
Posted

Hello everyone.

Following Did71's message, here is the Look2Me-Destroyer report:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 30/03/2006 19:04:05

Infected! C:\WINDOWS\system32\e402ledo1h0c.dll
Infected! C:\WINDOWS\system32\k6260gfse6260.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000034.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000131.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000165.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000171.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000216.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000217.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000218.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000219.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000220.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000221.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000222.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000223.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000224.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000256.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000277.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000281.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000345.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000357.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000361.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000373.dll
Infected! C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000380.dll
Infected! C:\WINDOWS\system32\Abdiodev.dll
Infected! C:\WINDOWS\system32\j0j6la1s1d.dll
Infected! C:\WINDOWS\system32\k6260gfse6260.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\k6260gfse6260.dll
C:\WINDOWS\system32\k6260gfse6260.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000034.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000034.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000131.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000131.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000165.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000165.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000171.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000171.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000216.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000216.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000217.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000217.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000218.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000218.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000219.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000219.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000220.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000220.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000221.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000221.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000222.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000222.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000223.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000223.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000224.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000224.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000256.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000256.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000277.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000277.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000281.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000281.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000345.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000345.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000357.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000357.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000361.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000361.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000373.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000373.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000380.dll
C:\System Volume Information\_restore{7C361FAB-4DEE-4C40-9ED4-926BD19870D6}\RP1\A0000380.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\Abdiodev.dll
C:\WINDOWS\system32\Abdiodev.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j0j6la1s1d.dll
C:\WINDOWS\system32\j0j6la1s1d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k6260gfse6260.dll
C:\WINDOWS\system32\k6260gfse6260.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{145E358F-C52E-40D6-A1DE-CBD6F24C2399}"
HKCR\Clsid\{145E358F-C52E-40D6-A1DE-CBD6F24C2399}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B84BF2F5-6841-4D62-AA5C-BF7998105B97}"
HKCR\Clsid\{B84BF2F5-6841-4D62-AA5C-BF7998105B97}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{47BB5488-5FF5-4146-8602-67BE05B34FB7}"
HKCR\Clsid\{47BB5488-5FF5-4146-8602-67BE05B34FB7}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrateurs - Succeeded

And here is the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 19:12:57, on 30/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\yhsjfvt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ebgqvvmd.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\pmnnk.dll
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\System32\pmnlj.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [bh1sobfs] C:\WINDOWS\System32\bh1sobfs.exe
O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\Run: [bxmon] rundll32.exe C:\WINDOWS\System32\bxmon.dll,start
O4 - HKLM\..\Run: [AdobeReaderPro] winzip.exe
O4 - HKLM\..\Run: [Realtek Sound Manager] yhsjfvt.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinFix service] ebgqvvmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [sysctl32] sysctl.exe
O4 - HKLM\..\RunServices: [AdobeReaderPro] winzip.exe
O4 - HKLM\..\RunServices: [Realtek Sound Manager] yhsjfvt.exe
O4 - HKLM\..\RunServices: [WinFix service] ebgqvvmd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O20 - Winlogon Notify: Mixer - sndmixex.dll (file missing)
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\System32\pmnlj.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\SYSTEM32\pmnnk.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0FORFJJTkUgQ0hBU1NBR05F\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: sysec(sysec) (sysec) - Unknown owner - C:\WINDOWS\system32\systsec.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)

However, AntiVir keeps finding the pmnnk.dll virus. It keeps coming back, even though AntiVir prompts to delete it.

Thank you all very much for your help.

See you later

Posted

Hi again,

Download VundoFix.exe (by Atribune) to your Desktop:

http://www.atribune.org/public-beta/VundoFix.exe

* Double-click VundoFix.exe to launch it.
* Click the Scan for Vundo button.
* When the scan is complete, click the Remove Vundo button.
* A prompt will ask whether you want to delete the files; click YES.
* After clicking "Yes", the Desktop will disappear for a moment while the files are deleted.
* You will see a prompt telling you that your PC is going to shut down; click OK.
* Start your PC again.
* Copy/paste the contents of the report located at C:\vundofix.txt, along with a new HijackThis log, in your next reply.

See you later

Posted

Hello again Did71

Here is the VundoFix report:

VundoFix V4.2.42

Checking Java version...

Sun Java not detected
Scan started at 19:39:46 30/03/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnnk.dll
C:\WINDOWS\System32\pmnlj.dll
C:\WINDOWS\System32\jlnmp.ini
C:\WINDOWS\System32\jlnmp.bak1
C:\WINDOWS\System32\jlnmp.bak2
C:\WINDOWS\System32\jlnmp.tmp
C:\WINDOWS\System32\pmnnk.dll


VundoFix V4.2.42

Checking Java version...

Sun Java not detected
Scan started at 19:39:59 30/03/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnnk.dll
C:\WINDOWS\System32\pmnlj.dll
C:\WINDOWS\System32\jlnmp.ini
C:\WINDOWS\System32\jlnmp.bak1
C:\WINDOWS\System32\jlnmp.bak2
C:\WINDOWS\System32\pmnnk.dll

C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\pmnlj.dll
No infected files were found.


VundoFix V4.2.42

Checking Java version...

Sun Java not detected
Scan started at 19:43:04 30/03/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnnk.dll
C:\WINDOWS\System32\pmnlj.dll
C:\WINDOWS\System32\jlnmp.ini
C:\WINDOWS\System32\jlnmp.bak1
C:\WINDOWS\System32\jlnmp.bak2
C:\WINDOWS\System32\pmnnk.dll

C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\pmnlj.dll
Attempting to delete C:\WINDOWS\System32\pmnnk.dll
C:\WINDOWS\System32\pmnnk.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\pmnlj.dll
C:\WINDOWS\System32\pmnlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\jlnmp.ini
C:\WINDOWS\System32\jlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\jlnmp.bak1
C:\WINDOWS\System32\jlnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\jlnmp.bak2
C:\WINDOWS\System32\jlnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\pmnnk.dll
C:\WINDOWS\System32\pmnnk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Apparently it cannot delete pmnnk.dll.

And here is the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 19:47:19, on 30/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\yhsjfvt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\ebgqvvmd.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [bh1sobfs] C:\WINDOWS\System32\bh1sobfs.exe
O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\Run: [bxmon] rundll32.exe C:\WINDOWS\System32\bxmon.dll,start
O4 - HKLM\..\Run: [AdobeReaderPro] winzip.exe
O4 - HKLM\..\Run: [Realtek Sound Manager] yhsjfvt.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinFix service] ebgqvvmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [sysctl32] sysctl.exe
O4 - HKLM\..\RunServices: [AdobeReaderPro] winzip.exe
O4 - HKLM\..\RunServices: [Realtek Sound Manager] yhsjfvt.exe
O4 - HKLM\..\RunServices: [WinFix service] ebgqvvmd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O20 - Winlogon Notify: Mixer - sndmixex.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0FORFJJTkUgQ0hBU1NBR05F\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: sysec(sysec) (sysec) - Unknown owner - C:\WINDOWS\system32\systsec.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)

Thanks and see you later
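A triage pass over the two HijackThis logs posted in this thread, as an added example (not a tool from the thread or from HijackThis itself): it flags the entry patterns the helper is reacting to (pathless O4 commands, DLLs launched through rundll32, Winlogon Notify packages, orphaned "(file missing)" entries, and the same DLL registered as both BHO and Winlogon Notify) and diffs the before/after logs to confirm that pmnnk.dll has left the log. The excerpts are constructed from the logs on this page and the heuristics are my own; a hit means "verify this file", not "malware".

```python
import re
from collections import defaultdict

# Constructed excerpts of the two HijackThis v1.99.1 logs pasted in this thread
# (first log: before VundoFix; second log: after). Only the entries needed for
# the demonstration are kept; the real logs carry many more lines.
HJT_BEFORE = r"""
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\pmnnk.dll
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\System32\pmnlj.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O20 - Winlogon Notify: Mixer - sndmixex.dll (file missing)
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\System32\pmnlj.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\SYSTEM32\pmnnk.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0FORFJJTkUgQ0hBU1NBR05F\command.exe (file missing)
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O20 - Winlogon Notify: Mixer - sndmixex.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0FORFJJTkUgQ0hBU1NBR05F\command.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Base names of executables/DLLs mentioned anywhere in an entry.
BASENAME_RE = re.compile(r"[\w~.-]+\.(?:exe|dll|ocx)\b", re.IGNORECASE)

def parse(log):
    """Return the (section, body) pairs of a HijackThis log, skipping other lines."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["section"], m["body"]))
    return out

def binaries_in(body):
    """Lower-cased base names of every executable/DLL an entry refers to."""
    return [n.lower() for n in BASENAME_RE.findall(body)]

def analyze(log):
    """Triage heuristics for a HijackThis log: {basename: [reasons]}. A hit
    means "verify this file and its publisher"; a miss does not mean clean."""
    reasons = defaultdict(list)
    sections_by_binary = defaultdict(set)
    for section, body in parse(log):
        names = binaries_in(body)
        if not names:
            continue
        binary = names[-1]  # the file actually loaded, e.g. the DLL after rundll32
        sections_by_binary[binary].add(section)
        if "(file missing)" in body:
            reasons[binary].append("orphaned entry: the referenced file no longer exists")
        if section == "O4":
            m = O4_RE.search(body)
            cmd = m["cmd"] if m else ""
            if re.match(r"rundll32(\.exe)?\s", cmd, re.IGNORECASE):
                reasons[binary].append("DLL started through rundll32 at boot")
            elif cmd and not re.match(r'"?[A-Za-z]:\\', cmd):
                reasons[binary].append("startup command has no path: resolved by PATH search")
        if section == "O20":
            reasons[binary].append("Winlogon Notify DLL: loaded into winlogon.exe, so deleting the file can fail while it is in use")
        if section == "O23" and "Unknown owner" in body:
            reasons[binary].append("service with no publisher information")
    # The same DLL registered both as a BHO (O2) and a Winlogon Notify package
    # (O20) is the double persistence the VundoFix report in this thread targets.
    for binary, sections in sections_by_binary.items():
        if {"O2", "O20"} <= sections:
            reasons[binary].append("same DLL registered as BHO and Winlogon Notify package")
    return dict(reasons)

def compare_logs(before, after):
    """Entries only in the first log and entries only in the second."""
    b = {f"{s} - {body}" for s, body in parse(before)}
    a = {f"{s} - {body}" for s, body in parse(after)}
    return sorted(b - a), sorted(a - b)

def confirm_removed(before, after, basename):
    """True when a file referenced in the first log is no longer referenced in the second."""
    basename = basename.lower()
    seen = lambda log: any(basename in binaries_in(body) for _, body in parse(log))
    return seen(before) and not seen(after)

if __name__ == "__main__":
    for binary, why in sorted(analyze(HJT_BEFORE).items()):
        print(f"{binary}: {'; '.join(why)}")
    removed, added = compare_logs(HJT_BEFORE, HJT_AFTER)
    print(f"\n{len(removed)} entries gone after VundoFix, {len(added)} new:")
    for line in removed:
        print("  -", line)
    print("\npmnnk.dll gone from the log:", confirm_removed(HJT_BEFORE, HJT_AFTER, "pmnnk.dll"))
```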

Posted

Hi again nirvan32,

Look more closely at your HijackThis log; it has indeed been removed.

Let's carry on with the cleanup, the PC is thoroughly infected!!

Download SpySweeper (from Webroot)
(it is a 14-day trial version)
http://www.download.com/Webroot-Spy-Sweepe...4-10405877.html
or
http://www.webroot.com/consumer/products/s...ode=af1&rc=3597

· click the Free Trial link under the "SpySweeper" heading
· install the program. Once installed, it will launch.
· The option to update it will appear, click Yes
· Once the updates are done, click Options on the left
· Click the Sweep Options tab
· Under What to Sweep, check the following options:

Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Uncheck Do not Sweep System Restore Folder

· click Sweep Now on the left
· click Start
· when the scan is finished, click Next
· make sure all items are checked, then click Next
· All checked items will be removed
· If SpySweeper wants to restart to finish the cleanup: ACCEPT
· Click Session Log at the top right, and copy everything in the window
· Click the Summary tab, then click Finish
· Finally paste the contents of the "session log" here

along with a new HijackThis log; I'll deal with HijackThis next.

See you later

Posted

Good evening again Did71

Here is the SpySweeper report:

********
21:01: | Start of Session, jeudi 30 mars 2006 |
21:01: Spy Sweeper started
21:01: Sweep initiated using definitions version 644
21:01: Starting Memory Sweep
21:06: Memory Sweep Complete, Elapsed Time: 00:04:54
21:06: Starting Registry Sweep
21:06: Found Adware: gain - common components
21:06: HKCR\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}\ (7 subtraces) (ID = 126731)
21:06: HKLM\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}\ (7 subtraces) (ID = 126751)
21:06: Found Adware: internetoptimizer
21:06: HKCR\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}\ (11 subtraces) (ID = 128881)
21:06: HKLM\software\classes\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}\ (11 subtraces) (ID = 128892)
21:06: HKLM\software\microsoft\windows\currentversion\run\ || internet optimizer (ID = 128916)
21:07: HKLM\software\classes\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\ (9 subtraces) (ID = 135201)
21:07: HKCR\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\ (9 subtraces) (ID = 135217)
21:07: Found Adware: shopathomeselect
21:07: HKLM\software\winsock2\layered provider sample\ (ID = 141736)
21:07: Found Adware: spysheriff
21:07: HKU\.default\software\microsoft\windows\currentversion\run\ || spysheriff (ID = 142121)
21:07: HKU\.default\software\spysheriff\ (30 subtraces) (ID = 142122)
21:07: Found Adware: syswebtelecom
21:07: HKCR\interface\{66b0c472-a6b5-4e86-8330-f4875af90929}\ (8 subtraces) (ID = 143558)
21:07: HKCR\interface\{639581d0-8376-4073-b73b-45993fa45156}\ (8 subtraces) (ID = 143560)
21:07: HKLM\software\classes\interface\{66b0c472-a6b5-4e86-8330-f4875af90929}\ (8 subtraces) (ID = 143567)
21:07: HKLM\software\classes\interface\{639581d0-8376-4073-b73b-45993fa45156}\ (8 subtraces) (ID = 143569)
21:07: Found Adware: targetsaver
21:07: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)
21:07: Found Adware: winad
21:07: HKCR\appid\loaderx.exe\ (1 subtraces) (ID = 147150)
21:07: HKCR\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147151)
21:07: HKCR\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147153)
21:07: HKLM\software\classes\appid\loaderx.exe\ (1 subtraces) (ID = 147164)
21:07: HKLM\software\classes\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147165)
21:07: HKLM\software\classes\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147167)
21:07: HKLM\software\classes\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147176)
21:07: HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147244)
21:07: Found Adware: command
21:07: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
21:07: Found Adware: dollarrevenue
21:07: HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
21:07: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
21:07: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
21:07: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
21:07: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
21:07: HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
21:07: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
21:07: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
21:07: Found Trojan Horse: trojan-backdoor-snd
21:07: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mixer\ (4 subtraces) (ID = 1028541)
21:07: HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
21:07: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
21:07: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
21:07: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
21:07: Found Trojan Horse: rbot
21:07: HKLM\software\microsoft\windows\currentversion\runservices\ || winsystems25 (ID = 1187956)
21:07: HKLM\software\microsoft\windows\currentversion\runservices\ || sysctl32 (ID = 1189233)
21:07: Found Trojan Horse: trojan-downloader-conhook
21:07: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {20d57a66-f7df-467d-907b-9b7f4a118ab7} (ID = 1190602)
21:07: Found Adware: findthewebsiteyouneed hijack
21:07: HKU\S-1-5-21-527237240-926492609-839522115-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
21:07: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || spysheriff (ID = 142123)
21:07: HKU\S-1-5-18\software\spysheriff\ (30 subtraces) (ID = 142125)
21:07: Found Adware: spywareno! components
21:07: HKU\S-1-5-18\software\sno2\ (ID = 782236)
21:07: Found Adware: cws_secure32.html hijack
21:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || local page (ID = 946022)
21:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || start page (ID = 946023)
21:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_page_url (ID = 946026)
21:07: Found Adware: spysheriff fakealert
21:07: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || windows installer (ID = 1088024)
21:07: Found Trojan Horse: infected mushrooms
21:07: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || winmedia (ID = 1219418)
21:07: Registry Sweep Complete, Elapsed Time:00:00:37
21:07: Starting Cookie Sweep
21:07: Cookie Sweep Complete, Elapsed Time: 00:00:00
21:07: Starting File Sweep
21:07: Found Adware: whenu savenow
21:07: c:\program files\vvsn (ID = -2147480376)
21:07: c:\program files\network monitor (ID = -2147459771)

21:07: Found Adware: bullguard popup ad

21:07: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)

21:08: Found Adware: zquest

21:08: dr140306.exe (ID = 267188)

21:08: a0000153.exe (ID = 270018)

21:08: a0000337.exe (ID = 268082)

21:08: a0000203.dll (ID = 267439)

21:08: a0000038.exe (ID = 251354)

21:08: a0000303.exe (ID = 268083)

21:08: Found Adware: look2me

21:08: a0000193.exe (ID = 65722)

21:08: a0000190.exe (ID = 270018)

21:08: a0000271.dll (ID = 256434)

21:09: a0000259.exe (ID = 270018)

21:09: newname4.exe (ID = 268845)

21:09: Found Adware: webhancer

21:09: a0000161.exe (ID = 267886)

21:09: Found Trojan Horse: sdbot

21:09: a0000108.exe (ID = 267738)

21:09: a0000194.com (ID = 65722)

21:09: a.exe (ID = 271541)

21:09: a0000272.dll (ID = 253303)

21:09: a0000059.exe (ID = 260103)

21:09: a0000273.dll (ID = 253304)

21:09: mousepad4.exe (ID = 268843)

21:09: a0000326.dll (ID = 267439)

21:10: Found Trojan Horse: trojan-backdoor-us15info

21:10: a0000309.exe (ID = 183857)

21:10: a0000330.exe (ID = 183857)

21:10: a0000320.exe (ID = 193995)

21:10: a0000310.exe (ID = 183857)

21:10: a0000311.exe (ID = 183857)

21:10: a0000331.exe (ID = 183857)

21:10: a0000351.exe (ID = 270019)

21:10: a0000312.exe (ID = 183857)

21:10: a0000313.exe (ID = 183857)

21:10: a0000314.exe (ID = 183857)

21:10: a0000332.exe (ID = 183857)

21:10: a0000293.exe (ID = 65739)

21:10: a0000333.exe (ID = 183857)

21:10: a0000315.exe (ID = 183857)

21:10: a0000316.exe (ID = 183857)

21:11: a0000189.exe (ID = 267167)

21:11: a0000317.exe (ID = 183857)

21:11: a0000318.exe (ID = 183857)

21:11: a0000187.exe (ID = 323)

21:11: a0000188.exe (ID = 323)

21:11: a0000334.exe (ID = 185985)

21:11: a0000152.exe (ID = 267167)

21:11: a0000308.exe (ID = 185985)

21:11: a0000168.dll (ID = 267884)

21:11: a0000335.exe (ID = 183857)

21:12: a0000074.exe (ID = 185985)

21:12: a0000078.exe (ID = 185985)

21:12: a0000265.exe (ID = 323)

21:12: a0000076.exe (ID = 193995)

21:12: a0000327.com (ID = 65739)

21:12: a0000207.exe (ID = 185985)

21:12: a0000060.exe (ID = 185985)

21:12: a0000145.exe (ID = 323)

21:12: a0000147.exe (ID = 323)

21:12: a0000319.exe (ID = 183857)

21:12: a0000336.exe (ID = 185985)

21:12: a0000156.exe (ID = 257353)

21:13: Found Trojan Horse: trojan-backdoor-superbgirlz

21:13: a0000325.exe (ID = 183963)

21:13: tsuninst.exe (ID = 193501)

21:13: Found Trojan Horse: trojan downloader matcash

21:13: a0000107.exe (ID = 246327)

21:13: a0000270.dll (ID = 253301)

21:14: Found Adware: maxifiles

21:14: a0000198.exe (ID = 244762)

21:14: a0000169.dll (ID = 267881)

21:14: a0000170.exe (ID = 267900)

21:15: a0000061.exe (ID = 193995)

21:15: a0000386.dll (ID = 159)

21:15: a0000295.exe (ID = 65722)

21:16: a0000344.exe (ID = 231443)

21:18: a0000199.exe (ID = 244762)

21:18: gatorpdpsetup.log (ID = 61399)

21:18: bulldownload.exe (ID = 52017)

21:19: a0000048.exe (ID = 269275)

21:20: a0000298.exe (ID = 268083)

21:20: a0000321.exe (ID = 183857)

21:20: a0000210.exe (ID = 185985)

21:20: a0000070.exe (ID = 193995)

21:21: a0000208.exe (ID = 193995)

21:21: a0000294.exe (ID = 268081)

21:21: a0000297.exe (ID = 268082)

21:21: a0000079.exe (ID = 183857)

21:21: class-barrel (ID = 78229)

21:21: Found Adware: coolwebsearch (cws)

21:21: a0000346.exe (ID = 239915)

21:21: a0000201.exe (ID = 193995)

21:22: Found Adware: effective-i toolbar

21:22: a0000212.exe (ID = 59853)

21:22: a0000322.exe (ID = 183857)

21:22: a0000045.exe (ID = 271541)

21:22: a0000340.exe (ID = 268081)

21:22: a0000323.exe (ID = 183857)

21:22: a0000324.exe (ID = 183857)

21:23: vocabulary (ID = 78283)

21:23: a0000263.exe (ID = 260102)

21:23: a0000155.exe (ID = 168558)

21:23: a0000328.exe (ID = 183857)

21:23: a0000099.exe (ID = 183857)

21:23: a0000261.exe (ID = 260125)

21:23: a0000080.exe (ID = 183857)

21:23: a0000041.exe (ID = 246327)

21:23: newname2[1].exe (ID = 269030)

21:23: Warning: Failed to read file "c:\system volume information\_restore{7c361fab-4dee-4c40-9ed4-926bd19870d6}\rp1\a0000329.exe". Opération réussie

21:23: Found Trojan Horse: trojan-downloader-toolbarpartner

21:23: a0000154.exe (ID = 268844)

21:23: a0000213.exe (ID = 267157)

21:24: a0000101.exe (ID = 183857)

21:24: a0000011.dll (ID = 159)

21:24: a0000102.exe (ID = 183857)

21:24: rp5[1].exe (ID = 271541)

21:26: mousepad5.exe (ID = 270020)

21:26: newname5.exe (ID = 270021)

21:26: a0000202.exe (ID = 185985)

21:27: a0000081.exe (ID = 183857)

21:27: a0000082.exe (ID = 183857)

21:27: a0000083.exe (ID = 183857)

21:27: a0000209.exe (ID = 168558)

21:28: dc36.exe (ID = 183857)

21:28: a0000056.exe (ID = 239915)

21:28: a0000338.exe (ID = 183857)

21:29: spysheriff.lnk (ID = 143527)

21:29: spysheriff.lnk (ID = 143527)

21:29: a0000106.exe (ID = 269275)

21:29: a0000073.exe (ID = 185985)

21:29: a0000072.exe (ID = 257306)

21:29: dc32.exe (ID = 183857)

21:29: a0000264.exe (ID = 269030)

21:29: info[1].txt (ID = 90430)

21:29: toolbar[1].txt (ID = 267167)

21:29: a0000269.exe (ID = 267167)

21:29: a0000084.exe (ID = 183857)

21:29: a0000339.exe (ID = 183857)

21:29: a0000296.exe (ID = 185985)

21:29: a0000067.exe (ID = 185985)

21:29: a0000068.exe (ID = 185985)

21:29: a0000167.exe (ID = 267882)

21:29: a0000341.exe (ID = 183857)

21:29: a0000300.exe (ID = 183857)

21:30: dc33.exe (ID = 183857)

21:30: dc37.exe (ID = 183857)

21:30: dc35.exe (ID = 185985)

21:30: a0000342.exe (ID = 183857)

21:30: a0000301.exe (ID = 183857)

21:30: dc34.exe (ID = 183857)

21:30: a0000085.exe (ID = 183857)

21:30: a0000086.exe (ID = 183857)

21:30: a0000343.exe (ID = 183857)

21:30: a0000292.exe (ID = 183857)

21:30: a0000302.exe (ID = 183857)

21:30: atmtd.dll (ID = 166754)

21:30: dc38.htm (ID = 183857)

21:30: a0000304.exe (ID = 183857)

21:30: a0000305.exe (ID = 183857)

21:31: a0000069.exe (ID = 193995)

21:31: a0000306.exe (ID = 183857)

21:31: a0000195.exe (ID = 168558)

21:31: atmtd.dll._ (ID = 166754)

21:31: a0000307.exe (ID = 185985)

21:31: 00r7uoqi.dat (ID = 75821)

21:31: em4nopt7.dat (ID = 75607)

21:31: scd8hq1s.dat (ID = 75674)

21:31: a0000087.exe (ID = 183857)

21:31: a0000088.exe (ID = 183857)

21:31: a0000089.exe (ID = 185985)

21:31: a0000090.exe (ID = 183857)

21:32: tool2[1].txt (ID = 323)

21:32: a0000267.exe (ID = 323)

21:32: a0000350.exe (ID = 268841)

21:32: a0000200.exe (ID = 168558)

21:32: a0000274.exe (ID = 253306)

21:32: a0000105.exe (ID = 183963)

21:32: a0000196.exe (ID = 168558)

21:32: uninstall_nmon.vbs (ID = 231442)

21:32: a0000197.exe (ID = 168558)

21:34: a0000091.exe (ID = 183857)

21:34: a0000092.exe (ID = 183857)

21:34: a0000093.exe (ID = 183857)

21:34: a0000040.exe (ID = 59853)

21:35: a0000075.exe (ID = 193995)

21:35: a0000094.exe (ID = 183857)

21:35: a0000103.exe (ID = 183857)

21:36: a0000095.exe (ID = 183857)

21:37: a0000104.exe (ID = 183857)

21:37: a0000096.exe (ID = 183857)

21:37: a0000055.exe (ID = 256449)

21:37: a0000262.exe (ID = 257353)

21:37: a0000071.exe (ID = 257306)

21:37: a0000260.exe (ID = 257304)

21:37: Found Adware: findthewebsiteyouneed hijacker

21:37: a0000110.exe (ID = 253754)

21:37: a0000064.exe (ID = 254982)

21:37: a0000109.exe (ID = 253753)

21:37: a0000097.exe (ID = 183857)

21:37: secure32.html (ID = 184319)

21:38: a0000077.exe (ID = 185985)

21:38: a0000058.exe (ID = 246327)

21:38: a0000066.exe (ID = 256449)

21:38: a0000098.exe (ID = 183857)

21:38: a0000162.ini (ID = 267887)

21:38: a0000163.ini (ID = 188794)

21:38: oxiililln4o0kx11oyh1lxci.vbs (ID = 185675)

21:38: File Sweep Complete, Elapsed Time: 00:31:25

21:38: Full Sweep has completed. Elapsed time 00:37:10

21:38: Traces Found: 490

21:40: Removal process initiated

21:40: Quarantining All Traces: infected mushrooms

21:40: Quarantining All Traces: look2me

21:40: Quarantining All Traces: rbot

21:40: Quarantining All Traces: sdbot

21:40: Quarantining All Traces: spysheriff fakealert

21:40: Quarantining All Traces: trojan downloader matcash

21:40: Quarantining All Traces: trojan-backdoor-us15info

21:41: Quarantining All Traces: trojan-downloader-toolbarpartner

21:41: Quarantining All Traces: coolwebsearch (cws)

21:41: Quarantining All Traces: dollarrevenue

21:41: Quarantining All Traces: internetoptimizer

21:41: Quarantining All Traces: maxifiles

21:41: Quarantining All Traces: spysheriff

21:41: Quarantining All Traces: trojan-backdoor-snd

21:41: Quarantining All Traces: trojan-backdoor-superbgirlz

21:41: Quarantining All Traces: trojan-downloader-conhook

21:41: Quarantining All Traces: winad

21:41: Quarantining All Traces: zquest

21:41: Quarantining All Traces: bullguard popup ad

21:41: Quarantining All Traces: command

21:41: Quarantining All Traces: cws_secure32.html hijack

21:41: Quarantining All Traces: effective-i toolbar

21:41: Quarantining All Traces: findthewebsiteyouneed hijacker

21:41: Quarantining All Traces: findthewebsiteyouneed hijack

21:41: Quarantining All Traces: shopathomeselect

21:41: Quarantining All Traces: spywareno! components

21:41: Quarantining All Traces: syswebtelecom

21:41: Quarantining All Traces: targetsaver

21:41: Quarantining All Traces: webhancer

21:41: Quarantining All Traces: gain - common components

21:41: Quarantining All Traces: whenu savenow

21:42: Removal process completed. Elapsed time 00:01:59

********

20:59: | Start of Session, jeudi 30 mars 2006 |

20:59: Spy Sweeper started

21:00: Your spyware definitions have been updated.

21:01: | End of Session, jeudi 30 mars 2006 |

 

And here is the HijackThis report:

 

Logfile of HijackThis v1.99.1

Scan saved at 21:45:20, on 30/03/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Wanadoo\CnxMon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\yhsjfvt.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\System32\ebgqvvmd.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bh1sobfs] C:\WINDOWS\System32\bh1sobfs.exe

O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe

O4 - HKLM\..\Run: [bxmon] rundll32.exe C:\WINDOWS\System32\bxmon.dll,start

O4 - HKLM\..\Run: [AdobeReaderPro] winzip.exe

O4 - HKLM\..\Run: [Realtek Sound Manager] yhsjfvt.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [WinFix service] ebgqvvmd.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe

O4 - HKLM\..\RunServices: [AdobeReaderPro] winzip.exe

O4 - HKLM\..\RunServices: [Realtek Sound Manager] yhsjfvt.exe

O4 - HKLM\..\RunServices: [WinFix service] ebgqvvmd.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: sysec(sysec) (sysec) - Unknown owner - C:\WINDOWS\system32\systsec.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)

 

I still get the impression that things are improving. I haven't had any intrusive pop-up ads for a little while now!! That's a good sign, right?!

 

Cheers

Posted

Hi again,

 

Download SmitfraudFix by S!Ri:

 

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

 

Unzip it to the Desktop.

 

* Open SmitfraudFix, double-click on SmitfraudFix.cmd and choose option 1

Post the report.

 

I still need to check something; I have a doubt about this:

 

C:\WINDOWS\System32\ebgqvvmd.exe

 

Download F-Secure Blacklight

 

http://www.f-secure.com/blacklight/try.shtml

 

Close the Internet and launch it by double-clicking on the blbeta.exe file

Accept the licence, then click on "Scan"

 

Then post the report

 

Cheers

Posted

Good evening all,

 

DID71, Antivir gives me the following message when I try to unzip SmitfraudFix: processe.exe contains signature of the SPR/Processor.20 program.

 

What should I do?

 

Thanks for your help.
