Infection Win32 Horst a-z

Paperdumèpresque... · le 20 janvier 2007

Bonsoir,

La bête est revenu, et les procdures semblent avoir évolué.

Ci joint rapport d'Hijackthis

Merci d'avance.

Logfile of HijackThis v1.99.1

Scan saved at 18:17:29, on 20/01/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Acer\Empowering Technology\ePresentation\ePresentation.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\ALWILS~1\Avast4\ashDisp.exe

C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe

D:\EA GAMES\D-Tools\daemon.exe

C:\Program Files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe

C:\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe

D:\Microsoft Etudes\Microsoft Encarta 2007 - Études DVD\EDICT.EXE

D:\WinZip\WZQKPICK.EXE

D:\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\Program Files\Fichiers communs\Logitech\khalshared\KHALMNPR.EXE

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\Alwil Software\Avast4\aswUpdSv.exe

C:\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\E_S00RP2.EXE

C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

C:\Acer\Empowering Technology\eLock\LockServ.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\DOCUME~1\Erick\LOCALS~1\Temp\RtkBtMnt.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Alwil Software\Avast4\ashMaiSv.exe

C:\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ThiWeb Live\thiweblive.exe

C:\Program Files\ThiWeb Live\tlmaj.exe

D:\eDonkey2000\edonkey2000.exe

D:\SlySoft\AnyDVD\AnyDVD.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\2007\ENCWCSVR.EXE

C:\Alwil Software\Avast4\ashSimpl.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\WINZIP\winzip32.exe

C:\Documents and Settings\Erick\Local Settings\Temp\wz1cdb\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neufportail.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: BHO pour Compagnon Web Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Compagnon Web Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

O4 - HKLM\..\Run: [boot] C:\Acer\Empowering Technology\ePower\Boot.exe

O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe

O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Fichiers communs\Logitech\khalshared\KHALMNPR.EXE"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [VirtualCloneDrive] "D:\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [avast!] C:\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [\\ERICK\EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P32 "\\ERICK\EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CloneCDTray] "D:\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\EA GAMES\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [ThiWebLive] C:\Program Files\ThiWeb Live\thiweblive.exe

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [\\ERICK\EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P32 "\\ERICK\EPSON Stylus Photo RX500" /M "Stylus Photo RX500" /EF "HKCU"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [L07FXLRD_91841093] "D:\Microsoft Etudes\Microsoft Encarta 2007 - Études DVD\EDICT.EXE" -m

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [AnyDVD] D:\SlySoft\AnyDVD\AnyDVD.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE

O4 - Global Startup: Logitech SetPoint.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: Barre de recherche Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162399818292

O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://config.zebulon.fr/plugins/hardwaredetection.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab

O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - http://abonnement.aliceadsl.fr/configurate...countHelper.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CA9ECA96-7B92-4560-83C7-94BA1E46595E}: NameServer = 86.64.145.140,84.103.237.140

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP2.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe

O23 - Service: NBService - Nero AG - D:\NERO\Nero 7\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Malekal_morte · le 20 janvier 2007

Bonjour,

Télécharge sur ton bureau : http://www.malekal.com/download/clean.zip

Une fois sur le bureau, tu fais un clic droit sur ton fichier clean.zip et dans le menu déroulant, tu clics sur extrait tout ou extraire ici.

Cela va créer un dossier clean.

Double-clic sur ce dossier clean, tu y trouveras dedans plusieurs fichiers.

Double-clic sur clean. Cela va ouvrir une fenêtre noire.

Un menu va apparaître, choisis l'option 1 en appuyant sur la touche 1 de ton clavier.

Clean va travailler.

Un rapport Va etre généré, colle le contenu entier ici.

Paperdumèpresque... · le 20 janvier 2007

J'ai fait l nécessaire et voici le résultat:

Rapport clean par Malekal_morte - http://www.malekal.com

Option 1, executee le 20/01/2007 a 18:25:41,30

*** Recherche de fichiers sur C:

*** Recherche des fichiers dans C:\WINDOWS\

C:\WINDOWS\RUNXMLPL.exe FOUND

*** Recherche des fichiers dans C:\WINDOWS\system32

C:\WINDOWS\system32\spool\drivers\setup.exe FOUND

C:\WINDOWS\system\smss.exe FOUND

"C:\DOCUME~1\Erick\LOCALS~1\Temp\??exhdd*.exe" FOUND

"C:\Documents and Settings\All Users\Documents\setup.exe" FOUND

*** Fin du rapport !

@+

Malekal_morte · le 20 janvier 2007

Voici la manipulation à effectuer en entier

Merci de bien vouloir :

- Lire attentivement les instructions demandées et prendre son temps pour les effectuer convenablement, sinon la désinfection ne sera pas complète.

- Si certains éléments ne sont pas trouvés, merci de le signaler mais de poursuivre les manipulations jusqu'au bout.

- A l'issu de la procédure, merci de bien copier/coller TOUS les rapports demandés.

- N'hésitez pas à consulter les liens d'aides, ils sont là pour vous guider !

