(résolu) Trojan.Vundo.EHX - Sécurité, virus et assimilés::Trojan et spywares

Passionné(e) d'internet, de logiciels, de forums ? 01net recrute...

Auteur

Message

lethi

Posté le 30/04/2008 17:47:17

bonjour à tous,

mon pc est infecté, merci pour votre aide.
je précise, je suis très nulle en informatique!!! :'(

-->Message édité par lethi le 08/05/2008 16:41:38<--

Alex_o

Posté le 30/04/2008 17:51:37

Salut,

1) Pour commencer, si tu as Ad-Aware, Spybot, Avast, Norton et McAfee, désinstalles-les. Dans les forums de désinfection, ils sont connus pour leur inefficacité.
2) Télécharge Malwarebytes' Anti-Malware http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
fais une mise à jour puis un examen complet et supprime ce qu'il te trouve
3) Télécharge Avira AntiVir http://www.download.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-103(...)
fais une mise à jour puis un scan complet et mets en quarantaine ce qu'il te trouve
4) Tu peux également télécharger Spyware Terminator car il permet une protection en temps réel contre les spyware http://www.spywareterminator.com/download/download.aspx
(pendant l'installation, ne pas installer Crawler toolbar)
5) Pour accroître l'efficacité de ces logiciels, il est conseillé de les mettre à jour puis d'effectuer les scans en mode sans échec http://forum.telecharger.01net.com/telecharger/securite_virus_et_assimiles/fa(...)

FACULTATIF: pour optimiser les performances du pc
6) CCleaner Slim http://www.ccleaner.com/download/builds.aspx
7) TuneUp Utilities http://www.tuneup.fr/products/tuneup-utilities/

lethi

Posté le 30/04/2008 17:54:30

merci pour la rapidité!!!
bon j'ai déjà antivir, je vais virer les autres si j'y arrive.
a+

Alex_o

Posté le 30/04/2008 17:57:41

Ok, après ça assures-toi qu'ils sont à jour. Puis démarre en ton ordinateur en mode sans échec (touche F8 avant le démarrage de Windows XP). Ensuite, effectue les scans Malwarebytes et AntiVir. Pour Malwarebytes, supprimes manuellement les fichiers trouvés (car il ne le fait pas automatiquement). Pour AntiVir, mets les fichiers infectés en quarantaine.

Lis ça si tu ne comprends pas comment démarrer en mode sans échec. http://forum.telecharger.01net.com/telecharger/securite_virus_et_assimiles/fa(...)

Si ça ne marche pas, attends l'aide d'un expert du forum.

-->Message édité par Alex_o le 30/04/2008 17:59:38<--

lethi

Posté le 30/04/2008 18:12:23

mince j'ai lancé le scan mais pas en mode sans échec
faut-il que j'arrête le scan et me mettre tout de suite en mode sans échec
merci

BlackTig3r

Posté le 30/04/2008 18:14:38

Salut lethi,

Fais plutôt ça

Télécharge puis installe Hijackthis (Trend Micro)
Poste ensuite un rapport dans ta prochaine réponse.
AIDE: Comment utiliser Hijackthis v2.0.2

lethi

Posté le 01/05/2008 08:51:07

merci pour votre aide

voici le rapport hijackthis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:48:39, on 01/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {026D2294-85A8-4CB2-97B3-C0118EE83653} - C:\WINDOWS\system32\ljJDUNdE.dll (file missing)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} - C:\WINDOWS\system32\rqRHwVPj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {991C8CD4-0936-4265-98FE-120C870FCCE6} - C:\WINDOWS\system32\geBqoNEV.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: qtvglped - {3D91099B-562D-49EC-BDBD-78C5DE9CAED9} - C:\WINDOWS\qtvglped.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [e4814954] rundll32.exe "C:\WINDOWS\system32\anocceqk.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://fdata.over-blog.com/99/00/00/01/js/javauploader/ImageUploader4.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRHwVPj - C:\WINDOWS\SYSTEM32\rqRHwVPj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Planificateur LiveUpdate automatique - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 10428 bytes

lethi

Posté le 01/05/2008 08:55:18

voici également le rapport malwarebytes
vaiq maintenant lancer le scan antivir
merci

Malwarebytes' Anti-Malware 1.11
Version de la base de données: 702

Type de recherche: Examen complet (A:\|C:\|D:\|G:\|H:\|)
Eléments examinés: 122381
Temps écoulé: 2 hour(s), 10 minute(s), 51 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 1
Clé(s) du Registre infectée(s): 9
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 3

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
C:\WINDOWS\system32\rqRHwVPj.dll (Trojan.Vundo) -> No action taken.

