
Posted

:P

 

This time it worked: SDFix ran all the way through, the PC rebooted properly after it said "finished", and I was able to retrieve the SDFix report, which is below:

 

 

SDFix: Version 1.157

 

Run by Tixu on 15/03/2008 at 12:22

 

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

Name:

aiqpbter

Google Online Search Service

hipsrv

taskmon.sys

RAG73

aiqpbter

Google Online Search Service

hipsrv

taskmon.sys

 

Path:

 

aiqpbter - Deleted

Google Online Search Service - Deleted

hipsrv - Deleted

taskmon.sys - Deleted

RAG73 - Deleted

aiqpbter - Deleted

Google Online Search Service - Deleted

hipsrv - Deleted

taskmon.sys - Deleted

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Session Manager\SubSystems:

Trojan File basetlvxl32.dll and startup entry Found!

basetlvxl32.dll will be removed after reboot if registry value is repaired

 

Resetting AppInit_DLLs value

 

 

Rebooting

 

Service asc3550p - Deleted after Reboot

Service asc3550p - Deleted after Reboot

Service asc3550p - Deleted after Reboot

Service asc3550p - Deleted after Reboot

Service asc3550p - Deleted after Reboot

 

Session Manager\SubSystems:

ServerDll value restored to basesrv.dll

Key export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]

"Windows"=%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

 

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\SYSTEM32\APKRMD~1.BMP - Deleted

C:\WINDOWS\SYSTEM32\CNMHSRQL.BMP - Deleted

C:\WINDOWS\SYSTEM32\GBATKBMD.BMP - Deleted

C:\WINDOWS\SYSTEM32\HGBEDK~1.BMP - Deleted

C:\WINDOWS\SYSTEM32\IHCRAD.BMP - Deleted

C:\WINDOWS\SYSTEM32\ILGBQL.BMP - Deleted

C:\WINDOWS\SYSTEM32\KRIPCR~1.BMP - Deleted

C:\WINDOWS\SYSTEM32\NAPOR.BMP - Deleted

C:\WINDOWS\SYSTEM32\ALGSRV.EXE - Deleted

C:\WINDOWS\SYSTEM32\FILEKAN.EXE - Deleted

C:\WINDOWS\SYSTEM32\WM05.DLL - Deleted

C:\TELXLS~1.EXE - Deleted

C:\414059~1 - Deleted

C:\WINDOWS\SYSTEM32\ADSN.DLL - Deleted

C:\WINDOWS\SYSTEM32\AUTH.DLL - Deleted

C:\WINDOWS\SYSTEM32\AVIFIL.DLL - Deleted

C:\WINDOWS\SYSTEM32\CLBCAT.DLL - Deleted

C:\WINDOWS\SYSTEM32\CLBCATE.DLL - Deleted

C:\WINDOWS\SYSTEM32\CLBCATQF.DLL - Deleted

C:\WINDOWS\SYSTEM32\CNVFA.DLL - Deleted

C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe - Deleted

C:\Documents and Settings\Tixu\Local Settings\Application Data\cftmon.exe - Deleted

C:\D.TMP - Deleted

C:\E.TMP - Deleted

C:\WINDOWS\Temp\1.dllb - Deleted

C:\WINDOWS\Temp\2.dllb - Deleted

C:\WINDOWS\Temp\5.dllb - Deleted

C:\WINDOWS\Temp\6.dllb - Deleted

C:\WINDOWS\Temp\7.dllb - Deleted

C:\Documents and Settings\LocalService\Application Data\ultra\uninstall.bat - Deleted

C:\WINDOWS\Temp\v3xd1.g22me - Deleted

C:\WINDOWS\Temp\v4xd3.ga2me - Deleted

C:\WINDOWS\Temp\v4xd6.gam5e - Deleted

C:\WINDOWS\Temp\v5xd2.g3ame - Deleted

C:\WINDOWS\Temp\v5xd4.ga2me - Deleted

C:\WINDOWS\Temp\v6xdt4.game - Deleted

C:\WINDOWS\Temp\vx1dt1.game - Deleted

C:\WINDOWS\Temp\vx1dt3.game - Deleted

C:\WINDOWS\Temp\vx3dt2.game - Deleted

C:\WINDOWS\system32\alt.exe.exe - Deleted

C:\WINDOWS\system32\shift.exe.exe - Deleted

C:\WINDOWS\Temp\v3xd1.g22me - Deleted

C:\WINDOWS\Temp\v4xd3.ga2me - Deleted

C:\WINDOWS\Temp\v4xd6.gam5e - Deleted

C:\WINDOWS\Temp\v5xd2.g3ame - Deleted

C:\WINDOWS\Temp\v5xd4.ga2me - Deleted

C:\WINDOWS\Temp\v6xdt4.game - Deleted

C:\WINDOWS\Temp\vx1dt1.game - Deleted

C:\WINDOWS\Temp\vx1dt3.game - Deleted

C:\WINDOWS\Temp\vx3dt2.game - Deleted

C:\Program Files\IE Extensions\cj.v2.dll - Deleted

C:\WINDOWS\system32\msgk230.exe - Deleted

C:\WINDOWS\system32\msgk374.exe - Deleted

C:\WINDOWS\system32\msgk387.exe - Deleted

C:\WINDOWS\system32\msgk414.exe - Deleted

C:\WINDOWS\system32\msgk421.exe - Deleted

C:\WINDOWS\system32\msgk427.exe - Deleted

C:\WINDOWS\system32\msgk449.exe - Deleted

C:\Documents and Settings\Tixu\ie_updates3r.exe - Deleted

C:\findfast.exe - Deleted

C:\WINDOWS\system32\clbcat.dll - Deleted

C:\WINDOWS\system32\crypts.dll - Deleted

C:\WINDOWS\system32\mswinup.exe - Deleted

C:\WINDOWS\system32\svchost.t__ - Deleted

C:\WINDOWS\system32\sys_2.dll - Deleted

C:\WINDOWS\system32\winlogans.tmp - Deleted

C:\WINDOWS\system32\winlugan.exe - Deleted

C:\WINDOWS\system32\winmed.exe - Deleted

C:\WINDOWS\system32\winsvcup.exe - Deleted

C:\WINDOWS\system32\winupsvc.exe - Deleted

C:\WINDOWS\system32\WLCtrl32.dll - Deleted

C:\WINDOWS\system32\wm05.dll - Deleted

C:\WINDOWS\system32\wmldap.dll - Deleted

C:\WINDOWS\taskmon.exe - Deleted

C:\WINDOWS\Temp\babkinepaxnut.exe - Deleted

C:\WINDOWS\Temp\iframestat.exe - Deleted

C:\WINDOWS\SYSTEM32\AHGJML~1.BMP - Deleted

C:\WINDOWS\SYSTEM32\CNEDKJ~1.BMP - Deleted

C:\WINDOWS\SYSTEM32\JMPORQ~1.BMP - Deleted

C:\WINDOWS\SYSTEM32\QPOJMP.BMP - Deleted

C:\WINDOWS\SYSTEM32\REDGFA~1.BMP - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\1.dllb - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\2.dllb - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\5.dllb - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\6.dllb - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\7.dllb - Deleted

C:\SDFix\backups_old1\1.dllb - Deleted

C:\SDFix\backups_old1\2.dllb - Deleted

C:\SDFix\backups_old1\5.dllb - Deleted

C:\SDFix\backups_old1\6.dllb - Deleted

C:\SDFix\backups_old1\7.dllb - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\v3xd1.g22me - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\v4xd3.ga2me - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\v4xd6.gam5e - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\v5xd2.g3ame - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\v5xd4.ga2me - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\v6xdt4.game - Deleted

C:\SDFix\backups_old1\v3xd1.g22me - Deleted

C:\SDFix\backups_old1\v4xd3.ga2me - Deleted

C:\SDFix\backups_old1\v4xd6.gam5e - Deleted

C:\SDFix\backups_old1\v5xd2.g3ame - Deleted

C:\SDFix\backups_old1\v5xd4.ga2me - Deleted

C:\SDFix\backups_old1\v6xdt4.game - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\vx1dt1.game - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\vx1dt3.game - Deleted

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\vx3dt2.game - Deleted

C:\SDFix\backups_old1\vx1dt1.game - Deleted

C:\SDFix\backups_old1\vx1dt3.game - Deleted

C:\SDFix\backups_old1\vx3dt2.game - Deleted

C:\WINDOWS\system32\basetlvxl32.dll - Deleted

C:\WINDOWS\system32\basetlvxl32.dll - Deleted

C:\WINDOWS\system32\basetlvxl32.dll - Deleted

C:\WINDOWS\system32\basetlvxl32.dll - Deleted

C:\WINDOWS\system32\basetlvxl32.dll - Deleted

C:\SDFix\backups_old1\1.dllb - Deleted

C:\SDFix\backups_old1\2.dllb - Deleted

C:\SDFix\backups_old1\5.dllb - Deleted

C:\SDFix\backups_old1\6.dllb - Deleted

C:\SDFix\backups_old1\7.dllb - Deleted

C:\SDFix\backups_old1\v3xd1.g22me - Deleted

C:\SDFix\backups_old1\v4xd3.ga2me - Deleted

C:\SDFix\backups_old1\v4xd6.gam5e - Deleted

C:\SDFix\backups_old1\v5xd2.g3ame - Deleted

C:\SDFix\backups_old1\v5xd4.ga2me - Deleted

C:\SDFix\backups_old1\v6xdt4.game - Deleted

C:\SDFix\backups_old1\vx1dt1.game - Deleted

C:\SDFix\backups_old1\vx1dt3.game - Deleted

C:\SDFix\backups_old1\vx3dt2.game - Deleted

C:\SDFix\backups_old1\1.dllb - Deleted

C:\SDFix\backups_old1\2.dllb - Deleted

C:\SDFix\backups_old1\5.dllb - Deleted

C:\SDFix\backups_old1\6.dllb - Deleted

C:\SDFix\backups_old1\7.dllb - Deleted

C:\SDFix\backups_old1\v3xd1.g22me - Deleted

C:\SDFix\backups_old1\v4xd3.ga2me - Deleted

C:\SDFix\backups_old1\v4xd6.gam5e - Deleted

C:\SDFix\backups_old1\v5xd2.g3ame - Deleted

C:\SDFix\backups_old1\v5xd4.ga2me - Deleted

C:\SDFix\backups_old1\v6xdt4.game - Deleted

C:\SDFix\backups_old1\vx1dt1.game - Deleted

C:\SDFix\backups_old1\vx1dt3.game - Deleted

C:\SDFix\backups_old1\vx3dt2.game - Deleted

C:\WINDOWS\help\aiqpbter.chm - Deleted

C:\WINDOWS\system\hipsrv.mm - Deleted

C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted

C:\WINDOWS\system32\drivers\riode32.sys - Deleted

C:\WINDOWS\system32\drivers\spools.exe - Deleted

C:\WINDOWS\system32\drivers\symavc32.sys - Deleted

C:\WINDOWS\system32\taskmon.sys - Deleted

C:\WINDOWS\system32\drivers\Qfm33.sys - Deleted

C:\WINDOWS\system32\drivers\RAG73.sys - Deleted

 

 

Could Not Remove C:\WINDOWS\system32\wowfx.dll

 

Folder C:\Program Files\IE Extensions - Removed

Folder C:\Documents and Settings\LocalService\Application Data\ultra - Removed

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-15 12:26:59

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"

"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\TEMP\\tmp.exe"="C:\\WINDOWS\\TEMP\\tmp.exe:*:Enabled:msprotector.exe"

"C:\\Documents and Settings\\LocalService\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\msprotector.exe"="C:\\WINDOWS\\System32\\msprotector.exe:*:Enabled:msprotector.exe"

"C:\\Documents and Settings\\Tixu\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Tixu\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Tixu\\Menu Démarrer\\Programmes\\Démarrage\\findfast.exe"="C:\\Documents and Settings\\Tixu\\Menu Démarrer\\Programmes\\Démarrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\autorun.exe"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"

"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\LocalService\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Tixu\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Tixu\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Tixu\\Menu Démarrer\\Programmes\\Démarrage\\findfast.exe"="C:\\Documents and Settings\\Tixu\\Menu Démarrer\\Programmes\\Démarrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\autorun.exe"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"

 

Remaining Files :

 

C:\WINDOWS\system32\wowfx.dll Found

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"

Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Thu 13 Mar 2008 41,984 ..SHR --- "C:\WINDOWS\system32\adsldpcq.exe"

Thu 13 Mar 2008 41,984 ..SHR --- "C:\WINDOWS\system32\adsldpz.exe"

Thu 13 Mar 2008 16,384 A.SH. --- "C:\WINDOWS\system32\adsnwc.dll"

Thu 13 Mar 2008 23,552 A.SH. --- "C:\WINDOWS\system32\advapi32s.dll"

Fri 20 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Fri 20 Apr 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"

Fri 14 Mar 2008 22,786 ..SHR --- "C:\WINDOWS\Installer\{8ce1b8ee-1dcf-4615-aad6-09bc6c1516d8}\zip.dll"

Wed 12 Mar 2008 23,218 ..SHR --- "C:\WINDOWS\Installer\{d0898880-296d-472d-b9ae-e18d5b9de98b}\zip.dll"

 

Finished!

 

 

After that, I ran HijackThis again; here is its report:

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:37:17, on 15/03/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\maxpaynowti1.exe

C:\WINDOWS\System32\maxpaynow1.exe

C:\WINDOWS\System32\msprotector.exe

C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Tixu\Bureau\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [ASocksrv] SocksA.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [DriveSystem] C:\WINDOWS\System32\maxpaynowti1.exe

O4 - HKLM\..\Run: [SystemDrive] C:\WINDOWS\System32\maxpaynow1.exe

O4 - HKLM\..\Run: [msprotector.exe] C:\WINDOWS\System32\msprotector.exe

O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe

O4 - HKCU\..\Run: [BSserver] FileKan.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192725910967

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

O23 - Service: Gestionnaire de connexion automatique d'accès distant RasAuto Online Search Service (RasAuto Online Search Service) - Unknown owner - C:\WINDOWS\System32\adsldpcq.exe

O23 - Service: WebClient WebClientPolicyAgent (WebClientPolicyAgent) - Unknown owner - C:\WINDOWS\System32\adsldpz.exe

 

--

End of file - 4103 bytes

 

 

Thanks again :P
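Two things in the SDFix report above are worth being able to check by hand rather than trusting a cleanup tool's one-line summary: the Session Manager\SubSystems "Windows" value, where the ServerDll=basesrv entry had been swapped for the trojan basetlvxl32.dll (which csrss.exe then loads at boot), and the Windows Firewall AuthorizedApplications list, which is full of exceptions for binaries under user profiles, Temp, and relative paths. The script below is an added example and is not part of the original post or of SDFix; the clean SubSystems value and four firewall entries are copied from the report, the "hijacked" value and the Avast entry are constructed for contrast, and the heuristics are my own rather than anything SDFix implements.

```python
"""Audit two footholds shown in the SDFix report above.

1. The Session Manager\\SubSystems "Windows" value tells csrss.exe which
   server DLLs to load; the report shows basesrv swapped for basetlvxl32.dll.
   On stock XP only basesrv and winsrv belong there.
2. The Windows Firewall AuthorizedApplications list; the report shows
   exceptions for executables under user profiles, Temp and relative paths.
"""
import re
from dataclasses import dataclass

# Clean value, copied from the SDFix key export on this page.
SUBSYSTEMS_WINDOWS_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)
# Constructed: what the value looked like while the trojan DLL was wired in.
HIJACKED_WINDOWS_VALUE = SUBSYSTEMS_WINDOWS_VALUE.replace(
    "ServerDll=basesrv,1", "ServerDll=basetlvxl32,1"
)
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}


def server_dlls(windows_value):
    """Base names of every ServerDll= token, e.g. ['basesrv', 'winsrv', 'winsrv']."""
    return [m.group(1).lower() for m in re.finditer(r"ServerDll=([^,:\s]+)", windows_value)]


def rogue_server_dlls(windows_value):
    """ServerDll names that are not part of a stock XP csrss configuration."""
    return [d for d in server_dlls(windows_value) if d not in EXPECTED_SERVER_DLLS]


# Constructed .reg excerpt: four entries taken from the report, plus one
# benign Avast entry added for contrast (not from the page).
FIREWALL_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\TEMP\\tmp.exe"="C:\\WINDOWS\\TEMP\\tmp.exe:*:Enabled:msprotector.exe"
"C:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe"="C:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe:*:Enabled:avast! Web Scanner"
'''

# Each entry is  "path"="path:scope:Enabled|Disabled:display name"
ENTRY_RE = re.compile(
    r'^"(?P<key>.*)"="(?P<path>.*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)"$'
)


@dataclass
class FirewallEntry:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_authorized_apps(reg_text):
    """Parse the AuthorizedApplications\\List lines of a .reg export."""
    entries = []
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(FirewallEntry(
                path=m.group("path").replace("\\\\", "\\"),  # undo .reg escaping
                scope=m.group("scope"),
                enabled=m.group("state") == "Enabled",
                name=m.group("name"),
            ))
    return entries


PROFILE_OR_TEMP = ("\\documents and settings\\", "\\temp\\", "\\tmp\\")


def suspicious_reasons(entry):
    """Heuristics (mine, not SDFix's) for an exception that deserves a look."""
    reasons = []
    p = entry.path.lower()
    if not re.match(r"^(%[a-z]+%|[a-z]:)\\", p):
        reasons.append("relative path: resolves against whatever the current directory is")
    if any(marker in p for marker in PROFILE_OR_TEMP):
        reasons.append("executable lives in a user profile or temp directory")
    exe = p.rsplit("\\", 1)[-1]
    if entry.name.lower().endswith(".exe") and entry.name.lower() != exe:
        reasons.append(f"display name {entry.name!r} names a different binary than {exe!r}")
    return reasons


def audit_firewall(reg_text):
    """Map path -> reasons for every enabled exception that trips a heuristic."""
    findings = {}
    for entry in parse_authorized_apps(reg_text):
        reasons = suspicious_reasons(entry)
        if entry.enabled and reasons:
            findings[entry.path] = reasons
    return findings


if __name__ == "__main__":
    print("rogue ServerDll entries:", rogue_server_dlls(HIJACKED_WINDOWS_VALUE))
    for path, reasons in audit_firewall(FIREWALL_REG_EXPORT).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Note what the path heuristics do not catch: %windir%\system32\winav.exe looks like a system binary by location alone, and the sample Avast entry is clean by the same logic. Location-based checks narrow the list; whether a flagged or unflagged binary is actually malicious still has to come from the file itself (does it exist, is it signed, what does a scanner say), which is exactly what the AntiVir run later in this thread supplies.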

Posted

Very good, Hypatia!

Now that's a proper cleanup!

 

Java is not up to date, so it is less secure.

 

Go here:

http://www.download.com/Java-Runtime-Envir...4-10009607.html

 

Java Runtime Environment (JRE) 6 Update 5

Download Now

 

A new page opens.

 

Scroll down to:

 

Java Runtime Environment (JRE) 6 Update 5

Click Download

 

New page.

 

Select your platform -> Windows

Tick "I agree to the Java..."

Click Continue

 

New page

 

Tick:

Windows Online Installation

Click the orange arrow

"Click here" jre-6u5-windows-i586-p-iftw.exe

 

Once that is done, remove the older Java installations via Add/Remove Programs.

 

 

Avast vs Antivir tests

http://forum.malekal.com/viewtopic.php?f=4...fd3f7af39f95487

Uninstall Avast

http://www.avast.com/fre/avast-uninstall-utility.html

 

Download Antivir ( http://www.free-av.com).

NB: the choice of Antivir as the antivirus to use in this procedure was based on the following criteria:

--- weaknesses in your antivirus, which let malware through

--- In Safe Mode, only system processes are started, so infections are easier to remove

--- Antivir can be installed and uninstalled easily

--- Antivir is known for its effectiveness in Safe Mode

--- This tutorial makes it easy to configure

http://www.malekal.com/tutorial_antivir.php

Disable your current antivirus

 

Reboot into Safe Mode.

Run the scan

 

Download and install AVG Anti-Spyware (AVG AS)

http://www.ewido.net/en/download/

Once AVG AS is running, click "Update"

Close the program.

 

Reboot into Safe Mode

 

Run AVG AS again and choose the "Scan" tab

Then the "Settings" tab

Under the question "How to act?", click "Recommended actions" and choose "Quarantine"

Click the "Scan" tab again and run a "Complete System Scan"

 

/!\ If an infected file is detected at the end of the scan /!\

Click "Apply all actions"

 

Click "Save report", then "Save report as"

Save this text file to the desktop.

 

Reboot normally

Copy/paste the report here.

 

Post the report

 

When you run HijackThis, rename it (to Karcher.exe, for example), because some malware detects it and disables it.

 

Once that is done, please post a report.

 

Do you never update XP? We will be moving to XP3 soon.

Posted

Good evening,

The Java update and the three programs from the previous post are now done.

Below are the three reports:

 

ANTIVIR

 

 

 

AntiVir PersonalEdition Classic

Report file date: samedi 15 mars 2008 21:32

 

Scanning for 1147670 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (plain) [5.1.2600]

Username: Tixu

Computer name: PC2

 

Version information:

BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00

AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29

AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51

LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47

LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15

ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 19:26:53

ANTIVIR2.VDF : 7.0.3.3 2048 Bytes 07/03/2008 19:26:53

ANTIVIR3.VDF : 7.0.3.31 158208 Bytes 14/03/2008 19:26:53

AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 15/03/2008 19:26:54

AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26

AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24

AVPACK32.DLL : 7.6.0.3 360488 Bytes 15/03/2008 19:26:54

AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06

AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33

AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18

NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42

RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13

RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37

SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

 

Configuration settings for the scan:

Jobname..........................: Local Drives

Configuration file...............: c:\program files\avira\antivir personaledition classic\alldrives.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: D:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: samedi 15 mars 2008 21:32

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avnotify.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

11 processes with 11 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'A:\'

[NOTE] In the drive 'A:\' no data medium is inserted!

 

Starting to scan the registry.

The registry was scanned ( '21' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BraveSentry3.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '483d32f5.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '484532f1.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '484532f2.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '492cee13.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC20.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '484532f4.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC25.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '484532f3.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC26.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '492cee14.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC27.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '492cee15.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC28.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '484532f6.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '492cee17.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC31.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '484532f8.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '492cd7e7.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC34.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '492cee19.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC36.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '484532f7.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '492cee18.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC42.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '484532fa.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip

[DETECTION] Contains suspicious code GEN/PwdZIP

[INFO] The file was moved to '492cee1b.qua'!

C:\Documents and Settings\LocalService\ftpdll.dll

[DETECTION] Is the Trojan horse TR/Drop.Small.bgx

[INFO] The file was moved to '484c3302.qua'!

C:\Documents and Settings\LocalService\Application Data\printer.exe

[DETECTION] Is the Trojan horse TR/Qhost.Aes.19

[INFO] The file was moved to '48453301.qua'!

C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt

[DETECTION] Contains detection pattern of the HTML script virus HTML/Ficticious

[INFO] The file was moved to '484f32f4.qua'!

C:\Documents and Settings\Tixu\ftpdll.dll

[DETECTION] Is the Trojan horse TR/Drop.Small.bgx

[INFO] The file was moved to '484c3304.qua'!

C:\Documents and Settings\Tixu\winpmao.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[INFO] The file was moved to '484a32f9.qua'!

C:\Documents and Settings\Tixu\Bureau\catchme.zip

[0] Archive type: ZIP

--> Qfm33.sys

[DETECTION] Is the Trojan horse TR/Rootkit.Gen

--> RAG73.sys

[DETECTION] Is the Trojan horse TR/Dldr.Agent.ldb.11

--> aiqpbter.chm

[DETECTION] Is the Trojan horse TR/Rootkit.Gen

--> hipsrv.mm

[DETECTION] Is the Trojan horse TR/Rootkit.Gen

--> taskmon.sys

[DETECTION] Is the Trojan horse TR/Proxy.Agent.XO

--> asc3550p.sys

[DETECTION] Is the Trojan horse TR/Rootkit.Gen

--> riode32.sys

[DETECTION] Is the Trojan horse TR/Rootkit.Gen

--> spools.exe

[DETECTION] Is the Trojan horse TR/Drop.Agent.22528

--> symavc32.sys

[DETECTION] Is the Trojan horse TR/Rootkit.Gen

[INFO] The file was moved to '48503316.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\alt.exe.exe

[DETECTION] Is the Trojan horse TR/Agent.htt

[INFO] The file was moved to '4850332d.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\babkinepaxnut.exe

[DETECTION] Is the Trojan horse TR/Shell.Eviell

[INFO] The file was moved to '483e3323.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\cftmon.exe

[DETECTION] Is the Trojan horse TR/Drop.Agent.22528

[INFO] The file was moved to '48503328.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\crypts.dll

[DETECTION] Is the Trojan horse TR/Dldr.Ag.29696.A

[INFO] The file was moved to '48553335.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\D.tmp

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[INFO] The file was moved to '485032f1.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\findfast.exe

[DETECTION] Is the Trojan horse TR/Qhost.Aes.19

[INFO] The file was moved to '484a332d.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\ie_updates3r.exe

[DETECTION] Is the Trojan horse TR/Dldr.Tiny.x.2

[INFO] The file was moved to '483b3329.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\iframestat.exe

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

[INFO] The file was moved to '484e332a.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\msgk230.exe

[DETECTION] Is the Trojan horse TR/Dropper.Gen

[INFO] The file was moved to '48433338.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\msgk374.exe

[DETECTION] Is the Trojan horse TR/Hijacker.Gen

[INFO] The file was moved to '492aefd9.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\msgk387.exe

[DETECTION] Is the Trojan horse TR/Dldr.Small.svf

[INFO] The file was moved to '4843333a.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\msgk414.exe

[DETECTION] Contains detection pattern of the dropper DR/MicroJoiner.Gen

[INFO] The file was moved to '48433339.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\msgk421.exe

[DETECTION] Is the Trojan horse TR/Pakes.cif

[INFO] The file was moved to '492aefda.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\msgk427.exe

[DETECTION] Is the Trojan horse TR/Peed.A.41

[INFO] The file was moved to '4843333b.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\msgk449.exe

[DETECTION] Is the Trojan horse TR/Clicker.Agent.TP

[INFO] The file was moved to '492aefdb.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\shift.exe.exe

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.pb

[iNFO] The file was moved to '4845332f.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\sys_2.dll

[DETECTION] Is the Trojan horse TR/PSW.Agent.aao.1

[iNFO] The file was moved to '484f3340.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\taskmon.exe

[DETECTION] Is the Trojan horse TR/Spy.Gen

[iNFO] The file was moved to '484f3329.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\winlugan.exe

[DETECTION] Is the Trojan horse TR/Dldr.Tiny.x.2

[iNFO] The file was moved to '484a3331.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\winmed.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[iNFO] The file was moved to '4923efd2.qua'!

C:\Documents and Settings\Tixu\Bureau\SDFix\backups\WLCtrl32.dll

[DETECTION] Is the Trojan horse TR/Dldr.Agent.ldb.11

[iNFO] The file was moved to '481f3315.qua'!

C:\SDFix\backups\backups.zip

[0] Archive type: ZIP

--> backups/1.dllb

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

--> backups/2.dllb

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

--> backups/5.dllb

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

--> backups/6.dllb

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

--> backups/7.dllb

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

--> backups/v3xd1.g22me

[DETECTION] Is the Trojan horse TR/Dldr.Small.agq.4

--> backups/v4xd3.ga2me

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

--> backups/v4xd6.gam5e

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

--> backups/v5xd4.ga2me

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

--> backups/v6xdt4.game

[DETECTION] Is the Trojan horse TR/Spy.Gen

--> backups/vx1dt1.game

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

--> backups/vx1dt3.game

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

[iNFO] The file was moved to '483f3a8b.qua'!

C:\SDFix\backups_old3\alt.exe.exe

[DETECTION] Is the Trojan horse TR/Agent.htt

[iNFO] The file was moved to '48503a96.qua'!

C:\SDFix\backups_old3\babkinepaxnut.exe

[DETECTION] Is the Trojan horse TR/Shell.Eviell

[iNFO] The file was moved to '483e3a8c.qua'!

C:\SDFix\backups_old3\cftmon.exe

[DETECTION] Is the Trojan horse TR/Drop.Agent.22528

[iNFO] The file was moved to '48503a92.qua'!

C:\SDFix\backups_old3\crypts.dll

[DETECTION] Is the Trojan horse TR/Dldr.Ag.29696.A

[iNFO] The file was moved to '48553a9f.qua'!

C:\SDFix\backups_old3\D.tmp

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '48503a5b.qua'!

C:\SDFix\backups_old3\findfast.exe

[DETECTION] Is the Trojan horse TR/Qhost.Aes.19

[iNFO] The file was moved to '484a3a96.qua'!

C:\SDFix\backups_old3\ie_updates3r.exe

[DETECTION] Is the Trojan horse TR/Dldr.Tiny.x.2

[iNFO] The file was moved to '483b3a93.qua'!

C:\SDFix\backups_old3\iframestat.exe

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen

[iNFO] The file was moved to '484e3a94.qua'!

C:\SDFix\backups_old3\msgk230.exe

[DETECTION] Is the Trojan horse TR/Dropper.Gen

[iNFO] The file was moved to '48433aa2.qua'!

C:\SDFix\backups_old3\msgk374.exe

[DETECTION] Is the Trojan horse TR/Hijacker.Gen

[iNFO] The file was moved to '4925f6eb.qua'!

C:\SDFix\backups_old3\msgk387.exe

[DETECTION] Is the Trojan horse TR/Dldr.Small.svf

[iNFO] The file was moved to '48433aa4.qua'!

C:\SDFix\backups_old3\msgk414.exe

[DETECTION] Contains detection pattern of the dropper DR/MicroJoiner.Gen

[iNFO] The file was moved to '4925f6ed.qua'!

C:\SDFix\backups_old3\msgk421.exe

[DETECTION] Is the Trojan horse TR/Pakes.cif

[iNFO] The file was moved to '48433aa3.qua'!

C:\SDFix\backups_old3\msgk427.exe

[DETECTION] Is the Trojan horse TR/Peed.A.41

[iNFO] The file was moved to '4925f6ec.qua'!

C:\SDFix\backups_old3\msgk449.exe

[DETECTION] Is the Trojan horse TR/Clicker.Agent.TP

[iNFO] The file was moved to '48433aa5.qua'!

C:\SDFix\backups_old3\shift.exe.exe

[DETECTION] Contains detection pattern of the worm WORM/Zhelatin.pb

[iNFO] The file was moved to '48453a99.qua'!

C:\SDFix\backups_old3\sys_2.dll

[DETECTION] Is the Trojan horse TR/PSW.Agent.aao.1

[iNFO] The file was moved to '484f3aaa.qua'!

C:\SDFix\backups_old3\taskmon.exe

[DETECTION] Is the Trojan horse TR/Spy.Gen

[iNFO] The file was moved to '484f3a93.qua'!

C:\SDFix\backups_old3\winlugan.exe

[DETECTION] Is the Trojan horse TR/Dldr.Tiny.x.2

[iNFO] The file was moved to '484a3a9b.qua'!

C:\SDFix\backups_old3\winmed.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[iNFO] The file was moved to '492cf6d4.qua'!

C:\SDFix\backups_old3\WLCtrl32.dll

[DETECTION] Is the Trojan horse TR/Dldr.Agent.ldb.11

[iNFO] The file was moved to '481f3a7f.qua'!

C:\WINDOWS\Installer\{8ce1b8ee-1dcf-4615-aad6-09bc6c1516d8}\zip.dll

[DETECTION] Is the Trojan horse TR/Shell.Eviell

[iNFO] The file was moved to '484c3bd2.qua'!

C:\WINDOWS\Installer\{d0898880-296d-472d-b9ae-e18d5b9de98b}\zip.dll

[DETECTION] Is the Trojan horse TR/Shell.Eviell

[iNFO] The file was moved to '484c3bd4.qua'!

C:\WINDOWS\system32\adsldpcq.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '484f3c0c.qua'!

C:\WINDOWS\system32\adsldpz.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '484f3c0d.qua'!

C:\WINDOWS\system32\adsnwc.dll

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '4929f046.qua'!

C:\WINDOWS\system32\advapi32s.dll

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '48523c0e.qua'!

C:\WINDOWS\system32\ftpdll.dll

[DETECTION] Is the Trojan horse TR/Drop.Small.bgx

[iNFO] The file was moved to '484c3c38.qua'!

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt

[DETECTION] Contains detection pattern of the HTML script virus HTML/Ficticious

[iNFO] The file was moved to '484f3c70.qua'!

Begin scan in 'A:\'

Search path A:\ could not be opened!

Le périphérique n'est pas prêt.

 

Begin scan in 'D:\'

Search path D:\ could not be opened!

Le périphérique n'est pas prêt.

 

 

 

End of the scan: samedi 15 mars 2008 22:16

Used time: 43:49 min

 

The scan has been done completely.

 

1897 Scanning directories

174885 Files were scanned

76 viruses and/or unwanted programs were found

17 Files were classified as suspicious:

0 files were deleted

0 files were repaired

74 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

174809 Files not concerned

875 Archives were scanned

1 Warnings

0 Notes

 

 

 

AVG

 

 

---------------------------------------------------------

AVG Anti-Spyware - Rapport d'analyse

---------------------------------------------------------

 

+ Créé à: 23:42:40 15/03/2008

 

+ Résultat de l'analyse:

 

 

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé et sauvegardé (mise en quarantaine).

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé et sauvegardé (mise en quarantaine).

HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Erreur lors du nettoyage.

HKU\S-1-5-21-1275210071-1604221776-1801674531-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Nettoyé et sauvegardé (mise en quarantaine).

:mozilla.101:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.2o7 : Nettoyé.

:mozilla.36:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Overture : Nettoyé.

:mozilla.40:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.

:mozilla.41:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.

:mozilla.42:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.

:mozilla.43:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.

:mozilla.44:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.

:mozilla.45:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.

:mozilla.46:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.

:mozilla.106:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Sitestat : Nettoyé.

:mozilla.108:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Sitestat : Nettoyé.

:mozilla.35:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.

:mozilla.37:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.

:mozilla.38:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.

:mozilla.39:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.

:mozilla.105:C:\Documents and Settings\Tixu\Application Data\Mozilla\Firefox\Profiles\vjyjfusf.default\cookies.txt -> TrackingCookie.Weborama : Nettoyé.

 

 

Fin du rapport

 

 

 

HIJACKTHIS

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:47:49, on 15/03/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Tixu\Bureau\Karcher.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ASocksrv] SocksA.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [bSserver] FileKan.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192725910967

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

O23 - Service: Gestionnaire de connexion automatique d'accès distant RasAuto Online Search Service (RasAuto Online Search Service) - Unknown owner - C:\WINDOWS\System32\adsldpcq.exe (file missing)

O23 - Service: WebClient WebClientPolicyAgent (WebClientPolicyAgent) - Unknown owner - C:\WINDOWS\System32\adsldpz.exe (file missing)

 

--

End of file - 3905 bytes

 

 

THANK YOU for everything :P

Posted

Hello,

 

Download ToolsCleaner! by A.Rothstein to remove the programs used during the procedure.

http://a-rothstein.changelog.fr/TC/ToolsCleaner2.exe

* Save ToolsCleaner2.exe to the Desktop.

Under Vista, right-click > Run as Administrator

* Double-click it, then click Recherche (Search) --> The program will look for the utilities that were installed

------> The window may turn white during the scan, that is normal!

* Copy and paste the contents of the report that appears in the white window.

 

In HijackThis, check and fix these 2 lines

O23 - Service: Gestionnaire de connexion automatique d'accès distant RasAuto Online Search Service (RasAuto Online Search Service) - Unknown owner - C:\WINDOWS\System32\adsldpcq.exe (file missing)

O23 - Service: WebClient WebClientPolicyAgent (WebClientPolicyAgent) - Unknown owner - C:\WINDOWS\System32\adsldpz.exe (file missing)

 

If you no longer use Spybot, delete this folder

 

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery

 

otherwise uninstall Spybot, remove its leftover traces, and reinstall it.

 

Empty the Antivir and Avgas quarantines.

 

And good luck!

Posted

Hello,

 

I carried out all the last steps and everything seems OK.

Just one last question: I selected and fixed the two O23 lines in HijackThis, but they still appear in the log when I rescan afterwards. Is that normal?

 

Once again, thank you for everything

Posted

Hello,

 

is that normal?

 

They have to be disabled in the Services console.

 

Start->Run->Services.msc

 

Go to Gestionnaire de connexion automatique d'accès distant (Remote Access Auto Connection Manager)

Double-click it to open it

 

Service status

Click Stop

 

Startup type->Disabled

 

Same procedure for the Webclient service
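The two O23 entries are what remains after Antivir quarantined adsldpcq.exe and adsldpz.exe (see the scan log above): the service registrations survive with a missing binary, which is why HijackThis cannot fix them and they have to be disabled in the Services console. As an added example, not from this thread or from any of the tools it uses, this Python snippet parses HijackThis O23 lines, flags entries reported with "Unknown owner" or "(file missing)", and emits the sc.exe commands equivalent to the Stop / Disabled steps above; the sample lines are the thread's own, and the two flagging criteria are an assumption of this example.

```python
import re

# Constructed sample: the two O23 lines the helper asked to fix, copied from the
# HijackThis log in this thread, plus one legitimate service line for contrast.
SAMPLE_O23 = r"""
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gestionnaire de connexion automatique d'accès distant RasAuto Online Search Service (RasAuto Online Search Service) - Unknown owner - C:\WINDOWS\System32\adsldpcq.exe (file missing)
O23 - Service: WebClient WebClientPolicyAgent (WebClientPolicyAgent) - Unknown owner - C:\WINDOWS\System32\adsldpz.exe (file missing)
"""

# HijackThis O23 line layout (as seen in the log):
#   O23 - Service: <display name> [(<short name>)] - <owner> - <image path> [(file missing)]
# The short name in parentheses is the name services.msc and sc.exe address the service by.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def triage_o23(log_text):
    """Return [(service name, [reasons])] for every O23 entry that looks orphaned.

    Two signals taken from the log itself (assumed sufficient for this triage):
    no known publisher ('Unknown owner') and/or an image file that no longer
    exists, which is what is left once an antivirus has quarantined the binary
    but the service registration remains.
    """
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if m.group("owner").lower() == "unknown owner":
            reasons.append("unknown owner")
        if m.group("missing"):
            reasons.append("binary missing: " + m.group("path"))
        if reasons:
            findings.append((m.group("short") or m.group("display"), reasons))
    return findings


def disable_commands(log_text):
    """Command-line equivalent of the services.msc steps above (stop the service,
    then set its startup type to Disabled) for each flagged service, via sc.exe."""
    cmds = []
    for name, _reasons in triage_o23(log_text):
        cmds.append('sc stop "%s"' % name)
        # sc.exe requires the space after 'start='
        cmds.append('sc config "%s" start= disabled' % name)
    return cmds


if __name__ == "__main__":
    for name, reasons in triage_o23(SAMPLE_O23):
        print("%s: %s" % (name, "; ".join(reasons)))
    print("\n".join(disable_commands(SAMPLE_O23)))
```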

 

 

 
