[résolu] liens google modifiés + svchost 300mo + Spybot bloqué

[Vince1415]

Bonjour à tous,

Je me suis inscrit sur ce forum car j'ai lu pas mal de post et l'aide apportée semblait très efficace et pertinente.

Je vous explique mon problème en esperant que quelqu'un pourra m'aider.

 

Le premier lien des résultats de recherche google est toujours modifié sous firefox et IE si bien que lorsque je clique dessus je me retrouve sur des sites de publicités, n'ayant aucun rapport avec la recherche. L'envoie de formulaires sous firefox semble également poser problèmes, et ne fonctionne pas toujours. Je n'ai pas ces problèmes sous opera, ni chrome. Les pages ouvertes sur les résultats Google sont la plupart du temps sur le domaine windowsclick. La réponse des pages est également plus longue que sur Opera et Chrome.

 

J'ai également deux processus svchost qui utilisent respectivement 220mo et 190mo ce qui est tout de même énorme pour ce genre de processus.

 

Et pour finir la plupart des outils pour "nettoyer" ne fonctionnent pas, ainsi je ne peux pas faire de mise à jours dans cwshredder, je ne peux pas lancer Spybot, il ne se passe rien lorsque je le lance et je ne peux pas installer hijackThis, par contre le fichier executable direct sans intsallation fonctionne correctement, l'installation de Malwarebyte's Anti malware ne se lance pas non plus. Seul Adaware semble fonctionner correctement.

 

Y a t'il une autre solution qu'un format c: ? car il s'agit d'un Pc de travail et je ne peux malheureusement pas tout reinstaller si facilement.

L'antivirus est virusScan entreprise 8

 

Voici ci-dessous le log de HijackThis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:47:02, on 25/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Pidgin\pidgin.exe

C:\Program Files\Desktoptopia\Desktoptopia.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Opera\opera.exe

C:\Documents and Settings\vprothais\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\vprothais\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\vprothais\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\ESTsoft\ALZip\ALZip.exe

C:\Documents and Settings\vprothais\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\vprothais\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\vprothais\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\vprothais\Mes documents\Mes telechargements\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pdc-mougins.xerus.net/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Companion.JS BHO - {ADDEE521-F1CC-4B89-8C88-B2CF625B9163} - C:\Program Files\Core Services\Companion.JS\CompanionJS.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Desktoptopia.lnk = C:\Program Files\Desktoptopia\Desktoptopia.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Companion.JS - {0402343A-B530-482b-AA27-A61CEC3E4D2E} - C:\Program Files\Core Services\Companion.JS\CompanionJS.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202381037644

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xerus.net

O17 - HKLM\Software\..\Telephony: DomainName = xerus.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xerus.net

O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 8324 bytes

 

Merci bcp par avance.

Modifié le 27 février 2009 par Vince1415

[Falkra]

Bonjour,

 

oublie spybot et ad-aware, ils ne t'aideront pas là dessus (et de manière générale : bof).

 

Le logiciel qui suit n'est à utiliser que prescrit par un helper qualifié et formé à l'outil.

Ne pas utiliser en dehors de ce cas de figure ou seul : dangereux.

 

Télécharge combofix.exe de sUBs et sauvegarde le sur ton bureau (et pas ailleurs).

• Assure toi que tous les programmes sont fermés avant de commencer.
  
• Désactive l'antivirus, sinon combofix va te mettre un message (sinon, dis ok au message).
  
• Double-clique combofix.exe afin de l'exécuter.
  
• Clique sur "Oui" au message de Limitation de Garantie qui s'affiche.
  
• Si on te propose de redémarrer parc qu'un rootkit a été trouvé, fais-le.
  
• On va te proposer de télécharger et installer la console de récupération, clique sur "Oui" au message, autorise le téléchargement dans ton firewall si demandé, puis accepte le message de contrat utilisateur final.
  
• Le bureau disparaît, c'est normal, et il va revenir.
  
• Ne ferme pas la fenêtre qui s'ouvre, tu te retrouverais avec un bureau vide.
  
• Lorsque l'analyse sera terminée, un rapport apparaîtra.
  