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrhwvpj (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\qtvglped.bwom (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\qtvglped.toolbar.1 (Trojan.FakeAlert) -> No action taken.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> No action taken.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\WINDOWS\system32\rqRHwVPj.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP684\A0209823.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\rtqmekwg.exe (Trojan.FakeAlert) -> No action taken.

lethi

Posté le 01/05/2008 10:19:16

voici le rapport antivir :

Avira AntiVir Personal
Report file date: jeudi 1 mai 2008 09:00

Scanning for 1245960 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Save mode
Username: emmanuelle
Computer name: BABEY

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 09/04/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 20/04/2008 18:48:34
AVSCAN.DLL : 8.1.1.0 53505 Bytes 20/04/2008 18:48:34
LUKE.DLL : 8.1.2.9 151809 Bytes 20/04/2008 18:48:34
LUKERES.DLL : 8.1.2.1 12033 Bytes 20/04/2008 18:48:34
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 06:55:31
ANTIVIR2.VDF : 7.0.3.197 1260032 Bytes 22/04/2008 18:45:14
ANTIVIR3.VDF : 7.0.3.235 248832 Bytes 30/04/2008 06:42:57
Engineversion : 8.1.0.37
AEVDF.DLL : 8.1.0.5 102772 Bytes 20/04/2008 18:48:35
AESCRIPT.DLL : 8.1.0.28 233851 Bytes 01/05/2008 06:43:06
AESCN.DLL : 8.1.0.15 119157 Bytes 01/05/2008 06:43:06
AERDL.DLL : 8.1.0.20 418165 Bytes 25/04/2008 17:48:48
AEPACK.DLL : 8.1.1.4 364918 Bytes 30/04/2008 05:56:39
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 20/04/2008 18:48:35
AEHEUR.DLL : 8.1.0.21 1196407 Bytes 01/05/2008 06:43:05
AEHELP.DLL : 8.1.0.14 115063 Bytes 20/04/2008 18:48:35
AEGEN.DLL : 8.1.0.18 299381 Bytes 25/04/2008 17:48:45
AEEMU.DLL : 8.1.0.5 430450 Bytes 20/04/2008 18:48:35
AECORE.DLL : 8.1.0.27 168310 Bytes 20/04/2008 18:48:35
AVWINLL.DLL : 1.0.0.7 14593 Bytes 20/04/2008 18:48:34
AVPREF.DLL : 8.0.0.1 25857 Bytes 20/04/2008 18:48:34
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVREG.DLL : 8.0.0.0 30977 Bytes 20/04/2008 18:48:34
AVARKT.DLL : 1.0.0.23 307457 Bytes 20/04/2008 18:48:34
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 20/04/2008 18:48:34
SQLITE3.DLL : 3.3.17.1 339968 Bytes 20/04/2008 18:48:34
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 20/04/2008 18:48:34
NETNT.DLL : 8.0.0.1 7937 Bytes 20/04/2008 18:48:34
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 20/04/2008 18:48:31
RCTEXT.DLL : 8.0.32.0 86273 Bytes 20/04/2008 18:48:31

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: jeudi 1 mai 2008 09:00

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
11 processes with 11 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '37' files ).

Starting the file scan:

Begin scan in 'C:\' <HDD>
C:\pagefile.sys
[WARNING] The file could not be opened!

End of the scan: jeudi 1 mai 2008 10:03
Used time: 1:02:52 min

The scan has been done completely.

7007 Scanning directories
458186 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
458186 Files not concerned
7553 Archives were scanned
1 Warnings
0 Notes

lethi

Posté le 01/05/2008 10:23:54

voici un second scan de hijackthis en mode sans échec cette fois-ci
les rapports antivir et malwarebytes ont été fait en mode sans échec

je pars quelques jours, donc je reprendrai la désinfection de mon pc plus tard.
en attendant, vous pouvez toujours me laisser la marche à suivre :hello:

merci encore beaucoup pour votre aide.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:14, on 01/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {026D2294-85A8-4CB2-97B3-C0118EE83653} - C:\WINDOWS\system32\ljJDUNdE.dll (file missing)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} - C:\WINDOWS\system32\rqRHwVPj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {991C8CD4-0936-4265-98FE-120C870FCCE6} - C:\WINDOWS\system32\geBqoNEV.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: qtvglped - {3D91099B-562D-49EC-BDBD-78C5DE9CAED9} - C:\WINDOWS\qtvglped.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [e4814954] rundll32.exe "C:\WINDOWS\system32\anocceqk.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://fdata.over-blog.com/99/00/00/01/js/javauploader/ImageUploader4.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRHwVPj - C:\WINDOWS\SYSTEM32\rqRHwVPj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Planificateur LiveUpdate automatique - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8805 bytes

BlackTig3r

Posté le 01/05/2008 12:40:43

Re,

Télécharge VirtumundoBegone sur le Bureau.

