
Posted (edited)

Hello,

Could someone please be kind enough to analyze this report for me?

There is still malware lingering on this PC that I can't manage to get rid of...

Thanks a lot :P

 

Logfile of Trend Micro HijackThis v2.0.2

 

Scan saved at 12:23:06, on 19/08/2008

 

Platform: Windows XP SP2 (WinNT 5.01.2600)

 

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Boot mode: Normal

 

 

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

 

C:\WINDOWS\system32\winlogon.exe

 

C:\WINDOWS\system32\services.exe

 

C:\WINDOWS\system32\lsass.exe

 

C:\WINDOWS\system32\svchost.exe

 

C:\WINDOWS\System32\svchost.exe

 

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

 

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

 

C:\Program Files\Alwil Software\Avast4\ashServ.exe

 

C:\WINDOWS\system32\spoolsv.exe

 

C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

 

C:\Program Files\Bonjour\mDNSResponder.exe

 

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

 

C:\WINDOWS\system32\nvsvc32.exe

 

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

C:\WINDOWS\system32\svchost.exe

 

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

 

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

 

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

 

C:\WINDOWS\Explorer.EXE

 

C:\WINDOWS\system32\wscntfy.exe

 

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

 

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

 

C:\WINDOWS\system32\rundll32.exe

 

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

 

C:\WINDOWS\system32\Rundll32.exe

 

C:\WINDOWS\System32\svchost.exe

 

C:\Documents and Settings\melle--caro\Bureau\HiJackThis.exe

 

 

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.bannerstyle.biz/bc/123kah.php

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

 

O2 - BHO: (no name) - {4116CFB6-5F77-2FD9-0413-5A00BFB388CA} - (no file)

 

O2 - BHO: (no name) - {52043E63-F814-41BB-A8B8-A35474C6C1BD} - (no file)

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

 

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

 

O2 - BHO: {15c5cea0-9d63-424b-5044-34bf77d7583e} - {e3857d77-fb43-4405-b424-36d90aec5c51} - C:\WINDOWS\system32\zwlvuz.dll

 

O2 - BHO: (no name) - {E857C6E9-76CB-4DFD-95D7-1981E90B65FD} - (no file)

 

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

 

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable

 

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

 

O4 - HKLM\..\Run: [bM9b8ffa74] Rundll32.exe "C:\WINDOWS\system32\anxqxaeb.dll",s

 

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

 

O4 - HKCU\..\Run: [VnrBlock20] "C:\Program Files\VnrBlock\VnrBlock20.exe"

 

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

 

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')

 

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

 

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

 

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

 

O20 - Winlogon Notify: jkkHbcYq - jkkHbcYq.dll (file missing)

 

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

 

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

 

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

 

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

 

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

 

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

 

O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

 

O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

 

 

 

--

 

End of file - 5091 bytes

Edited by jollyroger

Posted (edited)

Hello,

# You must disable the real-time protection of your antivirus, which detects some components of this software as harmful.

* To do so, right-click the icon at the bottom right, next to the clock.

Download SDFix (created by AndyManchesta)

and save it to the Desktop.

Double-click SDFix.exe and choose Install to extract it.

SDFix installs itself at the root of the system partition (by default, usually C:).

Restart in Safe Mode

* Open the SDFix folder that has just been created in C:\ and double-click RunThis.cmd to launch the script.

* Press Y to start the cleaning process.

* It will remove the services and Registry entries of certain trojans it finds, then ask you to press a key to restart.

If SDFix does not launch

1) Start -> Run

Copy/paste:

%systemroot%\system32\cmd.exe /K %systemdrive%\SDFix\apps\FixPath.exe

Click OK and confirm.

Restart and try launching SDFix again.

2) If you get the message: This command has been disabled by your Administrator

Press any key to continue:

Start -> Run

Copy/paste

%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg

Confirm

Relaunch SDFix

* The restart will be slower than usual because the tool will keep running and deleting files.

* After the Desktop has loaded, the tool will finish its work and display Finished.

* Press a key to end the script and load the Desktop icons.

* Once the Desktop icons are displayed, the SDFix report will open on screen and will also be saved in the SDFix folder under the name Report.txt.

* Post the report here.

Download Malwarebytes' Anti-Malware (MBAM)

* Double-click the Download_mbam-setup.exe icon to start the installation process.

Save it to the Desktop.

Close all windows and programs

Follow the prompts (in particular the choice of language and the authorization to access the Internet)

Do not change any of the default settings and, at the end of the installation,

check that the options Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware are ticked

MBAM will start automatically and display a message asking to update the program before launching a scan.

Click OK to close the dialog box.

* In the "Update" tab, click the Check for updates button:

If the firewall asks for permission for MBAM to connect, accept.

* Once the update has finished, go to the Scan tab.

* Select "Perform full scan"

* Click "Scan"

* The scan will take some time, be patient!

* At the end, a message will display:

The scan completed normally.

* If MBAM found nothing, it will say so too.

Click "Ok" to continue.

* Close the browsers.

Click Show results.

* Select everything and click Remove selected,

MBAM will destroy the files and registry keys and put a copy of them in quarantine.

Then open Notepad and copy into it the scan report, which can be found under the Reports/Logs tab.

* Copy and paste this report into your next reply.

Edited by pear
Posted

And there you go!

 

Malwarebytes' Anti-Malware 1.25

 

Version de la base de données: 1070

 

Windows 5.1.2600 Service Pack 2

 

 

 

14:22:02 19/08/2008

 

mbam-log-08-19-2008 (14-22-02).txt

 

 

 

Type de recherche: Examen complet (C:\|)

 

Eléments examinés: 71331

 

Temps écoulé: 19 minute(s), 48 second(s)

 

 

 

Processus mémoire infecté(s): 0

 

Module(s) mémoire infecté(s): 1

 

Clé(s) du Registre infectée(s): 16

 

Valeur(s) du Registre infectée(s): 1

 

Elément(s) de données du Registre infecté(s): 0

 

Dossier(s) infecté(s): 3

 

Fichier(s) infecté(s): 61

 

 

 

Processus mémoire infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Module(s) mémoire infecté(s):

 

C:\WINDOWS\system32\zwlvuz.dll (Trojan.Vundo.H) -> Delete on reboot.

 

 

 

Clé(s) du Registre infectée(s):

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3857d77-fb43-4405-b424-36d90aec5c51} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

HKEY_CLASSES_ROOT\CLSID\{e3857d77-fb43-4405-b424-36d90aec5c51} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.

 

HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.

 

HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.

 

HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.

 

HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.

 

HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

 

HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

 

 

 

Valeur(s) du Registre infectée(s):

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm9b8ffa74 (Trojan.Agent) -> Delete on reboot.

 

 

 

Elément(s) de données du Registre infecté(s):

 

(Aucun élément nuisible détecté)

 

 

 

Dossier(s) infecté(s):

 

C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.

 

C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.

 

C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.

 

 

 

Fichier(s) infecté(s):

 

C:\WINDOWS\system32\zwlvuz.dll (Trojan.Vundo.H) -> Delete on reboot.

 

C:\WINDOWS\system32\fxyrcypb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\bpycryxf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\rrwxqary.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\yraqxwrr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\wjrdwjgg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\ggjwdrjw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\ybcfkwxi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\ixwkfcby.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\melle--caro\DoctorWeb\Quarantine\A0150589.exe (Adware.Agent) -> Quarantined and deleted successfully.

 

C:\Documents and Settings\melle--caro\DoctorWeb\Quarantine\QdrPack16.exe (Adware.Agent) -> Quarantined and deleted successfully.

 

C:\Program Files\Mozilla Firefox\components\srff.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP56\A0082120.exe (Adware.Agent) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP56\A0082132.exe (Adware.ISM) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP59\A0083229.exe (Adware.ISM) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP66\A0109507.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP66\A0110553.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP66\A0117647.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP67\A0150220.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP67\A0150225.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP67\A0150196.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP67\A0150198.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP67\A0150206.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150555.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150556.exe (Adware.ISM) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150557.exe (Malware.Trace) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150560.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150591.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150592.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150593.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150595.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150596.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150598.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150599.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150600.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP68\A0150601.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP69\A0150690.exe (Adware.ISM) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP70\A0150925.dll (Trojan.BHO) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP70\A0150926.dll (Adware.Agent) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP70\A0150927.exe (Trojan.BHO) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP70\A0150928.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP73\A0151530.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

 

C:\System Volume Information\_restore{7CE40D9D-4CD5-44F8-8BE4-5801E401722D}\RP73\A0151539.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\cdwqyb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\nlkvqjql.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\pvvitcdo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\uesykfox.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\jibwwp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\kcnfhnwi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\qtfxkxlu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\Program Files\Outerinfo\Terms.rtf (Adware.Outerinfo) -> Quarantined and deleted successfully.

 

C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.

 

C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.

 

C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

 

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\anxqxaeb.dll (Trojan.Agent) -> Delete on reboot.

 

C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\BM9b8ffa74.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\BM9b8ffa74.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

 

C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Posted

That's good.

I am also waiting for the SDFix report.

Uninstall System Restore.

My Computer -> Properties -> System Restore.

Tick the box "Turn off System Restore on all drives".

You will untick it afterwards.

A new restore point will be created on restart.

Download Avira AntiVir Personal

NB: the choice of Antivir as the antivirus to use for this procedure was based on the following criteria:

--- shortcomings of your antivirus, which let malware through

--- In Safe Mode, only system processes are started. It is therefore easier to remove infections

--- Antivir can be installed and uninstalled easily

--- Antivir is recognized for its effectiveness in Safe Mode

Recommended settings

Right-click the umbrella -> Configure

Click Expert mode -> Scan:

Tick: All files

Additional Settings: tick everything

Click scan +

Action for concerning files:

Tick

copy file to quarantine before action

Primary action...................: repair => in case it is a corrupted system file

Secondary action.................: delete => if there is a detection, might as well delete. A backup will be in quarantine

Disable your current antivirus

Restart in Safe Mode.

Run the scan

Post the report

Posted

SDFix: Version 1.216

 

Run by Administrateur on 19/08/2008 at 13:18

 

 

 

Microsoft Windows XP [version 5.1.2600]

 

Running From: C:\SDFix

 

 

 

Checking Services :

 

 

 

 

 

Restoring Default Security Values

 

Restoring Default Hosts File

 

 

 

Rebooting

 

 

 

 

 

Checking Files :

 

 

 

Trojan Files Found:

 

 

 

C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\LOG\20080807231432156.log - Deleted

 

C:\Program Files\BChanger\data.dat - Deleted

 

C:\Program Files\BChanger\Uninstall.exe - Deleted

 

C:\Program Files\NoDNS\UnInstall.exe - Deleted

 

C:\Program Files\Sakora\Sakora.exe.lzma - Deleted

 

C:\Program Files\Spcron\Spc.dll.lzma - Deleted

 

C:\Program Files\VnrBlock\VnrBlock20.exe - Deleted

 

C:\Program Files\VnrBlock\xtarga.gz - Deleted

 

C:\Program Files\.autoreg - Deleted

 

C:\WINDOWS\system32\real.txt - Deleted

 

 

 

 

 

 

 

Folder C:\Documents and Settings\melle--caro\Application Data\SpeedRunner - Removed

 

Folder C:\Documents and Settings\All Users\Application Data\SoftLand Ltd - Removed

 

Folder C:\Program Files\BChanger - Removed

 

Folder C:\Program Files\CPV - Removed

 

Folder C:\Program Files\NoDNS - Removed

 

Folder C:\Program Files\Sakora - Removed

 

Folder C:\Program Files\Skra - Removed

 

Folder C:\Program Files\Spcron - Removed

 

Folder C:\Program Files\VnrBlock - Removed

 

Folder C:\Program Files\XP Antivirus - Removed

 

 

 

 

 

Removing Temp Files

 

 

 

ADS Check :

 

 

 

 

 

 

 

Final Check :

 

 

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

 

Rootkit scan 2008-08-19 13:41:17

 

Windows 5.1.2600 Service Pack 2 NTFS

 

 

 

scanning hidden processes ...

 

 

 

scanning hidden services & system hive ...

 

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc000b6b]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bdc000b6b]

 

 

 

scanning hidden registry entries ...

 

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

 

"TracesProcessed"=dword:00000074

 

"TracesSuccessful"=dword:00000004

 

 

 

scanning hidden files ...

 

 

 

scan completed successfully

 

hidden processes: 0

 

hidden services: 0

 

hidden files: 0

 

 

 

 

 

Remaining Services :

 

 

 

 

 

 

 

 

 

Authorized Application Key Export:

 

 

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

 

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

 

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

 

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

 

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"

 

 

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

 

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

 

 

Remaining Files :

 

 

 

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

 

 

Files with Hidden Attributes :

 

 

 

Thu 2 Mar 2006 93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

 

Mon 18 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\24af2a69c06a4de03e35dc89d706475f\BIT1.tmp"

 

Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\326d1a08fc685e3efad9e9a5b059ebfb\BIT2C.tmp"

 

Mon 18 Feb 2008 1,505,808 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\32a68038cbc8e2f304034165d1cab2e1\BIT34.tmp"

 

Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5b6da8fb69b176ee583a3734e2af76e6\BIT2D.tmp"

 

Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\60f98441524da959e4cfd96533bfcea5\BIT33.tmp"

 

Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7333946973f87a4fdf879a85eeae256b\BIT2E.tmp"

 

Mon 18 Feb 2008 10,092,048 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8b3179d71e82d8085d960408b16ae5bf\BIT30.tmp"

 

Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9526baba4c0a42975f8fabcda9ca8dc3\BIT31.tmp"

 

Mon 18 Feb 2008 1,229,688 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc7043d60e692448b548f03d568309ab\BIT2F.tmp"

 

Mon 18 Feb 2008 4,856,848 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f3fd033e4d9140ea4bb2ff5810443583\BIT32.tmp"

 

 

 

Finished!

Posted

Version information:

 

BUILD.DAT : 8.1.0.331 16934 Bytes 12/08/2008 11:46:00

 

AVSCAN.EXE : 8.1.4.7 315649 Bytes 26/06/2008 08:57:53

 

AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 07:56:40

 

LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 12:44:19

 

LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 07:58:52

 

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 10:33:34

 

ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 13:54:15

 

ANTIVIR2.VDF : 7.0.6.10 2587136 Bytes 14/08/2008 14:12:52

 

ANTIVIR3.VDF : 7.0.6.37 168448 Bytes 19/08/2008 14:12:53

 

Engineversion : 8.1.1.23

 

AEVDF.DLL : 8.1.0.5 102772 Bytes 09/07/2008 08:46:50

 

AESCRIPT.DLL : 8.1.0.68 315770 Bytes 19/08/2008 14:12:59

 

AESCN.DLL : 8.1.0.23 119156 Bytes 19/08/2008 14:12:58

 

AERDL.DLL : 8.1.0.20 418165 Bytes 09/07/2008 08:46:50

 

AEPACK.DLL : 8.1.2.1 364917 Bytes 19/08/2008 14:12:58

 

AEOFFICE.DLL : 8.1.0.22 192890 Bytes 19/08/2008 14:12:57

 

AEHEUR.DLL : 8.1.0.50 1388918 Bytes 19/08/2008 14:12:56

 

AEHELP.DLL : 8.1.0.15 115063 Bytes 09/07/2008 08:46:50

 

AEGEN.DLL : 8.1.0.36 315764 Bytes 19/08/2008 14:12:55

 

AEEMU.DLL : 8.1.0.7 430452 Bytes 19/08/2008 14:12:54

 

AECORE.DLL : 8.1.1.8 172406 Bytes 19/08/2008 14:12:54

 

AEBB.DLL : 8.1.0.1 53617 Bytes 24/04/2008 08:50:42

 

AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 08:40:05

 

AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 09:28:01

 

AVREP.DLL : 8.0.0.2 98344 Bytes 19/08/2008 14:12:53

 

AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 11:26:40

 

AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 08:29:23

 

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 12:27:49

 

SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 17:28:02

 

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 12:49:40

 

NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 12:05:10

 

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 13:48:07

 

RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 13:34:37

 

 

 

Configuration settings for the scan:

 

Jobname..........................: Complete system scan

 

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

 

Logging..........................: low

 

Primary action...................: repair

 

Secondary action.................: delete

 

Scan master boot sector..........: on

 

Scan boot sector.................: on

 

Boot sectors.....................: C:,

 

Process scan.....................: on

 

Scan registry....................: on

 

Search for rootkits..............: off

 

Scan all files...................: All files

 

Scan archives....................: on

 

Recursion depth..................: 20

 

Smart extensions.................: on

 

Macro heuristic..................: on

 

File heuristic...................: medium

 

 

 

Start of the scan: mardi 19 août 2008 16:52

 

 

 

The scan of running processes will be started

 

Scan process 'avscan.exe' - '1' Module(s) have been scanned

 

Scan process 'avscan.exe' - '1' Module(s) have been scanned

 

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

 

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

 

Scan process 'wscntfy.exe' - '1' Module(s) have been scanned

 

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

 

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

 

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

 

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

 

Scan process 'SMax4.exe' - '1' Module(s) have been scanned

 

Scan process 'SMax4PNP.exe' - '1' Module(s) have been scanned

 

Scan process 'explorer.exe' - '1' Module(s) have been scanned

 

Scan process 'alg.exe' - '1' Module(s) have been scanned

 

Scan process 'TosBtSrv.exe' - '1' Module(s) have been scanned

 

Scan process 'svchost.exe' - '1' Module(s) have been scanned

 

Scan process 'SMAgent.exe' - '1' Module(s) have been scanned

 

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

 

Scan process 'MDM.EXE' - '1' Module(s) have been scanned

 

Scan process 'svchost.exe' - '1' Module(s) have been scanned

 

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

 

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

 

Scan process 'avguard.exe' - '1' Module(s) have been scanned

 

Scan process 'sched.exe' - '1' Module(s) have been scanned

 

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

 

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

 

Scan process 'svchost.exe' - '1' Module(s) have been scanned

 

Scan process 'svchost.exe' - '1' Module(s) have been scanned

 

Scan process 'svchost.exe' - '1' Module(s) have been scanned

 

Scan process 'svchost.exe' - '1' Module(s) have been scanned

 

Scan process 'svchost.exe' - '1' Module(s) have been scanned

 

Scan process 'lsass.exe' - '1' Module(s) have been scanned

 

Scan process 'savedump.exe' - '1' Module(s) have been scanned

 

Scan process 'services.exe' - '1' Module(s) have been scanned

 

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

 

Scan process 'csrss.exe' - '1' Module(s) have been scanned

 

Scan process 'smss.exe' - '1' Module(s) have been scanned

 

36 processes with 36 modules were scanned

 

 

 

Starting master boot sector scan:

 

Master boot sector HD0

 

[INFO] No virus was found!

 

 

 

Start scanning boot sectors:

 

Boot sector 'C:\'

 

[INFO] No virus was found!

 

 

 

Starting to scan the registry.

 

The registry was scanned ( '45' files ).

 

 

 

 

 

Starting the file scan:

 

 

 

Begin scan in 'C:\'

 

C:\pagefile.sys

 

[WARNING] The file could not be opened!

 

C:\Program Files\Internet Explorer\profsycy.html

 

[DETECTION] Contains HEUR/HTML.Malware suspicious code

 

[NOTE] The detection was classified as suspicious.

 

[NOTE] A backup was created as '4919e00f.qua' ( QUARANTINE )

 

[NOTE] Attempting to perform action using the ARK lib.

 

[NOTE] A backup was created as '4b22e8f8.qua' ( QUARANTINE )

 

C:\WINDOWS\Driver Cache\i386\driver.cab

 

[0] Archive type: CAB (Microsoft)

 

--> epnhte4n.dll

 

[WARNING] No further files can be extracted from this archive. The archive will be closed

 

C:\WINDOWS\system32\gaiirmav.dll

 

[DETECTION] Is the TR/Vundo.FGR Trojan

 

[NOTE] A backup was created as '4913e2e0.qua' ( QUARANTINE )

 

[NOTE] Attempting to perform action using the ARK lib.

 

[NOTE] A backup was created as '4b28ea09.qua' ( QUARANTINE )

 

C:\WINDOWS\system32\pgxmtnmo.dll

 

[DETECTION] Is the TR/Vundo.Gen Trojan

 

[NOTE] A backup was created as '4922e3b9.qua' ( QUARANTINE )

 

[NOTE] Attempting to perform action using the ARK lib.

 

[NOTE] A backup was created as '4b19eb52.qua' ( QUARANTINE )

 

C:\WINDOWS\system32\pshnsu.dll

 

[DETECTION] Is the TR/Vundo.Gen Trojan

 

[NOTE] A backup was created as '4912e3c7.qua' ( QUARANTINE )

 

[NOTE] Attempting to perform action using the ARK lib.

 

[NOTE] A backup was created as '4b29eb20.qua' ( QUARANTINE )

 

 

 

 

 

End of the scan: mardi 19 août 2008 17:19

 

Used time: 27:09 Minute(s)

 

 

 

The scan has been done completely.

 

 

 

3245 Scanning directories

 

148453 Files were scanned

 

3 viruses and/or unwanted programs were found

 

1 Files were classified as suspicious:

 

0 files were deleted

 

0 files were repaired

 

8 files were moved to quarantine

 

0 files were renamed

 

1 Files cannot be scanned

 

148448 Files not concerned

 

841 Archives were scanned

 

2 Warnings

 

4 Notes

Posted

Good evening,

About Avast

Avast vs Antivir

You can use this Avast! removal tool:

Remove Avast

It is advisable to restart the computer once Avast! has been uninstalled.

Then, whichever you choose, keep only one antivirus active.

Keep MBAM, which is excellent at disinfection.

Please post a HijackThis report, with your comments on the state of your machine.

Posted

Thank you very much, I'm going to keep Antivir. It seems very effective to me.

Well done, and thanks again for your availability and the quality of your advice.

Here is the log:

 

Logfile of Trend Micro HijackThis v2.0.2

 

Scan saved at 19:01:31, on 19/08/2008

 

Platform: Windows XP SP2 (WinNT 5.01.2600)

 

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Boot mode: Normal

 

 

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

 

C:\WINDOWS\system32\winlogon.exe

 

C:\WINDOWS\system32\services.exe

 

C:\WINDOWS\system32\lsass.exe

 

C:\WINDOWS\system32\svchost.exe

 

C:\WINDOWS\System32\svchost.exe

 

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

 

C:\WINDOWS\system32\spoolsv.exe

 

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

 

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

 

C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

 

C:\Program Files\Bonjour\mDNSResponder.exe

 

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

 

C:\WINDOWS\system32\nvsvc32.exe

 

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

C:\WINDOWS\system32\svchost.exe

 

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

 

C:\WINDOWS\Explorer.EXE

 

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

 

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

 

C:\WINDOWS\system32\rundll32.exe

 

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

 

C:\WINDOWS\system32\wuauclt.exe

 

C:\WINDOWS\System32\svchost.exe

 

C:\Documents and Settings\melle--caro\Bureau\HiJackThis.exe

 

 

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.bannerstyle.biz/bc/123kah.php

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,

 

O2 - BHO: (no name) - {4116CFB6-5F77-2FD9-0413-5A00BFB388CA} - (no file)

 

O2 - BHO: (no name) - {52043E63-F814-41BB-A8B8-A35474C6C1BD} - (no file)

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

 

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

 

O2 - BHO: (no name) - {E857C6E9-76CB-4DFD-95D7-1981E90B65FD} - (no file)

 

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

 

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable

 

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

 

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

 

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

 

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')

 

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

 

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

 

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

 

O20 - Winlogon Notify: jkkHbcYq - jkkHbcYq.dll (file missing)

 

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

 

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

 

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

 

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

 

O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

 

O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

 

 

 

--

 

End of file - 4639 bytes

Posted

Good evening,

Copy/paste the following into Notepad,

with no blank line at the beginning.

Save it to the desktop as regis.reg.

Right-click the file -> Merge

Accept the change to the Registry:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

"jkkHbcYq"=-

 

In HijackThis, check these lines, then click Fix checked

 

O2 - BHO: (no name) - {4116CFB6-5F77-2FD9-0413-5A00BFB388CA} - (no file)

O2 - BHO: (no name) - {52043E63-F814-41BB-A8B8-A35474C6C1BD} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: (no name) - {E857C6E9-76CB-4DFD-95D7-1981E90B65FD} - (no file)

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')

O20 - Winlogon Notify: jkkHbcYq - jkkHbcYq.dll (file missing)

 

Click Open misc tool section

-> Delete an NT service: type Bonjour Service

to remove this useless service, to say no more than that.

O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe => Apple Computer®Bonjour for Windows

Uninstall:

C:\Program Files\Bonjour\mDNSResponder.exe
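
The fix list in the post above includes every entry that HijackThis marked `(no file)` or `(file missing)`: registry references left behind after the DLLs were quarantined. As an added example (not part of the original thread and not HijackThis code), this Python script pulls those orphaned entries out of a pasted log; the function names `parse_entries` and `orphaned_entries` are assumptions made for illustration.

```python
import re

# Sample input: a few lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4116CFB6-5F77-2FD9-0413-5A00BFB388CA} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: jkkHbcYq - jkkHbcYq.dll (file missing)
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# An entry line starts with a section code (R0, F2, O2, O20, ...) followed by " - ".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends one of these markers when the referenced file is absent.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Return (code, body) pairs for each entry line; headers and process paths are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()  # also removes the non-breaking spaces forum pastes leave behind
        match = ENTRY.match(line)
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def orphaned_entries(log_text):
    """Return entries whose registry reference remains but whose target file is gone."""
    found = []
    for code, body in parse_entries(log_text):
        if ORPHAN.search(body):
            clsid = CLSID.search(body)
            found.append({"code": code,
                          "clsid": clsid.group(0) if clsid else None,
                          "body": body})
    return found


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["code"], entry["clsid"] or "-", entry["body"])
```

The script only covers the orphaned references; the O4 startup items and the service named in the post were chosen by the helper on other grounds and are not flagged here.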
