Spyware secure : je nage dans le marasme

[drims]

Bonjour,

 

J'ai besoin de votre aide. J'ai vu qu'il y avait d'autres postes sur spyware secure mais j'ai pas compris grand chose... Pourriez-vous s'il vous plait m'indiquer la procédure à suivre pour me débarasser de spyware ?

 

Je me sens un peu perdue... Alors merci d'avance pour vos explications et la marche à suivre

 

Drims

[Lien Rag]

Bonsoir

 

Télécharge HijackThis

 

Tuto réalisé par Bruce Lee : http://cybersecurite.xooit.com/t138-HijackThis-2-0-2.htm

 

Clique alors sur "Do a system scan and save a logfile"

Le scan se fait très rapidement, puis un bloc-note apparaît

(le "logfile")

Dans ce bloc-note, va dans "Edition", puis "Selectionner Tout",

le texte est alors séléctionné, retourne dans "Edition" toujours

en laissant le texte séléctionné, et clique sur copier.

Colle le contenu ici dans ta prochaine réponse

[drims]

Bonsoir et merci pour ta réponse ultra-rapide ! Alors voilà le rapport est ci-dessous. Sinon c'est toujours panique à bord, d'autant qu'avast vient de me mettre 4 fichiers en quarantaine : kernel32.dll, qvdntlmw.dll, winsock.dll et wsock.dll. Puis-je les supprimer tout simplement ?

Bon, ben merci de me répondre, parce que là je suis plutôt dépassée...

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:50:30, on 26/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\eManager\anbmServ.exe

C:\Documents and Settings\All Users\Application Data\uzifcbmv\mdolevob.exe

C:\acer\epm\epm-dm.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Neuf\Kit\WiFi\9wifi.exe

C:\Program Files\antiviirus.exe

C:\Program Files\tmp0.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\eduxyjet.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\tmp1.exe

C:\Program Files\Hercules\WiFi Station\WifiStation.exe

C:\Program Files\tmp2.exe

C:\Program Files\tmp3.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://recherche.neuf.fr/ie/default.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://recherche.neuf.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.fr.netscape.com/fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://recherche.neuf.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.fr.netscape.com/fr/home/winsearch200.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.fr.netscape.com/fr/home/winsearch.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.fr.netscape.com/fr/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://recherche.neuf.fr/ie/default.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.fr.netscape.com/keyword/%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: GNX Bingo - {04618753-8BCC-4227-AE2A-4981EB17FCEF} - C:\WINDOWS\kdftlboerql.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB002" /M "Stylus C86"

O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66"

O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"

O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Autoconfigurateur WiFi Neuf] "C:\Program Files\Neuf\Kit\WiFi\9wifi.exe"

O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [gufyjtgj] C:\WINDOWS\system32\eduxyjet.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Policies\Explorer\Run: [1A1ktngkj5] C:\Documents and Settings\All Users\Application Data\uzifcbmv\mdolevob.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: WiFi Station.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.com/setup/webinst_fr.cab

O21 - SSODL: RunOnceWin - {f7b4cb73-b93c-42ac-ad7a-b506d9209431} - C:\WINDOWS\Installer\{f7b4cb73-b93c-42ac-ad7a-b506d9209431}\RunOnceWin.dll

O21 - SSODL: zip - {fc6459ac-77ec-468e-a0b6-fb08861bd2f0} - C:\WINDOWS\Installer\{fc6459ac-77ec-468e-a0b6-fb08861bd2f0}\zip.dll

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

 

--

End of file - 8081 bytes

[Lien Rag]

1) Télécharge SmitFraudFix

 

 

Double clic sur SmitfraudFix.exe pour le lancer

Choisis l'option 1 (Recherche)

Post le rapport

 

2) Redémarre en mode sans échec (F8 lors du boot)

 

Relance SmitfraudFix et choisis cette fois l’option 2 et réponds oui à chaque question

 

3) Redémarre en mode normal

Post moi le 2ème rapport

[drims]

Bonjour, voici le premier rapport :

 

SmitFraudFix v2.309

 

Rapport fait à 7:46:45,70, 29/03/2008

Executé à partir de C:\Documents and Settings\sentier nature\Bureau\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Le type du système de fichiers est FAT32

Fix executé en mode normal

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\eManager\anbmServ.exe

C:\Documents and Settings\All Users\Application Data\uzifcbmv\mdolevob.exe

C:\acer\epm\epm-dm.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Neuf\Kit\WiFi\9wifi.exe

C:\Program Files\antiviirus.exe

C:\documents and settings\sentier nature\local settings\application data\auwje.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\eduxyjet.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\tmp0.exe

C:\Program Files\Hercules\WiFi Station\WifiStation.exe

C:\Program Files\tmp1.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\tmp2.exe

C:\Program Files\tmp3.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\sentier nature

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\sentier nature\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SENTIE~1\FAVORIS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

C:\Program Files\tmp???????.exe PRESENT !

C:\Program Files\antiviirus.exe PRESENT !