Double clique ensuite sur "VirtumundoBeGone.exe" et suis les instructions.
Une fois terminé, redémarre et poste le rapport VBG.TXT créé sur le Bureau
dans ta prochaine réponse avec un nouveau rapport HijackThis.

NOTE: Ne t'inquiète pas si tu vois un message Ecran bleu "Erreur fatale", c'est normal et attendu.

&

Télécharge VundoFix.exe.
Double clique sur "VundoFix.exe".
Clique sur "Scan for Vundo".
Lorsque le scan est complété, clique sur le bouton "Remove Vundo"

Ensuite clique sur "Yes".
Après avoir cliqué sur "Yes", le Bureau va disparaitre pendant la suppression des fichiers inféctés.
Tu auras un message comme quoi l'ordinateur va S'eteindre, fais "Ok".

Poste le rapport qui se trouve dans C:\vundofix.txt.

lethi

Posté le 04/05/2008 21:18:36

coucou me revoilà,

voici les rapports :

[05/04/2008, 20:21:58] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\emmanuelle\Bureau\VirtumundoBeGone.exe" )
[05/04/2008, 20:22:26] - Detected System Information:
[05/04/2008, 20:22:26] - Windows Version: 5.1.2600, Service Pack 2
[05/04/2008, 20:22:26] - Current Username: emmanuelle (Admin)
[05/04/2008, 20:22:26] - Windows is in NORMAL mode.
[05/04/2008, 20:22:26] - Searching for Browser Helper Objects:
[05/04/2008, 20:22:26] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[05/04/2008, 20:22:26] - BHO 2: {026D2294-85A8-4CB2-97B3-C0118EE83653} ()
[05/04/2008, 20:22:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/04/2008, 20:22:26] - Checking for HKLM\...\Winlogon\Notify\ljJDUNdE
[05/04/2008, 20:22:26] - Key not found: HKLM\...\Winlogon\Notify\ljJDUNdE, continuing.
[05/04/2008, 20:22:26] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/04/2008, 20:22:26] - BHO 4: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/04/2008, 20:22:26] - BHO 5: {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} ()
[05/04/2008, 20:22:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/04/2008, 20:22:26] - Checking for HKLM\...\Winlogon\Notify\rqRHwVPj
[05/04/2008, 20:22:26] - Found: HKLM\...\Winlogon\Notify\rqRHwVPj - This is probably Virtumundo.
[05/04/2008, 20:22:26] - Assigning {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} MSEvents Object
[05/04/2008, 20:22:27] - BHO list has been changed! Starting over...
[05/04/2008, 20:22:27] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[05/04/2008, 20:22:27] - BHO 2: {026D2294-85A8-4CB2-97B3-C0118EE83653} ()
[05/04/2008, 20:22:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/04/2008, 20:22:27] - Checking for HKLM\...\Winlogon\Notify\ljJDUNdE
[05/04/2008, 20:22:27] - Key not found: HKLM\...\Winlogon\Notify\ljJDUNdE, continuing.
[05/04/2008, 20:22:27] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/04/2008, 20:22:27] - BHO 4: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/04/2008, 20:22:27] - BHO 5: {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} (MSEvents Object)
[05/04/2008, 20:22:27] - ALERT: Found MSEvents Object!
[05/04/2008, 20:22:27] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/04/2008, 20:22:27] - BHO 7: {991C8CD4-0936-4265-98FE-120C870FCCE6} ()
[05/04/2008, 20:22:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/04/2008, 20:22:27] - Checking for HKLM\...\Winlogon\Notify\geBqoNEV
