Pc qui rame et forumeux débutant

[blackcrichton]

Bonsoir

 

Je suis à la fois débutant sur ce forum et en infomatique ! Mon PC me fait des misères depuis deux jours : il rame, se bloque, m'ouvre des fenêtres que j'aurais surement apprécié à 15 ans et me bloque des programmes !! Super lourd.

 

Je vous joins le log hijackthis que je viens de sortir en espérant que vous pourrez me donner un coup de main

 

D'avance merci !!

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:15:19, on 05/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Securitoo\Common\FSMA32.EXE

C:\WINDOWS\System32\FTRTSVC.exe

C:\Program Files\Securitoo\Common\FSMB32.EXE

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\IQONAN~1\ONLNSVC.EXE

C:\Program Files\Securitoo\Common\FCH32.EXE

C:\PROGRA~1\IQONAN~1\scanwscs.exe

C:\Program Files\Securitoo\Common\FAMEH32.EXE

C:\Program Files\Securitoo\Anti-Virus\fsqh.exe

C:\Program Files\Securitoo\FSAUA\program\fsaua.exe

C:\Program Files\Securitoo\FWES\Program\fsdfwd.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\IQONAN~1\emlproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Securitoo\Common\FSM32.EXE

C:\PROGRA~1\Wanadoo\TaskBarIcon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\newmaxxsv234.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DialMessenger\dialmessenger.exe

C:\Program Files\Securitoo\FSGUI\fsguidll.exe

C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe

C:\PROGRA~1\Wanadoo\ComComp.exe

C:\PROGRA~1\Wanadoo\Toaster.exe

C:\PROGRA~1\Wanadoo\Inactivity.exe

C:\PROGRA~1\Wanadoo\PollingModule.exe

C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

C:\PROGRA~1\Wanadoo\Watch.exe

C:\PROGRA~1\Wanadoo\WOOBrowser\WOOBrowser.exe

c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe

C:\PROGRA~1\FICHIE~1\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\WINDOWS\TEMP\ms-B.exe

C:\Backup_Drivers\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Backup_Drivers\svchost.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.msn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer optimisé pour MSN

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - C:\Program Files\Video ActiveX Access\iesplg.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: C:\PROGRA~1\IQONAN~1\emlproxy.exe

O4 - HKLM\..\Run: [scanner Reminder] C:\PROGRA~1\IQONAN~1\remind.exe

O4 - HKLM\..\Run: [update Scheduler] C:\PROGRA~1\IQONAN~1\UPSCHD.EXE /CHECK

O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\IQONAN~1\CATEYE.EXE

O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\IQONAN~1\SCANMSG.EXE

O4 - HKLM\..\Run: [Activate Scanner] C:\PROGRA~1\IQONAN~1\ACTIVATE.EXE

O4 - HKLM\..\Run: [startup Scan] C:\PROGRA~1\IQONAN~1\sensor.exe /loadrun

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\GestMaj.exe TaskBarIcon.exe

O4 - HKLM\..\Run: [system] C:\WINDOWS\system32\kernelwind32.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Securitoo\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Securitoo\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [systemSv12] C:\WINDOWS\system32\newmaxxsv234.exe

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

O4 - HKLM\..\RunOnce: [startup Scan] C:\PROGRA~1\IQONAN~1\sensor.exe /check

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx

O4 - HKCU\..\Run: [DialMessenger] "C:\Program Files\DialMessenger\dialmessenger.exe" -background

