[Résolu] Mon PC est infecté et le rapport HijackThis ne s'ouvre pas

speck41 · le 12 juillet 2009

Bonjour, j'ai des fenêtres web qui s'ouvrent toutes seule, même lorsqu'il n'y a aucune activité sur mon ordinateur.

J'ai une connexion internet par câble et je ne voudrais pas que quelqu'un utilise ma bande passante.....

Alors, j'ai commencé la procédure de pré désinfection et lorsque j'arrive à:

- Redémarrer le PC en mode normal

- installation et utilisation d'HijackThis

-- créer un nouveau dossier à la racine de C:\Program Files\HijackThis (double clic sur poste de travail/double clic sur l'icone de C/double clic sur le répertoire Program Files/clic droit dans la fenêtre, choisir nouveau dossier et le nommer HijackThis) ; dézipper le programme précédemment téléchargé lors de la phase 1 dans ce nouveau dossier HijackThis, créer un raccourci sur le bureau.

Important: surtout, ne pas créer ce dossier HijackThis dans un répertoire temporaire

-- arrêter tous les programmes en cours et fermer toutes les fenêtres

-- lancer HijackThis à l'aide du raccourci et cliquer sur le bouton "Do a system scan and save a logfile"

-- le rapport HijackThis (fichier log) va être enregistré dans C:\Program Files\HijackThis (penser à ajouter un chiffre à la suite du nom du rapport si vous voulez conserver un historique de vos rapports ex : HijackThis 1, HijackThis 2...)

HijackThis ne s'ouvre pas........

Je suis bloqué là, quelqu'un peut m'aider? Je me suis déjà servis de HijackThis et tout avait bien été.

Merci

Speck41

Je vous joins le rapport de AntiVir:

Avira AntiVir Personal

Report file date: 12 juillet 2009 12:24

Scanning for 1515293 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Save mode

Username : Famille Kelly Begin

Computer name : ORDISALON

Version information:

BUILD.DAT : 9.0.0.403 17961 Bytes 03/06/2009 17:05:00

AVSCAN.EXE : 9.0.3.6 466689 Bytes 11/05/2009 14:14:47

AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 15:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 16:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 15:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 17:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 16:16:23

ANTIVIR2.VDF : 7.1.4.198 778752 Bytes 08/07/2009 16:16:26

ANTIVIR3.VDF : 7.1.4.220 504320 Bytes 11/07/2009 16:16:28

Engineversion : 8.2.0.204

AEVDF.DLL : 8.1.1.1 106868 Bytes 30/04/2009 16:52:04

AESCRIPT.DLL : 8.1.2.13 426362 Bytes 12/07/2009 16:16:35

AESCN.DLL : 8.1.2.3 127347 Bytes 14/05/2009 16:02:01

AERDL.DLL : 8.1.2.2 438642 Bytes 12/07/2009 16:16:34

AEPACK.DLL : 8.1.3.18 401783 Bytes 27/05/2009 21:07:20

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 12/07/2009 16:16:33

AEHEUR.DLL : 8.1.0.137 1823095 Bytes 12/07/2009 16:16:32

AEHELP.DLL : 8.1.3.6 205174 Bytes 12/07/2009 16:16:30

AEGEN.DLL : 8.1.1.48 348532 Bytes 12/07/2009 16:16:29

AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 19:32:40

AECORE.DLL : 8.1.6.12 180599 Bytes 27/05/2009 21:07:20

AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 19:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 15:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 19:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 15:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 20:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 15:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 20:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 13:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 15:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 20:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 15:19:48

Configuration settings for the scan:

Jobname.............................: Local Drives

Configuration file..................: c:\program files\avira\antivir desktop\alldrives.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, A:, E:, F:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Deviating archive types.............: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: 12 juillet 2009 12:24

The scan of running processes will be started

Scan process 'taskmgr.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

12 processes with 12 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Boot sector 'D:\'

[iNFO] No virus was found!

Boot sector 'A:\'

[iNFO] In the drive 'A:\' no data medium is inserted!

