Besoin d aide PC Infecté

Moumoune · le 11 mars 2008

Bonjour,

J ai le PC portable qui est infecté.

N arrivant pas à m'en sortir, j ai installé antivir. Avast était mon antivirus jusqu'a ce jour et bien qu il ma informé de trojans, ils reviennent systematiquement, et le PC rame voit se bloque

J ai vraiment besoin d aide

Voici ma configuration

Systeme :

Microsoft Windows XP Edition Familiale

Version 2002

Service Pack 2

Utilisateur Moumoune

55639-OEM-0011903-00117

Fujitsu Siemens Computer

Mobile

Mobile AMD Athlon XP-M

2600+

1,99GHz, 480 MO de Ram

Navigateur internet ie7

J ai fait un scan antivir dont voici le rapport :

AntiVir PersonalEdition Classic

Report file date: mardi 11 mars 2008 17:52

Scanning for 1142431 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: SYSTEM

Computer name: GADIS

Version information:

BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00

AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29

AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51

LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47

LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15

ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 15:51:12

ANTIVIR2.VDF : 7.0.3.3 2048 Bytes 07/03/2008 15:51:12

ANTIVIR3.VDF : 7.0.3.16 76800 Bytes 11/03/2008 15:51:12

AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 11/03/2008 15:51:13

AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26

AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24

AVPACK32.DLL : 7.6.0.3 360488 Bytes 11/03/2008 15:51:13

AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06

AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33

AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18

NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42

RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13

RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37

SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: C:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: mardi 11 mars 2008 17:52

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'webshots.scr' - '1' Module(s) have been scanned

Scan process 'Printkey 2000 Fr.exe' - '1' Module(s) have been scanned

Scan process 'soffice.bin' - '1' Module(s) have been scanned

Scan process 'soffice.exe' - '1' Module(s) have been scanned

Scan process 'reader_sl.exe' - '1' Module(s) have been scanned

Scan process 'WLANUTL.exe' - '1' Module(s) have been scanned

Scan process 'pv.exe' - '1' Module(s) have been scanned

Scan process 'MalwareAlarm.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'ashDisp.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'TWCU.exe' - '1' Module(s) have been scanned

Scan process 'MsgPlus.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'ashWebSv.exe' - '1' Module(s) have been scanned

Scan process 'ashMaiSv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'slserv.exe' - '1' Module(s) have been scanned

Scan process 'gemback.exe' - '1' Module(s) have been scanned

Scan process 'GemServ.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'acs.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'ashServ.exe' - '1' Module(s) have been scanned

Scan process 'aswUpdSv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

46 processes with 46 modules were scanned

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Starting to scan the registry.

C:\WINDOWS\system32\brwvnpoy.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '484db965.qua'!

C:\WINDOWS\system32\brwvnpoy.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

C:\WINDOWS\system32\uhuxruhg.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '484bb95e.qua'!

C:\WINDOWS\system32\uhuxruhg.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

The registry was scanned ( '28' files ).

Starting the file scan:

Begin scan in 'C:\' <SYSTEM>

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\Moumoune\Local Settings\Temp\_bm1fcmlkcmFkaXBfbWFfa3cxX21hNWZycw_dmlydXM_bm1fNjg1NjRfMzZmMDM2YWViODYyMTF

kYzhhNWRmNjg1NjRlZmZmZmZfOGE1ZGJlMDE4Y2M1NGRlYTg0M2ZlYWYyMDhmZmYxZjQ_.exe

[DETECTION] Is the Trojan horse TR/Peed.A.74

[iNFO] The file was moved to '4843bb97.qua'!

C:\Documents and Settings\Moumoune\Local Settings\Temp\_bm1fcmlkcmFkaXBfbWFfa3cxX21hNWZycw_ZG93bmxvYWQ_bm1fNjg1NjRfMzZmMDM2YWViODY

yMTFkYzhhNWRmNjg1NjRlZmZmZmZfOGE1ZGJlMDE4Y2M1NGRlYTg0M2ZlYWYyMDhmZmYxZjQ_.exe

[DETECTION] Is the Trojan horse TR/Peed.A.74

[iNFO] The file was moved to '4843bb9e.qua'!

C:\Documents and Settings\Moumoune\Local Settings\Temp\_bm1fcmlkX21hX2t3MV9tYTVmcnM_c29mdA_bm1fNjg1NjRfMzZmMDM2YWViODYyMTFkYzhhNWR

mNjg1NjRlZmZmZmZfOGE1ZGJlMDE4Y2M1NGRlYTg0M2ZlYWYyMDhmZmYxZjQ_.exe

[DETECTION] Is the Trojan horse TR/Peed.A.74

[iNFO] The file was moved to '4843bba3.qua'!