O4 - HKCU\..\Run: [CDriver] c:\Backup_Drivers\svchost.exe

O4 - HKCU\..\Run: [DDriver] c:\Backup_Drivers\svchost.exe

O4 - HKCU\..\Run: [alpha] c:\Backup_Drivers\svchost.exe

O4 - HKCU\..\Run: [beta] c:\Backup_Drivers\svchost.exe

O4 - HKCU\..\Run: [gamma] c:\Backup_Drivers\svchost.exe

O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe

O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe

O4 - HKLM\..\Policies\Explorer\Run: [CDriver] c:\Backup_Drivers\svchost.exe

O4 - HKLM\..\Policies\Explorer\Run: [DDriver] c:\Backup_Drivers\svchost.exe

O4 - HKLM\..\Policies\Explorer\Run: [alpha] c:\Backup_Drivers\svchost.exe

O4 - HKLM\..\Policies\Explorer\Run: [beta] c:\Backup_Drivers\svchost.exe

O4 - HKLM\..\Policies\Explorer\Run: [gamma] c:\Backup_Drivers\svchost.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [systemDriverLoad] (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [systemDriver] (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [FDriver] (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [ADriver] (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [CDriver] c:\Backup_Drivers\svchost.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DDriver] c:\Backup_Drivers\svchost.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [alpha] c:\Backup_Drivers\svchost.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [beta] c:\Backup_Drivers\svchost.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [gamma] c:\Backup_Drivers\svchost.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{ED3608C0-F62B-47AA-B829-2D274D559654}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll

O22 - SharedTaskScheduler: adirondack - {547aaa89-7e6b-42b4-b112-a64955f86a2a} - C:\WINDOWS\system32\zpuwriz.dll (file missing)

O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\VINCEN~1\LOCALS~1\Temp\dnlsvc.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Securitoo\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Securitoo\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Securitoo\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Securitoo\Common\FSMA32.EXE

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\IQONAN~1\ONLNSVC.EXE

O23 - Service: iQon Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\IQONAN~1\scanwscs.exe

O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmdar.exe (file missing)

 

--

End of file - 12549 bytes

[bruce lee]

Bonjour blackcrichton et bienvenue sur ce forum

 

Tu connais ?:

 

O4 - HKLM\..\Policies\Explorer\Run: [CDriver] c:\Backup_Drivers\svchost.exe

 

---------

 

 

1/Télécharger http://siri.urz.free.fr/Fix/SmitfraudFix.exe ou ici: http://siri.geekstogo.com/SmitfraudFix.exe (de S!Ri) sur ton bureau

 

 

2/Double cliquer sur smitfraudfix.exe

 

Sélectionner 1 dans le menu pour créer un rapport des fichiers responsables de l'infection.

sauvegarde ce rapport et poste le

 

Imprime ces instructions si nécessaire car il va y avoir un redémarrage de l'ordinateur.

 

Télécharge FixWareout de l'un de ces deux liens :

http://downloads.subratam.org/Fixwareout.exe

http://download.bleepingcomputer.com/lonny/Fixwareout.exe

 

Sauvegarde-le sur ton Bureau, puis lance-le.

Clique Next, puis Install, et assure-toi que "Run fixit" soit coché, puis clique Finish.

Suis les directives à l'écran.

L'outil va te demander de redémarrer ton PC; fais-le s'il te plaît.

Le redémarrage risque de prendre un peu plus de temps; ceci est normal.

Suite au redémarrage, copie/colle le contenu du rapport généré par l'outil qui se trouve ici : C:\fixwareout\report.txt

 

Télécharge SDFix(créé par AndyManchesta) et sauvegarde le sur ton Bureau.

***Si le lien ne fonctionne pas, essaie celui-ci : http://download.bleepingcomputer.com/andymanchesta/SDFix.exe ***

 

Double clique sur SDFix.exe et choisis Install pour l'extraire dans un dossier dédié sur le Bureau. Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :

• Démarre en mode sans échec

http://cybersecurite.xooit.com/t88-Demarre...s-echec.htm#665
 
Déroule la liste des instructions ci-dessous :

• Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
  
• Appuie sur Y pour commencer le processus de nettoyage.
  
• Il va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
  
• Appuie sur une touche pour redémarrer le PC.
  
• Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
  
• Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
  
• Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
  
• Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
  
• Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum, avec un nouveau log Hijackthis !
  

1. Télécharge combofix.exe (par sUBs) ici :

 

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

 

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

 

sur ton Bureau.

 

2. Double clique sur combofix.exe puis tape 1 pour lancer le scan.

3. Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse.

Modifié le 5 décembre 2007 par bruce lee

[blackcrichton]

Merci de ton aide mon cher Bruce

 

Je ne connais pas du tout "O4 - HKLM\..\Policies\Explorer\Run: [CDriver] c:\Backup_Drivers\svchost.exe"...