Starting to scan executable files (registry).

The registry was scanned ( '46' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O5WFQ781\promote[1].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[1].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[2].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[3].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[4].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[5].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[6].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[7].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[8].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[9].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SN6TG18N\468_60[1].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

Begin scan in 'D:\'

D:\Mes documents\Denis Leveques\CN_Europe_NT_2010.1_FULL_Unlocked_\CN_Europe_NT_2010.1_FULL_Unlocked_.zip

[0] Archive type: ZIP

--> CN_Europe_NT_2010.1_Unlocked/GMAPPROM.IMG

[WARNING] The file could not be written!

D:\Sauvegarde Temp Dossiers\EXE\cluster 1001109.EXE

[0] Archive type: NSIS

--> /goodchroma.jpg

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1001893.EXE

[0] Archive type: NSIS

--> /goodchroma.jpg

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1005714.EXE

[0] Archive type: NSIS

--> Normal/alnav_arrowsbg.bmp

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1006447.EXE

[0] Archive type: NSIS

--> Normal/alnav_arrowsbg.bmp

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1007180.EXE

[0] Archive type: NSIS

--> Normal/alnav_arrowsbg.bmp

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1008641.EXE

[0] Archive type: NSIS

--> ProgramFilesDir/[PluginsDir]/LangDLL.dll

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1010071.EXE

[0] Archive type: NSIS

--> /histogram_modestereo.gif

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1010764.EXE

[0] Archive type: NSIS

--> /histogram_modestereo.gif

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1017325.EXE

[0] Archive type: NSIS

--> [ProgramFilesDir]/Visicom Media/FTP Expert 3/license.txt

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1028854.EXE

[0] Archive type: NSIS

--> Settings/QuickList.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1029280.EXE

[0] Archive type: NSIS

--> Settings/QuickList.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1029706.EXE

[0] Archive type: NSIS

--> Settings/QuickList.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1030132.EXE

[0] Archive type: NSIS

--> Settings/QuickList.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1030558.EXE

[0] Archive type: NSIS

--> Settings/QuickList.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1030984.EXE

[0] Archive type: NSIS

--> Settings/QuickList.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1031410.EXE

[0] Archive type: NSIS

--> Settings/QuickList.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1318368.EXE

[0] Archive type: NSIS

--> /goodchroma.jpg

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1319892.EXE

[0] Archive type: NSIS

--> Normal/alnav_arrowsbg.bmp

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1320625.EXE

[0] Archive type: NSIS

--> Normal/alnav_arrowsbg.bmp

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 1327046.EXE

[0] Archive type: NSIS

--> Settings/QuickList.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 2845944.EXE

[0] Archive type: CAB SFX (self extracting)

--> \@promt Professional 7 readme.txt

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 28552.EXE

[0] Archive type: NSIS

--> ProgramFilesDir/libaccess_output_udp_plugin.dll

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 2978547.EXE

[0] Archive type: CAB SFX (self extracting)

--> \kis.en.msi

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 3068547.EXE

[0] Archive type: NSIS

--> ProgramFilesDir/[installDir]/Resources/Devices/PA.jar

[WARNING] The file could not be written!

D:\Sauvegarde Temp Dossiers\EXE\cluster 33880.EXE

[0] Archive type: NSIS

--> [PluginsDir]/modern-wizard.bmp

[WARNING] No further files can be extracted from this archive. The archive will be closed

D:\Sauvegarde Temp Dossiers\EXE\cluster 413940.EXE

[0] Archive type: CAB SFX (self extracting)

--> \0x0407.ini

[WARNING] No further files can be extracted from this archive. The archive will be closed

Begin scan in 'A:\'

Search path A:\ could not be opened!

System error [21]: Le périphérique n'est pas prêt.

Begin scan in 'E:\'

Search path E:\ could not be opened!

System error [21]: Le périphérique n'est pas prêt.

Begin scan in 'F:\'

Search path F:\ could not be opened!

