32 utilisateurs en ligne

95,408 questions

978,513 réponses

100,966 membres

Identification
Pas encore inscrit ? Cliquez-ici
L'Information Commissioner's Office va ouvrir une enquête suite au sondage de Facebook sur les émotions de 689 003 utisateurs à leur insu... Qu'en pensez-vous ?

page qui bloque

je te retourne le copié collé

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:01:04, on 01/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: myiebho - {7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} - %SystemRoot%\system32\vmmreg32.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Villaescusa\Application Data\Dealio\kb127\res\DealioSearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O20 - AppInit_DLLs: vmmreg32.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O21 - SSODL: PzMYc - {78398613-D293-2CB9-0C5E-219685B2C5DB} - C:\WINDOWS\system32\spjilv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

--
End of file - 4412 bytes
posté le 1 Oct 2008 dans la catégorie Internet par nicolo

64 Réponses

Bonjour nicolo

[*] Télécharge MalwareByte's Anti-Malware à partir de l'un de ces liens :
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
http://malwarebytes.gt500.org/
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html


- Enregistre ce fichier sur le bureau

- Le téléchargement terminé ferme ton navigateur ainsi que toutes les applications en cours
- Fais un double-clic sur mbam-setup.exe afin de lancer l'installation

- Pendant l'installation, suis les indications (en particulier le choix de la langue et l'autorisation d'accession à Internet). N'apporte aucune modification aux réglages par défaut et, en fin d'installation, vérifie que les options Update Malwarebytes' Anti-Malware et Launch Malwarebytes' Anti-Malware sont cochées.

- MBAM démarrera automatiquement et enverra un message demandant à mettre à jour le programme avant de lancer une analyse. Comme MBAM se met automatiquement à jour en fin d'installation, clique sur OK pour fermer la boite de dialogue.

- La mise à jour faite quitte Malwarebyte's

[*] Redémarre ton PC en mode sans échec

N'utilise pas Msconfig pour redémarrer ton pc en mode sans échec
Citation:
Au redémarrage de ton PC tapote sur la touche F8 ou F5 sur l'écran suivant déplace toi avec les les fléches de direction et choisis Mode sans échec. Choisis ta session habituelle et non la session Administrateur



- Fais un double clic sur le raccourci de Malwarebyte's qui est sur le bureau

- Sélectionne Exécuter un examen complet si ce n'est pas déja fait
- clique sur Rechercher

[*] Une fois le scan terminé, une fenêtre s'ouvre, clique sur sur Ok

- Si MalwareByte's n'a rien détecté, clique sur Ok Un rapport va apparaître ferme-le.

- Si MalwareByte's a détecté des infections, clique sur Afficher les résultats ensuite sur Supprimer la sélection



- Poste le rapport de MalwareByte's Anti-Malware
- Le rapport de MalwareByte's peut être retrouvé sous l'onglet Rapports/logs

Note : Si MalwareByte's a besoin de redémarrer pour terminer la suppression, accepte en cliquant sur Ok

- Tutoriel pour MalwareByte's ici http://www.malekal.com/tutorial_MalwareBytes_AntiMalware.php


Et cette fois-ci poste le rapport
répondu le 1 Oct 2008 par Geronimo
Bonjour Geronimo,
J'ai suivi tes instructions ci dessus. Mais arrivée à :
- Tutoriel pour MalvareByte's ici http:/www.malekal.... dois-je cliquer ?
Et cette fois-ci poste le rapport ? je suis désolée je ne comprends pas.
Merci de m'éclairer.
En plus j'ai des icones sur le bureau qui ont apparues, et lorsque je clique dessus il et dit "extention de l'application" et dessous il y a msavcs.dll - msscan.dll- mssadv.dll - msfw.dll - msctrl.dll - msiemon.dll.
Que faire ?
répondu le 3 Oct 2008 par nicolo
Bonjour nicolo
nicolo a écrit:
- Tutoriel pour MalvareByte's ici http:/www.malekal.... dois-je cliquer ?
Et cette fois-ci poste le rapport ? je suis désolée je ne comprends pas.


Désolé pour le "Et cette fois-ci poste le rapport " il ne tétait pas destiné.