 

Comme Tu me l'as demandé j'ai téléchargé Smitfraud. Voici le rapport :

SmitFraudFix v2.258

 

Rapport fait à 21:34:46,66, 05/12/2007

Executé à partir de C:\DOCUME~1\VINCEN~1\Bureau\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Le type du système de fichiers est NTFS

Fix executé en mode normal

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Securitoo\Common\FSMA32.EXE

C:\WINDOWS\System32\FTRTSVC.exe

C:\Program Files\Securitoo\Common\FSMB32.EXE

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\IQONAN~1\ONLNSVC.EXE

C:\Program Files\Securitoo\Common\FCH32.EXE

C:\PROGRA~1\IQONAN~1\scanwscs.exe

C:\Program Files\Securitoo\Common\FAMEH32.EXE

C:\Program Files\Securitoo\Anti-Virus\fsqh.exe

C:\Program Files\Securitoo\FSAUA\program\fsaua.exe

C:\Program Files\Securitoo\FWES\Program\fsdfwd.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\IQONAN~1\emlproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Securitoo\Common\FSM32.EXE

C:\PROGRA~1\Wanadoo\TaskBarIcon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\newmaxxsv234.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Securitoo\FSGUI\fsguidll.exe

C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe

C:\PROGRA~1\Wanadoo\ComComp.exe

C:\PROGRA~1\Wanadoo\Toaster.exe

C:\PROGRA~1\Wanadoo\Inactivity.exe

C:\PROGRA~1\Wanadoo\PollingModule.exe

C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

C:\PROGRA~1\Wanadoo\Watch.exe

C:\PROGRA~1\Wanadoo\WOOBrowser\WOOBrowser.exe

c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe

C:\PROGRA~1\FICHIE~1\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Backup_Drivers\svchost.exe

C:\WINDOWS\TEMP\ms-81F.exe

C:\Program Files\Windows Media Player\setup_wm.exe

C:\Backup_Drivers\svchost.exe

C:\WINDOWS\TEMP\ms-B.exe

C:\WINDOWS\TEMP\ms-E79.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\PROGRA~1\Wanadoo\WOOBRO~1\DownloadManager.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\WINDOWS\system32\cmd.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

C:\Backup_Drivers\svchost.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\PowerVideo.dll PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Vincent HILAIRE

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Vincent HILAIRE\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

 

C:\DOCUME~1\ALLUSE~1\MENUDM~1\Online Security Guide.url PRESENT !

C:\DOCUME~1\ALLUSE~1\MENUDM~1\Security Troubleshooting.url PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\VINCEN~1\Favoris

 

C:\DOCUME~1\VINCEN~1\Favoris\Online Security Test.url PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

 

C:\DOCUME~1\ALLUSE~1\Bureau\Online Security Guide.url PRESENT !

C:\DOCUME~1\ALLUSE~1\Bureau\Security Troubleshooting.url PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

C:\Program Files\Video ActiveX Access\ PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Ma page d'accueil"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{547aaa89-7e6b-42b4-b112-a64955f86a2a}"="adirondack"

 

[HKEY_CLASSES_ROOT\CLSID\{547aaa89-7e6b-42b4-b112-a64955f86a2a}\InProcServer32]

@="C:\WINDOWS\system32\zpuwriz.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{547aaa89-7e6b-42b4-b112-a64955f86a2a}\InProcServer32]

@="C:\WINDOWS\system32\zpuwriz.dll"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"="csyod.exe"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Votre ordinateur est certainement victime d'un détournement de DNS: 85.255.x.x détecté !

 

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Miniport d'ordonnancement de paquets

DNS Server Search Order: 85.255.114.195

DNS Server Search Order: 85.255.112.139

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4F20A3C8-5B2A-4769-BE5E-A674406B2FA2}: DhcpNameServer=85.255.114.195,85.255.112.139

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ED3608C0-F62B-47AA-B829-2D274D559654}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ED3608C0-F62B-47AA-B829-2D274D559654}: NameServer=85.255.114.195,85.255.112.139

HKLM\SYSTEM\CS1\Services\Tcpip\..\{4F20A3C8-5B2A-4769-BE5E-A674406B2FA2}: DhcpNameServer=85.255.114.195,85.255.112.139

HKLM\SYSTEM\CS1\Services\Tcpip\..\{ED3608C0-F62B-47AA-B829-2D274D559654}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{ED3608C0-F62B-47AA-B829-2D274D559654}: NameServer=85.255.114.195,85.255.112.139