System error [21]: Le périphérique n'est pas prêt.

Beginning disinfection:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O5WFQ781\promote[1].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '4ac94d63.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[1].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '4b68fc04.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[2].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '4b69e4fc.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[3].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '4b6a8d94.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[4].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '4b6d85dc.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[5].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '49e6231c.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[6].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '49f93b24.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[7].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '49f8336c.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[8].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '49fbc8b4.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S3ILGZK1\promote[9].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '49fac0fc.qua'!

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SN6TG18N\468_60[1].htm

[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

[NOTE] The file was moved to '4a924d27.qua'!

End of the scan: 12 juillet 2009 16:52

Used time: 2:29:52 Hour(s)

The scan has been done completely.

8350 Scanned directories

326161 Files were scanned

11 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

11 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

326149 Files not concerned

2604 Archives were scanned

55 Warnings

12 Notes

Modifié le 3 août 2009 par speck41

Falkra · le 12 juillet 2009

Bonsoir,

voici de quoi commencer.

Télécharge ATF Cleaner (clique) par Atribune.

Double-clique sur ATF-Cleaner.exe pour lancer le programme.
Sous l'onglet Main, choisis : Select All
Clique sur le bouton Empty Selected

Si tu utilises le navigateur Firefox :

Clique sur Firefox en haut et choisis : Select All
Clique le bouton Empty Selected
NOTE : Si tu veux conserver tes mots de passe sauvegardés, clique sur No à l'invite.

Si tu utilises le navigateur Opera :

Clique Opera en haut et choisis : Select All
Clique sur le bouton Empty Selected
NOTE : Si tu veux conserver tes mots de passe sauvegardés, clique No à l'invite.

Clique sur Exit, dans le menu principal, pour quitter le programme.

----------

HijackThis ne s'ouvre pas, est-ce qu'il y a un message d'erreur ?

speck41 · le 12 juillet 2009

Bonjour Falkra, merci de prendre mes problèmes en charge.

Il n'y a aucun message d'erreur lorsque j'essais d'ouvrir HijackThis, même que Malwarebytes' Anti-Malware ne s'ouvre pas non plus, je n'y comprends rien. ATF cleaner fonctionne et je l'utilise déjà plusieurs fois par semaine.

Merci

Speck41

Falkra · le 13 juillet 2009

Ok, pas de problème.

Le logiciel qui suit n'est à utiliser que prescrit par un helper qualifié et formé à l'outil.

Ne pas utiliser en dehors de ce cas de figure ou seul : dangereux.

Télécharge combofix.exe de sUBs et sauvegarde le sur ton bureau (et pas ailleurs).

Assure toi que tous les programmes sont fermés avant de commencer.
Désactive l'antivirus, sinon combofix va te mettre un message (sinon, dis ok au message).
Double-clique combofix.exe afin de l'exécuter.
Clique sur "Oui" au message de Limitation de Garantie qui s'affiche.
Si on te propose de redémarrer parc qu'un rootkit a été trouvé, fais-le.
On va te proposer de télécharger et installer la console de récupération, clique sur "Oui" au message, autorise le téléchargement dans ton firewall si demandé, puis accepte le message de contrat utilisateur final.
Le bureau disparaît, c'est normal, et il va revenir.
Ne ferme pas la fenêtre qui s'ouvre, tu te retrouverais avec un bureau vide.
Lorsque l'analyse sera terminée, un rapport apparaîtra.
Copie-colle ce rapport dans ta prochaine réponse.
Le rapport se trouve dans : C:\Combofix.txt (si jamais).

speck41 · le 13 juillet 2009

Voici le log demandé:

ComboFix 09-07-13.01 - Famille Kelly Begin 2009-07-13 17:20.1.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.510.255 [GMT -4:00]