La définition de Tutoriel http://fr.wikipedia.org/wiki/Tutoriel tu n'a à cliquer nulle part le lien de Malekal est juste la pour te faire voir comment utiliser Malwarebytes'
répondu le 3 Oct 2008 par Geronimo
Bonjour Géronimo,
J'avoue être un peu perdue. La page qui bloquait est partie, les publicités aussi.
Mais impossible d'ouvrir mes mails.
Dois-je faire autre chose. Je panique,
Merci
répondu le 4 Oct 2008 par nicolo
Bonjour nicolo

- Poste le rapport de Malwarebytes demandé, refais un nouveau scan avec Hijackthis poste aussi son rapport
répondu le 4 Oct 2008 par Geronimo
Bonjour Géronimo,
Copié collé du rapport scan, merci pour tes réponses

Malwarebytes' Anti-Malware 1.28
Version de la base de données: 1225
Windows 5.1.2600 Service Pack 2

01/10/2008 16:49:49
mbam-log-2008-10-01 (16-49-49).txt

Type de recherche: Examen complet (C:\|)
Eléments examinés: 120040
Temps écoulé: 21 minute(s), 47 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 1
Clé(s) du Registre infectée(s): 46
Valeur(s) du Registre infectée(s): 7
Elément(s) de données du Registre infecté(s): 3
Dossier(s) infecté(s): 17
Fichier(s) infecté(s): 137

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{410A6426-0657-1E9B-488B-03113FF27EE1} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winvj70 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winvj70 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winvj70 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winvj70 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc324j0ej4t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc324j0ej4t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\hol5_vxiewer.full.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\appsh (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc324j0ej4t (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\rhc324j0ej4t\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
C:\Program Files\pkyxbye\appsh.dll (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\hgnwhcrq\paredyhy.exe.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\rsyncini.exe (Trojan.Shutdowner) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B3BF5352-B406-412E-936E-A9436F19C528}\RP13\A0002235.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc724j0ej4t.scr (Fake.BlueScreenError) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winvj70.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msctrl.log (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\mssadv.log (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\mssadv_sp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\mssadv_sp.log (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\rhc324j0ej4t.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\rhc324j0ej4t.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc324j0ej4t\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup020.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc724j0ej4t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc724j0ej4t.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc724j0ej4t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe (Backdoor.ProRat) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt13.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt17.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt1D.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt25.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt2B.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt2F.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt33.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt3B.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt47.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt50.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt52.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt58.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt59.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt1.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt2.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt3.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt4.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt5.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt6.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.tt7.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villaescusa\Local Settings\Temp\.ttD.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
répondu le 6 Oct 2008 par nicolo
- Fais un double clic sur le raccourci d'hijackthis qui est sur le Bureau.

- Clique sur Do a scan system and save log file
- Le bloc notes s'ouvrira avec le résultat su scan
- Dans le bloc notes menu Edition et Sélectionner tout puis menu Edition et Copier
- Clic droit dans ta prochaine réponse choisis coller.
répondu le 6 Oct 2008 par Geronimo
Bonjour Géronimo,
Réponse à ton courrier du 06/10 :
Je t'ai déja envoyé la copie, non ?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:58:24, on 07/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: myiebho - {7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} - %SystemRoot%\system32\vmmreg32.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Villaescusa\Application Data\Dealio\kb127\res\DealioSearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O20 - AppInit_DLLs: vmmreg32.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O21 - SSODL: PzMYc - {78398613-D293-2CB9-0C5E-219685B2C5DB} - C:\WINDOWS\system32\spjilv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

--
End of file - 4411 bytes
répondu le 7 Oct 2008 par nicolo
Bonjour nicolo



[*] Procédure à appliquer en entier. Si tu as des difficultés à une étape passe la mais signale le dans ta prochaine réponse.
- Si tu as des questions à poser n'hésite pas



[*] Je te conseille d'imprimer cette réponse ou copie la dans un fichier texte que tu sauvegardera sur le bureau.



[*] Télécharger :

- OTMoveIt (de Old_Timer) ici http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe enregiste ce fichier sur le Bureau.