HKLM\SYSTEM\CS3\Services\Tcpip\..\{4F20A3C8-5B2A-4769-BE5E-A674406B2FA2}: DhcpNameServer=85.255.114.195,85.255.112.139

HKLM\SYSTEM\CS3\Services\Tcpip\..\{ED3608C0-F62B-47AA-B829-2D274D559654}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{ED3608C0-F62B-47AA-B829-2D274D559654}: NameServer=85.255.114.195,85.255.112.139

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.195 85.255.112.139

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.195 85.255.112.139

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.114.195 85.255.112.139

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Fin

 

 

 

Voici maintenant le rapport issu de sdfix

 

 

SDFix: Version 1.117

 

Run by Vincent HILAIRE on 05/12/2007 at 22:48

 

Microsoft Windows XP [version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

dnlsvc

Driver

msdirect

 

Path:

"C:\DOCUME~1\VINCEN~1\LOCALS~1\Temp\dnlsvc.exe"

\??\C:\WINDOWS\system32\kernelw.sys

\??\C:\WINDOWS\system32\msdirect.sys

 

dnlsvc - Deleted

Driver - Deleted

msdirect - Deleted

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Missing Security Center Service

Restoring Missing SharedAccess Service

 

Rebooting...

 

Service asc3550p - Deleted after Reboot

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\Documents and Settings\All Users\Documents\Settings\bot.dll - Deleted

C:\Documents and Settings\Vincent HILAIRE\Local Settings\Temp\1.dllb - Deleted

C:\WINDOWS\system32\msdirect.sys - Deleted

C:\Documents and Settings\Vincent HILAIRE\Local Settings\Temp\ma11x1dd12111v.game - Deleted

C:\WINDOWS\Temp\ms-11.exe - Deleted

C:\WINDOWS\Temp\ms-13.exe - Deleted

C:\WINDOWS\Temp\ms-14.exe - Deleted

C:\WINDOWS\Temp\ms-17.exe - Deleted

C:\WINDOWS\Temp\ms-19.exe - Deleted

C:\WINDOWS\Temp\ms-1A.exe - Deleted

C:\WINDOWS\Temp\ms-1B.exe - Deleted

C:\WINDOWS\Temp\ms-28.exe - Deleted

C:\WINDOWS\Temp\ms-A.exe - Deleted

C:\WINDOWS\Temp\ms-B.exe - Deleted

C:\WINDOWS\Temp\ms-C.exe - Deleted

C:\WINDOWS\Temp\ms-D.exe - Deleted

C:\DOCUME~1\VINCEN~1\LOCALS~1\Temp\dnlsvc.exe - Deleted

C:\1.exe - Deleted

C:\Backup_Drivers\svchost.exe - Deleted

C:\syst.exe - Deleted

C:\WINDOWS\noskrnl.config - Deleted

C:\WINDOWS\system32\dllh8jkd1q5.exe - Deleted

C:\WINDOWS\system32\dllh8jkd1q6.exe - Deleted

C:\WINDOWS\system32\dllh8jkd1q7.exe - Deleted

C:\WINDOWS\system32\dllh8jkd1q8.exe - Deleted

C:\WINDOWS\system32\kernelw.sys - Deleted

C:\WINDOWS\system32\kernelwind32.exe - Deleted

C:\WINDOWS\system32\m1ax1d1213216143v.exe - Deleted

C:\WINDOWS\system32\max1d11643v.exe - Deleted

C:\WINDOWS\system32\newmaxxsv234.exe - Deleted

C:\WINDOWS\system32\svcp.csv - Deleted

C:\WINDOWS\system32\vedxga4me1.exe - Deleted

C:\WINDOWS\system32\vx.tll - Deleted

C:\WINDOWS\system32\winsub.xml - Deleted

C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted

 

 

 

Folder C:\Documents and Settings\All Users\Documents\Settings - Removed

Folder C:\Backup_Drivers - Removed

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-05 22:54:11

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache \xc4]

"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,70,02,05,00,00,00,00,64,b3,6f,d5,88,..