Running from: c:\documents and settings\Famille Kelly Begin\Bureau\combofix\pouet.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Installer\19a45fd.msi

c:\windows\Installer\896881.msi

c:\windows\Installer\89688a.msi

c:\windows\Installer\c3a088.msi

c:\windows\Installer\c3a08e.msi

c:\windows\Installer\c3a094.msi

c:\windows\Installer\c3a09a.msi

c:\windows\Installer\c3a0a0.msi

c:\windows\Installer\c3a0a6.msi

c:\windows\Installer\c3a0b3.msi

c:\windows\Installer\c3a0b9.msi

c:\windows\Installer\c3a0c3.msi

c:\windows\Installer\c3a0df.msi

c:\windows\Installer\c3a115.msi

c:\windows\Installer\c3a11b.msi

c:\windows\Installer\c3a121.msi

c:\windows\Installer\c3a12d.msi

c:\windows\Installer\c3a134.msi

c:\windows\Installer\d8d065.msi

c:\windows\jestertb.dll

c:\windows\system32\_000111_.tmp.dll

c:\windows\system32\_000112_.tmp.dll

c:\windows\system32\_000113_.tmp.dll

c:\windows\system32\_007686_.tmp.dll

c:\windows\system32\_007687_.tmp.dll

c:\windows\system32\_007688_.tmp.dll

c:\windows\system32\_007689_.tmp.dll

c:\windows\system32\_007696_.tmp.dll

c:\windows\system32\_007697_.tmp.dll

c:\windows\system32\_007698_.tmp.dll

c:\windows\system32\_007700_.tmp.dll

c:\windows\system32\_007701_.tmp.dll

c:\windows\system32\_007704_.tmp.dll

c:\windows\system32\_007705_.tmp.dll

c:\windows\system32\_007707_.tmp.dll

c:\windows\system32\_007708_.tmp.dll

c:\windows\system32\_007709_.tmp.dll

c:\windows\system32\_007711_.tmp.dll

c:\windows\system32\_007712_.tmp.dll

c:\windows\system32\_007714_.tmp.dll

c:\windows\system32\_007715_.tmp.dll

c:\windows\system32\_007719_.tmp.dll

c:\windows\system32\_007720_.tmp.dll

c:\windows\system32\_007722_.tmp.dll

c:\windows\system32\_007725_.tmp.dll

c:\windows\system32\_007727_.tmp.dll

c:\windows\system32\_007728_.tmp.dll

c:\windows\system32\_007729_.tmp.dll

c:\windows\system32\_007730_.tmp.dll

c:\windows\system32\_007733_.tmp.dll

c:\windows\system32\_007734_.tmp.dll

c:\windows\system32\_007735_.tmp.dll

c:\windows\system32\_007736_.tmp.dll

c:\windows\system32\_007737_.tmp.dll

c:\windows\system32\_007742_.tmp.dll

c:\windows\system32\_007744_.tmp.dll

c:\windows\system32\drivers\MSIVXdsgvbvmaivemhhifvowwtqhgajplxaij.sys

c:\windows\system32\mfc45.dll

c:\windows\system32\MSIVXcount

c:\windows\system32\MSIVXdkdlnvkmwusdiawfetfyrtmqfamxnbbu.dll

c:\windows\system32\MSIVXpdcgypaiaaquoiraromimexugxwjkkah.dll

c:\windows\system32\tmp.reg

c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_MSIVXserv.sys

-------\Legacy_NPF

-------\Legacy_PERFMONS

-------\Service_gaopdxserv.sys

((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))

.

2009-07-12 16:01 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-07-12 16:01 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-07-12 16:01 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-07-12 16:01 . 2009-07-12 16:01 -------- d-----w- c:\program files\Avira

2009-07-12 16:01 . 2009-07-12 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-07-12 14:59 . 2009-02-11 14:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-12 14:59 . 2009-02-11 14:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-12 14:20 . 2009-07-12 14:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-07-12 12:45 . 2009-07-12 12:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-07-12 12:45 . 2009-07-12 12:45 -------- d-----w- c:\program files\AlfaVid

2009-07-08 23:35 . 2009-07-08 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-07-02 00:45 . 2002-12-10 07:20 102439 ----a-w- c:\windows\system32\sipr3260.dll