1/ Ccleaner

- Télécharge et installe Ccleaner http://www.sosordi.net/Telechargement/logiciel-147-ccleaner
- Lors de son installation décoche la case devant : Ajouter la Barre d'Outils Yahoo! CCleaner



2/ HijackThis

[*] Redémarre ton PC en mode sans échec

N'utilise pas Msconfig pour redémarrer ton pc en mode sans échec
Citation:
Au redémarrage de ton PC tapote sur la touche F8 ou F5 sur l'écran suivant déplace toi avec les les fléches de direction et choisis Mode sans échec. Choisis ta session habituelle et non la session Administrateur



Note : Il est possible qu'après le passage des outils utilisés précédemment certaines lignes ne soient plus présentes

[*] Relance Hijackthis, clique sur Do a scan system only coche la case devant les lignes suivantes

O2 - BHO: myiebho - {7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} - %SystemRoot%\system32\vmmreg32.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O21 - SSODL: PzMYc - {78398613-D293-2CB9-0C5E-219685B2C5DB} - C:\WINDOWS\system32\spjilv.dll

- Ferme les fenêtres en cours sauf hijackthis, clique sur Fix checked



3/ OTMoveIt2

- Double-clique sur OTMoveIt2.exe
- Assure toi que la case Unregister Dll's and Ocx's soit bien cochée

- Copie le texte qui se trouve en citation (sans le mot citation) et, colle le dans le cadre de gauche de OTMoveIt nommé Paste List of Files/Folders to move (Cadre jaune)
Citation:
C:\WINDOWS\system32\spjilv.dll

- Clique sur MoveIt! pour lancer la suppression.
- Lorsqu'un résultat apparaît dans le cadre Results clique sur Exit


Si un fichier ou dossier ne peut pas être supprimé immédiatement, le logiciel te demandera de redémarrer. Accepte en cliquant sur YES.





4/ Démarre Ccleaner

- Clique sur Registre décoche la case devant Intégrité du registre

- Clique sur Nettoyeur
- Onglet Windows ne coche pas la case Avancé
- Onglet Applications laisse toutes les cases cochées
- Clique sur le bouton Analyse puis celle-ci finie sur Lancer le nettoyage



5/ Poste :

- Un nouveau rapport Hijackthis
- Le rapport de OTMoveIt qui se trouve dans C:\_OTMoveIt\MovedFiles.
répondu le 7 Oct 2008 par Geronimo
Bonjour Geronimo,
J'ai suivi tes instructions mot à mot, (dur dur ) je pense y être arrivée. Mais après avoir lancé le nettoyage, il s'affiche une fenêtre en disant " Cette action affectera définitivement ces fichiers du systeme" dois-je répinde OK.
En attendant la réponse, merci
répondu le 13 Oct 2008 par nicolo
Bonjour nicolo

- Je sais
c'est parfois difficile de suivre les instructions données.

- Tu clique sur OK
répondu le 13 Oct 2008 par Geronimo
Bonjour Geronomi,
Je viens d'exécuter la manip.
Dois-je faire autre chose, car la messagerie ne s'ouvre pas, il est indiqué " le module complèmentaire suivent était en cours d'exécution lorsque ce problème est arrivé : vmmreg32.dll"
répondu le 13 Oct 2008 par nicolo
Poste les rapports demandés stp
répondu le 13 Oct 2008 par Geronimo
Bonsoir Géronimo,
Désolée je ne comprends pas ta réponse "poste les rapports demandés stp" ?
Lorsque je clique pour ouvrir ma boite, une fenêtre s'ouvre et il est indiqué : " le module complèmentaire suivent était en cours d'exécution lorsque ce problème est arrivé : vmmreg32.dll"
je ne peux pas copier la fenêtre.
répondu le 16 Oct 2008 par nicolo
Bonsoir nicolo

- Ce n'est pourtant pas difficile à comprendre tu as suivi une procédure de désinfection, je te demande de faire ce qui est à l'étape 7/
répondu le 16 Oct 2008 par Geronimo
Désolée je n'ai pas l'étape 7/
la drnière étape est 5/ Poste
répondu le 16 Oct 2008 par nicolo
Ok autant pour moi dans l'étape 5/ je te demande de poster deux rapports.
répondu le 16 Oct 2008 par Geronimo
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:52, on 16/10/2008
Premier rapport Hijackthis :
Le deuxième rapport OTMoveIt, je ne peux y accéder.