• Copie-colle ce rapport dans ta prochaine réponse.
  Le rapport se trouve dans : C:\Combofix.txt (si jamais).
  

[Vince1415]

Merci pour ton aide voici le rapport de combofix :

 

ComboFix 09-02-24.02 - vprothais 2009-02-25 15:12:59.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.1983.1462 [GMT 1:00]

Lancé depuis: c:\documents and settings\vprothais\Bureau\plop.exe

* Resident AV is active

 

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\drivers\gaopdxserv.sys

c:\windows\system32\drivers\UACyfulvgbr.sys

c:\windows\system32\mdm.exe

c:\windows\system32\twain32

c:\windows\system32\twain32\local.ds

c:\windows\system32\twain32\user.ds

c:\windows\system32\UACipfqxbnh.dll

c:\windows\system32\UACktawnsde.log

c:\windows\system32\UACpdwqhtmi.dll

c:\windows\system32\UACtqqvohow.dll

c:\windows\system32\UACvyejbirl.log

c:\windows\system32\UACwmlykmot.log

c:\windows\system32\UACxuhtjrte.dat

c:\windows\system32\UACxwhixdxl.dll

 

.

((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_UACd.sys

 

 

((((((((((((((((((((((((((((( Fichiers créés du 2009-01-25 au 2009-02-25 ))))))))))))))))))))))))))))))))))))

.

 

2009-02-25 13:48 . 2009-02-25 13:53 <REP> d-------- c:\documents and settings\vprothais\.housecall6.6

2009-02-25 09:10 . 2009-02-25 09:10 <REP> drahs---- C:\zPharaoh.exe

2009-02-25 09:06 . 2009-02-25 09:12 <REP> d-------- c:\program files\Autorun Eater

2009-02-13 13:37 . 1997-11-19 15:49 303,616 --a------ c:\windows\IsUninst.exe

2009-02-13 13:34 . 2009-02-13 13:34 <REP> d-------- c:\documents and settings\vprothais\WINDOWS

2009-02-11 18:03 . 2009-02-11 18:03 22,600 --a------ c:\windows\system32\AAWService_2009_02_11_18_03_32.dmp

2009-02-11 10:25 . 2009-02-11 10:25 <REP> d-------- c:\program files\Fichiers communs\Adobe AIR

2009-02-10 15:25 . 2009-02-10 15:25 <REP> d-------- c:\documents and settings\vprothais\Application Data\OpenOffice.org

2009-02-10 12:03 . 2009-02-10 12:03 <REP> d-------- c:\program files\Spybot - Search & Destroy

2009-02-10 12:03 . 2009-02-10 12:03 <REP> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-10 11:43 . 2009-02-10 11:43 <REP> d-------- c:\program files\OpenOffice.org 3

2009-02-10 11:43 . 2009-02-10 11:43 <REP> d-------- c:\program files\JRE

2009-02-09 18:16 . 2009-02-09 18:16 22,600 --a------ c:\windows\system32\AAWService_2009_02_09_18_16_27.dmp

2009-02-09 16:57 . 2009-02-09 16:57 <REP> d-------- c:\documents and settings\LocalService\Bureau

2009-02-09 16:04 . 2009-02-09 16:04 <REP> d-------- c:\documents and settings\vprothais\Application Data\Media Player Classic

2009-02-02 16:13 . 2009-02-02 16:13 <REP> d-------- c:\windows\system32\QuickTime

2009-02-02 16:12 . 2009-02-02 16:12 <REP> d-------- c:\windows\Downloaded Installations

2009-02-02 16:12 . 2009-02-02 16:13 <REP> d-------- c:\program files\Macromedia

2009-02-02 16:12 . 2009-02-02 16:13 <REP> d-------- c:\program files\Fichiers communs\Macromedia

2009-01-29 16:09 . 2009-01-29 16:09 22,102 --a------ c:\windows\system32\AAWService_2009_01_29_16_09_31.dmp

2009-01-29 11:32 . 2009-02-02 11:02 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-01-29 10:54 . 2009-01-29 10:54 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-01-29 10:50 . 2009-01-29 10:50 <REP> d-------- c:\program files\Lavasoft