2009-07-02 00:45 . 2007-03-19 01:37 65602 ----a-w- c:\windows\system32\cook3260.dll

2009-07-02 00:45 . 2006-05-20 21:16 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll

2009-07-02 00:45 . 2006-05-12 00:21 626688 ----a-w- c:\windows\system32\vp7vfw.dll

2009-06-29 23:30 . 2009-06-29 23:30 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\Intuit Canada

2009-06-28 18:21 . 2009-06-28 18:21 -------- d-----w- c:\program files\Verbatim

2009-06-27 22:52 . 2009-07-09 00:56 -------- d-----w- c:\program files\Microsoft Works

2009-06-27 22:47 . 2009-06-27 22:47 -------- d-----w- c:\program files\Microsoft.NET

2009-06-27 22:34 . 2009-06-27 22:34 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-06-27 22:31 . 2009-06-27 22:31 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Local Settings\Application Data\Microsoft Help

2009-06-27 22:31 . 2009-07-09 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-27 22:27 . 2009-06-27 22:27 -------- d--h--r- C:\MSOCache

2009-06-21 13:47 . 2009-03-27 05:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys

2009-06-20 18:59 . 2009-07-02 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2009-06-20 17:58 . 2009-07-03 10:39 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\Vso

2009-06-20 17:35 . 2009-06-20 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft

2009-06-18 23:37 . 2009-06-18 23:37 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\Desktopicon

2009-06-18 22:49 . 2009-06-18 22:49 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\Adobe

2009-06-18 22:49 . 2009-06-18 22:49 -------- d-sh--w- c:\documents and settings\Administrateur\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-10 23:51 . 2008-01-27 20:12 77352 ----a-w- c:\documents and settings\Famille Kelly Begin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-02 00:45 . 2008-02-25 14:23 -------- d-----w- c:\program files\vso

2009-07-02 00:44 . 2009-04-23 01:30 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\uTorrent

2009-06-30 14:52 . 2009-05-06 23:30 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\Winamp

2009-06-29 15:11 . 2001-08-28 12:00 86074 ----a-w- c:\windows\system32\perfc00C.dat

2009-06-29 15:11 . 2001-08-28 12:00 513046 ----a-w- c:\windows\system32\perfh00C.dat

2009-06-27 22:51 . 2008-02-10 15:38 -------- d-----w- c:\program files\MSBuild

2009-06-12 16:10 . 2009-01-11 14:06 -------- d-----w- c:\program files\Windows Desktop Search

2009-06-02 14:05 . 2009-06-02 14:04 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\PhotoFiltre Studio X

2009-05-30 19:47 . 2009-05-30 19:47 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\U3

2009-05-28 02:11 . 2009-05-23 13:28 -------- d-----w- c:\program files\ma-config.com

2009-05-28 02:11 . 2009-05-23 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ma-config.com

2009-05-26 23:33 . 2009-05-26 23:33 -------- d-----w- c:\program files\Virtual Earth 3D

2009-05-23 13:19 . 2009-05-23 13:19 -------- d-----w- c:\program files\SystemRequirementsLab

2009-05-23 13:19 . 2009-05-23 13:19 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\SystemRequirementsLab

2009-05-23 13:19 . 2009-05-23 13:19 207872 ----a-w- c:\documents and settings\Famille Kelly Begin\Application Data\SystemRequirementsLab\SRLProxy_ind_4.dll

2009-05-23 13:19 . 2009-05-23 13:19 207872 ----a-w- c:\documents and settings\Famille Kelly Begin\Application Data\SystemRequirementsLab\SRLProxy_ind_3.dll

2009-05-23 13:19 . 2009-05-23 13:19 207872 ----a-w- c:\documents and settings\Famille Kelly Begin\Application Data\SystemRequirementsLab\SRLProxy_ind_2.dll

