fenettre click sur l´onglet restauration système;
coche la case désactiver la restauration systèm et applique.
puis redemarre le pc et click droit sur poste de travail, dans l´arborescence sur propriétés; 
dans la nouvelle fenettre click sur l´onglet restauration systèm
décoche la case désactiver la restauration systèm et applique. 

Une fois redemarrer refais un scan avec antivir avec les reglages ci dessous et post le rapport :

une fois antivir ouvert click surconfiguration et coche la case "expert mode" puis sur l´onglet scanner dans la fenetre du dessous tu va voir : rootkit search click sur le petit + pour deployer et coche la case a coté de ton disk dur
puis click sur configuration en haut a droite; dans la nouvelle fenetre a gauche >scanner > coche "scan all files" et en dessous >scanner priority = High
coche : allow stopping the scanner, comme cela tu peux faire une pause pendant le scan si tu le desir.
puis sur la droite coche les case suivantes : 
scan boot sectors of selected drives
scan master boot sectors
scan memory
search foe rootkit before scan
decoche :
ignore off line files
toujours a gauche > scan > deploie > heuristique > macrovirus heuristic = coché et en dessous > win32 heuristic la case coché et high detection level

@+

aless · Answer

juste une petite chose avant que je redémarre l'ordinateur et que je fasse aller antivir , les 3 fichiers là ne veulent pas se supprimer 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat 
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat 
C:\Documents and Settings\All Users\Application Data\Symantec 

un message d'erreur s'affiche en disant que c'est partagé ou utilisé

aless2706 · Answer

Voila , j'ai fait l'analyse, parcontre l'option rootkit search n'était pas présente dans l'onglet scan ( expert mode était bien coché ) voici le rapport : AntiVir PersonalEdition Classic Report file date: mardi 26 février 2008 19:44 Scanning for 1123111 virus strains and unwanted programs. Licensed to: Avira AntiVir PersonalEdition Classic Serial number: 0000149996-ADJIE-0001 Platform: Windows XP Windows version: (Service Pack 2) [5.1.2600] Username: SYSTEM Computer name: DISTRITOP Version information: BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00 AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29 AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51 LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47 LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20 ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15 ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 14:50:28 ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 24/02/2008 21:30:51 ANTIVIR3.VDF : 7.0.2.189 25600 Bytes 25/02/2008 21:49:54 AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 16/02/2008 21:14:59 AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26 AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17 AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24 AVPACK32.DLL : 7.6.0.3 360488 Bytes 16/01/2008 21:08:44 AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06 AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33 AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18 NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42 RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13 RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37 SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21 Configuration settings for the scan: Jobname..........................: Complete system scan Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp Logging..........................: low Primary action...................: interactive Secondary action.................: ignore Scan master boot sector..........: on Scan boot sector.................: on Boot sectors.....................: D:, Scan memory......................: on Process scan.....................: on Scan registry....................: on Search for rootkits..............: on Scan all files...................: All files Scan archives....................: on Recursion depth..................: 20 Smart extensions.................: on Macro heuristic..................: on File heuristic...................: low Start of the scan: mardi 26 février 2008 19:44 Starting search for hidden objects. '57621' objects were checked, '0' hidden objects were found. The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'iexplore.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned Scan process 'CursorXP.exe' - '1' Module(s) have been scanned Scan process 'avgas.exe' - '1' Module(s) have been scanned Scan process 'qttask.exe' - '1' Module(s) have been scanned Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'rundll32.exe' - '1' Module(s) have been scanned Scan process 'rundll32.exe' - '1' Module(s) have been scanned Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned Scan process 'Keyhook.exe' - '1' Module(s) have been scanned Scan process 'jusched.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'wuauclt.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned Scan process 'snmp.exe' - '1' Module(s) have been scanned Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned Scan process 'libusbd-nt.exe' - '1' Module(s) have been scanned Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned Scan process 'BTNtService.exe' - '1' Module(s) have been scanned Scan process 'guard.exe' - '0' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'aawservice.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 43 processes with 43 modules were scanned Starting master boot sector scan: Master boot sector HD0 [NOTE] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [NOTE] No virus was found! Boot sector 'D:\' [NOTE] No virus was found! Starting to scan the registry. The registry was scanned ( '25' files ). Starting the file scan: Begin scan in 'C:\' C:\pagefile.sys [WARNING] The file could not be opened! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\composite.cab [0] Archive type: CAB (Microsoft) --> Schakel de cookies in Internet Explorer in of uit.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '483160cb.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\script.htm [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '483660c1.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\View\4\SupportAction.cab [0] Archive type: CAB (Microsoft) --> Schakel de cookies in Internet Explorer in of uit.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '483460d5.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\composite.cab [0] Archive type: CAB (Microsoft) --> Désactivez or activez les cookies dans Internet Explorer.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '483160d1.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\script.htm [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '483660c8.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\View\4\SupportAction.cab [0] Archive type: CAB (Microsoft) --> Désactivez or activez les cookies dans Internet Explorer.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '483460dc.qua'! C:\WINDOWS\system32\drivers\sptd.sys [WARNING] The file could not be opened! Begin scan in 'D:\' End of the scan: mardi 26 février 2008 20:56 Used time: 1:11:30 min The scan has been done completely. 6327 Scanning directories 453883 Files were scanned 0 viruses and/or unwanted programs were found 6 Files were classified as suspicious: 0 files were deleted 0 files were repaired 6 files were moved to quarantine 0 files were renamed 2 Files cannot be scanned 453883 Files not concerned 16184 Archives were scanned 2 Warnings 0 Notes 57621 Objects were scanned with rootkit scan 0 Hidden objects were found

g!rly · Answer

Re,

La recherche de rootkit est bien enclanché par contre c´est la detection des File heuristic...................: low 

toujours a gauche > scan > deploie > heuristique > macrovirus heuristic = coché et en dessous > win32 heuristic la case coché et high detection level 

Par contre il detecte toujours les memes fichiers...

Je ne voie pas trop a quoi correspond ce dossier : C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight

Affiche tous les fichiers et dossiers :
Pour cela :
Clique sur démarrer/panneau de configuration/option des dossiers/affichage

Cocher afficher les dossiers cacher

Décoche la case "Masquer les fichiers protégés du système d'exploitation (recommandé)"

Décocher masquer les extensions dont le type est connu

Puis fais «Ok» pour valider les changements.

Et appliquer !

Va voire dedans et dis moi ce qu´il contient et sa taille stp

@+

aless2706 · Answer

Alors la taille du dossier est de 3,28 mo 

dans ce dossier , il y a 15 dossiers , avec des longs noms , ex : 0b5cb067-5a9e-403d-b886-1f9b0fb65b21.8

dans chacun de ces dossiers se trouve

- un dossier qui se nomme "view" ( sauf dans 2 des 15) des  comprenant encore d'autre dossier  
-un document Xml 
-une archive composite.cab ( sauf dans 2 des 15 )
- un script.htm 
- Clear Ie cache.zip ( uniquement présent dans 2 des 15 dossiers ) 




et sinon pour les 3 fichiers qui ne voulaient pas se supprimer ? 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat 
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat 
C:\Documents and Settings\All Users\Application Data\Symantec 



Merci de ton aide

g!rly · Answer

Re,

On peux tenter de faire comme ca :

Tu fais une archive de ce dossier pour le sauvegarder et le supprime completement: si tu as un disfonctionnement quelconque tu pourras le remettre...

Tu en pensses quoi?

pour les trois fichiers tu peux les supprimer avec ot move it :

* Télécharge OTMoveIt2 (de Old_Timer) sur ton bureau : http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Double-clique sur OTMoveIt.exe pour lancer le programme,
* Copie la liste de fichiers ou de dossiers ci-dessous et colle-la dans la fenêtre du programme "Paste Custom List of Files/Folders to Move" :

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Symantec

* Clique sur MoveIt! pour lancer la suppression,
* Le résultat appraraîtra dans le cadre Results.
* Clique sur Exit pour fermer le programme.
* Poste le rapport qui est situé ici : C:\\_OTMoveIt\MovedFiles
* Il te sera peut-être demandé de redémarrer ton PC. Dans ce cas, clique sur Yes.

@+

aless2706 · Answer

ok je vais sauvegarder le dossier sur un cd et le supprimer complétement  , normalement il n'y a pas de programmes obligatoires pour windows dedans ?

aless2706 · Answer

Voila s'es fait je l'ai supprimé de mon ordinateur

g!rly · Answer

Re,

ok tres bien ;-)

tu as passé ot_move it? 