2009-01-29 10:50 . 2009-01-29 10:54 <REP> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-29 10:50 . 2009-01-29 10:50 <REP> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-01-29 10:27 . 2009-02-05 12:24 <REP> d-------- c:\windows\BDOSCAN8

2009-01-28 15:07 . 2009-01-28 15:07 <REP> d-------- c:\program files\CCleaner

2009-01-28 09:13 . 2009-02-25 09:37 5,193 --a------ c:\windows\system32\uacinit.dll

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-25 13:59 --------- d-----w c:\documents and settings\vprothais\Application Data\.purple

2009-02-25 13:28 --------- d-----w c:\program files\Mozilla Thunderbird

2009-02-25 08:54 --------- d-----w c:\documents and settings\vprothais\Application Data\FileZilla

2009-02-19 14:41 --------- d-----w c:\documents and settings\vprothais\Application Data\gtk-2.0

2009-02-11 10:29 --------- d-----w c:\program files\VirtuaWin

2009-02-10 10:43 --------- d-----w c:\program files\Sun

2009-02-10 08:42 --------- d-----w c:\program files\Bonjour

2009-02-09 15:00 --------- d-----w c:\documents and settings\vprothais\Application Data\Inkscape

2009-02-02 15:12 --------- d-----w c:\program files\Fichiers communs\InstallShield

2009-01-30 08:09 --------- d-----w c:\program files\NetDrive

2009-01-29 09:05 --------- d-----w c:\program files\Opera

2009-01-28 14:23 --------- d-----w c:\program files\Phun

2009-01-23 16:33 --------- d-----w c:\program files\eviware

2009-01-19 10:44 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet

2009-01-16 14:31 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-01-16 14:30 --------- d-----w c:\program files\Java

2009-01-15 11:08 --------- d-----w c:\program files\eclipse

2008-12-20 22:47 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-06 10:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008100620081007\index.dat

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2008-08-31 45091]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Fichiers communs\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-02 509784]

"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 c:\windows\RTHDCPL.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\vprothais\Menu D‚marrer\Programmes\D‚marrage\

Desktoptopia.lnk - c:\program files\Desktoptopia\Desktoptopia.exe [2008-08-07 1572864]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1173\Scripts\Logon\0\0]

"Script"=rep_u.bat

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1173\Scripts\Logon\1\0]

"Script"=rep_s.bat

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1290\Scripts\Logon\0\0]

"Script"=rep_u.bat

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1910\Scripts\Logon\0\0]

"Script"=rep_u.bat

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-2730\Scripts\Logon\0\0]

"Script"=rep_u.bat

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 03:34 1695232 c:\program files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SftpDrive]

--a------ 2008-02-26 05:21 427584 c:\program files\SftpDrive\SftpDrive.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2009-01-16 15:31 136600 c:\program files\Java\jre6\bin\jusched.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-29 64160]

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-02-07 58016]

R1 SftpDrive;SftpDrive;c:\windows\system32\drivers\SftpDrive.sys [2008-02-26 293696]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-10-13 95888]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-10-13 41680]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]

.

Contenu du dossier 'Tâches planifiées'

 

2009-02-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-02 11:01]

 

2009-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-484061587-725345543-2730.job

- c:\documents and settings\vprothais\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 08:22]

.

- - - - ORPHELINS SUPPRIMES - - - -

 

HKLM-Run-Config Loader - (no file)

HKLM-Run-Registry Loader - (no file)

HKLM-Run-MS Config Loader - (no file)

HKLM-Run-Microsoft Office Start - (no file)

HKLM-Run-Windows Backup Configuration - (no file)

HKLM-Run-Microsoft Windows Updater - (no file)

HKLM-Run-Config Loader2 - (no file)

HKLM-Run-Office Startup - (no file)

HKLM-Run-Quicktime Pro 3.0 - (no file)

HKLM-Run-Svhost Loader - (no file)

HKLM-Run-MS Security Hotfix - (no file)

HKLM-Run-Windows Communicator - (no file)

HKLM-Run-Config Loader for Microsoft Windows - (no file)

HKLM-Run-System Loaderav - (no file)

HKLM-Run-ConfiggLoader - (no file)

HKLM-Run-Sound Loader - (no file)