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: myiebho - {7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} - %SystemRoot%\system32\vmmreg32.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Villaescusa\Application Data\Dealio\kb127\res\DealioSearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O20 - AppInit_DLLs: vmmreg32.dll
O21 - SSODL: PzMYc - {78398613-D293-2CB9-0C5E-219685B2C5DB} - C:\WINDOWS\system32\spjilv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

--
End of file - 4346 bytes
répondu le 16 Oct 2008 par nicolo
==>

- Télécharge combofix.exe (de sUBs) de l'un de ces liens
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe enregistre ce fichier sur le bureau (impératif)


Note : Le scan est à faire navigateur fermé ainsi que toutes les applications en cours, Antivirus et logicels de sécurité fermés ou désactivés.



* Double clique combofix.exe, laisse ensuite le scan se dérouler sans toucher au clavier ni à la souris.

* Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse.

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

*** Combofix est détecté par certains antivirus comme une infection, il s'agit d'un "faux positif"
répondu le 16 Oct 2008 par Geronimo
Bonsoir,
Je viens de télécharger le premier lien.
Lorsque je fais le double clic sur combofix.exe, sur le bureau, une fnêtre s'ouvre " échoué " puis une autre fenêtre s'ouvre en indiquant " Le guide pour une utiliation correcte du ComboFix se trouve ici : htt://wwwbleepingcomputer.com".....
dois-je accepter ?
répondu le 18 Oct 2008 par nicolo
Tente le scan en mode sans échec
répondu le 18 Oct 2008 par Geronimo
il est énorme ce rapport, je t'envoi le tout ?
répondu le 18 Oct 2008 par nicolo
Si il est trop gros, fractionne le et poste le dans plusieurs réponses à la suite
répondu le 18 Oct 2008 par Geronimo
Lancé depuis: C:\Documents and Settings\Villaescusa\Bureau\ComboFix.exe
* Un nouveau point de restauration a été créé
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\clrs.tmp
C:\WINDOWS\system32\drvhive.ocx
C:\WINDOWS\system32\webmin
C:\WINDOWS\system32\winhelp32.exe . . . . impossible à supprimer

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\Legacy_SYSREST.SYS


((((((((((((((((((((((((((((( Fichiers créés du 2008-09-18 au 2008-10-18 ))))))))))))))))))))))))))))))))))))
.