@+

aless2706 · Answer

oué je l'ai passe je poste le rapport [Custom Input] < C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat > File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot. < C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat > File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot. < C:\Documents and Settings\All Users\Application Data\Symantec > C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\{896B805C-0909-4044-90DC-7EDEE1D3CC15} moved successfully. C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\{3E45DB70-1E4B-4A9A-991C-DA06F13FED91} moved successfully. C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\{3C7B4014-98B6-49E0-A733-8FA58BD34314} moved successfully. C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\{3BE06DBE-547D-4E92-A27F-74E28369F019} moved successfully. C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\{3A56ECAD-88CC-4B44-B6D8-2F7BABD7EB52} moved successfully. C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\{03737737-F634-4B5A-BE35-C02D494E0E6E} moved successfully. C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine moved successfully. C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus moved successfully. C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads moved successfully. Folder move failed. C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate scheduled to be moved on reboot. C:\Documents and Settings\All Users\Application Data\Symantec\LiveSubscribe moved successfully. Folder move failed. C:\Documents and Settings\All Users\Application Data\Symantec scheduled to be moved on reboot. OTMoveIt2 v1.0.20 log created on 02272008_181017

g!rly · Answer

Aless2706,

il y a quelques fichiers qui on ete programmés pour etre supprimés au redemarage...

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Symantec scheduled.

Sinon vire les en mode sans echec...

bon, apres tout ca; comment ca va?

@+

aless2706 · Answer

Ok je les effacerai en mode sans échec

mais ici je suis en train d'effectuer un nouveau scan avec antivir mais les memes fichiers reviennent a chaque fois alors que j'ai supprimé . Je laisse l'analyse finir et puis je pose le rapport

aless2706 · Answer

voila le rapport , il détecte tjrs les mêmes fichiers alors que je les avais supprimé auparavant AntiVir PersonalEdition Classic Report file date: jeudi 28 février 2008 19:30 Scanning for 1127639 virus strains and unwanted programs. Licensed to: Avira AntiVir PersonalEdition Classic Serial number: 0000149996-ADJIE-0001 Platform: Windows XP Windows version: (Service Pack 2) [5.1.2600] Username: SYSTEM Computer name: DISTRITOP Version information: BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00 AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29 AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51 LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47 LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20 ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15 ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 14:50:28 ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 24/02/2008 21:30:51 ANTIVIR3.VDF : 7.0.2.206 98816 Bytes 28/02/2008 12:12:29 AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 16/02/2008 21:14:59 AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26 AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17 AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24 AVPACK32.DLL : 7.6.0.3 360488 Bytes 16/01/2008 21:08:44 AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06 AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33 AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18 NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42 RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13 RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37 SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21 Configuration settings for the scan: Jobname..........................: Complete system scan Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp Logging..........................: low Primary action...................: interactive Secondary action.................: ignore Scan master boot sector..........: on Scan boot sector.................: on Boot sectors.....................: D:, Scan memory......................: on Process scan.....................: on Scan registry....................: on Search for rootkits..............: on Scan all files...................: All files Scan archives....................: on Recursion depth..................: 20 Smart extensions.................: on Macro heuristic..................: on File heuristic...................: low Start of the scan: jeudi 28 février 2008 19:30 Starting search for hidden objects. '56070' objects were checked, '0' hidden objects were found. The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'CursorXP.exe' - '1' Module(s) have been scanned Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned Scan process 'avgas.exe' - '1' Module(s) have been scanned Scan process 'rundll32.exe' - '1' Module(s) have been scanned Scan process 'qttask.exe' - '1' Module(s) have been scanned Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'rundll32.exe' - '1' Module(s) have been scanned Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned Scan process 'Keyhook.exe' - '1' Module(s) have been scanned Scan process 'jusched.exe' - '1' Module(s) have been scanned Scan process 'snmp.exe' - '1' Module(s) have been scanned Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned Scan process 'libusbd-nt.exe' - '1' Module(s) have been scanned Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned Scan process 'BTNtService.exe' - '1' Module(s) have been scanned Scan process 'guard.exe' - '0' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'aawservice.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 37 processes with 37 modules were scanned Starting master boot sector scan: Master boot sector HD0 [NOTE] No virus was found! Master boot sector HD1 [NOTE] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [NOTE] No virus was found! Boot sector 'D:\' [NOTE] No virus was found! Starting to scan the registry. The registry was scanned ( '25' files ). Starting the file scan: Begin scan in 'C:\' C:\pagefile.sys [WARNING] The file could not be opened! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\composite.cab [0] Archive type: CAB (Microsoft) --> EnableDisable Internet Explorer Cookies.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '48340141.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\script.htm [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '48390138.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\View\4\SupportAction.cab [0] Archive type: CAB (Microsoft) --> EnableDisable Internet Explorer Cookies.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '4837014c.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\composite.cab [0] Archive type: CAB (Microsoft) --> Schakel de cookies in Internet Explorer in of uit.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '48340148.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\script.htm [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '4839013f.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\View\4\SupportAction.cab [0] Archive type: CAB (Microsoft) --> Schakel de cookies in Internet Explorer in of uit.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '48370153.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\composite.cab [0] Archive type: CAB (Microsoft) --> Désactivez or activez les cookies dans Internet Explorer.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '4834014f.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\script.htm [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '48390145.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\View\4\SupportAction.cab [0] Archive type: CAB (Microsoft) --> Désactivez or activez les cookies dans Internet Explorer.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '48370159.qua'! C:\WINDOWS\system32\drivers\sptd.sys [WARNING] The file could not be opened! Begin scan in 'D:\' End of the scan: jeudi 28 février 2008 20:45 Used time: 1:15:17 min The scan has been done completely. 6313 Scanning directories 452800 Files were scanned 0 viruses and/or unwanted programs were found 9 Files were classified as suspicious: 0 files were deleted 0 files were repaired 9 files were moved to quarantine 0 files were renamed 2 Files cannot be scanned 452800 Files not concerned 16187 Archives were scanned 2 Warnings 0 Notes 56070 Objects were scanned with rootkit scan 0 Hidden objects were found

g!rly · Answer

aless2706.

oui c´est plus qu´etrange ?!

peux tu faire un scan avec a2square et poster le resultat ici, j´espere que cette fois tu pourras le poster...

http://www.commentcamarche.net/telecharger/telecharger 224 a squared

@+

aless2706 · Answer

Ok désolé du retard je vais faire le scan tout de suite

g!rly · Answer

ok aless2706,

@+

aless2706 · Answer

voila le rapport ;)




Version - a-squared Free 3.1
Dernière mise à jour: 1/03/2008 14:47:34

Réglages Scan:

Objets: Mémoire, Traces, Cookies
Scan archives: Marche
Heuristiques: Marche
Scan ADS: Marche