HKLM-Run-Windows Config Manager - (no file)

HKLM-Run-Windows Loader - (no file)

HKLM-Run-Service Controller - (no file)

HKLM-Run-Ms Task - (no file)

HKLM-Run-Mixer - (no file)

HKLM-Run-System Loaderap - (no file)

HKLM-Run-Norton Live Updater - (no file)

HKLM-Run-Windows Update Service - (no file)

HKLM-Run-Configuration Loading - (no file)

HKLM-Run-MS Config Stream - (no file)

HKLM-Run-Win Init - (no file)

HKLM-Run-Windows Startup - (no file)

HKLM-Run-machine-debugger - (no file)

HKLM-Run-WindowsFS - (no file)

HKLM-RunServices-Config Loader - (no file)

HKLM-RunServices-Registry Loader - (no file)

HKLM-RunServices-MS Config Loader - (no file)

HKLM-RunServices-Microsoft Office - (no file)

HKLM-RunServices-Microsoft Office Start - (no file)

HKLM-RunServices-Windows Backup Configuration - (no file)

HKLM-RunServices-Microsoft Windows Updater - (no file)

HKLM-RunServices-Config Loader2 - (no file)

HKLM-RunServices-Office Startup - (no file)

HKLM-RunServices-Quicktime Pro 3.0 - (no file)

HKLM-RunServices-Svhost Loader - (no file)

HKLM-RunServices-MS Security Hotfix - (no file)

HKLM-RunServices-Windows Communicator - (no file)

HKLM-RunServices-Config Loader for Microsoft Windows - (no file)

HKLM-RunServices-System Loaderav - (no file)

HKLM-RunServices-ConfiggLoader - (no file)

HKLM-RunServices-Sound Loader - (no file)

HKLM-RunServices-Windows Config Manager - (no file)

HKLM-RunServices-Windows Loader - (no file)

HKLM-RunServices-Service Controller - (no file)

HKLM-RunServices-Ms Task - (no file)

HKLM-RunServices-Windows Explorer - (no file)

HKLM-RunServices-Mixer - (no file)

HKLM-RunServices-System Loaderap - (no file)

HKLM-RunServices-Norton Live Updater - (no file)

HKLM-RunServices-Windows Update Service - (no file)

HKLM-RunServices-Update - (no file)

HKLM-RunServices-Configuration Loading - (no file)

HKLM-RunServices-MS Config Stream - (no file)

HKLM-RunServices-Win Init - (no file)

HKLM-RunServices-Windows Startup - (no file)

HKLM-RunServices-WindowsFS - (no file)

 

 

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://www.google.fr/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local;<local>

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{0402343A-B530-482b-AA27-A61CEC3E4D2E} - {C30B6FCB-F8B0-4DD4-9207-AA4952BB3F52} - c:\program files\Core Services\Companion.JS\CompanionJS.dll

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.fr/scan_fr/scan8/oscan8.cab

FF - ProfilePath - c:\documents and settings\vprothais\Application Data\Mozilla\Firefox\Profiles\3ve174am.default\

FF - prefs.js: network.proxy.type - 2

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-25 15:15:21

Windows 5.1.2600 Service Pack 3 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

--------------------- DLLs chargées dans les processus actifs ---------------------

 

- - - - - - - > 'winlogon.exe'(700)

c:\program files\Bonjour\mdnsNSP.dll

c:\windows\system32\SftpDriveNP.dll

 

- - - - - - - > 'lsass.exe'(756)

c:\program files\Bonjour\mdnsNSP.dll

c:\windows\system32\EntApi.dll

.

Heure de fin: 2009-02-25 15:16:41

ComboFix-quarantined-files.txt 2009-02-25 14:16:28

 

Avant-CF: 23,422,197,760 octets libres

Après-CF: 23,486,189,568 octets libres

 

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

 

242 --- E O F --- 2009-02-11 10:51:55

[Falkra]

Ca va aller mieux, mais ce n'est pas fini.