2008-10-13 16:01 . 2008-10-13 16:01 <REP> d
C:\Program Files\CCleaner
2008-10-13 15:52 . 2008-10-13 15:52 <REP> d
C:\_OTMoveIt
2008-10-13 15:46 . 2008-10-13 15:58 <REP> d
C:\WINDOWS\system32\CatRoot_bak
2008-10-01 16:25 . 2008-10-01 16:25 <REP> d
C:\Program Files\Malwarebytes' Anti-Malware
2008-10-01 16:25 . 2008-10-01 16:25 <REP> d
C:\Documents and Settings\Villaescusa\Application Data\Malwarebytes
2008-10-01 16:25 . 2008-10-01 16:25 <REP> d
C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-01 16:25 . 2008-09-10 00:04 38,528 --a
C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-01 16:25 . 2008-09-10 00:03 17,200 --a
C:\WINDOWS\system32\drivers\mbam.sys
2008-09-30 09:43 . 2008-10-18 18:33 169,472
C:\WINDOWS\system32\winhelp32.exe
2008-09-28 11:03 . 2008-09-28 11:03 <REP> d
C:\Program Files\Trend Micro
2008-09-28 10:45 . 2008-09-28 10:45 <REP> d
C:\Program Files\Kaspersky Lab
2008-09-28 10:45 . 2008-09-28 10:45 <REP> d
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-28 10:45 . 2008-09-28 10:45 96,559 --a
C:\WINDOWS\system32\drivers\klin.dat
2008-09-28 10:45 . 2008-09-28 10:45 87,855 --a
C:\WINDOWS\system32\drivers\klick.dat
2008-09-28 10:45 . 2008-10-18 18:32 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-28 10:45 . 2008-10-18 18:32 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-28 10:45 . 2008-10-18 18:32 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-28 10:45 . 2008-10-18 18:32 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-26 12:31 . 2008-09-30 09:44 <REP> d
C:\Program Files\Google
2008-09-25 09:18 . 2008-09-25 09:18 <REP> d
C:\Documents and Settings\All Users\Application Data\nibgnerg
2008-09-24 14:15 . 2008-10-01 16:54 <REP> d
C:\Program Files\pkyxbye
2008-09-24 14:15 . 2008-10-01 16:49 <REP> d
C:\Documents and Settings\All Users\Application Data\hgnwhcrq
2008-09-24 14:15 . 2008-09-24 14:15 90,112 --a
C:\WINDOWS\system32\nmzkhsjy.exe
2008-09-24 14:05 . 2008-09-24 14:05 41,984 --a
C:\Documents and Settings\Villaescusa\mssadv.dll
2008-09-24 14:05 . 2008-09-30 09:43 20,480 --a
C:\0xf9.exe
2008-09-24 14:05 . 2008-09-28 10:49 12,800 --a
C:\Documents and Settings\Villaescusa\msscan.dll
2008-09-24 14:05 . 2008-09-28 10:49 12,800 --a
C:\Documents and Settings\Villaescusa\msiemon.dll
2008-09-24 14:05 . 2008-09-28 10:49 12,800 --a
C:\Documents and Settings\Villaescusa\msfw.dll
2008-09-24 14:05 . 2008-09-28 10:49 12,800 --a
C:\Documents and Settings\Villaescusa\msctrl.dll
2008-09-24 14:05 . 2008-09-28 10:49 12,800 --a
C:\Documents and Settings\Villaescusa\msavsc.dll
répondu le 18 Oct 2008 par nicolo
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 15:46
d
w C:\Program Files\eMule
2008-09-26 10:31
d
w C:\Program Files\Java
2008-09-25 15:47
d
w C:\Program Files\AskTBar
2008-09-25 15:17
d
w C:\Documents and Settings\Villaescusa\Application Data\Dealio
.

Sigcheck

2008-04-14 04:34 14336 e4bdf223cd75478bf44567b4d5c2634d C:\WINDOWS\SoftwareDistribution\Download\23ec66f2314a80d718b5483ab6e865af\svchost.exe
md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

2008-04-14 04:34 512000 dd73d6b9f6b4cb630cf35b438b540174 C:\WINDOWS\SoftwareDistribution\Download\23ec66f2314a80d718b5483ab6e865af\winlogon.exe
md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
2007-06-13 15:10 1037312 b795475444d6d57a572c14b9e1a29839 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-10 15:00 1036288 4c33e5b9a6197b6ed215f6cfba0a2daa C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 04:34 1037824 f2317622d29f9ff0f88aeecd5f60f0dd C:\WINDOWS\SoftwareDistribution\Download\23ec66f2314a80d718b5483ab6e865af\explorer.exe

2008-04-14 04:34 109056 54cb50058851d95e56ec70d09f70857f C:\WINDOWS\SoftwareDistribution\Download\23ec66f2314a80d718b5483ab6e865af\services.exe
md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

2008-04-14 04:34 13312 91e6024d6d4dcdecdb36c43ecf9bbecb C:\WINDOWS\SoftwareDistribution\Download\23ec66f2314a80d718b5483ab6e865af\lsass.exe
md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

2005-06-11 02:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-10 15:00 57856 b4ef928e4fad79364a80acba6d999934 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 04:34 57856 460e4ce148bd07218da0b6a3d31885a9 C:\WINDOWS\SoftwareDistribution\Download\23ec66f2314a80d718b5483ab6e865af\spoolsv.exe
md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PzMYc"= {78398613-D293-2CB9-0C5E-219685B2C5DB} - C:\WINDOWS\system32\spjilv.dll [2007-04-16 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vmmreg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\FICHIE~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"MSACM.CEGSM"= mobilev.acm