2009-05-23 13:19 . 2009-05-23 13:19 207872 ----a-w- c:\documents and settings\Famille Kelly Begin\Application Data\SystemRequirementsLab\SRLProxy_ind_1.dll

2009-05-18 20:56 . 2008-02-01 08:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-05-18 16:38 . 2009-05-18 16:38 -------- d-----w- c:\documents and settings\Famille Kelly Begin\Application Data\Visicom Media

2009-05-13 05:04 . 2004-08-19 20:09 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-12 19:12 . 2008-01-27 20:19 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2009-05-10 16:12 . 2009-05-10 04:33 9022288 ----a-w- c:\documents and settings\Famille Kelly Begin\Application Data\TomTom\HOME\Profiles\zu927ey9.default\extensions\Navcore.8.010.9369@tomtom.com\8-010-9369-1.dll

2009-05-07 15:33 . 2008-07-29 16:52 348672 ----a-w- c:\windows\system32\localspl.dll

2009-04-27 23:59 . 2009-04-27 23:59 152576 ----a-w- c:\documents and settings\Famille Kelly Begin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-04-19 19:50 . 2008-07-29 16:52 1847296 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:53 . 2004-08-19 20:09 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2009-06-12 16:00 . 2009-02-12 14:08 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76A20DB7-AAD4-4EFD-AE21-57811E5E49E4}]

2009-03-30 23:41 1265664 ----a-w- d:\program files\La barre d'outils AIR MILES\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{DC7A75BF-581D-4675-BDCB-D1B35116EB49}"= "d:\program files\La barre d'outils AIR MILES\Toolbar.dll" [2009-03-30 1265664]

[HKEY_CLASSES_ROOT\clsid\{dc7a75bf-581d-4675-bdcb-d1b35116eb49}]

[HKEY_CLASSES_ROOT\FCTB000058373.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{2BA36896-D5E2-425B-85E8-F664D1EA6896}]

[HKEY_CLASSES_ROOT\FCTB000058373.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{DC7A75BF-581D-4675-BDCB-D1B35116EB49}"= "d:\program files\La barre d'outils AIR MILES\Toolbar.dll" [2009-03-30 1265664]

[HKEY_CLASSES_ROOT\clsid\{dc7a75bf-581d-4675-bdcb-d1b35116eb49}]

[HKEY_CLASSES_ROOT\FCTB000058373.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{2BA36896-D5E2-425B-85E8-F664D1EA6896}]

[HKEY_CLASSES_ROOT\FCTB000058373.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"TomTomHOME.exe"="d:\program files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]

"Google Update"="c:\documents and settings\Famille Kelly Begin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104]

"WeatherEye"="d:\program files\MétéoMédia\MétéoÉclair\WeatherEye.exe" [2009-01-16 4519832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nmctxth"="c:\program files\Fichiers communs\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"nmapp"="c:\program files\Network Magic\nmapp.exe" [2009-02-03 451896]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf d:\program files\iolo\System Mechanic 4"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^WordQCRS.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\WordQCRS.lnk

backup=c:\windows\pss\WordQCRS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Famille Kelly Begin^Menu Démarrer^Programmes^Démarrage^Outil de notification Live Search.lnk]

path=c:\documents and settings\Famille Kelly Begin\Menu Démarrer\Programmes\Démarrage\Outil de notification Live Search.lnk

backup=c:\windows\pss\Outil de notification Live Search.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"Easy-PrintToolBox"=c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\mIRC\\mirc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"d:\\Program Files\\Shareaza\\Shareaza.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Famille Kelly Begin\\Bureau\\Le Bureau\\B- Raccourcis du Bureau\\P2P\\utorrent_343_utorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [2008-02-03 19478]

R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [2008-02-03 635012]

R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [2008-02-03 431236]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-07-12 108289]

R2 DLPORTIO;DLPORTIO;c:\windows\DLPORTIO.sys [2008-02-08 3584]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-08-09 596336]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-08-09 596336]

R2 LF30FS;LF30FS;d:\program files\Lock Folder XP 3.6\LF30XP.sys [2004-11-19 101488]

R2 TomTomHOMEService;TomTomHOMEService;d:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-04-08 92008]

S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\docume~1\FAMILL~1\LOCALS~1\Temp\AVSETUP_4a5a05d9\basic\avupgsvc.exe" /TEMPSTART:""c:\docume~1\FAMILL~1\LOCALS~1\Temp\AVSETUP_4a5a05d9\basic\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> c:\docume~1\FAMILL~1\LOCALS~1\Temp\AVSETUP_4a5a05d9\basic\avupgsvc.exe [?]