C:\Program Files\tmp?.exe PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Ma page d'accueil"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

+--------------------------------------------------+

[!] Suspicious: kdftlboerql.dll

BHO: GNX Bingo - {04618753-8BCC-4227-AE2A-4981EB17FCEF}

TypeLib: {8E49CB3D-F702-47E1-8F68-7EDDC5F65B17}

Interface: {30104E21-FF0B-484C-A6CD-B2735A0D7DCE}

Interface: {41A7FC42-796E-4E9F-95F9-073EC8290138}

 

[!] Suspicious: RunOnceWin.dll

SSODL: RunOnceWin - {f7b4cb73-b93c-42ac-ad7a-b506d9209431}

 

[!] Suspicious: zip.dll

SSODL: zip - {fc6459ac-77ec-468e-a0b6-fb08861bd2f0}

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: Hercules Wireless G USB - Miniport d'ordonnancement de paquets

DNS Server Search Order: 192.168.1.1

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D48F1699-C2D2-4F96-BA73-D28F7B2848AD}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{D48F1699-C2D2-4F96-BA73-D28F7B2848AD}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Fin

[drims]

Et voici le deuxième rapport :

 

SmitFraudFix v2.309

 

Rapport fait à 7:55:49,93, 29/03/2008

Executé à partir de C:\Documents and Settings\sentier nature\Bureau\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Le type du système de fichiers est FAT32

Fix executé en mode sans echec

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

 

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

C:\WINDOWS\kdftlboerql.dll deleted.

C:\WINDOWS\Installer\{f7b4cb73-b93c-42ac-ad7a-b506d9209431}\RunOnceWin.dll deleted

C:\WINDOWS\Installer\{fc6459ac-77ec-468e-a0b6-fb08861bd2f0}\zip.dll deleted

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

 

S!Ri's WS2Fix: LSP not Found.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

 

C:\Program Files\antiviirus.exe supprimé

C:\Program Files\tmp???????.exe supprimé

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

 

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D48F1699-C2D2-4F96-BA73-D28F7B2848AD}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{D48F1699-C2D2-4F96-BA73-D28F7B2848AD}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

 

Nettoyage terminé.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Fin

[drims]

Merci de ta précieuse aide, tu m'es d'un grand secours !

 

 

Je voudrais aussi savoir si je peux supprimer sans danger pour le fonctionnement de mon ordinateur les fichiers mis en quarantaine par avast : kernel32.dll, qvdntlmw.dll, winsock.dll, wsock32.dll ?

[Lien Rag]

Je crois surtout que tu devrais changer d'antivirus

 

Desinstallation de Avast

 

http://www.malekal.com//tutorial_antivir_security_suite.php

 

Fais nous un scan avira complet ensuite et post le rapport

[drims]

Bonsoir !

J'ai désinstallé Avast pour le remplacer par Antivir. J'ai un ptit peu cafouillé par contre

Bon, du coup il y a 2 rapports... Le premier avant que je lise toute la procédure et que je m'apercoive qu'il fallait d'abord redémarrer en mode sans échec

Je l'ai interrompu en cours...

Le voici :

 

AntiVir PersonalEdition Classic

Report file date: samedi 29 mars 2008 19:36

 

Scanning for 1169688 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: SYSTEM

Computer name: ACER-86ABAAF10A

 

Version information:

BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00

AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:30

AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:52

LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:48

LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:22

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:16

ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 18:33:04

ANTIVIR2.VDF : 7.0.3.85 434176 Bytes 27/03/2008 18:33:04

ANTIVIR3.VDF : 7.0.3.92 20480 Bytes 28/03/2008 18:33:04

AVEWIN32.DLL : 7.6.0.78 3408384 Bytes 29/03/2008 18:33:04

AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:28

AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:18

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24

AVPACK32.DLL : 7.6.0.3 360488 Bytes 29/03/2008 18:33:04

AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:08

AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:34

AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:20

NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:44

RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:14

RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:38

SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:22

 

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: D:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: samedi 29 mars 2008 19:36

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned

Scan process 'ALG.EXE' - '1' Module(s) have been scanned

Scan process 'MDM.EXE' - '1' Module(s) have been scanned

Scan process 'WiFiStation.exe' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned

Scan process 'EDUXYJET.EXE' - '1' Module(s) have been scanned

Module is infected -> 'C:\WINDOWS\system32\eduxyjet.exe'

Scan process 'MSMSGS.EXE' - '1' Module(s) have been scanned

Scan process 'AUWJE.EXE' - '1' Module(s) have been scanned

Module is infected -> 'C:\documents and settings\sentier nature\local settings\application data\auwje.exe'

Scan process '9WIFI.EXE' - '1' Module(s) have been scanned

Scan process 'RUNDLL32.EXE' - '1' Module(s) have been scanned

Scan process 'E_S4I0R2.EXE' - '1' Module(s) have been scanned

Scan process 'HKCMD.EXE' - '1' Module(s) have been scanned

Scan process 'IGFXTRAY.EXE' - '1' Module(s) have been scanned

Scan process 'QtZgAcer.EXE' - '1' Module(s) have been scanned

Scan process 'REALPLAY.EXE' - '1' Module(s) have been scanned

Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned

Scan process 'JUSCHED.EXE' - '1' Module(s) have been scanned

Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned

Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned

Scan process 'EPM-DM.EXE' - '1' Module(s) have been scanned

Scan process 'MDOLEVOB.EXE' - '1' Module(s) have been scanned

Module is infected -> 'C:\Documents and Settings\All Users\Application Data\uzifcbmv\mdolevob.exe'