C:\Documents and Settings\Moumoune\Local Settings\Temporary Internet Files\Content.IE5\LP4PSD1O\CA6P318K

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '480cbba1.qua'!

C:\Documents and Settings\Moumoune\Local Settings\Temporary Internet Files\Content.IE5\RJT3MEX7\CAEJ4TQF

[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen

[iNFO] The file was moved to '481bbbe9.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP668\A0130254.vbs

[DETECTION] Is the Trojan horse TR/Small.WY

[iNFO] The file was moved to '4807c4a7.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP669\A0130274.exe

[DETECTION] Contains detection pattern of the dropper DR/MartShop.2

[iNFO] The file was moved to '4807c4c1.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP680\A0132985.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c594.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP683\A0135064.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c5bc.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP683\A0135077.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c5bf.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP684\A0135102.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c5c5.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP685\A0136546.exe

[DETECTION] Is the Trojan horse TR/Peed.A.74

[iNFO] The file was moved to '4807c6e0.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137147.exe

[DETECTION] Is the Trojan horse TR/Peed.A.74

[iNFO] The file was moved to '4807c6e7.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137176.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c6ee.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137177.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c6f2.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137178.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c6f5.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137180.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c6f8.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137182.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c6fc.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137200.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c700.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137201.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c703.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0137203.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c706.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0138357.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c74a.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP686\A0138358.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c74d.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138409.exe

[DETECTION] Is the Trojan horse TR/Peed.A.74

[iNFO] The file was moved to '4807c756.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138438.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c75a.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138439.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c75c.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138440.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c75e.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138442.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c760.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138444.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c762.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138462.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c765.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138463.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c767.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0138465.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c769.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0139618.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c7b0.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0139619.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c7b2.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP687\A0139667.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[iNFO] The file was moved to '4807c7b7.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP688\A0141658.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c7bd.qua'!

C:\System Volume Information\_restore{F52AFF6A-D3C5-474B-930A-91214A130311}\RP688\A0141659.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4807c7c0.qua'!

C:\WINDOWS\xpupdate.exe

[DETECTION] Is the Trojan horse TR/Peed.A.74

[iNFO] The file was moved to '484bc816.qua'!

C:\WINDOWS\Downloaded Program Files\webinst.dll

[WARNING] 'Is the Trojan horse TR/Peed.A.74'. This detection is probably an error. Please send us this file immediately for further analysis.

C:\WINDOWS\system32\atuupoey.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '484bcc97.qua'!

C:\WINDOWS\system32\awttr.dll

[DETECTION] Is the Trojan horse TR/Vundo.EBV

[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003

[WARNING] The file could not be deleted!

C:\WINDOWS\system32\baxoqkay.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '484ecce0.qua'!

C:\WINDOWS\system32\cmaslthb.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003

[WARNING] The file could not be deleted!

C:\WINDOWS\system32\jkklk.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4841cd29.qua'!

C:\WINDOWS\system32\loqpkrgw.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4847cd37.qua'!

C:\WINDOWS\system32\oxfmdyys.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '483ccd74.qua'!

C:\WINDOWS\system32\pjxjabmj.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '484ecd6e.qua'!

C:\WINDOWS\system32\qaaqrujb.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '4837cd69.qua'!

C:\WINDOWS\system32\yayxv.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[iNFO] The file was moved to '484fcdb7.qua'!

End of the scan: mardi 11 mars 2008 19:22

Used time: 1:30:16 min

The scan has been done completely.

5085 Scanning directories

370115 Files were scanned

49 viruses and/or unwanted programs were found

1 Files were classified as suspicious:

0 files were deleted

0 files were repaired

48 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

370066 Files not concerned

8053 Archives were scanned

4 Warnings

11 Notes

Merci d avance

Lien Rag · le 11 mars 2008

Bonsoir

Télécharge HijackThis

Tuto réalisé par Bruce Lee : http://cybersecurite.xooit.com/t138-HijackThis-2-0-2.htm

Clique alors sur "Do a system scan and save a logfile"

Le scan se fait très rapidement, puis un bloc-note apparaît

(le "logfile")

Dans ce bloc-note, va dans "Edition", puis "Selectionner Tout",

le texte est alors séléctionné, retourne dans "Edition" toujours

en laissant le texte séléctionné, et clique sur copier.