Les clés de Registre SafeBoot doivent être réparées. Cette machine ne peut pas utiliser le Mode Sans Échec.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
répondu le 18 Oct 2008 par nicolo
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\APPS\\skype\\phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R1 VIDEO;VIDEO;C:\WINDOWS\SYSTEM32\VIDEO.sys [2008-09-30 30464]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S0 Winvj70;Winvj70;C:\WINDOWS\system32\Drivers\Winvj70.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20dc4b62-451f-11dd-9b6b-00038a000015}]
\Shell\AutoRun\command - I:\start.exe
\Shell\FramaKey\command - I:\start.exe
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} - %SystemRoot%\system32\vmmreg32.dll


.
Examen supplémentaire
.
R0 -: HKCU-Main,Start Page = hxxp://www.orange.fr
R1 -: HKCU-Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Compare Prices with &Dealio - C:\Documents and Settings\Villaescusa\Application Data\Dealio\kb127\res\DealioSearch.html
O8 -: E&xporter vers Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - %~$path:i
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - %~$path:i
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - %~$path:i
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - %~$path:i
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - %~$path:i
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - %~$path:i
.
répondu le 18 Oct 2008 par nicolo
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 18:33:53
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...


C:\WINDOWS\vmmreg32.dll 18944 bytes executable
C:\WINDOWS\system32\VIDEO.sys 30464 bytes executable
C:\WINDOWS\system32\vmmreg32.dll 253952 bytes executable
C:\WINDOWS\system32\webmin

Scan terminé avec succès
Fichiers cachés: 4

**************************************************************************
.
Autres processus actifs
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Heure de fin: 2008-10-18 18:36:32 - La machine a redémarré [Villaescusa]
ComboFix-quarantined-files.txt 2008-10-18 16:36:28

Avant-CF: 281 403 920 384 octets libres
Après-CF: 281,305,567,232 octets libres

196 --- E O F --- 2008-09-10 19:03:30

je t'ai adressé 4 copies. Merci
répondu le 18 Oct 2008 par nicolo
1/ Clique sur Démarrer/Exécuter tape notepad clique sur Ok

- Surligne le texte qui est en citation ci-dessous (sans le mot citation) par sélection puis Ctrl-C :

Citation:
File::

C:\WINDOWS\system32\nmzkhsjy.exe
C:\Documents and Settings\Villaescusa\mssadv.dll
C:0xf9.exe
C:\Documents and Settings\Villaescusa\msscan.dll
C:\Documents and Settings\Villaescusa\msiemon.dll
C:\Documents and Settings\Villaescusa\msfw.dll
C:\Documents and Settings\Villaescusa\msctrl.dll
C:\Documents and Settings\Villaescusa\msavsc.dll
C:\WINDOWS\system32\winhelp32.exe
C:\WINDOWS\system32\spjilv.dll
C:\WINDOWS\system32\Drivers\Winvj70.sys


Folder::

C:\Documents and Settings\All Users\Application Data\hgnwhcrq
C:\Program Files\pkyxbye

Driver::

Winvj70

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PzMYc"=-


- Copie la sélection dans le bloc notes

- Enregistre ce fichier sur le bureau (impératif)


- Nom du fichier : CFScript
- Type du fichier : tous les fichiers
- clique sur Enregistrer
- Quitte le Bloc Notes.


2/ Fait un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe comme sur la capture http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

[*] Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!
Ne touche à rien tant que le scan n'est pas terminé.

[*] Une fois le scan achevé, un rapport va s'afficher: poste son contenu.

[*] Si le fichier ne s'ouvre pas, il se trouve ici C:\ComboFix.txt
répondu le 18 Oct 2008 par Geronimo
Bonjour Géronimo, il y en a encore quelques pages :
ComboFix 08-10-19.04 - Villaescusa 2008-10-21 17:06:50.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.481 [GMT 2:00]
Lancé depuis: C:\Documents and Settings\Villaescusa\Bureau\ComboFix.exe
Commutateurs utilisés :: C:\Documents and Settings\Villaescusa\Bureau\CFScript.txt
* Un nouveau point de restauration a été créé