"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall \xc4]

"UninstallString"="C:\WINDOWS\IsUn0411.exe -f"C:\Program Files\\x201a\xb7\x201a\xbd\x201a\xb6\x201a\xa8\x2014\xce\x2019\x192\\x2030\xc4\x201c\xfa\x81i\x2018\xcc\x152\xb1\x201d\xc5\x0081D\x201am\x201ad\x201as\x81j\Uninst.isu""

"DisplayName"="\x2030\xc4\x201c\xfa\x81i\x2018\xcc\x152\xb1\x201d\xc5\x0081D\x201am\x201ad\x201as\x81j"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\32 \xb7]

"Order"=hex:08,00,00,00,02,00,00,00,7c,00,00,00,01,00,00,00,01,00,00,00,70,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\32 \xb7 \xc4]

"Order"=hex:08,00,00,00,02,00,00,00,88,00,00,00,01,00,00,00,01,00,00,00,7c,..

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

Remaining Files:

---------------

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes:

 

 

Finished!

 

 

 

Et enfin last but not least le rapport hijackthis :

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:04:19, on 05/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Securitoo\Common\FSMA32.EXE

C:\WINDOWS\System32\FTRTSVC.exe

C:\Program Files\Securitoo\Common\FSMB32.EXE

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\IQONAN~1\ONLNSVC.EXE

C:\Program Files\Securitoo\Common\FCH32.EXE

C:\PROGRA~1\IQONAN~1\scanwscs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Securitoo\Common\FAMEH32.EXE

C:\Program Files\Securitoo\Anti-Virus\fsqh.exe

C:\Program Files\Securitoo\FSAUA\program\fsaua.exe

C:\Program Files\Securitoo\FWES\Program\fsdfwd.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\IQONAN~1\emlproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Securitoo\Common\FSM32.EXE

C:\PROGRA~1\Wanadoo\TaskBarIcon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DialMessenger\dialmessenger.exe

C:\Program Files\Securitoo\FSGUI\fsguidll.exe

C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe

C:\PROGRA~1\Wanadoo\ComComp.exe

C:\Program Files\Fichiers communs\LogiShrd\LComMgr\LVComSX.exe

C:\PROGRA~1\Wanadoo\Toaster.exe

C:\PROGRA~1\Wanadoo\Inactivity.exe

C:\PROGRA~1\Wanadoo\PollingModule.exe

C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

C:\PROGRA~1\Wanadoo\Watch.exe

C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Wanadoo\WOOBrowser\WOOBrowser.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.msn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer optimisé pour MSN

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - C:\Program Files\Video ActiveX Access\iesplg.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: C:\PROGRA~1\IQONAN~1\emlproxy.exe

O4 - HKLM\..\Run: [scanner Reminder] C:\PROGRA~1\IQONAN~1\remind.exe

O4 - HKLM\..\Run: [update Scheduler] C:\PROGRA~1\IQONAN~1\UPSCHD.EXE /CHECK

O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\IQONAN~1\CATEYE.EXE

O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\IQONAN~1\SCANMSG.EXE

O4 - HKLM\..\Run: [Activate Scanner] C:\PROGRA~1\IQONAN~1\ACTIVATE.EXE

O4 - HKLM\..\Run: [startup Scan] C:\PROGRA~1\IQONAN~1\sensor.exe /loadrun

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\GestMaj.exe TaskBarIcon.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Securitoo\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Securitoo\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

O4 - HKLM\..\RunOnce: [startup Scan] C:\PROGRA~1\IQONAN~1\sensor.exe /check

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx

O4 - HKCU\..\Run: [DialMessenger] "C:\Program Files\DialMessenger\dialmessenger.exe" -background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{ED3608C0-F62B-47AA-B829-2D274D559654}: NameServer = 85.255.114.195,85.255.112.139

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139

O22 - SharedTaskScheduler: adirondack - {547aaa89-7e6b-42b4-b112-a64955f86a2a} - C:\WINDOWS\system32\zpuwriz.dll (file missing)

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Securitoo\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Securitoo\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Securitoo\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Securitoo\Common\FSMA32.EXE

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\IQONAN~1\ONLNSVC.EXE

O23 - Service: iQon Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\IQONAN~1\scanwscs.exe

 

--

End of file - 9990 bytes

 

 

Je vais télécharger combofix et t'envoyer le rapport dans ma prochaine réponse !

 

Merci encore pour ton aide

Modifié le 5 décembre 2007 par blackcrichton

[blackcrichton]

Et voilà pour finir le rapport issu de Combofix.