Suis la procédure de cette page : http://www.malekal.com/Trojan-Proxy.Win32.Horst.php

Sur HiJackThis, refais un scan et coches les lignes suivantes :

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

---> puis clic sur le bouton "Fix Checked"

n'hésite pas à consulter l'aide HiJackThis

- Télécharge et installe AVG Anti-Spyware - Tutorial : http://www.malekal.com/tutorial_AVG_AntiSpyware.html

- Mets le à jour à partir du menu Mise à jour en haut

-- Redémarre en mode en mode sans échec, si tu sais pas comment on fait lis ceci

Double-clic sur ce dossier clean, tu y trouveras dedans plusieurs fichiers.

Double-clic sur clean. Cela va ouvrir une fenêtre noire.

Un menu va apparaître, choisis l'option 2 en appuyant sur la touche 2 de ton clavier.

Clean va travailler.

Un rapport Va etre généré, colle le contenu entier ici.

- Ouvre AVG Anti-Spyware et clic sur l'onglet Analyse, puis le sous-onglet Paramètres

- Sélectionne dans Comment Réagir ? Quarantine. (voir l'aide l'aide AVG Anti-Spyware)

- Reviens au sous-onglet Analyser puis clique sur Analyse complète du système.

---> Le scan démarre.

A la fin clique sur Appliquer toutes les actions, les éléments doivent alors être déplacés en quarantaine.

Puis clique sur Enregistrer le rapport d'analyse et enregistre le rapport sur le Bureau.

Aide : N'hésite pas à consulter l'Aide AVG Anti-Spyware pour tout problème.

-- Redémarre en mode normal : Menu Démarrer / Arreter / Redémarre l'ordinateur

Attention : dans le cas où l'ordinateur redémarre en boucle en mode sans échec, faire la manipulation inverse en décochant l'option /SAFEBOOT à l'aide de msconfig : voir à nouveau cette page : cliquez-ici

-- Fais un scan en ligne avec Internet Explorer : Scan Kaspersky et colle le rapport ici. Si tu es perdu, tu peux suivre cette aide pour les scans en ligne

-- Copie/Colle ici les rapports :

- AVG Anti-Spyware

- le rapport clean : Poste de travail / double clic sur disque C / double-clic sur rapport_clean.txt et copier/coller le contenu ici C:\rapport_clean.txt

- ainsi qu'un nouveau log HiJackThis

Paperdumèpresque... · le 20 janvier 2007

Si j'ai bien tout lu (pas Freud),

Je vais me mettre en mode sans echec; masi que fais-je d'Avast, je le supprime, ou je le ferme??????

et oui, paperdumèpresque...

Modifié le 20 janvier 2007 par Paperdumèpresque...

angelique · le 20 janvier 2007

bah! tu fais rien, et tu suis la procédure de Malekal!! avast ne sera pas actif en mode sans echec. ;o)

Malekal_morte · le 20 janvier 2007

Ne pas toucher à Avast!

Paperdumèpresque... · le 20 janvier 2007

Messages bien reçus, je ne touche pas à AVAST

A très bientôt, je suis sur le point de partir au travail.

Paperdumèpresque... · le 22 janvier 2007

Je suis en retard, mais j'ai pas un métier facile.

Voici les différents rapprots suite à la mise en oeuvre de la procédure ad-hoc:

KASPERSKY ONLINE SCANNER REPORT

Monday, January 22, 2007 6:02:43 AM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 21/01/2007

Kaspersky Anti-Virus database records: 246024

Scan Settings

Scan using the following antivirus database standard

Scan Archives true

Scan Mail Bases true

Scan Target My Computer

C:\

D:\

E:\

F:\

G:\

Scan Statistics

Total number of scanned objects 197021

Number of viruses found 1

Number of infected objects 1 / 0

Number of suspicious objects 0

Duration of the scan process 02:16:10

Infected Object Name Virus Name Last Action

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_a08.dat Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_20c.dat Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F834AE9E-32E1-4C4D-942C-CF29D50D1E2C}.crmlog Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{48F09448-1596-469F-988F-8D87B8DF023E}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\ModemLog_HDAUDIO Soft Data Fax Modem with SmartCP.txt Object is locked skipped

C:\WINDOWS\$_hpcst$.hpc Object is locked skipped

C:\WINDOWS\CSC000001 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\NtfB.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\NtfC.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_d10.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010001.ci Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010002.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010003.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010001.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010004.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010005.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010001.wsb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010006.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010007.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010008.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010009.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles01000D.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles01000E.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles01000F.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010010.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010011.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010012.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010013.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010014.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles010016.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles01001D.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy6.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.59.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.59.Crwl Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Erick\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Erick\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Temp\~DF798D.tmp Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Temp\~DFE83E.tmp Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Temp\~DF5347.tmp Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Temp\~DF540D.tmp Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Temp\Perflib_Perfdata_2f8.dat Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Historique\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Historique\History.IE5\MSHist012007012120070122\index.dat Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\ApplicationHistory\ePresentation.exe.e70224e9.ini.inuse Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\ApplicationHistory\LockMon.exe.7987f3da.ini.inuse Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped

C:\Documents and Settings\Erick\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped

C:\Documents and Settings\Erick\Cookies\index.dat Object is locked skipped

C:\system volume information\_restore{7D0A09CF-FCEC-40B1-949D-E158943906CC}\RP183\change.log Object is locked skipped

C:\eDS_PSD_drive.vmdf Object is locked skipped

C:\Alwil Software\Avast4\DATA\report\Protection résidente.txt Object is locked skipped

C:\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

D:\System Volume Information\_restore{7D0A09CF-FCEC-40B1-949D-E158943906CC}\RP183\A0032277.exe Infected: Trojan-Downloader.Win32.Agent.aii skipped

D:\System Volume Information\_restore{7D0A09CF-FCEC-40B1-949D-E158943906CC}\RP183\change.log Object is locked skipped

Scan process completed.

----------------------------------------------------------------------------------------------------------

Script execute en mode sans echec

Rapport clean par Malekal_morte - http://www.malekal.com

Option 2, executee le 20/01/2007 a 19:15:43,87

Microsoft Windows XP [version 5.1.2600]

*** Suppression de fichiers sur C:

*** Suppression des fichiers dans C:\WINDOWS\

tentative de suppression de C:\WINDOWS\RUNXMLPL.exe

*** Suppression des fichiers dans C:\WINDOWS\system32

tentative de suppression de C:\WINDOWS\system32\spool\drivers\setup.exe

tentative de suppression de C:\WINDOWS\system\smss.exe

tentative de suppression de "C:\DOCUME~1\Erick\LOCALS~1\Temp\??exhdd*.exe"

tentative de suppression de "C:\Documents and Settings\All Users\Documents\setup.exe"

*** Suppression des clefs du registre effectuee..

*** Fin du rapport !

---------------------------------------------------------------------------------------------+

AVG Anti-Spyware - Rapport d'analyse

---------------------------------------------------------

+ Créé à: 23:32:40 20/01/2007

+ Résultat de l'analyse:

D:\eDonkey2000 Downloads\Encarta\ Encarta collection 2007 - Microsoft [ Full crack nocd patch multilanguage]\ !Encarta collection 2007 - Microsoft [ installer ].exe -> Adware.Casino : Nettoyé et sauvegardé (mise en quarantaine).

C:\system volume information\_restore{7D0A09CF-FCEC-40B1-949D-E158943906CC}\RP183\A0032269.exe -> Backdoor.Tagent.e : Nettoyé et sauvegardé (mise en quarantaine).

D:\System Volume Information\_restore{7D0A09CF-FCEC-40B1-949D-E158943906CC}\RP181\A0031991.exe -> Backdoor.Tagent.e : Nettoyé et sauvegardé (mise en quarantaine).

C:\system volume information\_restore{7D0A09CF-FCEC-40B1-949D-E158943906CC}\RP183\A0032262.exe -> Downloader.Agent.aii : Nettoyé et sauvegardé (mise en quarantaine).

C:\system volume information\_restore{7D0A09CF-FCEC-40B1-949D-E158943906CC}\RP183\A0032268.exe -> Downloader.Agent.aii : Nettoyé et sauvegardé (mise en quarantaine).

D:\eDonkey2000 Downloads\Virtual DJ Studio 4.4 serial cracks.exe -> Downloader.Agent.aii : Nettoyé et sauvegardé (mise en quarantaine).

Fin du rapport

------------------------------------------------------------------------------------------------------+

Logfile of HijackThis v1.99.1

Scan saved at 06:03:54, on 22/01/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Acer\Empowering Technology\ePresentation\ePresentation.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

D:\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\ALWILS~1\Avast4\ashDisp.exe

D:\SlySoft\CloneCD\CloneCDTray.exe

C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe

D:\EA GAMES\D-Tools\daemon.exe

C:\Program Files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ThiWeb Live\thiweblive.exe

C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe

C:\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe

D:\Microsoft Etudes\Microsoft Encarta 2007 - Études DVD\EDICT.EXE

D:\SlySoft\AnyDVD\AnyDVD.exe

D:\WinZip\WZQKPICK.EXE

D:\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\Program Files\ThiWeb Live\tlmaj.exe

C:\Program Files\Fichiers communs\Logitech\khalshared\KHALMNPR.EXE

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\Alwil Software\Avast4\aswUpdSv.exe

C:\Alwil Software\Avast4\ashServ.exe

C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\E_S00RP2.EXE

C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

C:\Acer\Empowering Technology\eLock\LockServ.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\DOCUME~1\Erick\LOCALS~1\Temp\RtkBtMnt.exe

C:\WINDOWS\system32\dllhost.exe

C:\Alwil Software\Avast4\ashMaiSv.exe

C:\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\2007\ENCWCSVR.EXE

D:\LOGICIELS UTILITAIRES\Eradiquer W horst 32\HijackThis.exe