Début du scan:	2/03/2008 9:52:27

c:\documents and settings\hp_propriétaire\bureau\ares.lnk 	Détecter: Trace.File.Ares
c:\program files\ares\ares.exe 	Détecter: Trace.File.Ares
c:\program files\ares\data\anonproxies.txt.sample 	Détecter: Trace.File.Ares
c:\program files\ares\data\blocked.txt.sample 	Détecter: Trace.File.Ares
c:\program files\ares\data\blocked_keywords.txt.sample 	Détecter: Trace.File.Ares
c:\program files\ares\data\chanlistfilter.txt 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\chat.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\emotic.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\libbig.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\logo.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\mimesmall.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\mshareset.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\player.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\playlistbtns.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\prefs.txt 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\searchpnl.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\searchstars.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general	absbig.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general	abssmall.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general	ransfer.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\gui\general\webanim.bmp 	Détecter: Trace.File.Ares
c:\program files\ares\data\homepage.dat 	Détecter: Trace.File.Ares
c:\program files\ares\data\p2pfilter.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\arabic.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\chinese_cn.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\chinese_tw.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\czech.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\dutch.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\finland.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\french.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\german.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\italian.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\japanese.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\kurdish.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\kyrgyz.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\polish.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\portugues.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\slovak.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\spanish.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\spanishla.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang\swedish.txt 	Détecter: Trace.File.Ares
c:\program files\ares\lang	urkish.txt 	Détecter: Trace.File.Ares
c:\program files\ares	cpip_patcher.sys 	Détecter: Trace.File.Ares
c:\program files\ares	cpippatcherdll.dll 	Détecter: Trace.File.Ares
c:\documents and settings\hp_propriétaire\menu démarrer\programmes\ares\ares.lnk 	Détecter: Trace.File.Ares
Value: HKEY_CLASSES_ROOT\arlnk --> URL Protocol 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\bounds --> Main.Maximized 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\Columns\Transfers --> Download 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\Columns\Transfers --> Queue 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\Columns\Transfers --> Upload 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\Data --> AresNet1 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\Data --> JI.AresNet1 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\Positions\Transfers --> Download 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\Positions\Transfers --> Queue 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares\Positions\Transfers --> Upload 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> ChatRoom.ServerPort 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> ChatRoom.ShowJP 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Extra.ShowActiveCaption 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> General.AutoConnect 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> General.AutoStartUp 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> General.LastLibraryMode 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> GUI.LastChatRoomBrowse 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> GUI.LastLibrary 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> GUI.LastPMBrowse 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> GUI.LastSearch 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Network.DHTID 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Personal.GUID 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Privacy.SendRegularPath 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> PrivateMessage.AllowBrowse 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> PrivateMessage.AwayMessage 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Start Menu Folder 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Stats.CAvgTime 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Stats.CDnSpeed 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Stats.CFRTime 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Stats.CTtUptime 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Stats.CUpSpeed 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Stats.HasLQCa 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Stats.LstCaQuery 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Stats.LstCaQueryInt 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Transfer.MaximizeUpBandOnIdle 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Transfer.ServerPort 	Détecter: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> DisplayName 	Détecter: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> DisplayVersion 	Détecter: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> Publisher 	Détecter: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> UninstallString 	Détecter: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> URLInfoAbout 	Détecter: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> URLUpdateInfo 	Détecter: Trace.Registry.Ares
Key: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\software\kazaa 	Détecter: Trace.Registry.KaZaA
c:\program files\ares 	Détecter: Trace.Directory.Ares
c:\program files\ares\data 	Détecter: Trace.Directory.Ares
c:\program files\ares\data\gui 	Détecter: Trace.Directory.Ares
c:\program files\ares\data\gui\general 	Détecter: Trace.Directory.Ares
c:\program files\ares\lang 	Détecter: Trace.Directory.Ares
c:\documents and settings\hp_propriétaire\menu démarrer\programmes\ares 	Détecter: Trace.Directory.Ares
c:\documents and settings\hp_propriétaire\application data\shareaza 	Détecter: Trace.Directory.Shareaza Lite
c:\program files\ares\asyncex.ax 	Détecter: Trace.File.Ares
Value: HKEY_CLASSES_ROOT\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32 --> ThreadingModel 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> ChatRoom.AutoAddToFavorites 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> General.HookBitTorrentExt 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> General.Language 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Playlist.PreviousM3UApp 	Détecter: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-2546207929-2116143017-4249160241-1007\Software\Ares --> Torrents.PreviousApp 	Détecter: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32 --> ThreadingModel 	Détecter: Trace.Registry.Ares
Value: HKEY_CLASSES_ROOT\CLSID\{1339B54C-3453-11D2-93B9-000000000000}\InprocServer32 --> ThreadingModel 	Détecter: Trace.Registry.Internet Cleanup 5.0
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1339B54C-3453-11D2-93B9-000000000000}\InprocServer32 --> ThreadingModel 	Détecter: Trace.Registry.Internet Cleanup 5.0
Value: HKEY_CLASSES_ROOT\arlnk --> URL Protocol 	Détecter: Trace.Registry.Ares Galaxy P2P Plus
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\arlnk --> URL Protocol 	Détecter: Trace.Registry.Ares Galaxy P2P Plus
C:\Documents and Settings\HP_Propriétaire\Cookies\hp_propriétaire@2o7[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\HP_Propriétaire\Cookies\hp_propriétaire@bs.serving-sys[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\HP_Propriétaire\Cookies\hp_propriétaire@doubleclick[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\HP_Propriétaire\Cookies\hp_propriétaire@metriweb[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\HP_Propriétaire\Cookies\hp_propriétaire@serving-sys[2].txt 	Détecter: Trace.TrackingCookie

Scanné

Fichiers: 	1620
Traces: 	375688

g!rly · Answer

Salut aless2706.

on dirait que a2 square n´aime pas ares...

tu as deja installé kazaa?

qu´as tu fais tout supprimé ou?

@+

aless2706 · Answer

Oui je l'avais mais je l'ai désinstallé il y a très très longtemps...plus de 1an a mon avis

aless2706 · Answer

Et sinon pour a2square j'ai mis tous en quarantaine

merci de ton aide ;)

g!rly · Answer

ok aless2706,

nous voila toujours avec le meme probleme...

j´ai vu que tu avais d´autres topik sur d´autre forum egalement et la aussi, ca ne va pas plus loin ;-(

Moi je seche un peu a vrai dire...

dis moi quoi

@+

aless2706 · Answer

je vais refaire une analyse antivir et je posterai le rapport apres , pour le moment je n'ai plus eu de détection appart html/zone.gen qui revient chaque jour

g!rly · Answer

ok aless2706,

@+

aless2706 · Answer

voila le rapport , je suis vrmt désolé pour le retard :s mais je suis fort pris ces temps ci..

Il détecte encore les fichiers..tjrs les memes ^^

Ca ne viendrait pas des cookies internet explorer par hazard ? car ma mère avait du les autorisés une fois pour accèder a une fonction sur le site de sa banque..


AntiVir PersonalEdition Classic
Report file date: jeudi 6 mars 2008  21:43

Scanning for 1136109 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         HP_Propriétaire
Computer name:    DISTRITOP

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95    3367424 Bytes  14/12/2007 14:50:28
ANTIVIR2.VDF : 7.0.2.181   1993728 Bytes  24/02/2008 21:30:51
ANTIVIR3.VDF : 7.0.2.245    216576 Bytes  06/03/2008 19:53:43
AVEWIN32.DLL : 7.6.0.73    3334656 Bytes  01/03/2008 17:19:54
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3      360488 Bytes  16/01/2008 21:08:44
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: low

Start of the scan: jeudi 6 mars 2008  21:43

Starting search for hidden objects.
'47680' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'CursorXP.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'Keyhook.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned
Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'libusbd-nt.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'BTNtService.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [NOTE]      No virus was found!
Master boot sector HD1
      [NOTE]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
      [NOTE]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '32' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\composite.cab
  [0] Archive type: CAB (Microsoft)
  --> EnableDisable Internet Explorer Cookies.saf
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
      [INFO]      The file was moved to '483d5c85.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\script.htm
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
      [INFO]      The file was moved to '48425c7b.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\View\4\SupportAction.cab
  [0] Archive type: CAB (Microsoft)
  --> EnableDisable Internet Explorer Cookies.saf
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
      [INFO]      The file was moved to '48405c90.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\composite.cab
  [0] Archive type: CAB (Microsoft)
  --> Schakel de cookies in Internet Explorer in of uit.saf
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
      [INFO]      The file was moved to '483d5c8c.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\View\4\SupportAction.cab
  [0] Archive type: CAB (Microsoft)
  --> Schakel de cookies in Internet Explorer in of uit.saf
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
      [INFO]      The file was moved to '48405c94.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\composite.cab
  [0] Archive type: CAB (Microsoft)
  --> Désactivez or activez les cookies dans Internet Explorer.saf
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
      [INFO]      The file was moved to '483d5c90.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\script.htm
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
      [INFO]      The file was moved to '48425c86.qua'!
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\View\4\SupportAction.cab
  [0] Archive type: CAB (Microsoft)
  --> Désactivez or activez les cookies dans Internet Explorer.saf
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen
      [INFO]      The file was moved to '48405c9a.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
      [WARNING]   The file could not be opened!


End of the scan: jeudi 6 mars 2008  22:53
Used time:  1:09:49 min

The scan has been done completely.

   6155 Scanning directories
 345532 Files were scanned
      0 viruses and/or unwanted programs were found
      8 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      8 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
 345532 Files not concerned
  10167 Archives were scanned
      2 Warnings
      0 Notes
  47680 Objects were scanned with rootkit scan
      0 Hidden objects were found

g!rly · Answer

salut aless2706,

oui ca vient effectivement des cookies qui sont autorisés...

remonte le niveau de securité concernant les cookies...

puis on va tenté ceci :

Copie le texte ci-dessous :

File::
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e­6dd4b3b05a.7\composite.cab
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e­6dd4b3b05a.7\script.htm
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e­6dd4b3b05a.7\View\4\SupportAction.cab
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e­3f9e45cf7b.4\composite.cab
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e­3f9e45cf7b.4\View\4\SupportAction.cab
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e5­8067de1e02.7\composite.cab
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e5­8067de1e02.7\script.htm
C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e5­8067de1e02.7\View\4\SupportAction.cab

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt

S'il n'y a pas de rédémarrage, poste quand même le rapport. 