 

 

 

ComboFix 07-12-02.7 - Vincent HILAIRE 05/12/2007 23:10:01.1 - NTFSx86

Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.93 [GMT 1:00]

Running from: C:\Documents and Settings\Vincent HILAIRE\Bureau\combofix.exe

* Created a new restore point

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\3456346345643.exe

C:\Program Files\video activex access

C:\Program Files\video activex access\iesmin.exe

C:\Program Files\video activex access\iesplg.dll

C:\Program Files\video activex access\ot.ico

C:\Program Files\video activex access\ts.ico

C:\Program Files\video activex access\uninst.exe

C:\WINDOWS\system32\uninstall.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

-------\LEGACY_DRIVER

-------\LEGACY_MSDIRECT

 

 

((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-11-05 to 2007-12-05 ))))))))))))))))))))))))))))))))))))

.

 

2007-12-05 22:59 . 2007-12-05 23:14 <REP> d-------- C:\WINDOWS\LastGood.Tmp

2007-12-05 22:47 . 2007-12-05 22:47 <REP> d-------- C:\WINDOWS\ERUNT

2007-12-05 21:31 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-12-05 21:31 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-12-05 19:34 . 2007-12-05 19:34 <REP> d-------- C:\Program Files\CCleaner

2007-12-05 19:31 . 2007-12-05 19:31 2,724,328 --a------ C:\Program Files\ccsetup203.exe

2007-12-05 18:54 . 2007-02-03 19:27 938,272 -ra------ C:\WINDOWS\system32\drivers\LV302V32.SYS

2007-12-05 18:48 . 2007-12-05 18:48 <REP> d-------- C:\Program Files\Logitech

2007-12-05 18:48 . 2007-12-05 18:54 <REP> d-------- C:\Program Files\Fichiers communs\LogiShrd

2007-12-05 18:48 . 2007-12-05 18:48 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Logitech

2007-12-05 18:48 . 2007-12-05 18:48 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd

2007-12-04 20:38 . 2007-12-04 20:38 <REP> d-------- C:\Program Files\Trend Micro

2007-12-04 18:31 . 2007-12-04 18:31 <REP> d-------- C:\VundoFix Backups

2007-12-02 22:07 . 2007-12-02 22:10 <REP> d-------- C:\Program Files\AdvancedCleaner Free

2007-12-02 22:07 . 2003-03-19 08:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll

2007-11-30 19:34 . 2007-11-30 19:34 244 --ah----- C:\sqmnoopt04.sqm

2007-11-30 19:34 . 2007-11-30 19:34 232 --ah----- C:\sqmdata04.sqm

2007-11-29 23:14 . 2007-11-29 23:14 244 --ah----- C:\sqmnoopt03.sqm

2007-11-29 23:14 . 2007-11-29 23:14 232 --ah----- C:\sqmdata03.sqm

2007-11-29 18:36 . 2004-08-03 23:00 8,192 --a------ C:\WINDOWS\system32\drivers\changer.sys

2007-11-29 18:36 . 2004-08-03 23:00 8,192 --a--c--- C:\WINDOWS\system32\dllcache\changer.sys

2007-11-28 23:21 . 2007-11-28 23:21 244 --ah----- C:\sqmnoopt02.sqm

2007-11-28 23:21 . 2007-11-28 23:21 232 --ah----- C:\sqmdata02.sqm

2007-11-28 19:15 . 2007-12-02 23:22 980 --a------ C:\0xf9.exe

2007-11-25 22:15 . 2007-11-25 22:15 244 --ah----- C:\sqmnoopt01.sqm

2007-11-25 22:15 . 2007-11-25 22:15 232 --ah----- C:\sqmdata01.sqm

2007-11-18 14:56 . 2007-11-18 14:56 221,696 --a------ C:\WINDOWS\system32\PowerVideo.dll

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-05 22:14 --------- d-----w C:\Program Files\Wanadoo

2007-12-05 22:14 --------- d-----w C:\Program Files\iQon AntiVirus

2007-12-05 19:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-05 19:38 --------- d-----w C:\Program Files\Grandia2

2007-11-30 19:23 --------- d-----w C:\Program Files\GameSpy Arcade

2007-11-02 13:49 --------- d-----w C:\Program Files\AbiSuite2

2007-10-13 17:08 --------- d-----w C:\Program Files\Windows Live Toolbar

2007-10-13 17:08 --------- d-----w C:\Program Files\Windows Live Favorites

2007-10-10 17:16 --------- d-----w C:\Program Files\Java

2007-08-29 19:35 3,269,904 ----a-w C:\Program Files\DivXWebPlayerInstallerBeta2.exe

2007-04-14 19:18 20 ----a-w C:\Program Files\log.txt

.