 

• Ouvre le bloc notes. Copie-colle dedans le contenu de la boite code qui suit :
  

@echo off
echo.
echo  -=Extractions de la BdR=-
echo.

set cle=HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1173\Scripts\Logon
echo %cle%
regedit /E c:\reggM1.txt "%cle%"
echo  ------------->>c:\reggM1.txt

set cle=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
echo %cle%
regedit /E c:\reggM2.txt "%cle%"
echo  ------------->>c:\reggM2.txt

copy c:\reggM?.txt c:\regfile.txt>nul
del c:\reggM?.txt
notepad c:\regfile.txt
del c:\regfile.txt

• Sauvegarde cela sur le bureau en donnant comme nom lib.bat (pas d'extension texte donc).
  
• Le fichier va être créé avec une icône d'engrenage, place-le sur le bureau, double clique dessus et poste le rapport qui va s'afficher.
  

 

Ensuite on doit effacer aussi quelques fichiers.

[Vince1415]

Voici le rappport du Bat que tu m'as donné

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1173\Scripts\Logon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1173\Scripts\Logon\0]
"GPO-ID"="cn={0E1E644E-4396-4ED3-9BAF-F3C3CF267700},cn=policies,cn=system,DC=xerus,DC=net"
"SOM-ID"="OU=Metiers,DC=xerus,DC=net"
"FileSysPath"="\\\\xerus.net\\SysVol\\xerus.net\\Policies\\{0E1E644E-4396-4ED3-9BAF-F3C3CF267700}\\User"
"DisplayName"="filer"
"GPOName"="{0E1E644E-4396-4ED3-9BAF-F3C3CF267700}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1173\Scripts\Logon\0\0]
"Script"="rep_u.bat"
"Parameters"=""
"ExecTime"=hex(b):d8,07,02,00,05,00,0f,00,09,00,3a,00,12,00,e1,03

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1173\Scripts\Logon\1]
"GPO-ID"="CN={C062B780-709B-422C-B02D-4D1F6C78355B},CN=Policies,CN=System,DC=xerus,DC=net"
"SOM-ID"="OU=Sysadmin,OU=Metiers,DC=xerus,DC=net"
"FileSysPath"="\\\\xerus.net\\SysVol\\xerus.net\\Policies\\{C062B780-709B-422C-B02D-4D1F6C78355B}\\User"
"DisplayName"="rep_s"
"GPOName"="{C062B780-709B-422C-B02D-4D1F6C78355B}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229272821-484061587-725345543-1173\Scripts\Logon\1\0]
"Script"="rep_s.bat"
"Parameters"=""
"ExecTime"=hex(b):d8,07,02,00,05,00,0f,00,09,00,3a,00,16,00,e9,01

ⴠⴭⴭⴭⴭⴭⴭ਍Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:00000143
"NoDrives"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]

ⴠⴭⴭⴭⴭⴭⴭ਍

 

Il y a par contre des caractères non affichables dans le rapport, je en sais pas si cela est normal.

[Falkra]

C'est normal, pour les caractères, ça fait partie du rapport.

 

Télécharge OTMoveIt3 par OldTimer.

• Enregistre ce fichier sur le Bureau.
  
• Fais un double clic sur OTMoveIt3.exe pour lancer l'exécution de l'outil. (Note: Si tu utilises Vista, fais un clic droit sur le fichier puis choisir Exécuter en tant qu'administrateur).
  
• Copie les lignes de la zone "Code" ci-dessous dans le Presse-papiers en les sélectionnant toutes puis en appuyant simultanément sur les touches CTRL et C (ou, après les avoir sélectionnées, en faisant un clic droit puis en choisissant Copier):
  

  :processes
  explorer.exe 
  :files
  C:\zPharaoh.exe
  c:\autorun.inf
  
  :commands
  [zipfiles]
  [emptytemp]
  [start explorer]

  
  

• Retourne dans la fenêtre de OTMoveIt3, fais un clic droit dans la zone de gauche intitulée "Paste List Of Files/Folders to Move" (sous la barre jaune) puis choisir Coller.
  
• Clique sur le bouton rouge Moveit!.
  
