rogchatcom

Members
  • Content count

    29
  • Joined

  • Last visited

Everything posted by rogchatcom

  1. Thanks, it's already better. First, here is the report:

     SDFix: Version 1.199
     Run by rich on 02/07/2008 at 11:15
     Microsoft Windows XP [version 5.1.2600]
     Running From: C:\SDFix

     Checking Services :

     Restoring Default Security Values
     Restoring Default Hosts File
     Restoring Default HomePage Value
     Restoring Default Desktop Components Value
     Restoring Windows ProductId To Remove Fake Virus Alert
     Restoring Time Format To Remove Fake Virus Alert

     Rebooting

     Checking Files :

     Trojan Files Found:

     C:\WINDOWS\system32\tuvWmLba.dll - Deleted
     C:\HJIBDE.EXE - Deleted
     C:\KEMV.EXE - Deleted
     C:\MCLRPGQ.EXE - Deleted
     C:\PPVGLRW.EXE - Deleted
     C:\RDKLLJ.EXE - Deleted
     C:\REMVQQY.EXE - Deleted
     C:\Documents and Settings\rich\Bureau\Error Cleaner.url - Deleted
     C:\Documents and Settings\rich\Favoris\Error Cleaner.url - Deleted
     C:\Documents and Settings\rich\Bureau\Privacy Protector.url - Deleted
     C:\Documents and Settings\rich\Favoris\Privacy Protector.url - Deleted
     C:\Documents and Settings\rich\Bureau\Spyware&Malware Protection.url - Deleted
     C:\Documents and Settings\rich\Favoris\Spyware&Malware Protection.url - Deleted
     C:\WINDOWS\privacy_danger\index.htm - Deleted
     C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
     C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
     C:\WINDOWS\privacy_danger\images\down.gif - Deleted
     C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
     C:\WINDOWS\gfetqaxsoet.dll - Deleted
     C:\WINDOWS\system32\RunOnce.t__ - Deleted
     C:\WINDOWS\system32\RunOnce.tm_ - Deleted
     C:\DOCUME~1\rich\LOCALS~1\Temp\media.php.bat - Deleted
     C:\WINDOWS\gxvpsafm.dll - Deleted
     C:\WINDOWS\pntqkflv.dll - Deleted
     C:\WINDOWS\qegbdmwf.dll - Deleted
     C:\WINDOWS\system32\lt.res - Deleted
     C:\WINDOWS\system32\sft.res - Deleted
     C:\WINDOWS\tovafrnm.exe - Deleted

     Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
     Folder C:\WINDOWS\privacy_danger - Removed

     Removing Temp Files

     ADS Check :

     Final Check :

     catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-07-02 11:27:15
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden services & system hive ...

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
     "khjeh"=hex:20,02,00,00,df,48,6e,49,73,46,e4,1e,c3,23,5a,12,f1,1c,10,5b,2a,..
     "hj34z0"=hex:a1,91,1b,04,7c,7f,4c,66,da,40,07,2f,bb,15,d7,1b,89,49,53,9a,2a,..

     scanning hidden registry entries ...

     scanning hidden files ...

     scan completed successfully
     hidden processes: 0
     hidden services: 0
     hidden files: 0

     Remaining Services :

     Authorized Application Key Export:

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
     "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
     "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
     "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
     "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
     "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

     Remaining Files :

     File Backups: - C:\SDFix\backups\backups.zip

     Files with Hidden Attributes :

     Thu 19 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
     Tue 26 Mar 2002 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
     Fri 22 Apr 2005 26,624 A..H. --- "C:\Documents and Settings\rich\Bureau\blag\~WRL0003.tmp"
     Sat 27 Oct 2007 73,216 ...H. --- "C:\Documents and Settings\rich\Bureau\divers\~WRL0001.tmp"
     Sun 17 Feb 2008 81,408 ...H. --- "C:\Documents and Settings\rich\Bureau\divers\~WRL0002.tmp"
     Wed 2 Jul 2008 0 A..H. --- "C:\Documents and Settings\rich\Local Settings\Temp\BIT10.tmp"
     Wed 2 Jul 2008 0 A..H. --- "C:\Documents and Settings\rich\Local Settings\Temp\BIT11.tmp"
     Wed 2 Jul 2008 0 A..H. --- "C:\Documents and Settings\rich\Local Settings\Temp\BIT2.tmp"
     Wed 2 Jul 2008 0 A..H. --- "C:\Documents and Settings\rich\Local Settings\Temp\BIT3.tmp"
     Wed 2 Jul 2008 0 A..H. --- "C:\Documents and Settings\rich\Local Settings\Temp\BIT4.tmp"
     Wed 2 Jul 2008 0 A..H. --- "C:\Documents and Settings\rich\Local Settings\Temp\BIT42.tmp"
     Wed 2 Jul 2008 0 A..H. --- "C:\Documents and Settings\rich\Local Settings\Temp\BITF.tmp"
     Wed 3 May 2006 70,656 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL0001.tmp"
     Tue 9 May 2006 70,656 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL0003.tmp"
     Fri 30 Jun 2006 22,016 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL0034.tmp"
     Mon 26 Jun 2006 77,312 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL0272.tmp"
     Mon 26 Jun 2006 77,312 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL0578.tmp"
     Thu 8 Sep 2005 16,352,768 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL0839.tmp"
     Fri 30 Jun 2006 22,016 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL1484.tmp"
     Mon 12 Jun 2006 22,016 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL2676.tmp"
     Thu 22 Jun 2006 77,312 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL3624.tmp"
     Fri 30 Jun 2006 23,040 A..H. --- "C:\Documents and Settings\rich\Bureau\clé\clé richard\~WRL3884.tmp"