Scan process 'anbmServ.exe' - '1' Module(s) have been scanned

Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned

Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned

Scan process 'ashServ.exe' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'LSASS.EXE' - '1' Module(s) have been scanned

Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned

Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned

Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned

Scan process 'SMSS.EXE' - '1' Module(s) have been scanned

Process 'EDUXYJET.EXE' has been terminated

Process 'AUWJE.EXE' has been terminated

Process 'MDOLEVOB.EXE' has been terminated

C:\WINDOWS\system32\eduxyjet.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '48638cbd.qua'!

C:\documents and settings\sentier nature\local settings\application data\auwje.exe

[DETECTION] Is the Trojan horse TR/Dldr.Swizzor.Gen

[iNFO] The file was moved to '48658cd1.qua'!

C:\Documents and Settings\All Users\Application Data\uzifcbmv\mdolevob.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '485d8cd4.qua'!

 

44 processes with 41 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'D:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

 

The registry was scanned ( '40' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\' <ACER>

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\WINDOWS\drnpfdxrgq.dll

[DETECTION] Is the Trojan horse TR/BHO.Agent.221184

[iNFO] The file was moved to '485c9120.qua'!

 

 

End of the scan: samedi 29 mars 2008 20:21

Used time: 45:34 min

 

The scan has been canceled!

 

2387 Scanning directories

192248 Files were scanned

7 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

4 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

192241 Files not concerned

6333 Archives were scanned

2 Warnings

0 Notes

[drims]

Et le second quand j'ai tout fait dans les règles :

J'ai mis tout ce qui a été trouvé au scan en quarantaine !?

 

Voilà, j'attends le retour ! Bonne soirée et bon week-end !

 

AntiVir PersonalEdition Classic

Report file date: samedi 29 mars 2008 20:26

 

Scanning for 1169688 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: sentier nature

Computer name: ACER-86ABAAF10A

 

Version information:

BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00

AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:30

AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:52

LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:48

LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:22

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:16

ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 18:33:04

ANTIVIR2.VDF : 7.0.3.85 434176 Bytes 27/03/2008 18:33:04

ANTIVIR3.VDF : 7.0.3.92 20480 Bytes 28/03/2008 18:33:04

AVEWIN32.DLL : 7.6.0.78 3408384 Bytes 29/03/2008 18:33:04

AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:28

AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:18

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24

AVPACK32.DLL : 7.6.0.3 360488 Bytes 29/03/2008 18:33:04

AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:08

AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:34

AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:20

NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:44

RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:14

RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:38

SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:22

 

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: D:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: samedi 29 mars 2008 20:26

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'Explorer.EXE' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

11 processes with 11 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'D:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '44' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\' <ACER>

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP1\A0001085.dll

[DETECTION] Is the Trojan horse TR/BHO.Agent.221184

[iNFO] The file was moved to '481e9ef5.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP1\A0001086.dll

[DETECTION] Is the Trojan horse TR/Shell.Eviell

[iNFO] The file was moved to '481e9ef7.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP1\A0001087.dll

[DETECTION] Is the Trojan horse TR/Shell.Eviell

[iNFO] The file was moved to '481e9efa.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP1\A0001089.exe

[DETECTION] Is the Trojan horse TR/Agent.fwi

[iNFO] The file was moved to '481e9efc.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP1\A0001090.exe

[DETECTION] Is the Trojan horse TR/Agent.fwi

[iNFO] The file was moved to '481e9efe.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP1\A0001091.exe

[DETECTION] Is the Trojan horse TR/Agent.fwi

[iNFO] The file was moved to '481e9f01.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP1\A0001092.exe

[DETECTION] Is the Trojan horse TR/Agent.fwi

[iNFO] The file was moved to '481e9f02.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP1\A0001093.exe

[DETECTION] Is the Trojan horse TR/Agent.fwi

[iNFO] The file was moved to '481e9f05.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP2\A0001209.EXE

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '481e9f0c.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP2\A0001210.EXE

[DETECTION] Is the Trojan horse TR/Dldr.Swizzor.Gen

[iNFO] The file was moved to '481e9f0e.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP2\A0001211.EXE

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[iNFO] The file was moved to '481e9f11.qua'!

C:\System Volume Information\_restore{7D65FA75-CEC4-4949-A8E3-ACE730FEFF8E}\RP2\A0001212.dll

[DETECTION] Is the Trojan horse TR/BHO.Agent.221184

[iNFO] The file was moved to '481e9f15.qua'!

Begin scan in 'D:\' <ACERDATA>

 

 

End of the scan: samedi 29 mars 2008 20:57

Used time: 30:52 min

 

The scan has been done completely.

 

2538 Scanning directories

199216 Files were scanned

12 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

12 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

199204 Files not concerned

6469 Archives were scanned

1 Warnings

0 Notes