• Ferme OTMoveIt3
  
• Poste dans ta prochaine réponse le rapport de OTMoveIt3 (contenu du fichier C:\_OTMoveIt\MovedFiles\********_******.log - les *** sont des chiffres représentant la date [moisjourannée] et l'heure)
  

Note: Si un fichier ou un dossier ne peut pas être déplacé immédiatement, un redémarrage sera peut-être nécessaire pour permettre de terminer le processus de déplacement. Si le redémarrage de la machine vous est demandé, choisir Oui/Yes.

[Vince1415]

Voici le rapport de OTMoveIt3, il est à noter que j'avais appliqué un "vaccin" à la racine de c: qui créer des fichiers vides contenant le nom des principales menaces afin d'éviter les problèmes comme autorun.inf, d'où la suppression dans le log

 

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\zPharaoh.exe moved successfully.
c:\autorun.inf moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6bc.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV1.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\wb.vx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\wb.vx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\wb.vx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\wb.vx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\wb.vx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\wb.vx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\wb.vx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\wb.vx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\adoc.bx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\md.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\url.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\w.ax scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\wb.vx scheduled to be deleted on reboot.
Opera cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02252009_154311

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_6bc.dat not found!
File move failed. C:\WINDOWS\temp\WFV1.tmp scheduled to be moved on reboot.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0009\wb.vx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0008\wb.vx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0007\wb.vx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0006\wb.vx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0005\wb.vx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0004\wb.vx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0002\wb.vx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0001\wb.vx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\adoc.bx moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\md.dat moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\url.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\w.ax moved successfully.
C:\Documents and Settings\vprothais\Local Settings\Application Data\Opera\Opera\Profile\vps\0000\wb.vx moved successfully.

Modifié le 25 février 2009 par Vince1415

[Falkra]

Ok, tu peux vacciner à nouveau alors, parce qu'il y avait aussi une bestiole dans le coin.

 

Après vaccination du C:\, affiche les fichiers cachés et les fichiers protégés :

http://www.libellules.ch/afficher_fichiers.php (mini tuto)

 

Branche ta clé USB et les autres supports amovibles, et voilà la suite.

 

Télécharge Malwarebytes' Anti-Malware (MBAM)

 

• Double clique sur le fichier téléchargé pour lancer le processus d'installation.
  
• Dans l'onglet "Mise à jour", clique sur le bouton "Recherche de mise à jour": si le pare-feu demande l'autorisation à MBAM de se connecter, accepte.
  
• Une fois la mise à jour terminée, rends-toi dans l'onglet "Recherche".
  
• Sélectionne "Exécuter un examen complet"
  
• Clique sur "Rechercher" et choisis les lettres de lecteurs des clés USB et autres supports amovibles + ton c:\
  
• L'analyse démarre, le scan est relativement long, c'est normal.
  
• A la fin de l'analyse, un message s'affiche :

  L'examen s'est terminé normalement. Clique sur 'Afficher les résultats' pour afficher tous les objets trouvés.

  Clique sur "Ok" pour poursuivre. Si MBAM n'a rien trouvé, il te le dira aussi.
  
• Ferme tes navigateurs.
  
• Si des malwares ont été détectés, clique sur Afficher les résultats.
  Sélectionne tout (ou laisse coché) et clique sur Supprimer la sélection, MBAM va détruire les fichiers et clés de registre et en mettre une copie dans la quarantaine.
  
• MBAM va ouvrir le Bloc-notes et y copier le rapport d'analyse. Copie-colle ce rapport et poste-le dans ta prochaine réponse.
  

 

NB : Si MBAM te demande à redémarrer, fais-le.

[Vince1415]

Voici le rapport de mbam, j'ai redémarré pour la suppression du fichier C:\zPharaoh.exe

Il y a déjà un net progrès j'ai pu installer le soft, ce que je ne pouvais pas faire avant

 

Malwarebytes' Anti-Malware 1.34
Version de la base de données: 1801
Windows 5.1.2600 Service Pack 3

2009-02-25 16:07:22
mbam-log-2009-02-25 (16-07-22).txt

Type de recherche: Examen rapide
Eléments examinés: 80921
Temps écoulé: 2 minute(s), 3 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 2

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\zPharaoh.exe (Worm.Mabezat) -> Delete on reboot.

[Falkra]

Ca va aller mieux.

 

Poste un nouveau rapport HijackThis stp.