@+

aless2706 · Answer

Voila le rapport , j'ai fait glisser le fichier dedans mais apres il ne ma pas demandé de taper 1 ou 2 , il a commencé directement le scan , je ne sais pas si ca a de l'importance mais bon.. ComboFix 08-03-07.4 - HP_Propriétaire 2008-03-08 13:39:50.2 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.32 [GMT 1:00] Endroit: C:\Documents and Settings\HP_Propriétaire\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\HP_PropriÚtaire\Bureau\CFscript.txt * Création d'un nouveau point de restauration . ((((((((((((((((((((((((((((( Fichiers créés 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))))))) . 2008-03-08 13:34 . 2008-03-08 13:35 d-------- C:\ComboFix[1] 2008-03-01 14:44 . 2008-03-02 09:54 d-------- C:\Program Files\a-squared Free 2008-02-28 14:53 . 2008-02-28 14:53 37,376 --a------ C:\avendavid.doc 2008-02-26 19:21 . 2008-02-26 19:21 d-------- C:\Program Files\CleanUp! 2008-02-26 12:36 . 2008-02-26 12:36 d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-02-26 11:59 . 2008-02-26 11:59 d-------- C:\_OTMoveIt 2008-02-25 21:20 . 2008-02-25 21:20 d-------- C:\Documents and Settings\HP_Propriétaire\Application Data\Grisoft 2008-02-25 21:19 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-02-24 17:47 . 2008-02-24 17:47 d-------- C:\Program Files\Lavasoft 2008-02-24 17:47 . 2008-02-24 17:49 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-02-24 17:46 . 2008-02-24 17:46 d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-02-23 16:38 . 2007-09-02 20:37 4,096 --a------ C:\WINDOWS\system32\drivers\KProcCheck.sys 2008-02-23 11:03 . 2008-02-23 11:03 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-02-23 08:22 . 2008-02-23 08:22 d-------- C:\Program Files\Trend Micro 2008-02-23 08:10 . 2008-02-23 08:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-02-23 08:10 . 2008-02-23 08:10 1,409 --a------ C:\WINDOWS\QTFont.for 2008-02-14 08:15 . 2008-02-14 08:15 39,936 --a------ C:\ventedavid.doc 2008-02-10 10:46 . 2004-03-08 23:00 224,016 --a------ C:\WINDOWS\system32\TABCTL32.OCX 2008-02-10 10:46 . 1998-07-12 23:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll 2008-02-10 10:46 . 1998-07-12 19:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-07 22:12 --------- d-----w C:\Program Files\EuroPoker 2008-02-27 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-02-26 18:22 --------- d-----w C:\Program Files\MSN Messenger 2008-02-26 18:22 --------- d-----w C:\Program Files\Mozilla ActiveX Control v1.7.12 2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Vso 2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Desktop Sidebar 2008-02-26 11:03 --------- d-----w C:\Program Files\Makro 2008-02-25 23:17 --------- d-----w C:\Program Files\Microsoft Works 2008-02-25 23:17 --------- d-----w C:\Program Files\Easy Internet signup 2008-02-25 23:17 --------- d-----w C:\Program Files\DivX 2008-02-23 13:01 --------- d-----w C:\Program Files\Windows Live Toolbar 2008-02-23 13:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-02-23 13:00 --------- d-----w C:\Program Files\QuickTime 2008-02-23 12:51 --------- d-----w C:\Program Files\Google 2008-02-23 12:49 --------- d-----w C:\Program Files\CursorXP 2008-02-13 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-02-05 19:01 --------- d-----w C:\Program Files\Project64 1.6 2008-02-04 21:55 --------- d-----w C:\Program Files\WinLemm 2008-02-04 09:22 --------- d-----w C:\Program Files\LibUSB-Win32-0.1.10.1 2008-01-27 10:24 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\uTorrent 2008-01-26 08:09 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2007-10-14 09:34 30,832 ----a-w C:\Documents and Settings\HP_Propriétaire\Application Data\GDIPFONTCACHEV1.DAT 2005-04-20 19:18 56 --sh--r C:\WINDOWS\system32\2565851E8D.sys 2005-04-21 05:20 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34 128000] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-18 18:51 68856] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 11:00 15360] "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-01-29 17:34 598920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-01 15:07 32881] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472] "nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32 wiz.exe] "VTTimer"="VTTimer.exe" [] "SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-20 09:47 249856] "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe] "AlcxMonitor"="ALCXMNTR.EXE" [] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-31 10:48 249896] "Belgacom"="C:\Program Files\Belgacom\bin\sprtcmd.exe" [2006-06-22 08:34 192512] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-01 17:45 98304] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableLockWorkstation"= 0 (0x0) "DisableChangePassword"= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoLogoff"= 0 (0x0) "rightsTest"= 1 (0x1) "DisallowRun"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun] "2"= firefox.exe "3"= Opera.exe "4"= netscape.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "C:\WINDOWS\system32\ftp.exe"= "C:\Program Files\iTunes\iTunes.exe"= "C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"= "C:\Program Files\Messenger\msmsgs.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "C:\Program Files\MSN Messenger\msnmsgr.exe"= "C:\Program Files\MSN Messenger\livecall.exe"= "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"= "C:\Program Files\uTorrent\uTorrent.exe"= "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "15001:TCP"= 15001:TCP:Utor1 R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21] R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21] R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21] R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50] R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2003-12-08 12:53] S3 cdiskdun;cdiskdun;C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys [] S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] S3 V0010bVd;Creative WebCam Vista #2;C:\WINDOWS\system32\DRIVERS\V0010bVd.sys [2003-04-21 08:19] S3 XPADFL02;XPAD Filter Service 02;C:\WINDOWS\system32\DRIVERS\xpadfl02.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccad4655-7fb8-11da-8968-00112fbf7215}] \Shell\AutoRun\command - F:\autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6c701a4-37b0-11dc-8c14-00112fbf7215}] \Shell\AutoRun\command - F:\Exe\Autorun.exe . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-02-23 20:47:19 C:\WINDOWS\Tasks\Connexion facile à Internet.job" - C:\Program Files\Easy Internet signup\HPSdpApp.exe "2008-03-08 12:43:06 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-08 13:46:48 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-03-08 13:50:10 ComboFix-quarantined-files.txt 2008-03-08 12:49:59 ComboFix2.txt 2008-02-26 08:49:57 . 2008-02-13 16:20:16 --- E O F ---

g!rly · Answer

bonsoir aless2706,

je viens de reperer un genre de rootkit dans le rapport :

fais ceci :

Copie le texte ci-dessous :

File::
C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys

Driver::
cdiskdun

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports.

puis repasses le scan d´antivir pour voir si il detecte encore les memes fichiers qu´au paravant.

@+

aless2706 · Answer

slt , je vais lancer combofix ajd mais je posterai demain tous les rapports , manque de temps ajd :s 

en tout cas merci de ton aide ;)

g!rly · Answer

Ok

@+

aless2706 · Answer

Voici les rapports Combofix ComboFix 08-03-07.4 - HP_Propriétaire 2008-03-10 21:18:40.3 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.43 [GMT 1:00] Endroit: C:\Documents and Settings\HP_Propriétaire\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\HP_PropriÚtaire\Bureau\CFscript.txt * Création d'un nouveau point de restauration . ((((((((((((((((((((((((((((( Fichiers créés 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))))))) . 2008-03-08 13:34 . 2008-03-08 13:35 d-------- C:\ComboFix[1] 2008-03-01 14:44 . 2008-03-02 09:54 d-------- C:\Program Files\a-squared Free 2008-02-28 14:53 . 2008-02-28 14:53 37,376 --a------ C:\avendavid.doc 2008-02-26 19:21 . 2008-02-26 19:21 d-------- C:\Program Files\CleanUp! 2008-02-26 12:36 . 2008-02-26 12:36 d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-02-26 11:59 . 2008-02-26 11:59 d-------- C:\_OTMoveIt 2008-02-25 21:20 . 2008-02-25 21:20 d-------- C:\Documents and Settings\HP_Propriétaire\Application Data\Grisoft 2008-02-25 21:19 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-02-24 17:47 . 2008-02-24 17:47 d-------- C:\Program Files\Lavasoft 2008-02-24 17:47 . 2008-02-24 17:49 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-02-24 17:46 . 2008-02-24 17:46 d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-02-23 16:38 . 2007-09-02 20:37 4,096 --a------ C:\WINDOWS\system32\drivers\KProcCheck.sys 2008-02-23 11:03 . 2008-02-23 11:03 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-02-23 08:22 . 2008-02-23 08:22 d-------- C:\Program Files\Trend Micro 2008-02-23 08:10 . 2008-02-23 08:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-02-23 08:10 . 2008-02-23 08:10 1,409 --a------ C:\WINDOWS\QTFont.for 2008-02-14 08:15 . 2008-02-14 08:15 39,936 --a------ C:\ventedavid.doc 2008-02-10 10:46 . 2004-03-08 23:00 224,016 --a------ C:\WINDOWS\system32\TABCTL32.OCX 2008-02-10 10:46 . 1998-07-12 23:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll 2008-02-10 10:46 . 1998-07-12 19:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL 2008-02-10 10:46 . 1998-07-12 23:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-09 21:01 --------- d-----w C:\Program Files\EuroPoker 2008-02-27 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-02-26 18:22 --------- d-----w C:\Program Files\MSN Messenger 2008-02-26 18:22 --------- d-----w C:\Program Files\Mozilla ActiveX Control v1.7.12 2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Vso 2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Desktop Sidebar 2008-02-26 11:03 --------- d-----w C:\Program Files\Makro 2008-02-25 23:17 --------- d-----w C:\Program Files\Microsoft Works 2008-02-25 23:17 --------- d-----w C:\Program Files\Easy Internet signup 2008-02-25 23:17 --------- d-----w C:\Program Files\DivX 2008-02-23 13:01 --------- d-----w C:\Program Files\Windows Live Toolbar 2008-02-23 13:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-02-23 13:00 --------- d-----w C:\Program Files\QuickTime 2008-02-23 12:51 --------- d-----w C:\Program Files\Google 2008-02-23 12:49 --------- d-----w C:\Program Files\CursorXP 2008-02-13 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-02-05 19:01 --------- d-----w C:\Program Files\Project64 1.6 2008-02-04 21:55 --------- d-----w C:\Program Files\WinLemm 2008-02-04 09:22 --------- d-----w C:\Program Files\LibUSB-Win32-0.1.10.1 2008-01-27 10:24 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\uTorrent 2008-01-26 08:09 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2007-10-14 09:34 30,832 ----a-w C:\Documents and Settings\HP_Propriétaire\Application Data\GDIPFONTCACHEV1.DAT 2005-04-20 19:18 56 --sh--r C:\WINDOWS\system32\2565851E8D.sys 2005-04-21 05:20 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34 128000] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-18 18:51 68856] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 11:00 15360] "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-01-29 17:34 598920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-01 15:07 32881] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472] "nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32 wiz.exe] "VTTimer"="VTTimer.exe" [] "SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-20 09:47 249856] "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe] "AlcxMonitor"="ALCXMNTR.EXE" [] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-31 10:48 249896] "Belgacom"="C:\Program Files\Belgacom\bin\sprtcmd.exe" [2006-06-22 08:34 192512] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-01 17:45 98304] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableLockWorkstation"= 0 (0x0) "DisableChangePassword"= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoLogoff"= 0 (0x0) "rightsTest"= 1 (0x1) "DisallowRun"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun] "2"= firefox.exe "3"= Opera.exe "4"= netscape.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "C:\WINDOWS\system32\ftp.exe"= "C:\Program Files\iTunes\iTunes.exe"= "C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"= "C:\Program Files\Messenger\msmsgs.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "C:\Program Files\MSN Messenger\msnmsgr.exe"= "C:\Program Files\MSN Messenger\livecall.exe"= "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"= "C:\Program Files\uTorrent\uTorrent.exe"= "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "15001:TCP"= 15001:TCP:Utor1 R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21] R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21] R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21] R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50] S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2003-12-08 12:53] S3 cdiskdun;cdiskdun;C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys [] S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58] S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] S3 V0010bVd;Creative WebCam Vista #2;C:\WINDOWS\system32\DRIVERS\V0010bVd.sys [2003-04-21 08:19] S3 XPADFL02;XPAD Filter Service 02;C:\WINDOWS\system32\DRIVERS\xpadfl02.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccad4655-7fb8-11da-8968-00112fbf7215}] \Shell\AutoRun\command - F:\autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6c701a4-37b0-11dc-8c14-00112fbf7215}] \Shell\AutoRun\command - F:\Exe\Autorun.exe . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-02-23 20:47:19 C:\WINDOWS\Tasks\Connexion facile à Internet.job" - C:\Program Files\Easy Internet signup\HPSdpApp.exe "2008-03-10 19:43:01 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-10 21:25:28 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-03-10 21:28:30 ComboFix-quarantined-files.txt 2008-03-10 20:28:18 ComboFix2.txt 2008-03-08 12:50:13 ComboFix3.txt 2008-02-26 08:49:57 . 2008-02-13 16:20:16 --- E O F --- -------------------------------------------------------------------------------------------------------------------------------------------- Rapport Antivir AntiVir PersonalEdition Classic Report file date: mardi 11 mars 2008 14:58 Scanning for 1141684 virus strains and unwanted programs. Licensed to: Avira AntiVir PersonalEdition Classic Serial number: 0000149996-ADJIE-0001 Platform: Windows XP Windows version: (Service Pack 2) [5.1.2600] Username: HP_Propriétaire Computer name: DISTRITOP Version information: BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00 AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29 AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51 LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47 LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20 ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15 ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 19:57:16 ANTIVIR2.VDF : 7.0.3.3 2048 Bytes 07/03/2008 19:57:16 ANTIVIR3.VDF : 7.0.3.12 65536 Bytes 10/03/2008 19:54:15 AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 01/03/2008 17:19:54 AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26 AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17 AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24 AVPACK32.DLL : 7.6.0.3 360488 Bytes 16/01/2008 21:08:44 AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06 AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33 AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18 NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42 RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13 RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37 SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21 Configuration settings for the scan: Jobname..........................: Manual Selection Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\folder.avp Logging..........................: low Primary action...................: interactive Secondary action.................: ignore Scan master boot sector..........: on Scan boot sector.................: on Boot sectors.....................: C:, Scan memory......................: on Process scan.....................: on Scan registry....................: on Search for rootkits..............: on Scan all files...................: All files Scan archives....................: on Recursion depth..................: 20 Smart extensions.................: on Macro heuristic..................: on File heuristic...................: low Start of the scan: mardi 11 mars 2008 14:58 Starting search for hidden objects. '47041' objects were checked, '0' hidden objects were found. The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned Scan process 'CursorXP.exe' - '1' Module(s) have been scanned Scan process 'avgas.exe' - '1' Module(s) have been scanned Scan process 'qttask.exe' - '1' Module(s) have been scanned Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'rundll32.exe' - '1' Module(s) have been scanned Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned Scan process 'Keyhook.exe' - '1' Module(s) have been scanned Scan process 'rundll32.exe' - '1' Module(s) have been scanned Scan process 'jusched.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned Scan process 'snmp.exe' - '1' Module(s) have been scanned Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned Scan process 'libusbd-nt.exe' - '1' Module(s) have been scanned Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned Scan process 'BTNtService.exe' - '1' Module(s) have been scanned Scan process 'guard.exe' - '0' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'a2service.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'aawservice.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 41 processes with 41 modules were scanned Starting master boot sector scan: Master boot sector HD0 [NOTE] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [NOTE] No virus was found! Starting to scan the registry. The registry was scanned ( '32' files ). Starting the file scan: Begin scan in 'C:\' C:\pagefile.sys [WARNING] The file could not be opened! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\composite.cab [0] Archive type: CAB (Microsoft) --> EnableDisable Internet Explorer Cookies.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '48439799.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\script.htm [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '48489791.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\094add81-fd34-47b3-86ce-4e6dd4b3b05a.7\View\4\SupportAction.cab [0] Archive type: CAB (Microsoft) --> EnableDisable Internet Explorer Cookies.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '484697a7.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\composite.cab [0] Archive type: CAB (Microsoft) --> Schakel de cookies in Internet Explorer in of uit.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '484397a6.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\script.htm [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '4848979d.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\4898ff18-15a1-49e8-a94d-5e3f9e45cf7b.4\View\4\SupportAction.cab [0] Archive type: CAB (Microsoft) --> Schakel de cookies in Internet Explorer in of uit.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '484697b4.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\composite.cab [0] Archive type: CAB (Microsoft) --> Désactivez or activez les cookies dans Internet Explorer.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '484397b3.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\script.htm [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '484897ab.qua'! C:\Documents and Settings\HP_Propriétaire\Local Settings\Application Data\SupportSoft\Belgacom\HP_Propriétaire\data\sprt_actionlight\6042dfc5-c19b-4119-80be-e58067de1e02.7\View\4\SupportAction.cab [0] Archive type: CAB (Microsoft) --> Désactivez or activez les cookies dans Internet Explorer.saf [DETECTION] Contains detection pattern of the HTML script virus HTML/Zones.Gen [INFO] The file was moved to '484697c0.qua'! C:\WINDOWS\system32\drivers\sptd.sys [WARNING] The file could not be opened! End of the scan: mardi 11 mars 2008 16:17 Used time: 1:19:50 min The scan has been done completely. 6170 Scanning directories 344958 Files were scanned 0 viruses and/or unwanted programs were found 9 Files were classified as suspicious: 0 files were deleted 0 files were repaired 9 files were moved to quarantine 0 files were renamed 2 Files cannot be scanned 344958 Files not concerned 10187 Archives were scanned 2 Warnings 0 Notes 47041 Objects were scanned with rootkit scan 0 Hidden objects were found --------------------------------------------------------------------------------------------------------------------------------------------------- Log hijackthis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:41:50, on 11/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\WINDOWS\system32\libusbd-nt.exe C:\WINDOWS\system32 vsvc32.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\System32\snmp.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\system32 undll32.exe C:\WINDOWS\system32\keyhook.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Belgacom\bin\sprtcmd.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\CursorXP\CursorXP.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\aideonline.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.proximus.be/pickx R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ustart.org R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Belgacom] "C:\Program Files\Belgacom\bin\sprtcmd.exe" /P Belgacom O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU') O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Rechercher avec google - C:\Windows\Web\ContextGoo.htm. O8 - Extra context menu item: Télécharger avec Star Downloader - C:\Documents and Settings\HP_Propriétaire\Mes documents\Star Downloader\sdie.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-BE/a-UNO1/GAME_UNO1.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://selfcare.belgacom.net/static/pc/dlbridgesy/SymDlBrg.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - https://sourceforge.net/p/libusb-win32/wiki/Home/ - C:\WINDOWS\system32\libusbd-nt.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32 vsvc32.exe O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

g!rly · Answer

aless2706,

tu n´as pas du faire ceci :

Copie le texte ci-dessous :

File::
C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys

Driver::
cdiskdun

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif 

pour les trouvailles d´antivir c´est toujours pareil comme tu le constates ;-(

recommences en tout le script combofix...