Colle le contenu ici dans ta prochaine réponse

Moumoune · le 11 mars 2008

Bonsoir,

Voici le rapport que tu m as demandé

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:42:18, on 11/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\acs.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AMD\PowerNow!\GemServ.exe

C:\Program Files\AMD\PowerNow!\gemback.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\TP-LINK\TWCU\TWCU.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MalwareAlarm\pv.exe

C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\Program Files\PrintKey 2000 Fr\Printkey 2000 Fr.exe

C:\PROGRA~1\Webshots\webshots.scr

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\Moumoune\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE

O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [xpha5f2d] RUNDLL32.EXE w069137f.dll,n 002a5f2b0000000a069137f

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Startup: PrintKey 2000 Fr.lnk = C:\Program Files\PrintKey 2000 Fr\Printkey 2000 Fr.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O15 - Trusted Zone: http://*.aufeminin.com

O15 - Trusted Zone: http://hoylegames.sierra.com

O16 - DPF: {00000000-0000-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int20.exe

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.drivecleaner.com/installdrivecleanerstart_fr.cab

O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst_fr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154872230061

O20 - AppInit_DLLs: 303169590.dll

O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW91bW91bmU\command.exe (file missing)

O23 - Service: AMD PowerNow! Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\PowerNow!\GemServ.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--

End of file - 5618 bytes

Lien Rag · le 11 mars 2008

Deja

Desinstallation de Avast

ensuite garde Avira càd 1 seul antivirus ( sinon risque de planter la bécane)

Puis fais ceci dans l'ordre

1) Télécharge SmitFraudFix

Double clic sur SmitfraudFix.exe pour le lancer

Choisis l'option 1 (Recherche)

Post le rapport

2) Redémarre en mode sans échec (F8 lors du boot)

Relance SmitfraudFix et choisis cette fois l’option 2 et réponds oui à chaque question

3) Redémarre en mode normal

Post le 2ème rapport

Moumoune · le 12 mars 2008

Re

Désolée j ai été longue je suis sur le pc fixe pour poster car je n arrivais pas mon pc se bloquait;

j ai fait les deux rapports comme tu m as demandé.

lors du premier rapport tout c est bien passé.

pour le 2eme en faisant F8 pour le mode sans échec je suis tombé sur un ecran tout en anglais alors j ai quitté

j ai fait msconfig et j ai démarré en mode diagnostic. Je pensais que c etait la meme chose mais il ne semble pas le rapport dis mode normal.

J en profite pour te poser une question. A l ouverture du pc j ai trois possibilités avant la mire windows XP

F2 Bios setup

F12 Boot setup

Escap Skip Boot logo

Est ce une de ses touches que je devais choisir pour le mode sans echec?

Pour récupérer les rapports, comme les trojans s affolait avant meme d avoir la possibilité de recup les 2 rapports j ai supprimer la connexion Internet et apres x tentatives j ai reussit a désactiver antivir.

Voici le 1er rapport :

SmitFraudFix v2.301

Rapport fait à 0:12:12,10, 12/03/2008

Executé à partir de C:\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Le type du système de fichiers est NTFS

Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\acs.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AMD\PowerNow!\GemServ.exe

C:\Program Files\AMD\PowerNow!\gemback.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\TP-LINK\TWCU\TWCU.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MalwareAlarm\pv.exe

C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\Program Files\PrintKey 2000 Fr\Printkey 2000 Fr.exe

C:\PROGRA~1\Webshots\webshots.scr

C:\Documents and Settings\Moumoune\Bureau\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\keyboard1.dat PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Moumoune

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Moumoune\Application Data

C:\Documents and Settings\Moumoune\Application Data\Install.dat PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Moumoune\Favoris

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Ma page d'accueil"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="303169590.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: TP-LINK 11b/g Wireless Adapter - Miniport d'ordonnancement de paquets

DNS Server Search Order: 192.168.1.1

DNS Server Search Order: 194.98.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{60D41BCE-4A63-4BAE-82CD-A1A772AF98CD}: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{60D41BCE-4A63-4BAE-82CD-A1A772AF98CD}: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{60D41BCE-4A63-4BAE-82CD-A1A772AF98CD}: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Voici le 2eme rapport :

SmitFraudFix v2.301

Rapport fait à 0:34:18,64, 12/03/2008

Executé à partir de C:\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Le type du système de fichiers est NTFS

Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

C:\WINDOWS\keyboard1.dat supprimé

C:\Documents and Settings\Moumoune\Application Data\Install.dat supprimé

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Et merci beaucoup pour ton aide

Moumoune · le 12 mars 2008

Bonjour,

En premier lieu : excusez les fautes

J ai omis de préciser hier que j ai bien désinstallé Avast

J ai enfin réussit a démarrer en mode sans échec. En fait hier j avais omis par msconfig de cocher le safeboot dans boot.ini

J ai du désinstallé aussi antivir, je n arrivais à rien faire sur le pc. J avais systématiquement une détection awttr.dll

J’ai aussi fait un scan en ligne trend micro, qui n’ a pas pu désinsfecter C/windows/system32/awttr.dll et

HKLM/sofware/Microsoft/windows/current Controlset/services :cmdservices/

J’ai passé Ccleaner et Spybot

J’ai supprimé les fichiers temporaires , désinstallé hijackthis et smitfraudfix.