S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-06-21 12672]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-04-27 33176]

S3 iAimFP8;iAimFP8;c:\windows\system32\drivers\wADV11NT.sys [2008-01-27 11935]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1614895754-1801674531-1003Core.job

- c:\documents and settings\Famille Kelly Begin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 02:20]

2009-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1614895754-1801674531-1003UA.job

- c:\documents and settings\Famille Kelly Begin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 02:20]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.evolutionsynchro.123.fr/

mWindow Title =

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: live.com\maps

Handler: intu-ir2008 - {729D3592-92E7-4cbc-8E44-3C22B3F457B3} - c:\program files\ImpotRapide 2008\ic2008pp.dll

FF - ProfilePath - c:\documents and settings\Famille Kelly Begin\Application Data\Mozilla\Firefox\Profiles\vws7tw35.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.evolutionsynchro.123.fr/|http://www.google.ca/|http://www.infofestival.com/index.php?lang=fr

FF - plugin: c:\documents and settings\Famille Kelly Begin\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-13 17:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,95,93,14,49,7d,ed,42,9a,5a,7b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,95,93,14,49,7d,ed,42,9a,5a,7b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,e5,8b,83,c6,cc,

39,30,f7,c8,28,51,af,b0,29,a3,98,e6,cf,6b,13,df,bd,3e,9b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,c7,8f,6f,f4,69,

d2,0e,2f,71,3b,04,66,8b,46,0d,96,cc,d8,e6,f9,aa,e7,0d,3c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,b2,f8,ad,e8,dd,

82,f1,3b,25,da,ec,7e,55,20,c9,26,e4,1b,f7,c1,ac,ae,96,fd,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,d9,c3,39,0b,79,

63,15,38,3e,1e,9e,e0,57,5a,93,61,88,0c,f1,ca,b0,70,61,29,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,5e,cd,c9,2e,05,

63,9f,48,cd,44,cd,b9,a6,33,6c,cd,be,0b,8e,fa,af,17,3d,df,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,da,9a,29,b4,0b,

fd,d1,84,b0,18,ed,a7,3f,8d,37,a4,a7,a1,3c,bd,e7,ba,d4,b3,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,9f,af,e3,43,d9,

dd,9d,b7,31,77,e1,ba,b1,f8,68,02,71,48,9a,36,6c,59,3a,23,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,71,52,de,ad,21,

65,da,26,83,6c,56,8b,a0,85,96,ab,1e,28,26,a0,60,aa,0e,6f,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,08,d2,47,51,6f,

57,16,bc,51,fa,6e,91,28,9e,14,cc,a8,b8,09,85,e6,b4,d9,2f,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,2f,b1,15,be,b3,

68,16,56,b1,cd,45,5a,a8,c4,f8,b9,bc,1c,2c,35,49,ba,37,44,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2b,eb,f8,86,0f,

48,34,f5,e3,0e,66,d5,eb,bc,2f,6b,9d,31,91,62,57,16,41,61,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,f6,b0,be,c3,14,

4e,e6,16,fa,ea,66,7f,d4,3b,6b,70,7e,10,6d,13,5e,27,a7,5d,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1720)

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

c:\program files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\program files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.FRA

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Nero\InCD\InCDsrv.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\WebUpdateSvc.exe

c:\program files\Fichiers communs\Pure Networks Shared\Platform\nmsrvc.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Completion time: 2009-07-13 17:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-13 21:49

Pre-Run: 980 082 688 octets libres

Post-Run: 869 060 608 octets libres

344 --- E O F --- 2009-07-09 01:34

Merci, j'attends de vos nouvelles.