[05/04/2008, 20:22:27] - Key not found: HKLM\...\Winlogon\Notify\geBqoNEV, continuing.
[05/04/2008, 20:22:27] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/04/2008, 20:22:27] - BHO 9: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} ()
[05/04/2008, 20:22:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/04/2008, 20:22:27] - No filename found. Continuing.
[05/04/2008, 20:22:27] - Finished Searching Browser Helper Objects
[05/04/2008, 20:22:27] - *** Detected MSEvents Object
[05/04/2008, 20:22:27] - Trying to remove MSEvents Object...
[05/04/2008, 20:22:28] - Terminating Process: IEXPLORE.EXE
[05/04/2008, 20:22:28] - Terminating Process: RUNDLL32.EXE
[05/04/2008, 20:22:28] - Disabling Automatic Shell Restart
[05/04/2008, 20:22:28] - Terminating Process: EXPLORER.EXE
[05/04/2008, 20:22:28] - Suspending the NT Session Manager System Service
[05/04/2008, 20:22:29] - Terminating Windows NT Logon/Logoff Manager
[05/04/2008, 20:22:29] - Re-enabling Automatic Shell Restart
[05/04/2008, 20:22:29] - File to disable: C:\WINDOWS\system32\rqRHwVPj.dll
[05/04/2008, 20:22:29] - Renaming C:\WINDOWS\system32\rqRHwVPj.dll -> C:\WINDOWS\system32\rqRHwVPj.dll.vir
[05/04/2008, 20:22:29] - File successfully renamed!
[05/04/2008, 20:22:29] - Removing HKLM\...\Browser Helper Objects\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}
[05/04/2008, 20:22:29] - Removing HKCR\CLSID\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}
[05/04/2008, 20:22:29] - Adding Kill Bit for ActiveX for GUID: {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}
[05/04/2008, 20:22:29] - Deleting ATLEvents/MSEvents Registry entries
[05/04/2008, 20:22:29] - Removing HKLM\...\Winlogon\Notify\rqRHwVPj
[05/04/2008, 20:22:29] - Searching for Browser Helper Objects:
[05/04/2008, 20:22:29] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[05/04/2008, 20:22:29] - BHO 2: {026D2294-85A8-4CB2-97B3-C0118EE83653} ()
[05/04/2008, 20:22:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/04/2008, 20:22:29] - Checking for HKLM\...\Winlogon\Notify\ljJDUNdE
[05/04/2008, 20:22:29] - Key not found: HKLM\...\Winlogon\Notify\ljJDUNdE, continuing.
[05/04/2008, 20:22:29] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[05/04/2008, 20:22:29] - BHO 4: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/04/2008, 20:22:29] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/04/2008, 20:22:29] - BHO 6: {991C8CD4-0936-4265-98FE-120C870FCCE6} ()
[05/04/2008, 20:22:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/04/2008, 20:22:29] - Checking for HKLM\...\Winlogon\Notify\geBqoNEV
[05/04/2008, 20:22:29] - Key not found: HKLM\...\Winlogon\Notify\geBqoNEV, continuing.
[05/04/2008, 20:22:29] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/04/2008, 20:22:29] - BHO 8: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} ()
[05/04/2008, 20:22:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/04/2008, 20:22:29] - No filename found. Continuing.
[05/04/2008, 20:22:29] - Finished Searching Browser Helper Objects
[05/04/2008, 20:22:29] - Finishing up...
[05/04/2008, 20:22:29] - A restart is needed.
[05/04/2008, 20:22:29] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[05/04/2008, 20:22:55] - Attempting to Restart via STOP error (Blue Screen!)