@+

aless2706 · Answer

Voila le rapport

g!rly · Answer

salut aless2706.

le rapport ?

aless · Answer

oups...je l'avais oublié..lol

ComboFix 08-03-07.4 - HP_Propriétaire 2008-03-13 16:10:22.4 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.32 [GMT 1:00]
Endroit: C:\Documents and Settings\HP_Propriétaire\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_PropriÚtaire\Bureau\CFscript.txt
* Création d'un nouveau point de restauration
.

((((((((((((((((((((((((((((( Fichiers créés 2008-02-13 to 2008-03-13 ))))))))))))))))))))))))))))))))))))
.

2008-03-08 13:34 . 2008-03-08 13:35 <REP> d-------- C:\ComboFix[1]
2008-03-01 14:44 . 2008-03-02 09:54 <REP> d-------- C:\Program Files\a-squared Free
2008-02-28 14:53 . 2008-02-28 14:53 37,376 --a------ C:\avendavid.doc
2008-02-26 19:21 . 2008-02-26 19:21 <REP> d-------- C:\Program Files\CleanUp!
2008-02-26 12:36 . 2008-02-26 12:36 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-26 11:59 . 2008-02-26 11:59 <REP> d-------- C:\_OTMoveIt
2008-02-25 21:20 . 2008-02-25 21:20 <REP> d-------- C:\Documents and Settings\HP_Propriétaire\Application Data\Grisoft
2008-02-25 21:19 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-24 17:47 . 2008-02-24 17:47 <REP> d-------- C:\Program Files\Lavasoft
2008-02-24 17:47 . 2008-02-24 17:49 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-24 17:46 . 2008-02-24 17:46 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-23 16:38 . 2007-09-02 20:37 4,096 --a------ C:\WINDOWS\system32\drivers\KProcCheck.sys
2008-02-23 11:03 . 2008-02-23 11:03 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 08:22 . 2008-02-23 08:22 <REP> d-------- C:\Program Files\Trend Micro
2008-02-23 08:10 . 2008-02-23 08:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 08:10 . 2008-02-23 08:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-14 08:15 . 2008-02-14 08:15 39,936 --a------ C:\ventedavid.doc

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-12 19:31 --------- d-----w C:\Program Files\EuroPoker
2008-02-27 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-26 18:22 --------- d-----w C:\Program Files\MSN Messenger
2008-02-26 18:22 --------- d-----w C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Vso
2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Desktop Sidebar
2008-02-26 11:03 --------- d-----w C:\Program Files\Makro
2008-02-25 23:17 --------- d-----w C:\Program Files\Microsoft Works
2008-02-25 23:17 --------- d-----w C:\Program Files\Easy Internet signup
2008-02-25 23:17 --------- d-----w C:\Program Files\DivX
2008-02-23 13:01 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-23 13:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-23 13:00 --------- d-----w C:\Program Files\QuickTime
2008-02-23 12:51 --------- d-----w C:\Program Files\Google
2008-02-23 12:49 --------- d-----w C:\Program Files\CursorXP
2008-02-05 19:01 --------- d-----w C:\Program Files\Project64 1.6
2008-02-04 21:55 --------- d-----w C:\Program Files\WinLemm
2008-02-04 09:22 --------- d-----w C:\Program Files\LibUSB-Win32-0.1.10.1
2008-01-27 10:24 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\uTorrent
2008-01-26 08:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-10-14 09:34 30,832 ----a-w C:\Documents and Settings\HP_Propriétaire\Application Data\GDIPFONTCACHEV1.DAT
2005-04-20 19:18 56 --sh--r C:\WINDOWS\system32\2565851E8D.sys
2005-04-21 05:20 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34 128000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-18 18:51 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 11:00 15360]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-01-29 17:34 598920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-01 15:07 32881]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"VTTimer"="VTTimer.exe" []
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-20 09:47 249856]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-31 10:48 249896]
"Belgacom"="C:\Program Files\Belgacom\bin\sprtcmd.exe" [2006-06-22 08:34 192512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-01 17:45 98304]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)
"rightsTest"= 1 (0x1)
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"2"= firefox.exe
"3"= Opera.exe
"4"= netscape.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15001:TCP"= 15001:TCP:Utor1

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50]
R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2003-12-08 12:53]
S3 cdiskdun;cdiskdun;C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys []
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
S3 V0010bVd;Creative WebCam Vista #2;C:\WINDOWS\system32\DRIVERS\V0010bVd.sys [2003-04-21 08:19]
S3 XPADFL02;XPAD Filter Service 02;C:\WINDOWS\system32\DRIVERS\xpadfl02.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccad4655-7fb8-11da-8968-00112fbf7215}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6c701a4-37b0-11dc-8c14-00112fbf7215}]
\Shell\AutoRun\command - F:\Exe\Autorun.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-23 20:47:19 C:\WINDOWS\Tasks\Connexion facile à Internet.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-03-12 21:43:02 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 16:17:41
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-03-13 16:20:41
ComboFix-quarantined-files.txt 2008-03-13 15:20:30
ComboFix2.txt 2008-03-10 20:28:32
ComboFix3.txt 2008-03-08 12:50:13
ComboFix4.txt 2008-02-26 08:49:57
.
2008-03-12 22:22:33 --- E O F ---

g!rly · Answer

aless,

je sais pas si tu le fais bien ou quoi mais le service est encore la...

essaie comme ca :

Sélectionne cette liste ci dessous :

Files to Delete:
C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys

Drivers to unload:
cdiskdun

--> Clic droit copier

- Ouvre le Bloc-Note et clic sur le menu Edition/Coller afin de coller le contenu qui est dans le cadre ci-dessus
- Enregistre le fichier sur ton bureau sous le nom remove.txt

- Télécharge The Avenger
- Dézip le contenu de l'archive sur ton bureau et double-clic sur avenger.exe
- Clique sur "Ok"
- Sélectionne "Load Script from File" et clique sur l'icône en forme de dossier.
- Sélectionne le fichier remove.txt qui est sur ton bureau
- Clique sur le feu vert pour lancer le script
- Clique sur "Oui"
- Accepte de redémarrer ton pc.

Quand le PC a redémarre ouvre le fichier C:\avenger.txt et copie/colle le contenu ici.

@+

aless2706 · Answer

ca ne marche pas :( 

il met un message d'erreur disant que le texte doit commencer par une commande :/

g!rly · Answer

salut aless,

reessaie avec combofix stp

Copie le texte ci-dessous :

File::
C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys

Driver::
cdiskdun

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt

@+

aless2706 · Answer

voila le rapport

ComboFix 08-03-07.4 - HP_Propriétaire 2008-03-17 20:44:23.5 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.40 [GMT 1:00]Endroit: C:\Documents and Settings\HP_Propriétaire\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_PropriÚtaire\Bureau\CFscript.txt
* Création d'un nouveau point de restauration
.

((((((((((((((((((((((((((((( Fichiers créés 2008-02-17 to 2008-03-17 ))))))))))))))))))))))))))))))))))))
.

2008-03-08 13:34 . 2008-03-08 13:35 <REP> d-------- C:\ComboFix[1]
2008-03-01 14:44 . 2008-03-02 09:54 <REP> d-------- C:\Program Files\a-squared Free
2008-02-28 14:53 . 2008-02-28 14:53 37,376 --a------ C:\avendavid.doc
2008-02-26 19:21 . 2008-02-26 19:21 <REP> d-------- C:\Program Files\CleanUp!
2008-02-26 12:36 . 2008-02-26 12:36 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-26 11:59 . 2008-02-26 11:59 <REP> d-------- C:\_OTMoveIt
2008-02-25 21:20 . 2008-02-25 21:20 <REP> d-------- C:\Documents and Settings\HP_Propriétaire\Application Data\Grisoft
2008-02-25 21:19 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-24 17:47 . 2008-02-24 17:47 <REP> d-------- C:\Program Files\Lavasoft
2008-02-24 17:47 . 2008-02-24 17:49 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-24 17:46 . 2008-02-24 17:46 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-23 16:38 . 2007-09-02 20:37 4,096 --a------ C:\WINDOWS\system32\drivers\KProcCheck.sys
2008-02-23 11:03 . 2008-02-23 11:03 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 08:22 . 2008-02-23 08:22 <REP> d-------- C:\Program Files\Trend Micro
2008-02-23 08:10 . 2008-02-23 08:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 08:10 . 2008-02-23 08:10 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 20:40 --------- d-----w C:\Program Files\EuroPoker
2008-03-12 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-27 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-26 18:22 --------- d-----w C:\Program Files\MSN Messenger
2008-02-26 18:22 --------- d-----w C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Vso
2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Desktop Sidebar
2008-02-26 11:03 --------- d-----w C:\Program Files\Makro
2008-02-25 23:17 --------- d-----w C:\Program Files\Microsoft Works
2008-02-25 23:17 --------- d-----w C:\Program Files\Easy Internet signup
2008-02-25 23:17 --------- d-----w C:\Program Files\DivX
2008-02-23 13:01 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-23 13:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-23 13:00 --------- d-----w C:\Program Files\QuickTime
2008-02-23 12:51 --------- d-----w C:\Program Files\Google
2008-02-23 12:49 --------- d-----w C:\Program Files\CursorXP
2008-02-05 19:01 --------- d-----w C:\Program Files\Project64 1.6
2008-02-04 21:55 --------- d-----w C:\Program Files\WinLemm
2008-02-04 09:22 --------- d-----w C:\Program Files\LibUSB-Win32-0.1.10.1
2008-01-27 10:24 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\uTorrent
2008-01-26 08:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 09:34 30,832 ----a-w C:\Documents and Settings\HP_Propriétaire\Application Data\GDIPFONTCACHEV1.DAT
2005-04-20 19:18 56 --sh--r C:\WINDOWS\system32\2565851E8D.sys
2005-04-21 05:20 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34 128000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-18 18:51 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 11:00 15360]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-01-29 17:34 598920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-01 15:07 32881]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"VTTimer"="VTTimer.exe" []
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-20 09:47 249856]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-31 10:48 249896]
"Belgacom"="C:\Program Files\Belgacom\bin\sprtcmd.exe" [2006-06-22 08:34 192512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-01 17:45 98304]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)
"rightsTest"= 1 (0x1)
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"2"= firefox.exe
"3"= Opera.exe
"4"= netscape.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15001:TCP"= 15001:TCP:Utor1

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50]
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2003-12-08 12:53]
S3 cdiskdun;cdiskdun;C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys []
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S3 V0010bVd;Creative WebCam Vista #2;C:\WINDOWS\system32\DRIVERS\V0010bVd.sys [2003-04-21 08:19]
S3 XPADFL02;XPAD Filter Service 02;C:\WINDOWS\system32\DRIVERS\xpadfl02.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccad4655-7fb8-11da-8968-00112fbf7215}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6c701a4-37b0-11dc-8c14-00112fbf7215}]
\Shell\AutoRun\command - F:\Exe\Autorun.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-23 20:47:19 C:\WINDOWS\Tasks\Connexion facile à Internet.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-03-17 19:43:02 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 20:51:02
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-03-17 20:54:14
ComboFix-quarantined-files.txt 2008-03-17 19:53:59
ComboFix2.txt 2008-03-13 15:20:43
ComboFix3.txt 2008-03-10 20:28:32
ComboFix4.txt 2008-03-08 12:50:13
ComboFix5.txt 2008-02-26 08:49:57
.
2008-03-12 22:22:33 --- E O F ---

g!rly · Answer

aless,

je pensse que tu fais mal la manip

telecharge ce fichier et dezip le sur ton bureau puis suis la manip`

https://www.cjoint.com/?drwhYNcon0

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix,

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt

@+

aless2706 · Answer

Désolé pour le retard

Normalement déja les autres fois je suis bien la manip comme il est marqué , je fais glisser le fichier sur l'icone de combofix et puis il se lance..

Merci de ton aide ;)

Voici le rapport :

ComboFix 08-03-07.4 - HP_Propriétaire 2008-03-18 15:06:52.6 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.46 [GMT 1:00]
Endroit: C:\Documents and Settings\HP_Propriétaire\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_PropriÚtaire\Bureau\CFScript.txt
* Création d'un nouveau point de restauration
.

((((((((((((((((((((((((((((( Fichiers créés 2008-02-18 to 2008-03-18 ))))))))))))))))))))))))))))))))))))
.

2008-03-08 13:34 . 2008-03-08 13:35 <REP> d-------- C:\ComboFix[1]
2008-03-01 14:44 . 2008-03-02 09:54 <REP> d-------- C:\Program Files\a-squared Free
2008-02-28 14:53 . 2008-02-28 14:53 37,376 --a------ C:\avendavid.doc
2008-02-26 19:21 . 2008-02-26 19:21 <REP> d-------- C:\Program Files\CleanUp!
2008-02-26 12:36 . 2008-02-26 12:36 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-26 11:59 . 2008-02-26 11:59 <REP> d-------- C:\_OTMoveIt
2008-02-25 21:20 . 2008-02-25 21:20 <REP> d-------- C:\Documents and Settings\HP_Propriétaire\Application Data\Grisoft
2008-02-25 21:19 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-24 17:47 . 2008-02-24 17:47 <REP> d-------- C:\Program Files\Lavasoft
2008-02-24 17:47 . 2008-02-24 17:49 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-24 17:46 . 2008-02-24 17:46 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-23 16:38 . 2007-09-02 20:37 4,096 --a------ C:\WINDOWS\system32\drivers\KProcCheck.sys
2008-02-23 11:03 . 2008-02-23 11:03 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 08:22 . 2008-02-23 08:22 <REP> d-------- C:\Program Files\Trend Micro
2008-02-23 08:10 . 2008-02-23 08:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 08:10 . 2008-02-23 08:10 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 20:35 --------- d-----w C:\Program Files\EuroPoker
2008-03-12 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-27 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-26 18:22 --------- d-----w C:\Program Files\MSN Messenger
2008-02-26 18:22 --------- d-----w C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Vso
2008-02-26 18:22 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\Desktop Sidebar
2008-02-26 11:03 --------- d-----w C:\Program Files\Makro
2008-02-25 23:17 --------- d-----w C:\Program Files\Microsoft Works
2008-02-25 23:17 --------- d-----w C:\Program Files\Easy Internet signup
2008-02-25 23:17 --------- d-----w C:\Program Files\DivX
2008-02-23 13:01 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-23 13:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-23 13:00 --------- d-----w C:\Program Files\QuickTime
2008-02-23 12:51 --------- d-----w C:\Program Files\Google
2008-02-23 12:49 --------- d-----w C:\Program Files\CursorXP
2008-02-05 19:01 --------- d-----w C:\Program Files\Project64 1.6
2008-02-04 21:55 --------- d-----w C:\Program Files\WinLemm
2008-02-04 09:22 --------- d-----w C:\Program Files\LibUSB-Win32-0.1.10.1
2008-01-27 10:24 --------- d-----w C:\Documents and Settings\HP_Propriétaire\Application Data\uTorrent
2008-01-26 08:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 09:34 30,832 ----a-w C:\Documents and Settings\HP_Propriétaire\Application Data\GDIPFONTCACHEV1.DAT
2005-04-20 19:18 56 --sh--r C:\WINDOWS\system32\2565851E8D.sys
2005-04-21 05:20 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34 128000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-18 18:51 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 11:00 15360]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-01-29 17:34 598920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-01 15:07 32881]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"VTTimer"="VTTimer.exe" []
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-20 09:47 249856]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-31 10:48 249896]
"Belgacom"="C:\Program Files\Belgacom\bin\sprtcmd.exe" [2006-06-22 08:34 192512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-01 17:45 98304]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)
"rightsTest"= 1 (0x1)
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"2"= firefox.exe
"3"= Opera.exe
"4"= netscape.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15001:TCP"= 15001:TCP:Utor1