Speck41

Falkra · le 13 juillet 2009

Très vilaines bestioles.

Tu n'as pas laissé la console de récupération s'installer ! Laisse-la faire au prochain passage si on en fait un.

Poste un nouveau rapport HijackThis stp.

Ca tourne mieux en principe là, déjà.

On n'a pas fini.

speck41 · le 13 juillet 2009

Bonjour,

"Tu n'as pas laissé la console de récupération s'installer ! Laisse-la faire au prochain passage si on en fait un."

Je ne crois pas avoir rien fais pour l'empêcher de s'installer.

Voici le log demandé:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:18:24, on 2009-07-13

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\Program Files\Nero\InCD\InCDsrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\WebUpdateSvc.exe

C:\Program Files\Fichiers communs\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Fichiers communs\Pure Networks Shared\Platform\nmctxth.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Network Magic\nmapp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\Program Files\TomTom HOME 2\HOMERunner.exe

D:\Program Files\MétéoMédia\MétéoÉclair\WeatherEye.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evolutionsynchro.123.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: FCTBPos00Pos - {76A20DB7-AAD4-4EFD-AE21-57811E5E49E4} - D:\Program Files\La barre d'outils AIR MILES\Toolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: La barre d'outils AIR MILES - {DC7A75BF-581D-4675-BDCB-D1B35116EB49} - D:\Program Files\La barre d'outils AIR MILES\Toolbar.dll

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Fichiers communs\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [TomTomHOME.exe] "D:\Program Files\TomTom HOME 2\HOMERunner.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Famille Kelly Begin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\MétéoMédia\MétéoÉclair\WeatherEye.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O15 - Trusted Zone: http://maps.live.com

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-CA/a-UNO1/GAME_UNO1.cab

O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - D:\Program Files\ImpotRapide 2007\ic2007pp.dll (file missing)

O18 - Protocol: intu-ir2008 - {729D3592-92E7-4CBC-8E44-3C22B3F457B3} - C:\Program Files\ImpotRapide 2008\ic2008pp.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\FAMILL~1\LOCALS~1\Temp\AVSETUP_4a5a05d9\basic\avupgsvc.exe (file missing)

O23 - Service: Service Bonjour (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Nero\InCD\InCDsrv.exe

O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - D:\Program Files\Network Magic\WebServer\bin\nmraapache.exe (file missing)

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Fichiers communs\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: TomTomHOMEService - TomTom - D:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

O23 - Service: Service Messenger Sharing Folders USN Journal Reader (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)

O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe

O23 - Service: Windows Search (WSearch) - Unknown owner - C:\WINDOWS\system32\SearchIndexer.exe (file missing)

--

End of file - 8055 bytes

Merci

Speck41

Falkra · le 14 juillet 2009

Relance HijackThis, clique sur "Do a system scan only" puis coche ceci et clique sur le bouton "Fix checked", en bas à gauche :

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)

O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\FAMILL~1\LOCALS~1\Temp\AVSETUP_4a5a05d9\basic\avupgsvc.exe (file missing)

O23 - Service: Service Bonjour (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

Si windows updates ne fonctionne plus, utilise cette commande dans menu démarrer, exécuter :

netsh winhttp reset proxy

speck41 · le 14 juillet 2009

Bonjour, j'ai fais ce que tu demandais et refais un scan que je te post ici. D'autres choses à faire ?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 06:02:09, on 2009-07-14

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\Program Files\Nero\InCD\InCDsrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\WebUpdateSvc.exe

C:\Program Files\Fichiers communs\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Fichiers communs\Pure Networks Shared\Platform\nmctxth.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Network Magic\nmapp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\Program Files\TomTom HOME 2\HOMERunner.exe

D:\Program Files\MétéoMédia\MétéoÉclair\WeatherEye.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe