Infection éliminée??
Boubou
-
jlpjlp Messages postés 52399 Statut Contributeur sécurité -
jlpjlp Messages postés 52399 Statut Contributeur sécurité -
Bonjour,
ci-joint les rapports suite aux scans AVG/biddefender/hijackthis.
Mon copier-coller de biddefender n'a pas été sauvegardé il avait trouvé 23 menaces.
Si qqun peut m'aider... Merci pour votre aide
+ Résultat de l'analyse:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé.
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Erreur lors du nettoyage.
HKU\S-1-5-21-3191265265-2514352173-1016402473-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@adrevolver[2].txt -> TrackingCookie.Adrevolver : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@adtech[1].txt -> TrackingCookie.Adtech : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@advertising[2].txt -> TrackingCookie.Advertising : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@adviva[2].txt -> TrackingCookie.Adviva : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@atdmt[1].txt -> TrackingCookie.Atdmt : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@bluestreak[1].txt -> TrackingCookie.Bluestreak : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@bluestreak[2].txt -> TrackingCookie.Bluestreak : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@clickbank[1].txt -> TrackingCookie.Clickbank : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@doubleclick[1].txt -> TrackingCookie.Doubleclick : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@doubleclick[1].txt -> TrackingCookie.Doubleclick : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@mediaplex[1].txt -> TrackingCookie.Mediaplex : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@mediaplex[2].txt -> TrackingCookie.Mediaplex : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@auto.search.msn[1].txt -> TrackingCookie.Msn : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@smartadserver[2].txt -> TrackingCookie.Smartadserver : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@smartadserver[1].txt -> TrackingCookie.Smartadserver : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@statcounter[1].txt -> TrackingCookie.Statcounter : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@fnacmagasin.solution.weborama[2].txt -> TrackingCookie.Weborama : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@weborama[1].txt -> TrackingCookie.Weborama : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@m.webtrends[2].txt -> TrackingCookie.Webtrends : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Nettoyé.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:04, on 30/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: system C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\nico\svchost.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Winedows Updateing] NinKey.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [MicroSoft HardMuscle] kdjfdssdl.com
O4 - HKLM\..\RunServices: [Microsoft Winedows Updateing] NinKey.exe
O4 - HKLM\..\RunOnce: [Microsoft Winedows Updateing] NinKey.exe
O4 - HKCU\..\Run: system C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\nico\svchost.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-3191265265-2514352173-1016402473-1004\..\Run: system C:\WINDOWS\system32\drivers\services.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Windows Service Network] tirtzcqizrj.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: system C:\WINDOWS\system32\drivers\services.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Winedows Updateing] NinKey.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [MicroSoft HardMuscle] kdjfdssdl.com (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicroSoft HardMuscle] kdjfdssdl.com (User 'Default user')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Service d'indexation (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: Micr0s0ft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\sxch0st.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: Onduleur (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
ci-joint les rapports suite aux scans AVG/biddefender/hijackthis.
Mon copier-coller de biddefender n'a pas été sauvegardé il avait trouvé 23 menaces.
Si qqun peut m'aider... Merci pour votre aide
+ Résultat de l'analyse:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé.
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Erreur lors du nettoyage.
HKU\S-1-5-21-3191265265-2514352173-1016402473-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@adrevolver[2].txt -> TrackingCookie.Adrevolver : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@adtech[1].txt -> TrackingCookie.Adtech : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@advertising[2].txt -> TrackingCookie.Advertising : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@adviva[2].txt -> TrackingCookie.Adviva : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@atdmt[1].txt -> TrackingCookie.Atdmt : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@bluestreak[1].txt -> TrackingCookie.Bluestreak : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@bluestreak[2].txt -> TrackingCookie.Bluestreak : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@clickbank[1].txt -> TrackingCookie.Clickbank : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@doubleclick[1].txt -> TrackingCookie.Doubleclick : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@doubleclick[1].txt -> TrackingCookie.Doubleclick : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@mediaplex[1].txt -> TrackingCookie.Mediaplex : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@mediaplex[2].txt -> TrackingCookie.Mediaplex : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@auto.search.msn[1].txt -> TrackingCookie.Msn : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@smartadserver[2].txt -> TrackingCookie.Smartadserver : Nettoyé.
C:\Documents and Settings\nico\Local Settings\Temp\Cookies\nico@smartadserver[1].txt -> TrackingCookie.Smartadserver : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@statcounter[1].txt -> TrackingCookie.Statcounter : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@fnacmagasin.solution.weborama[2].txt -> TrackingCookie.Weborama : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@weborama[1].txt -> TrackingCookie.Weborama : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@m.webtrends[2].txt -> TrackingCookie.Webtrends : Nettoyé.
C:\Documents and Settings\nico\Cookies\nico@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Nettoyé.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:04, on 30/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: system C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\nico\svchost.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Winedows Updateing] NinKey.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [MicroSoft HardMuscle] kdjfdssdl.com
O4 - HKLM\..\RunServices: [Microsoft Winedows Updateing] NinKey.exe
O4 - HKLM\..\RunOnce: [Microsoft Winedows Updateing] NinKey.exe
O4 - HKCU\..\Run: system C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\nico\svchost.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-3191265265-2514352173-1016402473-1004\..\Run: system C:\WINDOWS\system32\drivers\services.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Windows Service Network] tirtzcqizrj.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: system C:\WINDOWS\system32\drivers\services.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Winedows Updateing] NinKey.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [MicroSoft HardMuscle] kdjfdssdl.com (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicroSoft HardMuscle] kdjfdssdl.com (User 'Default user')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Service d'indexation (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: Micr0s0ft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\sxch0st.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: Onduleur (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
A voir également:
- Infection éliminée??
- Menace éliminée par Avast ✓ - Forum Virus
- Message avast menace éliminée - Forum Virus
- Infection pc ✓ - Forum Virus
- [Pnkbstra]infection ✓ - Forum Virus
- Infection virus ✓ - Forum Virus
12 réponses
donc le plus simple est de tout reinstaller et formater windows!
avant de formater enregistre tes données et telecharge sur une clé ou un cd un parefeu et un antivirus pour les installer avant d'aller sur le net surtout sinon tu sera de nouveau infécté!!! et ensuite mettre a jour windows avec le sp2
antivirus :
AVAST en français ou ANTIVIR (en anglais mais très efficace)
https://www.malekal.com/avira-free-security-antivirus-gratuit/ (merci Malekal)
--------
un pare feu :
KERIO ou JETICO ou ZONE ALARM (mettre que le parefeu gratuit) ou COMODO
https://www.clubic.com/telecharger-fiche11071-sunbelt-personal-firewall-ex-kerio.html
https://manuelsdaide.com/contact/
http://www.open-files.com/forum/index.php?showtopic=29277
zonealarm
et tant qu'a faire installe aussi un antiespion comme spybot:
https://www.01net.com/telecharger/windows/Securite/anti-spyware/fiches/26157.html
avant de formater enregistre tes données et telecharge sur une clé ou un cd un parefeu et un antivirus pour les installer avant d'aller sur le net surtout sinon tu sera de nouveau infécté!!! et ensuite mettre a jour windows avec le sp2
antivirus :
AVAST en français ou ANTIVIR (en anglais mais très efficace)
https://www.malekal.com/avira-free-security-antivirus-gratuit/ (merci Malekal)
--------
un pare feu :
KERIO ou JETICO ou ZONE ALARM (mettre que le parefeu gratuit) ou COMODO
https://www.clubic.com/telecharger-fiche11071-sunbelt-personal-firewall-ex-kerio.html
https://manuelsdaide.com/contact/
http://www.open-files.com/forum/index.php?showtopic=29277
zonealarm
et tant qu'a faire installe aussi un antiespion comme spybot:
https://www.01net.com/telecharger/windows/Securite/anti-spyware/fiches/26157.html
maintenant si tu ne veux pas formater on peut tenter de desinfecter ton ordi mais il y aura du boulot!!!
1/ mettre un parefeu
2/
Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
• Redémarre ton ordinateur
• Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde).
• A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
• Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
• Choisis ton compte.
Déroule la liste des instructions ci-dessous :
• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
• Appuie sur Y pour commencer le processus de nettoyage.
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
• Appuie sur une touche pour redémarrer le PC.
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
• Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum
3/installe antivir et colles un rapport avec
4/ remets un hijackhtis et dis tes soucis
1/ mettre un parefeu
2/
Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
• Redémarre ton ordinateur
• Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde).
• A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
• Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
• Choisis ton compte.
Déroule la liste des instructions ci-dessous :
• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
• Appuie sur Y pour commencer le processus de nettoyage.
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
• Appuie sur une touche pour redémarrer le PC.
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
• Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum
3/installe antivir et colles un rapport avec
4/ remets un hijackhtis et dis tes soucis
heu tu est bien infecter la
instal ce prog:https://www.01net.com/telecharger/windows/Securite/anti-spam/fiches/44096.html
lance le sur : recherche complet
a la fin met tout en quarantaine et copie et colle le raprt ici pour voir
instal ce prog:https://www.01net.com/telecharger/windows/Securite/anti-spam/fiches/44096.html
lance le sur : recherche complet
a la fin met tout en quarantaine et copie et colle le raprt ici pour voir
Vous n’avez pas trouvé la réponse que vous recherchez ?
Posez votre question
Formater c'est ce que fais déjà depuis bien longtemps (remise aux paramètres de sortie d'usine si on parle bien de la m chose). C'est pour ça que j'en reviens au SP1 pas dantivirus ni de parefeu. Après chaque formatage, y a tjs un truc qui bueuge. Par exemple, suite au dernier, je veux réinstaller mon MS Office mais apparemment mon Windows installer ne fonctionne pas. Lors du téléchargement erreur j'ai ce message. :
Le programme d'instTallation du KB893803v2 n'a pas pu sauvegarder la clé du registre
HKCR\CLSID\{000C101D-0000-0000-C000-000000000046}\DllVersion vers le fichier C:\WINDOWS\$MSI31Uninstall_KB893803v2$\reg00045. 5: acces refusé
Donc pas de possibilité de remettre mon MS Office pour l'instant
Récemment c mon périph audio qui vient de me lacher sans aucune raison. Et quand j'installe SP2 je perds mon WIfi alors que je n'ai aucun pb avec en SP1.
J'ai réinitialisé mon ordi 10 fois en un WE et tjs un bug au final. Je vais suivre vos conseils on verra bien. Merci d'avance.
Le programme d'instTallation du KB893803v2 n'a pas pu sauvegarder la clé du registre
HKCR\CLSID\{000C101D-0000-0000-C000-000000000046}\DllVersion vers le fichier C:\WINDOWS\$MSI31Uninstall_KB893803v2$\reg00045. 5: acces refusé
Donc pas de possibilité de remettre mon MS Office pour l'instant
Récemment c mon périph audio qui vient de me lacher sans aucune raison. Et quand j'installe SP2 je perds mon WIfi alors que je n'ai aucun pb avec en SP1.
J'ai réinitialisé mon ordi 10 fois en un WE et tjs un bug au final. Je vais suivre vos conseils on verra bien. Merci d'avance.
Malwarebytes' Anti-Malware 1.25
Version de la base de données: 1101
Windows 5.1.2600 Service Pack 1
13:58:45 31/08/2008
mbam-log-08-31-2008 (13-58-45).txt
Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 78849
Temps écoulé: 32 minute(s), 17 second(s)
Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 1
Valeur(s) du Registre infectée(s): 11
Elément(s) de données du Registre infecté(s): 2
Dossier(s) infecté(s): 1
Fichier(s) infecté(s): 10
Processus mémoire infecté(s):
(Aucun élément nuisible détecté)
Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)
Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system] (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system] (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft winedows updateing (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft winedows updateing (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\microsoft winedows updateing (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath (Hijack.Tasks) -> Bad: (C:\WINDOWS\system32\drivers\services.exe) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Dossier(s) infecté(s):
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
Fichier(s) infecté(s):
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0005162.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0005188.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\vvvasnvv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rld1D.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\wuauclt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NinKey.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\crock+mock.config (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcp.csv (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\nico\mpr2.dat (Malware.Trace) -> Quarantined and deleted successfully.
Pour SDfix il affiche dans le mode sans echec "sdfix" n'est pas reconnu comme une commande interne ou externe un programme executable ou un fichiers de commandes....
Version de la base de données: 1101
Windows 5.1.2600 Service Pack 1
13:58:45 31/08/2008
mbam-log-08-31-2008 (13-58-45).txt
Type de recherche: Examen complet (C:\|D:\|)
Eléments examinés: 78849
Temps écoulé: 32 minute(s), 17 second(s)
Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 1
Valeur(s) du Registre infectée(s): 11
Elément(s) de données du Registre infecté(s): 2
Dossier(s) infecté(s): 1
Fichier(s) infecté(s): 10
Processus mémoire infecté(s):
(Aucun élément nuisible détecté)
Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)
Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system] (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system] (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft winedows updateing (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft winedows updateing (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\microsoft winedows updateing (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath (Hijack.Tasks) -> Bad: (C:\WINDOWS\system32\drivers\services.exe) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Dossier(s) infecté(s):
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
Fichier(s) infecté(s):
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0005162.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0005188.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\vvvasnvv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rld1D.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\wuauclt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NinKey.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\crock+mock.config (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcp.csv (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\nico\mpr2.dat (Malware.Trace) -> Quarantined and deleted successfully.
Pour SDfix il affiche dans le mode sans echec "sdfix" n'est pas reconnu comme une commande interne ou externe un programme executable ou un fichiers de commandes....
mets un des parfeu proposés
puis
Télécharge MSNFix de Laurent
http://sosvirus.changelog.fr/MSNFix.zip
Décompresse-le et double clic sur le fichier MSNFix.bat.
- Exécute l'option R.
--Si l'infection est détectée, exécute l'option N
- Sauvegarde ce rapport puis fais un copier/coller de ce rapport sur le forum.
Note :
Si une erreur de suppression est détectée un message s'affichera demandant de redémarrer l'ordinateur afin de terminer les opérations. Dans ce cas il suffit de redémarrer l'ordinateur en mode normal
Sauvegarder et fermer le rapport pour que Windows termine de se lancer normalement.
____________________
Télécharge Combofix de sUBs : aide ici : https://forum.pcastuces.com/sujet.asp?f=25&s=37315
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Sauvegarde le sur ton bureau et pas ailleurs !
Aide à l’utilisation de combofix ici: https://bibou0007.forumpro.fr/login?redirect=%2Ft121-topic
Double-clic sur combofix, Il va te poser une question, réponds par la touche 1 et entrée pour valider, laisse toi guider.
Attends que combofix ait terminé, un rapport sera créé. Poste le rapport.
______________
colles un rapport avec antivir:
https://www.malekal.com/avira-free-security-antivirus-gratuit/ (merci Malekal)
______________
recolles un hijackhtis
puis
Télécharge MSNFix de Laurent
http://sosvirus.changelog.fr/MSNFix.zip
Décompresse-le et double clic sur le fichier MSNFix.bat.
- Exécute l'option R.
--Si l'infection est détectée, exécute l'option N
- Sauvegarde ce rapport puis fais un copier/coller de ce rapport sur le forum.
Note :
Si une erreur de suppression est détectée un message s'affichera demandant de redémarrer l'ordinateur afin de terminer les opérations. Dans ce cas il suffit de redémarrer l'ordinateur en mode normal
Sauvegarder et fermer le rapport pour que Windows termine de se lancer normalement.
____________________
Télécharge Combofix de sUBs : aide ici : https://forum.pcastuces.com/sujet.asp?f=25&s=37315
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Sauvegarde le sur ton bureau et pas ailleurs !
Aide à l’utilisation de combofix ici: https://bibou0007.forumpro.fr/login?redirect=%2Ft121-topic
Double-clic sur combofix, Il va te poser une question, réponds par la touche 1 et entrée pour valider, laisse toi guider.
Attends que combofix ait terminé, un rapport sera créé. Poste le rapport.
______________
colles un rapport avec antivir:
https://www.malekal.com/avira-free-security-antivirus-gratuit/ (merci Malekal)
______________
recolles un hijackhtis
Bonjour,
J'ai du réinitialiser mon ordi 2 fois, les virus m'ont shooté mon iexplorer.exe, antivirus s'est désinstallé tout seul après un scan (!!), et j'ai régulièrement des fenêtres de messages "cet arrêt a été initié par Autorité NT\system
c://Windows\system32\lsass.EXE s'est terminé de maniere inattendue avec le code d'état 0. Le système va maintenant s'arrêter"
Après réinitialisation de mon ordi, j'ai pu enfin lancer MSNfix et combofix (simple curseur clignotant avant...). Voila les rapports et encore merci d'avance.
MSNFix 1.742
C:\Documents and Settings\nico\Bureau\MSNFix
Fix exécuté le 02/09/2008 - 18:35:28,90 By nico
mode normal
************************ Recherche les fichiers présents
... C:\WINDOWS\system32\drivers\services.exe
************************ Recherche les dossiers présents
Aucun dossier trouvé
************************ Suppression des fichiers
/!\ ... C:\WINDOWS\system32\drivers\services.exe
************************ Nettoyage du registre
************************ Hostsclean
Cleanhosts v 0.1.0.7 By Laurent
-- Backup : C:\WINDOWS\System32\drivers\etc\hosts-20080902183630
-- original size 0.77 Kb / 20 lines
-- Start cleaning Hosts file ....
-- final size 0.77 Kb / 20 lines
-- entry Found : 0 / Entry check : 310
End .............................. 14.6 Secondes
Les fichiers encore présents seront supprimés au prochain redémarrage
************************ Suppression des fichiers
.. OK ... C:\WINDOWS\system32\drivers\services.exe
************************ Hostsclean
Cleanhosts v 0.1.0.7 By Laurent
-- Backup : C:\WINDOWS\System32\drivers\etc\hosts-20080902183828
-- original size 0.77 Kb / 20 lines
-- Start cleaning Hosts file ....
-- final size 0.77 Kb / 20 lines
-- entry Found : 0 / Entry check : 310
End .............................. 14.92 Secondes
************************ Fichiers suspects
/!\ ces fichiers nécessitent un avis expérimenté avant toute intervention
[C:\g3g6r8w3c2f7.exe] D8B2320A03DD40936D4A17E22CD1BA5A
[color=#FF0000][b]==>/b/color SVP merci d'envoyer le fichier [b] C:\DOCUME~1\nico\Bureau\Upload_Me.zip /b sur http://upload.changelog.fr
Les fichiers et clés de registre supprimés ont été sauvegardés dans le fichier 02092008_18384387.zip
************************ HKLM\...\Winlogon\Userinit
Userinit = C:\WINDOWS\system32\userinit.exe,
Important : http://msnfix.changelog.fr/index.php/2008/05/18/32-alerte
------------------------------------------------------------------------
Auteur : !aur3n7 Contact: https://www.ionos.fr/
------------------------------------------------------------------------
--------------------------------------------- END ---------------------------------------------
ComboFix 08-09-01.03 - nico 2008-09-02 18:42:29.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.358 [GMT 2:00]
Endroit: C:\Documents and Settings\nico\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration
[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!/b/color
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((((((( Fichiers créés 2008-08-02 to 2008-09-02 ))))))))))))))))))))))))))))))))))))
.
2008-09-02 18:29 . 2008-09-02 18:32 58,880 --a------ C:\g3g6r8w3c2f7.exe
2008-09-02 18:26 . 2008-09-02 18:26 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-09-02 18:23 . 2008-09-02 18:05 <REP> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-09-02 18:23 . 2008-09-02 18:09 <REP> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\VERITAS
2008-09-02 18:23 . 2008-09-02 18:05 <REP> d-------- C:\Documents and Settings\nico\WINDOWS
2008-09-02 18:23 . 2002-09-30 16:20 <REP> d--h----- C:\Documents and Settings\nico\Voisinage réseau
2008-09-02 18:23 . 2002-09-30 16:20 <REP> d--h----- C:\Documents and Settings\nico\Voisinage d'impression
2008-09-02 18:23 . 2002-09-30 16:20 <REP> d--h----- C:\Documents and Settings\nico\Modèles
2008-09-02 18:23 . 2008-09-02 18:23 <REP> dr------- C:\Documents and Settings\nico\Mes documents
2008-09-02 18:23 . 2002-09-30 16:20 <REP> dr------- C:\Documents and Settings\nico\Menu Démarrer
2008-09-02 18:23 . 2008-09-02 18:24 <REP> dr------- C:\Documents and Settings\nico\Favoris
2008-09-02 18:23 . 2008-09-02 18:41 <REP> dr------- C:\Documents and Settings\nico\Bureau
2008-09-02 18:23 . 2008-09-02 18:09 <REP> d-------- C:\Documents and Settings\nico\Application Data\VERITAS
2008-09-02 18:23 . 2008-09-02 18:23 <REP> d-------- C:\Documents and Settings\nico
2008-09-02 18:23 . 2008-09-02 18:05 <REP> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-09-02 18:23 . 2008-09-02 18:23 47 --a------ C:\WINDOWS\system32\drivers\IBM_2373_EG3.MRK
2008-09-02 18:23 . 2008-09-02 18:23 10 --a------ C:\WINDOWS\system32\firstboot.ibm
2008-09-02 18:20 . 2008-09-02 18:20 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-09-02 18:15 . 2008-09-02 18:15 <REP> d--hs---- C:\Recycled
2008-09-02 18:15 . 2008-09-02 18:15 61 --a------ C:\WINDOWS\smscfg.ini
2008-09-02 18:13 . 2008-09-02 18:23 <REP> d-------- C:\Program Files\PC-Doctor for Windows
2008-09-02 18:13 . 2000-03-22 21:42 44,192 --a------ C:\WINDOWS\system32\drivers\PcdrNt.sys
2008-09-02 18:11 . 2008-09-02 18:11 0 --ah----- C:\BOOTLOG.PRV
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\WINDOWS\system32\dla
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\Program Files\VERITAS Software
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\Program Files\IBM RecordNow
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\Program Files\IBM DLA
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\icons
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\VERITAS
2008-09-02 18:09 . 2003-01-10 03:50 98,354 --a------ C:\WINDOWS\dla.exe
2008-09-02 18:09 . 2002-12-20 03:21 83,104 --a------ C:\WINDOWS\system32\drivers\drvmcdb.sys
2008-09-02 18:09 . 2003-01-10 03:50 61,494 --a------ C:\WINDOWS\system32\tfswapi.dll
2008-09-02 18:09 . 2002-12-24 02:56 40,368 --a------ C:\WINDOWS\system32\drivers\drvnddm.sys
2008-09-02 18:09 . 2002-12-24 10:51 22,995 --a------ C:\WINDOWS\system32\drivers\ssrtln.sys
2008-09-02 18:09 . 2002-12-24 10:52 5,589 --a------ C:\WINDOWS\system32\drivers\sscdbhk5.sys
2008-09-02 18:09 . 2008-09-02 18:09 138 --a------ C:\WINDOWS\wininit.ini
2008-09-02 18:08 . 2008-09-02 18:08 <REP> d-------- C:\Program Files\InterVideo
2008-09-02 18:08 . 2008-09-02 18:08 <REP> d-------- C:\Program Files\IBM
2008-09-02 18:08 . 2008-09-02 18:08 <REP> d-------- C:\Documents and Settings\All Users\Application Data\ibm
2008-09-02 18:07 . 2008-09-02 18:07 <REP> d-------- C:\WINDOWS\system32\SBUtils
2008-09-02 18:07 . 2008-09-02 18:07 <REP> d-------- C:\Program Files\SBApps
2008-09-02 18:07 . 2008-09-02 18:07 241 --a------ C:\WINDOWS\Welcome.ini
2008-09-02 18:06 . 2008-09-02 18:06 <REP> d-------- C:\Program Files\Support.com
2008-09-02 18:06 . 2008-09-02 18:06 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Support.com
2008-09-02 18:05 . 2008-09-02 18:05 <REP> d-------- C:\Documents and Settings\Administrateur\WINDOWS
2008-09-02 18:05 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-09-02 18:02 . 2008-09-02 18:02 <REP> d-------- C:\Program Files\ltmoh
2008-09-02 18:02 . 2008-09-02 18:02 <REP> d-------- C:\Program Files\ATI Technologies
2008-09-02 18:01 . 2002-09-04 01:05 61,440 --a------ C:\WINDOWS\system32\tp4ex.cpl
2008-09-02 18:01 . 2002-09-04 01:05 61,440 --a------ C:\WINDOWS\system32\FPCALL.dll
2008-09-02 18:01 . 2002-09-04 01:05 53,248 --a------ C:\WINDOWS\system32\TP4HOOK.dll
2008-09-02 18:01 . 2002-09-04 01:05 53,248 --a------ C:\WINDOWS\system32\TP4EX.exe
2008-09-02 18:01 . 2002-09-04 01:05 49,152 --a------ C:\WINDOWS\system32\tp4cross.exe
2008-09-02 18:01 . 2002-09-04 01:05 8,345 --a------ C:\WINDOWS\system32\TP4EX.HLP
2008-09-02 18:01 . 2002-12-26 02:10 7,168 --a------ C:\WINDOWS\system32\drivers\TSMAPIP.SYS
2008-09-02 18:01 . 2002-09-04 01:05 5,928 --a------ C:\WINDOWS\system32\TP4LATCH.WAV
2008-09-02 18:01 . 2002-09-04 01:05 4,458 --a------ C:\WINDOWS\system32\TP4CLICK.WAV
2008-09-02 18:01 . 2008-09-02 18:01 0 -rah----- C:\WINDOWS\system32\drivers\IBM_2373_G1G_TP.MRK
2008-09-02 18:00 . 2003-01-17 01:32 184,320 --a------ C:\WINDOWS\TPBATHLP.EXE
2008-09-02 18:00 . 2002-12-26 01:32 34,816 --a------ C:\WINDOWS\system32\TP98.CPL
2008-09-02 18:00 . 2003-01-17 01:32 15,360 --a------ C:\WINDOWS\system32\drivers\TPPWR.SYS
2008-09-02 18:00 . 2002-12-26 01:32 14,848 --a------ C:\WINDOWS\system32\drivers\SMAPINT.SYS
2008-09-02 18:00 . 2002-12-26 01:32 8,830 --a------ C:\WINDOWS\system32\drivers\TDSMAPI.SYS
2008-09-02 17:59 . 2008-09-02 17:59 <REP> d-------- C:\Program Files\ThinkPad
2008-09-02 17:59 . 2008-09-02 17:59 <REP> d--h----- C:\Program Files\InstallShield Installation Information
2008-09-02 17:59 . 2008-09-02 17:59 <REP> d-------- C:\Program Files\Fichiers communs\InstallShield
2008-09-02 17:59 . 2002-09-30 18:22 86,016 --a------ C:\WINDOWS\_tpiu000.exe
2008-09-02 17:59 . 2003-03-27 02:06 49,152 --a------ C:\WINDOWS\system32\QCONSVC.EXE
2008-09-02 17:59 . 2003-03-27 02:06 2,295 --a------ C:\WINDOWS\system32\drivers\IBMBLDID.SYS
2008-09-02 17:53 . 2003-05-11 16:26 24,576 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-09-02 17:52 . 2001-08-23 17:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-02 17:52 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-02 17:51 . 2002-08-29 11:44 5,120 --a------ C:\WINDOWS\system32\hccoin.dll
2008-09-02 17:50 . 2008-09-02 17:50 <REP> d-------- C:\Program Files\Synaptics
2008-09-02 17:49 . 2008-09-02 17:49 2,500 --a------ C:\WINDOWS\system32\OEMINFO.INI
2008-09-02 17:49 . 2008-09-02 17:49 910 --a------ C:\SYSLEVEL.IBM
2008-09-02 17:47 . 2008-09-02 17:47 <REP> d-------- C:\DRIVERS
2008-09-02 17:38 . 2008-09-02 18:23 <REP> d-a------ C:\IBMTOOLS
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 16:32 44,032 ----a-w C:\WINDOWS\system32\ftp.exe
2008-09-02 16:31 135,168 ----a-w C:\WINDOWS\system32\sfc_os.dll
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-30 13312]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-01-29 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-01-29 573440]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-01-24 94208]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-03-27 53248]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 20480]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2003-02-17 32835]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 204800]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-29 315392]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2002-10-16 1622016]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 495616]
"StorageGuard"="c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-01-10 106551]
"S3TRAY2"="S3Tray2.exe" [2001-10-11 C:\WINDOWS\system32\S3Tray2.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-11-22 C:\WINDOWS\system32\irprops.cpl]
"TP4EX"="tp4ex.exe" [2002-09-04 C:\WINDOWS\system32\TP4EX.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 C:\WINDOWS\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-30 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2003-03-27 2295]
R1 TPPWR;TPPWR;C:\WINDOWS\System32\drivers\Tppwr.sys [2003-01-17 15360]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-UC_SMB - (no file)
.
------- Supplementary Scan -------
.
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 18:43:27
Windows 5.1.2600 Service Pack 1 NTFS
Balayage processus cachés ...
Balayage caché autostart entries ...
Balayage des fichiers cachés ...
Scan terminé avec succès
Les fichiers cachés: 0
**************************************************************************
.
Temps d'accomplissement: 2008-09-02 18:44:22
ComboFix-quarantined-files.txt 2008-09-02 16:44:20
Pre-Run: 6,522,544,128 octets libres
Post-Run: 6,516,289,536 octets libres
163
Avira AntiVir Personal
Report file date: mardi 2 septembre 2008 18:57
Scanning for 1594576 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: IBM-7B6869A25BA
Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 09/04/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18/03/2008 09:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 07/02/2008 08:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28/02/2008 08:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21/02/2008 08:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 10:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 16:55:47
ANTIVIR2.VDF : 7.0.6.94 2998784 Bytes 31/08/2008 16:56:04
ANTIVIR3.VDF : 7.0.6.106 129024 Bytes 02/09/2008 16:56:05
Engineversion : 8.1.1.23
AEVDF.DLL : 8.1.0.5 102772 Bytes 25/02/2008 09:58:21
AESCRIPT.DLL : 8.1.0.68 315770 Bytes 02/09/2008 16:56:21
AESCN.DLL : 8.1.0.23 119156 Bytes 02/09/2008 16:56:20
AERDL.DLL : 8.1.0.20 418165 Bytes 02/09/2008 16:56:19
AEPACK.DLL : 8.1.2.1 364917 Bytes 02/09/2008 16:56:17
AEOFFICE.DLL : 8.1.0.22 192890 Bytes 02/09/2008 16:56:16
AEHEUR.DLL : 8.1.0.50 1388918 Bytes 02/09/2008 16:56:15
AEHELP.DLL : 8.1.0.15 115063 Bytes 02/09/2008 16:56:11
AEGEN.DLL : 8.1.0.36 315764 Bytes 02/09/2008 16:56:10
AEEMU.DLL : 8.1.0.7 430452 Bytes 02/09/2008 16:56:09
AECORE.DLL : 8.1.1.8 172406 Bytes 02/09/2008 16:56:07
AEBB.DLL : 8.1.0.1 53617 Bytes 02/09/2008 16:56:06
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23/01/2008 17:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18/02/2008 10:37:50
AVREP.DLL : 8.0.0.2 98344 Bytes 02/09/2008 16:56:06
AVREG.DLL : 8.0.0.0 30977 Bytes 23/01/2008 17:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 08:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28/02/2008 08:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 17:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23/01/2008 17:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 12:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10/03/2008 14:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 06/03/2008 12:02:11
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: mardi 2 septembre 2008 18:57
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'g3g6r8w3c2f7.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'QCONSVC.EXE' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'sgtray.exe' - '1' Module(s) have been scanned
Scan process 'ibmmessages.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'tgcmd.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'TpScrex.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '1' Module(s) have been scanned
Scan process 'EzEjMnAp.Exe' - '1' Module(s) have been scanned
Scan process 'TpKmapMn.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'QCWLICON.EXE' - '1' Module(s) have been scanned
Scan process 'TPHKMGR.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\drivers\services.exe'
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'TpKmapMn.exe' - '1' Module(s) have been scanned
Scan process 'TpKmapMn.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'services.exe' has been terminated
C:\WINDOWS\system32\drivers\services.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '492f711f.qua'!
42 processes with 41 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '44' files ).
Starting the file scan:
Begin scan in 'C:\' <IBM_PRELOAD>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\nico\Bureau\Upload_Me.zip
[0] Archive type: ZIP
--> DOCUME~1/nico/Bureau/Upload_Me/services.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '49297136.qua'!
C:\Documents and Settings\nico\Bureau\MSNFix\02092008_18384387.zip
[0] Archive type: ZIP
--> backup/services.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '48ed70fc.qua'!
C:\Documents and Settings\nico\Local Settings\Temporary Internet Files\Content.IE5\O6PGVDER\c12345[1].jpg
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '48ef7109.qua'!
C:\Documents and Settings\nico\Local Settings\Temporary Internet Files\Content.IE5\O6PGVDER\c12345[2].jpg
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '48ef710c.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002551.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed8353.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002555.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed8356.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002558.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed8358.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002569.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '48ed8359.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002581.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '48ed835b.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP2\A0002632.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed835d.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP2\A0002638.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed835e.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP3\A0003638.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed8360.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003870.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed836c.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003899.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '48ed836f.qua'!
C:\WINDOWS\system32\ftp.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '492d8460.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NO79R1TU\c12345[1].jpg
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '48ef845a.qua'!
C:\WINDOWS\system32\Microsoft\backup.ftp
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '49208497.qua'!
Begin scan in 'D:\' <DONNEES>
D:\codecs\KIT ESSENTIEL\Encodage Video\codecs video\DivX Codec\DivX Player 2.0 Alpha\DivX Player 2.0 Alpha.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '493384ca.qua'!
D:\codecs\KIT ESSENTIEL\Encodage Video\codecs video\DivX Player 2.0 Alpha\DivX Player 2.0 Alpha.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '493384cf.qua'!
D:\codecs\KIT ESSENTIEL\Encodage Video\DivXMachine\DivXMachine\Soft\WM8EUTIL.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '48f584be.qua'!
D:\codecs\KIT ESSENTIEL\graveurs\DoItFast4U\ac3delay\Ac3 Delay Corrector.Exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48f084e4.qua'!
D:\codecs\KIT ESSENTIEL\graveurs\DoItFast4U\DoItFast4U\ac3delay\Ac3 Delay Corrector.Exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48f084ee.qua'!
D:\codecs\Logiciels\Logiciels rip\Easydivx\EasyDivX\softs\audiodec.exe
[DETECTION] Contains code of the Windows virus W32/Virut.V
[NOTE] The file was moved to '49218574.qua'!
D:\codecs\Logiciels\rip, encodeurs, graveurs, lecteurs\Maestro v2.9.2915a.WinNT2k.exe
[0] Archive type: RAR SFX (self extracting)
--> sx32w2.dll
[DETECTION] Is the Trojan horse TR/Agent.15872.A
[NOTE] The file was moved to '492285b9.qua'!
D:\codecs\Logiciels\Versions Winamp\Winamp original\winampa.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '492b85d5.qua'!
D:\RECYCLER\S-1-5-21-271084292-2186999871-3129266360-1004\Dd12.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Small.fot Backdoor server programs
[NOTE] The file was moved to '48ee86af.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003900.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '48ed879d.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003901.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '48ed87a0.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003902.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '48ed87a2.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003903.Exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48ed87a5.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003904.Exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48ed87a6.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003905.exe
[DETECTION] Contains code of the Windows virus W32/Virut.V
[NOTE] The file was moved to '48ed87a8.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003906.exe
[0] Archive type: RAR SFX (self extracting)
--> sx32w2.dll
[DETECTION] Is the Trojan horse TR/Agent.15872.A
[NOTE] The file was moved to '48ed87af.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003907.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48ed87b2.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003908.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Small.fot Backdoor server programs
[NOTE] The file was moved to '48ed87b5.qua'!
D:\sécurité\ZoneAlarm\MailFrontier\UNWISE.EXE
[DETECTION] Contains code of the Windows virus W32/Virut.V
[NOTE] The file was moved to '491487e2.qua'!
End of the scan: mardi 2 septembre 2008 20:36
Used time: 1:38:40 min
The scan has been done completely.
2851 Scanning directories
182326 Files were scanned
38 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
37 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
182288 Files not concerned
7629 Archives were scanned
2 Warnings
37 Notes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:59, on 02/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\ctfmon.exe
c:\g3g6r8w3c2f7.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\nico\Local Settings\Temporary Internet Files\Content.IE5\HAXFAWRE\zaSetup_fr[1].exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\nico\Local Settings\Temporary Internet Files\Content.IE5\O6PGVDER\HiJackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\services.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [services.exe] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2736824380-3822268792-2088387023-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
J'ai du réinitialiser mon ordi 2 fois, les virus m'ont shooté mon iexplorer.exe, antivirus s'est désinstallé tout seul après un scan (!!), et j'ai régulièrement des fenêtres de messages "cet arrêt a été initié par Autorité NT\system
c://Windows\system32\lsass.EXE s'est terminé de maniere inattendue avec le code d'état 0. Le système va maintenant s'arrêter"
Après réinitialisation de mon ordi, j'ai pu enfin lancer MSNfix et combofix (simple curseur clignotant avant...). Voila les rapports et encore merci d'avance.
MSNFix 1.742
C:\Documents and Settings\nico\Bureau\MSNFix
Fix exécuté le 02/09/2008 - 18:35:28,90 By nico
mode normal
************************ Recherche les fichiers présents
... C:\WINDOWS\system32\drivers\services.exe
************************ Recherche les dossiers présents
Aucun dossier trouvé
************************ Suppression des fichiers
/!\ ... C:\WINDOWS\system32\drivers\services.exe
************************ Nettoyage du registre
************************ Hostsclean
Cleanhosts v 0.1.0.7 By Laurent
-- Backup : C:\WINDOWS\System32\drivers\etc\hosts-20080902183630
-- original size 0.77 Kb / 20 lines
-- Start cleaning Hosts file ....
