
Posted

Hello... I'm trying to repair a friend's PC and I've hit a snag...

Let me explain:

The PC is infected by one or more viruses that are starting to be a real *****

The symptoms are:

- blue screen with a critical error when I use my PC normally,
- bogus sites that look like popups ( http://www.coupo-ns.com/eon.html, http://www.exhibiting-deals.com/eon.html, http://www.broadcast-ing.com/tau.html) open; they open every 15 min.
- Norton AntiVirus alert about the downloader virus in the file C:\windows\systeme32\vtstr.dll

That's about it.

What I have already done:

- tried to delete this file manually ==> This file is in use by another application
- restored the system to a date before the infection ==> no success
- deleted the cookies and temporary files (one remains: C:\windows\temp\CustomB, which cannot be deleted)
- I unplugged the disk, put it as a slave drive in my own PC and scanned it with Kaspersky ==> 34 viruses, 33 deleted
- 2nd scan: ==> 8 new viruses, 7 of them deleted.
- I plugged it back into the original PC and scanned it with Norton ==> 9 viruses, 6 of them deleted. The three infected files are:
- dotrm.dll ==> virus: downloader
- pffmgr.dll ==> virus: adware.look2me
- vtstr.dll ==> virus: downloader

There, now I'm stuck... what do I do?

Posted

Hi and welcome to this forum :P

I see you've already done a lot of work!!

Can you run a HijackThis report please =>

- download the latest version of HijackThis ( http://www.merijn.org/files/hijackthis.zip or http://telechargement.zebulon.fr/138-hijackthis-1991.html if it is unavailable!)

Don't install HijackThis in a temporary folder but in C:/Program Files, for example.

and run a scan by clicking the "Do a system scan and save a logfile" button. Copy/paste the report after my reply.

Posted

There, it's done. Here is the report it puts in the Notepad file:

 

Logfile of HijackThis v1.99.1

Scan saved at 21:45:16, on 20/06/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe

C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe

C:\WINDOWS\TUFJU09O\command.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\VeriSign\NAVI\naviagent.exe

C:\Program Files\Network Monitor\netmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\windows\system32\lvfbxw.exe

C:\Program Files\MessengerPlus! 3\MsgPlus.exe

C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

C:\Program Files\Messenger\msmsgs.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\Program Files\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll

R3 - URLSearchHook: SrchHook Class - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - C:\WINDOWS\System32\GIDCAI32.dll (file missing)

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll

O3 - Toolbar: ToolBar888 - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\ToolBar888\MyToolBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [lvfbxw] c:\windows\system32\lvfbxw.exe lvfbxw

O4 - HKLM\..\Run: [Laordll service] icmusvak.exe

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [Axis Atom File Mode] C:\Documents and Settings\All Users\Application Data\Keepstupidaxisatom\BINDSAFE.exe

O4 - HKLM\..\Run: [defender] C:\\defender26.exe

O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe

O4 - HKLM\..\Run: [newname] C:\\newname25.exe

O4 - HKLM\..\Run: [mswap] rundll32.exe C:\WINDOWS\System32\mswap.dll,start

O4 - HKLM\..\RunServices: [Laordll service] icmusvak.exe

O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

O4 - HKCU\..\Run: [Test Dash] C:\DOCUME~1\CATHER~1\APPLIC~1\FLAWEG~1\bind warn meet.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [udsc] "C:\WINDOWS\System32\RACLE~1\attrib.exe" -vt yazr

O4 - HKCU\..\Run: [fiwr] C:\Program Files\Fichiers communs\fiwr\fiwrm.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZSYYYYYYYYFR

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {16930DCA-0910-4C00-86FF-0C73872D4ABA} - java script:window.location.href="http://www.download-plus.com/fr/emule/default.asp?id="'>http://www.download-plus.com/fr/emule/default.asp?id=" (file missing)

O9 - Extra 'Tools' menuitem: logiciels - {16930DCA-0910-4C00-86FF-0C73872D4ABA} - java script:window.location.href="http://www.download-plus.com/fr/emule/default.asp?id=" (file missing)

O9 - Extra button: private access - {2B44FD33-B048-4B2B-88D5-4B80AB018F29} - C:\WINDOWS\System32\private access (file missing)

O9 - Extra button: 123MP3FR - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\123MP3FR (file missing)

O9 - Extra button: logiciels - {810B72CB-566A-409B-B6A3-31F720C16FAE} - C:\WINDOWS\System32\logiciels (file missing)

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {A2199168-22AC-44A3-BA5F-8A83E693FEBF} - java script:window.location.href="http://www.webmp3musique.com/fr/default.asp?id="'>http://www.webmp3musique.com/fr/default.asp?id=" (file missing)

O9 - Extra 'Tools' menuitem: musique - {A2199168-22AC-44A3-BA5F-8A83E693FEBF} - java script:window.location.href="http://www.webmp3musique.com/fr/default.asp?id=" (file missing)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Aide i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)

O9 - Extra 'Tools' menuitem: Aide i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)

O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll

O9 - Extra 'Tools' menuitem: Options i-Nav - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll

O9 - Extra button: musique - {F4445FEB-6D20-47CB-9ACF-9D142A7F680A} - C:\WINDOWS\System32\musique (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: (no name) - {FF55FC7B-F2EB-4F50-9409-2F726DD0E112} - java script:window.location.href="http://www.morefreenudes.com/default.asp?id="'>http://www.morefreenudes.com/default.asp?id=" (file missing)

O9 - Extra 'Tools' menuitem: private access - {FF55FC7B-F2EB-4F50-9409-2F726DD0E112} - java script:window.location.href="http://www.morefreenudes.com/default.asp?id=" (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {15651C7C-E812-44A2-A9AC-B467A2233E7D} (SrchHook Class) - http://www.123mania.com/GIDCAI32.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_mp3.cab

O16 - DPF: {44515AE5-25B3-46CF-833B-0D816C602868} (Matrix Class) - http://acceso.masminutos.com/downloads.cab

O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_FR_XP.cab

O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicaciones.cab

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c11.cab

O16 - DPF: {9C5B2F29-1F46-4639-A6B4-828942301D3E} (HTML Class) - http://www.123mania.com/SIPSPI32.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {C80B7FF6-CE60-4079-935E-520C045C30A6} - http://www.mailskinner.com/binaries/msaxsetup.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\ktnql7551.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUFJU09O\command.exe

O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Program Files\VeriSign\NAVI\naviagent.exe

O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

Posted

ok! there's some cleaning up ahead!!

L2M to start with =>

Please print these instructions, or paste them into a text file, to read during this fix. Read the note at the bottom carefully before starting.

Download Look2Me-Destroyer.exe (by Atribune) to your Desktop.

  • Close all active windows before moving on to the next step.
  • Double-click Look2Me-Destroyer.exe to launch the tool.
  • Check Run this program as a task
  • A message will appear, telling you this: "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click OK
  • It will relaunch after the minute; then click the Scan for L2M button; your Desktop icons will disappear: this is normal.
  • When the scan finishes, click the Remove L2M button
  • A Done Scanning message will appear; click OK.
  • A new message will appear: Done removing infected files! Look2Me-Destroyer will now shutdown your computer; click OK.
  • Your PC will now shut down.
  • Start your PC normally.
  • Paste the generated report (Look2Me-Destroyer.txt), located on the Desktop, along with a new HijackThis! report in your next reply.

*If Look2Me-Destroyer does not relaunch automatically after the minute, restart and try again.

Posted

Here is the first report:

 

Look2Me-Destroyer V1.0.12

 

Scanning for infected files.....

Scan started at 20/06/2006 21:59:03

 

Infected! C:\WINDOWS\system32\ktnql7551.dll

Infected! C:\System Volume Information\_restore{4A4616B3-6BA3-4B49-A9AA-DFCB958B3094}\RP310\A0408122.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018734.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018739.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018741.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018746.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018751.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018755.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018762.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018766.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018769.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018773.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018785.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018790.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018801.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018805.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018813.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018817.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018827.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019020.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019024.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019028.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019066.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019070.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019080.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019088.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019093.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019099.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019110.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019115.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019119.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019150.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019154.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019188.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019192.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019196.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019200.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019205.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019209.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019216.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019220.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019228.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019235.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019242.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019248.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019252.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019261.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019273.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019277.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019278.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019279.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019280.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019281.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019282.dll

Infected! C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019283.dll

Infected! C:\WINDOWS\system32\ktnql7551.dll

Infected! C:\WINDOWS\system32\mltime.dll

Infected! C:\WINDOWS\system32\mv60l9jm1.dll

Infected! C:\WINDOWS\system32\pffmgr.dll

Infected! C:\WINDOWS\system32\rJsppp.dll

Infected! C:\WINDOWS\System32\guard.tmp

 

Attempting to delete infected files...

 

Attempting to delete: C:\WINDOWS\system32\ktnql7551.dll

C:\WINDOWS\system32\ktnql7551.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{4A4616B3-6BA3-4B49-A9AA-DFCB958B3094}\RP310\A0408122.dll

C:\System Volume Information\_restore{4A4616B3-6BA3-4B49-A9AA-DFCB958B3094}\RP310\A0408122.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018734.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018734.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018739.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018739.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018741.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018741.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018746.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018746.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018751.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018751.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018755.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018755.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018762.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018762.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018766.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP349\A0018766.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018769.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018769.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018773.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018773.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018785.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018785.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018790.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018790.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018801.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018801.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018805.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018805.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018813.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018813.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018817.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018817.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018827.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0018827.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019020.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019020.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019024.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019024.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019028.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP350\A0019028.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019066.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019066.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019070.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019070.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019080.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019080.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019088.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019088.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019093.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019093.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019099.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019099.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019110.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019110.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019115.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019115.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019119.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019119.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019150.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019150.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019154.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019154.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019188.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019188.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019192.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019192.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019196.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019196.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019200.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019200.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019205.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019205.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019209.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019209.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019216.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019216.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019220.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019220.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019228.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019228.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019235.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019235.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019242.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019242.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019248.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019248.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019252.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP351\A0019252.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019261.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019261.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019273.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019273.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019277.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019277.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019278.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019278.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019279.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019279.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019280.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019280.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019281.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019281.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019282.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019282.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019283.dll

C:\System Volume Information\_restore{5137D550-486D-4B5B-AC2F-9F743DDB21C8}\RP352\A0019283.dll Deleted successfully!

 

Attempting to delete: C:\WINDOWS\system32\ktnql7551.dll

C:\WINDOWS\system32\ktnql7551.dll Deleted successfully!

 

Attempting to delete: C:\WINDOWS\system32\mltime.dll

C:\WINDOWS\system32\mltime.dll Deleted successfully!

 

Attempting to delete: C:\WINDOWS\system32\mv60l9jm1.dll

C:\WINDOWS\system32\mv60l9jm1.dll Deleted successfully!

 

Attempting to delete: C:\WINDOWS\system32\pffmgr.dll

C:\WINDOWS\system32\pffmgr.dll Deleted successfully!

 

Attempting to delete: C:\WINDOWS\system32\rJsppp.dll

C:\WINDOWS\system32\rJsppp.dll Deleted successfully!

 

Attempting to delete: C:\WINDOWS\System32\guard.tmp

C:\WINDOWS\System32\guard.tmp Deleted successfully!

 

Making registry repairs.

 

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B9091953-9F2A-4835-BE90-B466C1C729A7}"

HKCR\Clsid\{B9091953-9F2A-4835-BE90-B466C1C729A7}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3E7EBEE3-0388-43D2-AF47-0A2063177B8A}"

HKCR\Clsid\{3E7EBEE3-0388-43D2-AF47-0A2063177B8A}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{79076424-9367-4E68-A572-807A6D7B2D46}"

HKCR\Clsid\{79076424-9367-4E68-A572-807A6D7B2D46}

 

Restoring Windows certificates.

 

Replaced hosts file with default windows hosts file

 

 

Restoring SeDebugPrivilege for Administrateurs - Succeeded

 

-------------------------------------------------------------------------------------------------------------

 

And here is the HijackThis report:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 22:11:36, on 20/06/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe

C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe

C:\WINDOWS\TUFJU09O\command.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\VeriSign\NAVI\naviagent.exe

C:\Program Files\Network Monitor\netmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

C:\Program Files\MessengerPlus! 3\MsgPlus.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\VeriSign\NAVI\NAVICL~1.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll

R3 - URLSearchHook: SrchHook Class - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - C:\WINDOWS\System32\GIDCAI32.dll (file missing)

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll

O3 - Toolbar: ToolBar888 - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\ToolBar888\MyToolBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [Laordll service] icmusvak.exe

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [Axis Atom File Mode] C:\Documents and Settings\All Users\Application Data\Keepstupidaxisatom\BINDSAFE.exe

O4 - HKLM\..\Run: [defender] C:\\defender26.exe

O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe

O4 - HKLM\..\Run: [newname] C:\\newname25.exe

O4 - HKLM\..\Run: [mswap] rundll32.exe C:\WINDOWS\System32\mswap.dll,start

O4 - HKLM\..\RunServices: [Laordll service] icmusvak.exe

O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

O4 - HKCU\..\Run: [Test Dash] C:\DOCUME~1\CATHER~1\APPLIC~1\FLAWEG~1\bind warn meet.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [udsc] "C:\WINDOWS\System32\RACLE~1\attrib.exe" -vt yazr

O4 - HKCU\..\Run: [fiwr] C:\Program Files\Fichiers communs\fiwr\fiwrm.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZSYYYYYYYYFR

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {16930DCA-0910-4C00-86FF-0C73872D4ABA} - java script:window.location.href="http://www.download-plus.com/fr/emule/default.asp?id=" (file missing)

O9 - Extra 'Tools' menuitem: logiciels - {16930DCA-0910-4C00-86FF-0C73872D4ABA} - java script:window.location.href="http://www.download-plus.com/fr/emule/default.asp?id=" (file missing)

O9 - Extra button: private access - {2B44FD33-B048-4B2B-88D5-4B80AB018F29} - C:\WINDOWS\System32\private access (file missing)

O9 - Extra button: 123MP3FR - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\123MP3FR (file missing)

O9 - Extra button: logiciels - {810B72CB-566A-409B-B6A3-31F720C16FAE} - C:\WINDOWS\System32\logiciels (file missing)

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {A2199168-22AC-44A3-BA5F-8A83E693FEBF} - java script:window.location.href="http://www.webmp3musique.com/fr/default.asp?id=" (file missing)

O9 - Extra 'Tools' menuitem: musique - {A2199168-22AC-44A3-BA5F-8A83E693FEBF} - java script:window.location.href="http://www.webmp3musique.com/fr/default.asp?id=" (file missing)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Aide i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)

O9 - Extra 'Tools' menuitem: Aide i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)

O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll

O9 - Extra 'Tools' menuitem: Options i-Nav - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll

O9 - Extra button: musique - {F4445FEB-6D20-47CB-9ACF-9D142A7F680A} - C:\WINDOWS\System32\musique (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: (no name) - {FF55FC7B-F2EB-4F50-9409-2F726DD0E112} - java script:window.location.href="http://www.morefreenudes.com/default.asp?id=" (file missing)

O9 - Extra 'Tools' menuitem: private access - {FF55FC7B-F2EB-4F50-9409-2F726DD0E112} - java script:window.location.href="http://www.morefreenudes.com/default.asp?id=" (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {15651C7C-E812-44A2-A9AC-B467A2233E7D} (SrchHook Class) - http://www.123mania.com/GIDCAI32.cab

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_mp3.cab

O16 - DPF: {44515AE5-25B3-46CF-833B-0D816C602868} (Matrix Class) - http://acceso.masminutos.com/downloads.cab

O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_FR_XP.cab

O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicaciones.cab

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c11.cab

O16 - DPF: {9C5B2F29-1F46-4639-A6B4-828942301D3E} (HTML Class) - http://www.123mania.com/SIPSPI32.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {C80B7FF6-CE60-4079-935E-520C045C30A6} - http://www.mailskinner.com/binaries/msaxsetup.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUFJU09O\command.exe

O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Program Files\VeriSign\NAVI\naviagent.exe

O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

 

Pretty brutal, though, the way the PC shut down ^^

Posted

Good! LookToMe is gone! On the other hand, there's still quite a bit of work to do!!

Could you please have the following files analysed online? =>

Look for these files on the hard drive: some files are hidden! To make them visible, do this =>

Start, My Computer or any other folder, Tools menu, Folder Options, View tab:

Tick the box: Show hidden files and folders

Untick the box: Hide extensions for known file types

Untick the box: Hide protected operating system files

click "Apply"

click the "Apply to All Folders" button / OK

*icmusvak.exe => look for this file, which is most likely in the C:\windows\system32 directory; if you can't find it, run a search with the Windows search assistant.

*fiwrm.exe => you'll find it here => C:\Program Files\Fichiers communs\fiwr

*attrib.exe => you'll find it here => C:\WINDOWS\System32\RACLE~1

-Have them analysed here:

1- http://virusscan.jotti.org/

2- http://www.virustotal.com/flash/index_en.html

Post both reports.

For example:

When you click on these two addresses, you get a box labelled "Browse"; click it and a window opens => browse your hard drive and look for the file fiwrm.exe, which you'll find in the folder C:\Program Files\Fichiers communs\fiwr

Click once on the file fiwrm.exe (it turns blue!), then click "Open" at the bottom of the window, then "submit" for Jotti's virusscan and "send" for VirusTotal. The scan of the file will start. All you have to do then is select and copy/paste the analysis.

You may get this message =>

"Server is extremely busy at the moment. Please try again later." in which case you'll have to try again later!

Run HijackThis and post a report like this:

Open HijackThis -> Open the misc tools sections -> open Uninstall manager -> click "Save list" -> save the file -> copy/paste it here.

Thanks! After that we get down to it!
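Added example, not part of the thread and not HijackThis code: a small Python triage over O4 (autorun) and O23 (service) lines copied from the log above, flagging the kind of oddities that make an entry worth submitting to a multi-engine scanner. The rules and the `SYSTEM_TOOLS` list are assumptions of this example; fiwrm.exe, which the helper also asks about, trips none of them, so the output is a list of leads, not verdicts.

```python
import re

# Tools that normally live directly in C:\WINDOWS\system32 (short assumed list).
SYSTEM_TOOLS = {"attrib.exe", "cmd.exe", "svchost.exe", "rundll32.exe", "lsass.exe"}

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"^rundll32(\.exe)?\s+", re.I)  # unwrap "rundll32 x.dll,Entry"
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|bat|scr|dll))(?=[\s,]|$)', re.I)

# Lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Laordll service] icmusvak.exe
O4 - HKLM\..\Run: [defender] C:\\defender26.exe
O4 - HKCU\..\Run: [udsc] "C:\WINDOWS\System32\RACLE~1\attrib.exe" -vt yazr
O4 - HKCU\..\Run: [fiwr] C:\Program Files\Fichiers communs\fiwr\fiwrm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUFJU09O\command.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""


def path_reasons(exe):
    """Heuristics on where the executable sits (assumed rules, not HijackThis's)."""
    parts = [p for p in re.split(r"[\\/]+", exe) if p]
    name = parts[-1].lower()
    reasons = []
    if len(parts) == 1:
        reasons.append("no directory given")
    elif len(parts) == 2 and parts[0].endswith(":"):
        reasons.append("executable in drive root")
    if name in SYSTEM_TOOLS and len(parts) > 1 and parts[-2].lower() != "system32":
        reasons.append("system tool name outside system32")
    return reasons


def triage(log_text):
    """Return [(target_path, [reasons])] for every O4 and O23 line parsed."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            exe = EXE_RE.match(RUNDLL_RE.sub("", m.group("cmd"))) if m else None
            if not exe:
                continue
            target = exe.group("q") or exe.group("u")
        elif line.startswith("O23 - Service: "):
            fields = line.rsplit(" - ", 2)  # name, owner, path
            if len(fields) != 3:
                continue
            _, owner, target = fields
            missing = target.endswith("(file missing)")
            if missing:
                target = target[: -len("(file missing)")]
            target = target.strip().strip('"')
            if owner == "Unknown owner":
                reasons.append("owner reported as Unknown owner")
            if missing:
                reasons.append("file missing")
        else:
            continue
        findings.append((target, reasons + path_reasons(target)))
    return findings


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_LOG):
        if reasons:
            print(f"{target}: {', '.join(reasons)}")
```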

Posted (edited)

The first file doesn't exist ... I'm doing the 3rd one now. What's the problem?

The 2nd one doesn't exist either ... yet I did unhide the hidden files and everything >.<"

HEEEEEELP

Edited by darkworm
Posted (edited)

First site, 3rd file:

 

Service load: 0% 100%

 

File: attrib.exe

Status: OK

MD5 a3f376dc99361dac8fde1ee35144569c

Packers detected: -

Scanner results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

UNA Found nothing

VirusBuster Found nothing

VBA32 Found nothing

 

2nd site:

STATUS: FINISHED

Complete scanning result of "attrib.exe", received in VirusTotal at 06.20.2006, 22:39:24 (CET).

 

Antivirus Version Update Result

AntiVir 6.35.0.13 06.20.2006 no virus found

Authentium 4.93.8 06.20.2006 no virus found

Avast 4.7.844.0 06.20.2006 no virus found

AVG 386 06.20.2006 no virus found

BitDefender 7.2 06.20.2006 no virus found

CAT-QuickHeal 8.00 06.20.2006 no virus found

ClamAV devel-20060426 06.20.2006 no virus found

DrWeb 4.33 06.20.2006 no virus found

eTrust-InoculateIT 23.72.43 06.20.2006 no virus found

eTrust-Vet 12.6.2266 06.20.2006 no virus found

Ewido 3.5 06.20.2006 no virus found

Fortinet 2.77.0.0 06.20.2006 no virus found

F-Prot 3.16f 06.20.2006 no virus found

Ikarus 0.2.65.0 06.20.2006 no virus found

Kaspersky 4.0.2.24 06.20.2006 no virus found

McAfee 4788 06.20.2006 no virus found

Microsoft 1.1481 06.20.2006 no virus found

NOD32v2 1.1611 06.20.2006 no virus found

Norman 5.90.21 06.20.2006 no virus found

Panda 9.0.0.4 06.20.2006 no virus found

Sophos 4.06.0 06.20.2006 no virus found

Symantec 8.0 06.20.2006 no virus found

TheHacker 5.9.8.162 06.20.2006 no virus found

UNA 1.83 06.20.2006 no virus found

VBA32 3.11.0 06.20.2006 no virus found

VirusBuster 4.3.7:9 06.20.2006 no virus found

 

 

Aditional Information

File size: 11264 bytes

MD5: a3f376dc99361dac8fde1ee35144569c

SHA1: 91d0e11e050e3f00af1288eeea1d9793ceb04da6

 

 

<<<UP>>>

Edited by darkworm
Posted

The HijackThis report:

 

Adobe Acrobat 5.0

Adobe Download Manager 2.0 (Supprimer uniquement)

Adobe Photoshop Album 2.0 Edition Découverte

Adobe Reader 7.0 - Français

Airline Tycoon

ATI - Utilitaire de désinstallation du logiciel

ATI Catalyst Control Center

ATI Control Panel

ATI Display Driver

ATI HYDRAVISION

Barre d'outils MSN

CC_ccProxyMSI

CC_ccStart

ccCommon

Command

Counter-Strike

Google Toolbar for Internet Explorer

Groom ZoneJeux Chat

Ground Control

HijackThis 1.99.1

Jarkanoid 3

Jewel of Atlantis

Lecteur Windows Media 10

LiveReg (Symantec Corporation)

Macromedia Flash Player 8

Macromedia Shockwave Player

Marvell Miniport Driver

Messenger Plus! 3 & Sponsor

Microsoft .NET Framework 1.1

Microsoft Office Professional Edition 2003

MSN Messenger 7.5

MSRedist

My Web Search (Smiley Central)

Nero

Network Monitor

Norton AntiSpam

Norton AntiSpam

Norton AntiVirus

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security (Symantec Corporation)

Norton WMI Update

NVIDIA nForce Drivers

OutcastDVD

Service Pack 1a pour Windows XP

Snowball Wars by OIN

Steam

Symantec Script Blocking Installer

ToolBar888

Tradewinds Legends

TSA

VeriSign i-Nav and Components

Windows Media Format Runtime

Yahoo! Toolbar

Posted

One last thing I'll ask of you, because I'm about to get to work!!

Also leave me two reports made like this with HijackThis:

1) Open HijackThis.

Click on Open Misc Tools Section

Make sure the two boxes on the right are ticked:

* List all minor sections(Full)

* List Empty Sections(Complete)

Click on Generate StartupList Log

Click "Yes" when asked.

This will generate a report; copy it and post it here.

Don't quit the program! Carry on with what follows.

2) Click on [Open the misc tools section]

Click on [Open ADS spy]

Make sure the boxes in front of:

Quick Scan

and

Ignore safe system infos stream

are TICKED

Click Scan, then Save log

Post the report here.

When you click Save log, a window should appear: save the file to the desktop.

It's a text file named adsspy.txt. Copy/paste the contents of the report here, please.

It's also possible that the scan finds nothing! You must see the message "scan complete" appear above the "Scan" button to be sure the scan has finished.

There! Those two reports

Would it be possible for you not to browse with the infected PC while we carry out the disinfection?

Leave the PC switched on, please.

See you later!