 

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 20:00]

"WOOKIT"="C:\Program Files\Wanadoo\Shell.exe" [2004-08-23 13:50]

"DialMessenger"="C:\Program Files\DialMessenger\dialmessenger.exe" [2007-08-09 17:49]

"DriverLoad"="" []

"DriverCheck"="" []

"SystemDriverLoad"="" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2005-03-08 10:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2005-03-12 00:33 C:\WINDOWS\system32\VTTrayp.exe]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 02:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-21 02:54]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-18 08:18]

"Email Protection"="C:\PROGRA~1\IQONAN~1\emlproxy.exe" [2006-10-11 18:11]

"Scanner Reminder"="C:\PROGRA~1\IQONAN~1\remind.exe" [2006-10-11 18:11]

"Update Scheduler"="C:\PROGRA~1\IQONAN~1\UPSCHD.exe" [2006-10-11 18:11]

"On-Line Protection"="C:\PROGRA~1\IQONAN~1\CATEYE.EXE" [2006-10-11 18:11]

"Activate Scanner"="C:\PROGRA~1\IQONAN~1\ACTIVATE.EXE" [2006-10-11 18:11]

"Startup Scan"="C:\PROGRA~1\IQONAN~1\sensor.exe" [2006-10-11 18:11]

"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 C:\WINDOWS\SOUNDMAN.EXE]

"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2004-08-23 13:49]

"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\GestMaj.exe" [2004-10-14 15:55]

"F-Secure Manager"="C:\Program Files\Securitoo\Common\FSM32.exe" [2007-02-27 13:45]

"F-Secure TNB"="C:\Program Files\Securitoo\FSGUI\TNBUtil.exe" []

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

"LogitechCommunicationsManager"="C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 01:13]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Startup Scan"="C:\PROGRA~1\IQONAN~1\sensor.exe" [2006-10-11 18:11]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 20:00]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55]

 

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys

R0 ScreenNT;ScreenNT;C:\WINDOWS\system32\drivers\ScreenNT.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\VIAMRAID.SYS

R2 EMLSS;EMLSS;C:\WINDOWS\system32\drivers\emltdi.sys

R2 OnlineNT;OnlineNT;\??\C:\PROGRA~1\IQONAN~1\ONLINENT.SYS

R2 X4HSX32;X4HSX32;\??\C:\Program Files\Metaboli Player\X4HSX32.Sys

S1 F-Secure HIPS;F-Secure HIPS;\??\C:\Program Files\Securitoo\HIPS\fshs.sys

S2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Securitoo\Anti-Virus\Win2K\FSfilter.sys

S2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Securitoo\Anti-Virus\win2k\fsgk.sys

S2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Securitoo\Anti-Virus\Win2K\FSrec.sys

S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\setup.exe

\Shell\LVIPCAP\command - D:\techsupt\CaptureTest\Amcap8.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a71db31-590d-11db-9415-806d6172696f}]

\shell\PlayWithPowerDVD\Command - "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"

 

.

Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'

"2007-09-16 09:43:44 C:\WINDOWS\Tasks\Scheduled scanning task.job"

- C:\PROGRA~1\SECURI~1\ANTI-V~1\fsav.exe

"2007-12-05 22:12:00 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"

.

**************************************************************************

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

**************************************************************************

.

Completion time: 2007-12-05 23:15:49 - machine was rebooted

.

--- E O F ---

 

 

 

 

Les choses semblent déjà aller beaucoup, beaucoup, mieux !

 

Un big thank you

[bruce lee]

Bonjour,

 

Merci de me poster le rapport de Fixwareout.

 

Connais-tu DialMessenger?

 

* Double cliquer sur smitfraudfix.exe

* Sélectionner 2 dans le menu pour supprimer les fichiers responsables de l'infection.

* A la question: Voulez-vous nettoyer le registre ? répondre O (oui)

Poste le rapport.

 

Poste également un nouveau rapport HijackThis.