-- final size 0.77 Kb / 20 lines
-- entry Found : 0 / Entry check : 310
End .............................. 14.6 Secondes
Les fichiers encore présents seront supprimés au prochain redémarrage
************************ Suppression des fichiers
.. OK ... C:\WINDOWS\system32\drivers\services.exe
************************ Hostsclean
Cleanhosts v 0.1.0.7 By Laurent
-- Backup : C:\WINDOWS\System32\drivers\etc\hosts-20080902183828
-- original size 0.77 Kb / 20 lines
-- Start cleaning Hosts file ....
-- final size 0.77 Kb / 20 lines
-- entry Found : 0 / Entry check : 310
End .............................. 14.92 Secondes
************************ Fichiers suspects
/!\ ces fichiers nécessitent un avis expérimenté avant toute intervention
[C:\g3g6r8w3c2f7.exe] D8B2320A03DD40936D4A17E22CD1BA5A
[color=#FF0000][b]==>/b/color SVP merci d'envoyer le fichier [b] C:\DOCUME~1\nico\Bureau\Upload_Me.zip /b sur http://upload.changelog.fr
Les fichiers et clés de registre supprimés ont été sauvegardés dans le fichier 02092008_18384387.zip
************************ HKLM\...\Winlogon\Userinit
Userinit = C:\WINDOWS\system32\userinit.exe,
Important : http://msnfix.changelog.fr/index.php/2008/05/18/32-alerte
------------------------------------------------------------------------
Auteur : !aur3n7 Contact: https://www.ionos.fr/
------------------------------------------------------------------------
--------------------------------------------- END ---------------------------------------------
ComboFix 08-09-01.03 - nico 2008-09-02 18:42:29.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.358 [GMT 2:00]
Endroit: C:\Documents and Settings\nico\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration
[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!/b/color
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((((((( Fichiers créés 2008-08-02 to 2008-09-02 ))))))))))))))))))))))))))))))))))))
.
2008-09-02 18:29 . 2008-09-02 18:32 58,880 --a------ C:\g3g6r8w3c2f7.exe
2008-09-02 18:26 . 2008-09-02 18:26 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-09-02 18:23 . 2008-09-02 18:05 <REP> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-09-02 18:23 . 2008-09-02 18:09 <REP> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\VERITAS
2008-09-02 18:23 . 2008-09-02 18:05 <REP> d-------- C:\Documents and Settings\nico\WINDOWS
2008-09-02 18:23 . 2002-09-30 16:20 <REP> d--h----- C:\Documents and Settings\nico\Voisinage réseau
2008-09-02 18:23 . 2002-09-30 16:20 <REP> d--h----- C:\Documents and Settings\nico\Voisinage d'impression
2008-09-02 18:23 . 2002-09-30 16:20 <REP> d--h----- C:\Documents and Settings\nico\Modèles
2008-09-02 18:23 . 2008-09-02 18:23 <REP> dr------- C:\Documents and Settings\nico\Mes documents
2008-09-02 18:23 . 2002-09-30 16:20 <REP> dr------- C:\Documents and Settings\nico\Menu Démarrer
2008-09-02 18:23 . 2008-09-02 18:24 <REP> dr------- C:\Documents and Settings\nico\Favoris
2008-09-02 18:23 . 2008-09-02 18:41 <REP> dr------- C:\Documents and Settings\nico\Bureau
2008-09-02 18:23 . 2008-09-02 18:09 <REP> d-------- C:\Documents and Settings\nico\Application Data\VERITAS
2008-09-02 18:23 . 2008-09-02 18:23 <REP> d-------- C:\Documents and Settings\nico
2008-09-02 18:23 . 2008-09-02 18:05 <REP> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-09-02 18:23 . 2008-09-02 18:23 47 --a------ C:\WINDOWS\system32\drivers\IBM_2373_EG3.MRK
2008-09-02 18:23 . 2008-09-02 18:23 10 --a------ C:\WINDOWS\system32\firstboot.ibm
2008-09-02 18:20 . 2008-09-02 18:20 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-09-02 18:15 . 2008-09-02 18:15 <REP> d--hs---- C:\Recycled
2008-09-02 18:15 . 2008-09-02 18:15 61 --a------ C:\WINDOWS\smscfg.ini
2008-09-02 18:13 . 2008-09-02 18:23 <REP> d-------- C:\Program Files\PC-Doctor for Windows
2008-09-02 18:13 . 2000-03-22 21:42 44,192 --a------ C:\WINDOWS\system32\drivers\PcdrNt.sys
2008-09-02 18:11 . 2008-09-02 18:11 0 --ah----- C:\BOOTLOG.PRV
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\WINDOWS\system32\dla
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\Program Files\VERITAS Software
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\Program Files\IBM RecordNow
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\Program Files\IBM DLA
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\icons
2008-09-02 18:09 . 2008-09-02 18:09 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\VERITAS
2008-09-02 18:09 . 2003-01-10 03:50 98,354 --a------ C:\WINDOWS\dla.exe
2008-09-02 18:09 . 2002-12-20 03:21 83,104 --a------ C:\WINDOWS\system32\drivers\drvmcdb.sys
2008-09-02 18:09 . 2003-01-10 03:50 61,494 --a------ C:\WINDOWS\system32\tfswapi.dll
2008-09-02 18:09 . 2002-12-24 02:56 40,368 --a------ C:\WINDOWS\system32\drivers\drvnddm.sys
2008-09-02 18:09 . 2002-12-24 10:51 22,995 --a------ C:\WINDOWS\system32\drivers\ssrtln.sys
2008-09-02 18:09 . 2002-12-24 10:52 5,589 --a------ C:\WINDOWS\system32\drivers\sscdbhk5.sys
2008-09-02 18:09 . 2008-09-02 18:09 138 --a------ C:\WINDOWS\wininit.ini
2008-09-02 18:08 . 2008-09-02 18:08 <REP> d-------- C:\Program Files\InterVideo
2008-09-02 18:08 . 2008-09-02 18:08 <REP> d-------- C:\Program Files\IBM
2008-09-02 18:08 . 2008-09-02 18:08 <REP> d-------- C:\Documents and Settings\All Users\Application Data\ibm
2008-09-02 18:07 . 2008-09-02 18:07 <REP> d-------- C:\WINDOWS\system32\SBUtils
2008-09-02 18:07 . 2008-09-02 18:07 <REP> d-------- C:\Program Files\SBApps
2008-09-02 18:07 . 2008-09-02 18:07 241 --a------ C:\WINDOWS\Welcome.ini
2008-09-02 18:06 . 2008-09-02 18:06 <REP> d-------- C:\Program Files\Support.com
2008-09-02 18:06 . 2008-09-02 18:06 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Support.com
2008-09-02 18:05 . 2008-09-02 18:05 <REP> d-------- C:\Documents and Settings\Administrateur\WINDOWS
2008-09-02 18:05 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-09-02 18:02 . 2008-09-02 18:02 <REP> d-------- C:\Program Files\ltmoh
2008-09-02 18:02 . 2008-09-02 18:02 <REP> d-------- C:\Program Files\ATI Technologies
2008-09-02 18:01 . 2002-09-04 01:05 61,440 --a------ C:\WINDOWS\system32\tp4ex.cpl
2008-09-02 18:01 . 2002-09-04 01:05 61,440 --a------ C:\WINDOWS\system32\FPCALL.dll
2008-09-02 18:01 . 2002-09-04 01:05 53,248 --a------ C:\WINDOWS\system32\TP4HOOK.dll
2008-09-02 18:01 . 2002-09-04 01:05 53,248 --a------ C:\WINDOWS\system32\TP4EX.exe
2008-09-02 18:01 . 2002-09-04 01:05 49,152 --a------ C:\WINDOWS\system32\tp4cross.exe
2008-09-02 18:01 . 2002-09-04 01:05 8,345 --a------ C:\WINDOWS\system32\TP4EX.HLP
2008-09-02 18:01 . 2002-12-26 02:10 7,168 --a------ C:\WINDOWS\system32\drivers\TSMAPIP.SYS
2008-09-02 18:01 . 2002-09-04 01:05 5,928 --a------ C:\WINDOWS\system32\TP4LATCH.WAV
2008-09-02 18:01 . 2002-09-04 01:05 4,458 --a------ C:\WINDOWS\system32\TP4CLICK.WAV
2008-09-02 18:01 . 2008-09-02 18:01 0 -rah----- C:\WINDOWS\system32\drivers\IBM_2373_G1G_TP.MRK
2008-09-02 18:00 . 2003-01-17 01:32 184,320 --a------ C:\WINDOWS\TPBATHLP.EXE
2008-09-02 18:00 . 2002-12-26 01:32 34,816 --a------ C:\WINDOWS\system32\TP98.CPL
2008-09-02 18:00 . 2003-01-17 01:32 15,360 --a------ C:\WINDOWS\system32\drivers\TPPWR.SYS
2008-09-02 18:00 . 2002-12-26 01:32 14,848 --a------ C:\WINDOWS\system32\drivers\SMAPINT.SYS
2008-09-02 18:00 . 2002-12-26 01:32 8,830 --a------ C:\WINDOWS\system32\drivers\TDSMAPI.SYS
2008-09-02 17:59 . 2008-09-02 17:59 <REP> d-------- C:\Program Files\ThinkPad
2008-09-02 17:59 . 2008-09-02 17:59 <REP> d--h----- C:\Program Files\InstallShield Installation Information
2008-09-02 17:59 . 2008-09-02 17:59 <REP> d-------- C:\Program Files\Fichiers communs\InstallShield
2008-09-02 17:59 . 2002-09-30 18:22 86,016 --a------ C:\WINDOWS\_tpiu000.exe
2008-09-02 17:59 . 2003-03-27 02:06 49,152 --a------ C:\WINDOWS\system32\QCONSVC.EXE
2008-09-02 17:59 . 2003-03-27 02:06 2,295 --a------ C:\WINDOWS\system32\drivers\IBMBLDID.SYS
2008-09-02 17:53 . 2003-05-11 16:26 24,576 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-09-02 17:52 . 2001-08-23 17:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-02 17:52 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-02 17:51 . 2002-08-29 11:44 5,120 --a------ C:\WINDOWS\system32\hccoin.dll
2008-09-02 17:50 . 2008-09-02 17:50 <REP> d-------- C:\Program Files\Synaptics
2008-09-02 17:49 . 2008-09-02 17:49 2,500 --a------ C:\WINDOWS\system32\OEMINFO.INI
2008-09-02 17:49 . 2008-09-02 17:49 910 --a------ C:\SYSLEVEL.IBM
2008-09-02 17:47 . 2008-09-02 17:47 <REP> d-------- C:\DRIVERS
2008-09-02 17:38 . 2008-09-02 18:23 <REP> d-a------ C:\IBMTOOLS
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 16:32 44,032 ----a-w C:\WINDOWS\system32\ftp.exe
2008-09-02 16:31 135,168 ----a-w C:\WINDOWS\system32\sfc_os.dll
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-30 13312]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-01-29 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-01-29 573440]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-01-24 94208]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-03-27 53248]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 20480]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2003-02-17 32835]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 204800]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-29 315392]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2002-10-16 1622016]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 495616]
"StorageGuard"="c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-01-10 106551]
"S3TRAY2"="S3Tray2.exe" [2001-10-11 C:\WINDOWS\system32\S3Tray2.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-11-22 C:\WINDOWS\system32\irprops.cpl]
"TP4EX"="tp4ex.exe" [2002-09-04 C:\WINDOWS\system32\TP4EX.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 C:\WINDOWS\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-30 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2003-03-27 2295]
R1 TPPWR;TPPWR;C:\WINDOWS\System32\drivers\Tppwr.sys [2003-01-17 15360]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-UC_SMB - (no file)
.
------- Supplementary Scan -------
.
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 18:43:27
Windows 5.1.2600 Service Pack 1 NTFS
Balayage processus cachés ...
Balayage caché autostart entries ...
Balayage des fichiers cachés ...
Scan terminé avec succès
Les fichiers cachés: 0
**************************************************************************
.
Temps d'accomplissement: 2008-09-02 18:44:22
ComboFix-quarantined-files.txt 2008-09-02 16:44:20
Pre-Run: 6,522,544,128 octets libres
Post-Run: 6,516,289,536 octets libres
163
Avira AntiVir Personal
Report file date: mardi 2 septembre 2008 18:57
Scanning for 1594576 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: IBM-7B6869A25BA
Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 09/04/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18/03/2008 09:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 07/02/2008 08:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28/02/2008 08:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21/02/2008 08:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 10:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 16:55:47
ANTIVIR2.VDF : 7.0.6.94 2998784 Bytes 31/08/2008 16:56:04
ANTIVIR3.VDF : 7.0.6.106 129024 Bytes 02/09/2008 16:56:05
Engineversion : 8.1.1.23
AEVDF.DLL : 8.1.0.5 102772 Bytes 25/02/2008 09:58:21
AESCRIPT.DLL : 8.1.0.68 315770 Bytes 02/09/2008 16:56:21
AESCN.DLL : 8.1.0.23 119156 Bytes 02/09/2008 16:56:20
AERDL.DLL : 8.1.0.20 418165 Bytes 02/09/2008 16:56:19
AEPACK.DLL : 8.1.2.1 364917 Bytes 02/09/2008 16:56:17
AEOFFICE.DLL : 8.1.0.22 192890 Bytes 02/09/2008 16:56:16
AEHEUR.DLL : 8.1.0.50 1388918 Bytes 02/09/2008 16:56:15
AEHELP.DLL : 8.1.0.15 115063 Bytes 02/09/2008 16:56:11
AEGEN.DLL : 8.1.0.36 315764 Bytes 02/09/2008 16:56:10
AEEMU.DLL : 8.1.0.7 430452 Bytes 02/09/2008 16:56:09
AECORE.DLL : 8.1.1.8 172406 Bytes 02/09/2008 16:56:07
AEBB.DLL : 8.1.0.1 53617 Bytes 02/09/2008 16:56:06
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23/01/2008 17:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18/02/2008 10:37:50
AVREP.DLL : 8.0.0.2 98344 Bytes 02/09/2008 16:56:06
AVREG.DLL : 8.0.0.0 30977 Bytes 23/01/2008 17:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 08:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28/02/2008 08:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 17:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23/01/2008 17:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 12:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10/03/2008 14:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 06/03/2008 12:02:11
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: mardi 2 septembre 2008 18:57
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'g3g6r8w3c2f7.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'QCONSVC.EXE' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'sgtray.exe' - '1' Module(s) have been scanned
Scan process 'ibmmessages.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'tgcmd.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'TpScrex.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '1' Module(s) have been scanned
Scan process 'EzEjMnAp.Exe' - '1' Module(s) have been scanned
Scan process 'TpKmapMn.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'QCWLICON.EXE' - '1' Module(s) have been scanned
Scan process 'TPHKMGR.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\drivers\services.exe'
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'TpKmapMn.exe' - '1' Module(s) have been scanned
Scan process 'TpKmapMn.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'services.exe' has been terminated
C:\WINDOWS\system32\drivers\services.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '492f711f.qua'!
42 processes with 41 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '44' files ).
Starting the file scan:
Begin scan in 'C:\' <IBM_PRELOAD>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\nico\Bureau\Upload_Me.zip
[0] Archive type: ZIP
--> DOCUME~1/nico/Bureau/Upload_Me/services.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '49297136.qua'!