     Finished!

     And the HijackThis log:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:36:39, on 02/07/2008
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Sygate\SPF\smc.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\System32\brsvc01a.exe
     C:\WINDOWS\System32\brss01a.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\WINDOWS\system32\HPZipm12.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\Hercules\WiFi Station\WifiStation.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Documents and Settings\rich\Bureau\HiJackThis.exe

     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
     O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
     O4 - HKLM\..\Run: [lphc7ubj0er75] C:\WINDOWS\system32\lphc7ubj0er75.exe
     O4 - HKLM\..\Run: [886d177d] rundll32.exe "C:\WINDOWS\system32\fbywcoud.dll",b
     O4 - Global Startup: WiFi Station.lnk = ?
     O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
     O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
     O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
     O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
     O16 - DPF: Yahoo! Chess - http://origin.games.yahoo.net/games/clients/y/ct5_x.cab
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192271621625
     O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
     O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} (CLoader Object) - http://www.antivirusxp2008.com/tools/virusremover.dll
     O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f001.mail.caramail.lycos.fr/app/upl...ileUploader.cab
     O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
     O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
     O23 - Service: Plug-and-Play PlugPlaySCardSvr (PlugPlaySCardSvr) - Unknown owner - C:\WINDOWS\System32\a234v.exe (file missing)
     O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

     --
     End of file - 4562 bytes

     I have not yet regained access to My Computer, and I still get a pop-up that sometimes appears on the net (once). Thanks already for all the advice. It's really kind.

     Richard
  2. I made the mistake of leaving the PC on, and I lost the wallpaper and access to My Computer. Argh, help, thanks.
  3. Here is the report, and thanks.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 18:56: VIRUS ALERT!, on 01/07/2008
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Sygate\SPF\smc.exe
     C:\WINDOWS\System32\brsvc01a.exe
     C:\WINDOWS\System32\brss01a.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\Hercules\WiFi Station\WifiStation.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\WINDOWS\system32\HPZipm12.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Documents and Settings\rich\Local Settings\Temp\.ex6.tmp
     C:\WINDOWS\explorer.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Documents and Settings\rich\Bureau\HiJackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
     O3 - Toolbar: gxvpsafm - {A9C00446-CA14-4EF3-AACB-723AE6634D61} - C:\WINDOWS\gxvpsafm.dll
     O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
     O4 - HKLM\..\Run: [886d177d] rundll32.exe "C:\WINDOWS\system32\sakqupyr.dll",b
     O4 - HKLM\..\Run: [lphc7ubj0er75] C:\WINDOWS\system32\lphc7ubj0er75.exe
     O4 - Global Startup: WiFi Station.lnk = ?
     O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
     O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
     O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
     O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
     O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
     O16 - DPF: Yahoo! Chess - http://origin.games.yahoo.net/games/clients/y/ct5_x.cab
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192271621625
     O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
     O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} (CLoader Object) - http://www.antivirusxp2008.com/tools/virusremover.dll
     O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f001.mail.caramail.lycos.fr/app/upl...ileUploader.cab
     O21 - SSODL: pntqkflv - {5DA3EEBD-6BAE-45D2-9620-84A77E14F68A} - C:\WINDOWS\pntqkflv.dll
     O21 - SSODL: qegbdmwf - {7778AFB1-4224-42D6-8E86-8D7FF72720B0} - C:\WINDOWS\qegbdmwf.dll
     O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
     O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
     O23 - Service: Plug-and-Play PlugPlaySCardSvr (PlugPlaySCardSvr) - Unknown owner - C:\WINDOWS\System32\a234v.exe (file missing)
     O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
     O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

     --
     End of file - 5266 bytes
  4. Hello, I need help: I have a virus that gives me pop-ups and hijacks Google. I have Avira AntiVir; it detects the problem but does not fix it. I also did not manage to manually remove the offending DLL file: windows/system32/tuvWmLba.dll. Thanks for helping me. Richard