Je les ai réistallé et voici les rapports.

Rapport Hijacthis :

Logfile of HijackThis v1.99.1

Scan saved at 13:07:40, on 12/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\acs.exe

C:\Program Files\AMD\PowerNow!\GemServ.exe

C:\Program Files\AMD\PowerNow!\gemback.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TP-LINK\TWCU\TWCU.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe

C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe

C:\Program Files\PrintKey 2000 Fr\Printkey 2000 Fr.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Hijackthis Version Française\hijackthis vf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6E311DED-7CCE-4316-8129-02BC4FB8ADA9} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {B345485C-9BF6-4A89-A073-80F9E5DF31C7} - C:\WINDOWS\system32\awttr.dll

O2 - BHO: (no name) - {B605FEB1-F0C3-412A-9F64-56F486CE056F} - (no file)

O2 - BHO: {109b8101-5b91-003b-3474-591a536a010d} - {d010a635-a195-4743-b300-19b51018b901} - C:\WINDOWS\system32\yesvailc.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [6ce91a53] rundll32.exe "C:\WINDOWS\system32\dlmubgfe.dll",b

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Startup: PrintKey 2000 Fr.lnk = C:\Program Files\PrintKey 2000 Fr\Printkey 2000 Fr.exe

O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O15 - Trusted Zone: http://*.aufeminin.com

O15 - Trusted Zone: http://hoylegames.sierra.com

O16 - DPF: {00000000-0000-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int20.exe

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.drivecleaner.com/installdrivecleanerstart_fr.cab

O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst_fr.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154872230061

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - AppInit_DLLs: 303169590.dll

O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\r6r6lg9s16.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW91bW91bmU\command.exe (file missing)

O23 - Service: AMD PowerNow! Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\PowerNow!\GemServ.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Voici le rapport Smitfraudfix en mode normal :

SmitFraudFix v2.301

Rapport fait à 13:31:53,08, 12/03/2008

Executé à partir de C:\Documents and Settings\Moumoune\Bureau\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Le type du système de fichiers est NTFS

Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\acs.exe

C:\Program Files\AMD\PowerNow!\GemServ.exe

C:\Program Files\AMD\PowerNow!\gemback.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TP-LINK\TWCU\TWCU.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe

C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe

C:\Program Files\PrintKey 2000 Fr\Printkey 2000 Fr.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\xpupdate.exe PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Moumoune

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Moumoune\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Moumoune\Favoris

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="303169590.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: TP-LINK 11b/g Wireless Adapter - Miniport d'ordonnancement de paquets

DNS Server Search Order: 192.168.1.1

DNS Server Search Order: 194.98.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{60D41BCE-4A63-4BAE-82CD-A1A772AF98CD}: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{60D41BCE-4A63-4BAE-82CD-A1A772AF98CD}: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Voici le rapport Smitfraudfix en mode sans échec :

SmitFraudFix v2.301

Rapport fait à 13:43:36,78, 12/03/2008

Executé à partir de C:\Documents and Settings\Moumoune\Bureau\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Le type du système de fichiers est NTFS

Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

C:\WINDOWS\xpupdate.exe supprimé

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{60D41BCE-4A63-4BAE-82CD-A1A772AF98CD}: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{60D41BCE-4A63-4BAE-82CD-A1A772AF98CD}: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Merci d’avance de prendre du temps pour m aider

Lien Rag · le 12 mars 2008

Pourquoi ton dernier rapport Hijack est il sur l'ancienne version .

Pourquoi Avira n'est plus installé

Post moi un Hijack avec la version que je t'ai mis en lien dans mon premier post et que tu dois avoir sur ton bureau

Installe bien Avira si ce n'est pas deja fait ( dans l'hypothese : tu as posté un vieux rapport )

à te lire

Moumoune · le 12 mars 2008

Bonsoir lien Rag,

Comme je te l ai noté dans un précédent message les détections successives ne me permettaient pas de telecharger sur ce PC d 'ou la desinstallation d antivir. J assure par clef USB entre les 2 PC.

Voici le rapport :

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:15:03, on 12/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\acs.exe

C:\Program Files\AMD\PowerNow!\GemServ.exe

C:\Program Files\AMD\PowerNow!\gemback.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TP-LINK\TWCU\TWCU.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe

C:\Program Files\PrintKey 2000 Fr\Printkey 2000 Fr.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [6ce91a53] rundll32.exe "C:\WINDOWS\system32\dlmubgfe.dll",b

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-21-1054399380-2116445722-1688842310-1009\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Serge')