C:\Documents and Settings\nico\Bureau\MSNFix\02092008_18384387.zip
[0] Archive type: ZIP
--> backup/services.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '48ed70fc.qua'!
C:\Documents and Settings\nico\Local Settings\Temporary Internet Files\Content.IE5\O6PGVDER\c12345[1].jpg
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '48ef7109.qua'!
C:\Documents and Settings\nico\Local Settings\Temporary Internet Files\Content.IE5\O6PGVDER\c12345[2].jpg
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '48ef710c.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002551.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed8353.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002555.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed8356.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002558.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed8358.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002569.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '48ed8359.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP1\A0002581.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '48ed835b.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP2\A0002632.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed835d.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP2\A0002638.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed835e.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP3\A0003638.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed8360.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003870.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '48ed836c.qua'!
C:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003899.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.xac
[NOTE] The file was moved to '48ed836f.qua'!
C:\WINDOWS\system32\ftp.exe
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '492d8460.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NO79R1TU\c12345[1].jpg
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '48ef845a.qua'!
C:\WINDOWS\system32\Microsoft\backup.ftp
[DETECTION] Is the Trojan horse TR/Agent.49664.J
[NOTE] The file was moved to '49208497.qua'!
Begin scan in 'D:\' <DONNEES>
D:\codecs\KIT ESSENTIEL\Encodage Video\codecs video\DivX Codec\DivX Player 2.0 Alpha\DivX Player 2.0 Alpha.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '493384ca.qua'!
D:\codecs\KIT ESSENTIEL\Encodage Video\codecs video\DivX Player 2.0 Alpha\DivX Player 2.0 Alpha.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '493384cf.qua'!
D:\codecs\KIT ESSENTIEL\Encodage Video\DivXMachine\DivXMachine\Soft\WM8EUTIL.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '48f584be.qua'!
D:\codecs\KIT ESSENTIEL\graveurs\DoItFast4U\ac3delay\Ac3 Delay Corrector.Exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48f084e4.qua'!
D:\codecs\KIT ESSENTIEL\graveurs\DoItFast4U\DoItFast4U\ac3delay\Ac3 Delay Corrector.Exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48f084ee.qua'!
D:\codecs\Logiciels\Logiciels rip\Easydivx\EasyDivX\softs\audiodec.exe
[DETECTION] Contains code of the Windows virus W32/Virut.V
[NOTE] The file was moved to '49218574.qua'!
D:\codecs\Logiciels\rip, encodeurs, graveurs, lecteurs\Maestro v2.9.2915a.WinNT2k.exe
[0] Archive type: RAR SFX (self extracting)
--> sx32w2.dll
[DETECTION] Is the Trojan horse TR/Agent.15872.A
[NOTE] The file was moved to '492285b9.qua'!
D:\codecs\Logiciels\Versions Winamp\Winamp original\winampa.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '492b85d5.qua'!
D:\RECYCLER\S-1-5-21-271084292-2186999871-3129266360-1004\Dd12.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Small.fot Backdoor server programs
[NOTE] The file was moved to '48ee86af.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003900.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '48ed879d.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003901.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '48ed87a0.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003902.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W
[NOTE] The file was moved to '48ed87a2.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003903.Exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48ed87a5.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003904.Exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48ed87a6.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003905.exe
[DETECTION] Contains code of the Windows virus W32/Virut.V
[NOTE] The file was moved to '48ed87a8.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003906.exe
[0] Archive type: RAR SFX (self extracting)
--> sx32w2.dll
[DETECTION] Is the Trojan horse TR/Agent.15872.A
[NOTE] The file was moved to '48ed87af.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003907.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48ed87b2.qua'!
D:\System Volume Information\_restore{885FCFDA-B4A3-4CC2-B355-E8F0CDB1EF7E}\RP4\A0003908.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Small.fot Backdoor server programs
[NOTE] The file was moved to '48ed87b5.qua'!
D:\sécurité\ZoneAlarm\MailFrontier\UNWISE.EXE
[DETECTION] Contains code of the Windows virus W32/Virut.V
[NOTE] The file was moved to '491487e2.qua'!
End of the scan: mardi 2 septembre 2008 20:36
Used time: 1:38:40 min
The scan has been done completely.
2851 Scanning directories
182326 Files were scanned
38 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
37 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
182288 Files not concerned
7629 Archives were scanned
2 Warnings
37 Notes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:59, on 02/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\ctfmon.exe
c:\g3g6r8w3c2f7.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\nico\Local Settings\Temporary Internet Files\Content.IE5\HAXFAWRE\zaSetup_fr[1].exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\nico\Local Settings\Temporary Internet Files\Content.IE5\O6PGVDER\HiJackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\services.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [services.exe] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2736824380-3822268792-2088387023-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
bis:
mets
un pare feu :
KERIO ou JETICO ou ZONE ALARM (mettre que le parefeu gratuit) ou COMODO
http://www.clubic.com/telecharger-fiche11071-sunbelt-personal-firewall-ex-kerio.html
https://manuelsdaide.com/contact/
http://www.open-files.com/forum/index.php?showtopic=29277
zonealarm
_______________________
Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
• Redémarre ton ordinateur
• Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde).
• A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
• Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
• Choisis ton compte.
Déroule la liste des instructions ci-dessous :
• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
• Appuie sur Y pour commencer le processus de nettoyage.
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
• Appuie sur une touche pour redémarrer le PC.
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
• Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum
___________________________
vire ce qui est en quarantaine dans antivir et recolles un rapport
et un nouvel hijakchtis et dis tes soucis
mets
un pare feu :
KERIO ou JETICO ou ZONE ALARM (mettre que le parefeu gratuit) ou COMODO
http://www.clubic.com/telecharger-fiche11071-sunbelt-personal-firewall-ex-kerio.html
https://manuelsdaide.com/contact/
http://www.open-files.com/forum/index.php?showtopic=29277
zonealarm
_______________________
Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
• Redémarre ton ordinateur
• Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde).
• A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
• Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
• Choisis ton compte.
Déroule la liste des instructions ci-dessous :
• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
• Appuie sur Y pour commencer le processus de nettoyage.
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
• Appuie sur une touche pour redémarrer le PC.
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
• Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum
___________________________
vire ce qui est en quarantaine dans antivir et recolles un rapport
et un nouvel hijakchtis et dis tes soucis
Bonjour,
ZoneAlarm est installé. Ci-joint les rapports. J'ai beaucoup moins de soucis et de fenêtres d'erreur. Encore du danger?
[b]SDFix: Version 1.221 [/b]
Run by nico on 03/09/2008 at 20:50
Microsoft Windows XP [version 5.1.2600]
Running From: C:\Documents and Settings\nico\Bureau\sdfix\SDFix
[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\system32\.exe - Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 20:54:27
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[b]Remaining Files [/b]:
File Backups: - C:\DOCUME~1\nico\Bureau\sdfix\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
[b]Finished![/b]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:05:06, on 03/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows NT\Accessoires\WORDPAD.EXE
C:\Documents and Settings\nico\Bureau\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
ZoneAlarm est installé. Ci-joint les rapports. J'ai beaucoup moins de soucis et de fenêtres d'erreur. Encore du danger?
[b]SDFix: Version 1.221 [/b]
Run by nico on 03/09/2008 at 20:50
Microsoft Windows XP [version 5.1.2600]
Running From: C:\Documents and Settings\nico\Bureau\sdfix\SDFix
[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\system32\.exe - Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 20:54:27
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[b]Remaining Files [/b]:
File Backups: - C:\DOCUME~1\nico\Bureau\sdfix\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
[b]Finished![/b]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:05:06, on 03/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows NT\Accessoires\WORDPAD.EXE
C:\Documents and Settings\nico\Bureau\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