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 20:50]
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2003-12-08 12:53]
S3 cdiskdun;cdiskdun;C:\DOCUME~1\HP_PRO~1\LOCALS~1\Temp\cdiskdun.sys []
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S3 V0010bVd;Creative WebCam Vista #2;C:\WINDOWS\system32\DRIVERS\V0010bVd.sys [2003-04-21 08:19]
S3 XPADFL02;XPAD Filter Service 02;C:\WINDOWS\system32\DRIVERS\xpadfl02.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccad4655-7fb8-11da-8968-00112fbf7215}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6c701a4-37b0-11dc-8c14-00112fbf7215}]
\Shell\AutoRun\command - F:\Exe\Autorun.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-23 20:47:19 C:\WINDOWS\Tasks\Connexion facile à Internet.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-03-18 10:43:02 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 15:13:48
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-03-18 15:16:38
ComboFix-quarantined-files.txt 2008-03-18 14:16:27
ComboFix2.txt 2008-03-17 19:54:17
ComboFix3.txt 2008-03-13 15:20:43
ComboFix4.txt 2008-03-10 20:28:32
ComboFix5.txt 2008-03-08 12:50:13
.
2008-03-12 22:22:33 --- E O F ---

jlpjlp · Answer

slt,
g!rly etant non dispo je vais essayer d'avancer un peu si tu es ok

_______________



Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau. 
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 
Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici : 
• Redémarre ton ordinateur 
• Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde). 
• A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître. 
• Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée". 
• Choisis ton compte. 
Déroule la liste des instructions ci-dessous : 
• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script. 
• Appuie sur Y pour commencer le processus de nettoyage. 
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer. 
• Appuie sur une touche pour redémarrer le PC. 
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers. 
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished. 
• Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau. 
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt. 
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum

g!rly · Answer

Merci ;-)

aless2706 · Answer

salut , voici le rapport 


Sdfix


[b]SDFix: Version 1.160 [/b]

Run by HP_Propriétaire on dim. 23/03/2008 at 18:25

Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]: 

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:
 


                                 [b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 19:17:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 Le fichier spécifié est introuvable.
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:a560e19a
"s2"=dword:41951357
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:22,98,fa,60,da,0f,c8,e5,92,a5,84,2d,91,51,f9,4f,b2,bd,01,62,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:04,86,2b,c5,c5,b4,05,b0,83,d3,62,d3,1c,89,de,40,e2,44,c5,37,f5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:22,98,fa,60,da,0f,c8,e5,92,a5,84,2d,91,51,f9,4f,b2,bd,01,62,55,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:04,86,2b,c5,c5,b4,05,b0,83,d3,62,d3,1c,89,de,40,e2,44,c5,37,f5,..

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 64


[b]Remaining Services [/b]:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Disabled:Logiciel de transfert de fichiers"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Assistance à distance - Windows Messenger et voix"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"="C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Wed 20 Apr 2005            56 ..SHR --- "C:\WINDOWS\system32\2565851E8D.sys"
Thu 21 Apr 2005           848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT6.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\18b19374451d28a8fbaf1939cf31ff45\BIT9.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\22fb973e059470cc1b5d76c4ae605351\BITD.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT5.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BITA.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30285791903730fbf957a83562db4ff4\BIT7.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4633c51c90c17af214c8eeab40b9fcf4\BIT4.tmp"
Wed 27 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT3.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9e870549834e2bceb796e44a1e3ac6f5\BITC.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cb8921d0c7830b2f33c00fa4c8a10d17\BIT8.tmp"
Fri 29 Feb 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITB.tmp"

[b]Finished![/b]

g!rly · Answer

Salut aless2706,

vide tes fichier temporaire avec :

Vide tes fichiers temporaires avec ceci:

->Clean Up 40:

http://pageperso.aol.fr/balltrap34/CleanUp40.exe

->aide en image:(merci a Balltrap34)

http://perso.orange.fr/rginformatique/section%20virus/democleanup.htm

click sur option et décoche la case devant : delete prefect files

ne redemarre pas le pc.

telecharge autoruns sur ce site :

https://www.clubic.com/telecharger-fiche15501-microsoft-autoruns.html

une fois telchargé dezip le contenu dans un fichier dedié sur ton bureau 

click sur autoruns.exe

une fois le programme ouvert click sur l´onglet driver ou services

dans la liste localise :

cdiskdun

click droit dessus et delete

repasse clean up 40 et redemarre le pc

retourne dans le programme autoruns et dis moi si tu voies toujours cdiskdun ?

@+

aless2706 · Answer

Slt , Voila il est bien supprimé , il n'est plus dans la liste :)

g!rly · Answer

cool aless2706,

reessaie maintenant un scan antivir et post le resultat stp

@+

aless2706 · Answer

Il a rien trouvé , nickel =D


Voici le rapport : 


AntiVir PersonalEdition Classic
Report file date: dimanche 30 mars 2008  19:59

Scanning for 1169688 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         HP_Propriétaire
Computer name:    DISTRITOP

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.3.2     5447168 Bytes  07/03/2008 19:57:16
ANTIVIR2.VDF : 7.0.3.85     434176 Bytes  27/03/2008 15:00:02
ANTIVIR3.VDF : 7.0.3.92      20480 Bytes  28/03/2008 14:59:06
AVEWIN32.DLL : 7.6.0.78    3408384 Bytes  28/03/2008 15:00:03
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3      360488 Bytes  16/01/2008 21:08:44
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: low

Start of the scan: dimanche 30 mars 2008  19:59

Starting search for hidden objects.
'46751' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'CursorXP.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'Keyhook.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned
Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'libusbd-nt.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'BTNtService.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [NOTE]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
      [NOTE]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '33' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
      [WARNING]   The file could not be opened!


End of the scan: dimanche 30 mars 2008  20:53
Used time: 53:42 min

The scan has been done completely.

   6195 Scanning directories
 345005 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
 345005 Files not concerned
  10202 Archives were scanned
      2 Warnings
      0 Notes
  46751 Objects were scanned with rootkit scan
      0 Hidden objects were found

g!rly · Answer

salut aless2706

Oui c´est cool ;-)

C´est grace a autoruns que tu as viré le driver alors ou c´est simplement clean up ou sdfix qui l´avait supprimé des fichiers .temp?

@+

aless2706 · Answer

c est autorun qui l'a supprimé ;)

g!rly · Answer

salut aless2706,

ok, merci pour la precision ;-)

bon je crois que nos chemins vont se separer ici, qu´est ce que tu en pensses ?

@+

aless2706 · Answer

Slt 

oui , en tout cas merci bcp pour ton aide =)

g!rly · Answer

salut,

de rien ;-)

un dernier truc pour supprimer les outils utilisés :

Télécharge ToolsCleaner sur ton bureau.
--> http://www.commentcamarche.net/telecharger/telechargement 34055291 toolsclean(...)
# Clique sur Recherche et laisse le scan agir ...
# Clique sur Suppression pour finaliser.
# Tu peux, si tu le souhaites, te servir des Options facultatives.
# Clique sur Quitter pour obtenir le rapport.
# Poste le rapport (TCleaner.txt) qui se trouve à la racine de ton disque dur (C:\). 

bonne continuation`

bye`

g!rly`

aless2706 · Answer

Salut , voici le rapport : 

-->- Recherche: 

C:\SDFIX: trouvé !
C:\Combofix: trouvé !
C:\Qoobox: trouvé !
C:\_OtMoveIt: trouvé !
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\HijackThis: trouvé !
C:\Documents and Settings\HP_Propriétaire\Bureau\HijackThis.lnk: trouvé !
C:\Documents and Settings\HP_Propriétaire\Bureau\avenger.exe: trouvé !
C:\Documents and Settings\HP_Propriétaire\Bureau\OtMoveIt2.exe: trouvé !
C:\Documents and Settings\HP_Propriétaire\Bureau\ComboFix.exe: trouvé !
C:\Documents and Settings\HP_Propriétaire\Bureau\DiagHelp: trouvé !
C:\Documents and Settings\HP_Propriétaire\Bureau\DiagHelp\DiagHelp: trouvé !
C:\Program Files\Trend Micro\HijackThis: trouvé !
C:\QooBox\Quarantine\C\Combofix: trouvé !
C:\WINDOWS\system32\config\systemprofile\Recent\MSNFix.lnk: trouvé !

---------------------------------
-->- Suppression: 

C:\Documents and Settings\HP_Propriétaire\Bureau\HijackThis.lnk: supprimé !
C:\Documents and Settings\HP_Propriétaire\Bureau\avenger.exe: supprimé !
C:\Documents and Settings\HP_Propriétaire\Bureau\OtMoveIt2.exe: supprimé !
C:\Documents and Settings\HP_Propriétaire\Bureau\ComboFix.exe: supprimé !
C:\WINDOWS\system32\config\systemprofile\Recent\MSNFix.lnk: supprimé !
C:\SDFIX: supprimé !
C:\Combofix: supprimé !
C:\Qoobox: supprimé !
C:\_OtMoveIt: supprimé !
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\HijackThis: supprimé !
C:\Documents and Settings\HP_Propriétaire\Bureau\DiagHelp: supprimé !
C:\Program Files\Trend Micro\HijackThis: supprimé !

Corbeille vidée!
Fichiers temporaires nettoyés !

g!rly · Answer

;-)

bon week end ;D

aless2706 · Answer

merci a toi aussi 

merci encore de ton aide ;) ^^

g!rly · Answer

Merci`
De rien ;-)
^'^

A l'aide antivir détecte intrusions

66 réponses

Votre réponse

Discussions similaires

Newsletters