FILE ::
C:\Documents and Settings\Villaescusa\msavsc.dll
C:\Documents and Settings\Villaescusa\msctrl.dll
C:\Documents and Settings\Villaescusa\msfw.dll
C:\Documents and Settings\Villaescusa\msiemon.dll
C:\Documents and Settings\Villaescusa\mssadv.dll
C:\Documents and Settings\Villaescusa\msscan.dll
C:\WINDOWS\system32\Drivers\Winvj70.sys
C:\WINDOWS\system32\nmzkhsjy.exe
C:\WINDOWS\system32\spjilv.dll
C:\WINDOWS\system32\winhelp32.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\hgnwhcrq
C:\Documents and Settings\Villaescusa\msavsc.dll
C:\Documents and Settings\Villaescusa\msctrl.dll
C:\Documents and Settings\Villaescusa\msfw.dll
C:\Documents and Settings\Villaescusa\msiemon.dll
C:\Documents and Settings\Villaescusa\mssadv.dll
C:\Documents and Settings\Villaescusa\msscan.dll
C:\Program Files\pkyxbye
C:\WINDOWS\system32\clrs.tmp
C:\WINDOWS\system32\nmzkhsjy.exe
C:\WINDOWS\system32\spjilv.dll
C:\WINDOWS\system32\webmin
C:\WINDOWS\system32\winhelp32.exe . . . . impossible à supprimer

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\Legacy_WINVJ70
\Service_Winvj70
répondu le 21 Oct 2008 par nicolo
((((((((((((((((((((((((((((( Fichiers créés du 2008-09-21 au 2008-10-21 ))))))))))))))))))))))))))))))))))))
.

2008-10-13 16:01 . 2008-10-13 16:01 <REP> d
C:\Program Files\CCleaner
2008-10-13 15:52 . 2008-10-13 15:52 <REP> d
C:\_OTMoveIt
2008-10-13 15:46 . 2008-10-13 15:58 <REP> d
C:\WINDOWS\system32\CatRoot_bak
2008-10-01 16:25 . 2008-10-01 16:25 <REP> d
C:\Program Files\Malwarebytes' Anti-Malware
2008-10-01 16:25 . 2008-10-01 16:25 <REP> d
C:\Documents and Settings\Villaescusa\Application Data\Malwarebytes
2008-10-01 16:25 . 2008-10-01 16:25 <REP> d
C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-01 16:25 . 2008-09-10 00:04 38,528 --a
C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-01 16:25 . 2008-09-10 00:03 17,200 --a
C:\WINDOWS\system32\drivers\mbam.sys
2008-09-30 09:43 . 2008-10-21 17:08 169,472
C:\WINDOWS\system32\winhelp32.exe
2008-09-28 11:03 . 2008-09-28 11:03 <REP> d
C:\Program Files\Trend Micro
2008-09-28 10:45 . 2008-09-28 10:45 <REP> d
C:\Program Files\Kaspersky Lab
2008-09-28 10:45 . 2008-09-28 10:45 <REP> d
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-28 10:45 . 2008-09-28 10:45 96,559 --a
C:\WINDOWS\system32\drivers\klin.dat
2008-09-28 10:45 . 2008-09-28 10:45 87,855 --a
C:\WINDOWS\system32\drivers\klick.dat
2008-09-28 10:45 . 2008-10-21 17:08 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-28 10:45 . 2008-10-21 17:08 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-28 10:45 . 2008-10-21 17:08 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-28 10:45 . 2008-10-21 17:08 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-26 12:31 . 2008-09-30 09:44 <REP> d
C:\Program Files\Google
2008-09-25 09:18 . 2008-09-25 09:18 <REP> d
C:\Documents and Settings\All Users\Application Data\nibgnerg
2008-09-24 14:05 . 2008-09-30 09:43 20,480 --a
C:\0xf9.exe
répondu le 21 Oct 2008 par nicolo

Questions associées:

3 réponses 24 vues
posté le 18 Avr dans la catégorie Internet par garguantua
4 réponses 2 vues
posté le 4 Déc 2012 dans la catégorie Internet par brigan
9 réponses 7 vues
posté le 28 Sept 2008 dans la catégorie Internet par nicolo
11 réponses 5 vues
posté le 4 Sept 2013 dans la catégorie Internet par epeter
12 réponses 1 vue
posté le 9 Fév 2009 dans la catégorie Internet par Pasala
...