lethi

Posté le 04/05/2008 21:19:49

la suite :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37:08, on 04/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {026D2294-85A8-4CB2-97B3-C0118EE83653} - C:\WINDOWS\system32\ljJDUNdE.dll (file missing)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {991C8CD4-0936-4265-98FE-120C870FCCE6} - C:\WINDOWS\system32\geBqoNEV.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: qtvglped - {3D91099B-562D-49EC-BDBD-78C5DE9CAED9} - C:\WINDOWS\qtvglped.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [e4814954] rundll32.exe "C:\WINDOWS\system32\anocceqk.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://fdata.over-blog.com/99/00/00/01/js/javauploader/ImageUploader4.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MysqlInventime - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Planificateur LiveUpdate automatique - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8640 bytes

lethi

Posté le 04/05/2008 21:28:06

dernier rapport :

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 12:36:04 11/05/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V7.0.3

Scan started at 20:54:12 04/05/2008

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V7.0.3

Scan started at 21:05:55 04/05/2008

Listing files found while scanning....

No infected files were found.

VundoFix V7.0.3

Scan started at 21:22:40 04/05/2008

Listing files found while scanning....

encore merci pour to aide blacktig3 :hello:

BlackTig3r

Posté le 04/05/2008 21:34:31

Salut,

~ Télécharge ComboFix sur ton Bureau. Editeur : sUBs ~

~ Désactive tes protection résidentes ( Antivirus, Spybot TeaTimer ... ) ~

~ Double clique sur "ComboFix.exe" présent sur ton Bureau afin de le lancer ~

~ Lorsque la recherche sera terminée, un rapport apparaîtra. Poste ce rapport ("C:\combofix.txt") dans ta prochaine réponse. ~

Si tu rencontres des problèmes sur l'utilisation de ComboFix, consulte le guide d'utilisation de ComboFix.

lethi

Posté le 04/05/2008 21:57:27

voici le rapport de combofix :

ComboFix 08-05-01.3 - emmanuelle 2008-05-04 21:46:10.3 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.138 [GMT 2:00]
Endroit: C:\Documents and Settings\emmanuelle\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ulysse\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\EdNUDJjl.ini
C:\WINDOWS\system32\EdNUDJjl.ini2
C:\WINDOWS\system32\kqeccona.ini
C:\WINDOWS\system32\llnmp.ini2
C:\WINDOWS\system32\llnmp.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\VENoqBeg.ini
C:\WINDOWS\system32\VENoqBeg.ini2

.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-04-04 to 2008-05-04 ))))))))))))))))))))))))))))))))))))
.

2008-04-30 18:08 . 2008-04-30 18:08 <REP> d-------- C:\Documents and Settings\emmanuelle\Application Data\Malwarebytes
2008-04-30 18:07 . 2008-04-30 18:07 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-30 11:25 . 2006-10-05 04:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-30 11:25 . 2006-10-05 04:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-30 11:20 . 2008-04-30 11:25 <REP> d-------- C:\Program Files\Picasa2
2008-04-25 19:51 . 2008-04-25 19:51 <REP> d-------- C:\Documents and Settings\LocalService\Mes documents
2008-04-24 02:06 . 2008-04-30 09:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-24 02:06 . 2008-04-24 02:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 00:39 . 2008-04-19 00:39 38,912 --a------ C:\WINDOWS\system32\rqRHwVPj.dll.vir
2008-04-09 17:34 . 2008-04-09 17:37 1,355 --a------ C:\WINDOWS\imsins.BAK

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-30 09:20 --------- d-----w C:\Program Files\Google
2008-03-28 06:52 --------- d-----w C:\Program Files\Avira
2008-03-28 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-03-28 06:45 --------- d-----w C:\Program Files\Fichiers communs\BitDefender
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:09 1,845,376 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-12 14:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-11 14:03 85,520 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-03-11 13:36 --------- d-----w C:\Program Files\Java
2008-03-01 16:28 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:57 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-29 08:56 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:35 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:35 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-01-18 14:15 17,788,920 ----a-w C:\Program Files\antivir_workstation_win7u_en_h.exe
2006-03-02 19:05 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026D2294-85A8-4CB2-97B3-C0118EE83653}]
C:\WINDOWS\system32\ljJDUNdE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{991C8CD4-0936-4265-98FE-120C870FCCE6}]
C:\WINDOWS\system32\geBqoNEV.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}"= "C:\WINDOWS\qtvglped.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{3d91099b-562d-49ec-bdbd-78c5de9caed9}]
[HKEY_CLASSES_ROOT\qtvglped.1]
[HKEY_CLASSES_ROOT\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}]
[HKEY_CLASSES_ROOT\qtvglped]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" [2006-07-31 11:45 139264]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49 4670968]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2005-05-09 15:55 180269]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2004-02-05 00:04 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 15:47 67072 C:\WINDOWS\SOUNDMAN.EXE]
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.exe" [2004-03-01 05:00 98304]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 20:48 262401]
"e4814954"="C:\WINDOWS\system32\anocceqk.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spamihilator]
C:\Program Files\Spamihilator\spamihilator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys [2006-11-15 13:02]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys []

.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2005-07-09 16:54:05 C:\WINDOWS\Tasks\Rappel d'enregistrement 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-07-09 16:54:05 C:\WINDOWS\Tasks\Rappel d'enregistrement 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 21:50:52
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MysqlInventime]
"ImagePath"="c:\mysql\bin\mysqld-nt MysqlInventime"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\APPS\HIDSERVICE\HidService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-05-04 21:54:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 19:54:38
ComboFix2.txt 2007-12-11 19:05:40

Pre-Run: 95,885,275,136 octets libres
Post-Run: 95,926,448,128 octets libres

151 --- E O F --- 2008-04-09 15:37:46

mille mercis :hello:

lethi

Posté le 06/05/2008 15:12:04

coucou,

je fais quoi après ?
bououh, il n'y a plus personne :pleure:

BlackTig3r

Posté le 06/05/2008 18:27:52

Salut,

Encore désolé de mon retard, hier j'etais pas là :sweat:

On continue

Copie le texte se situant dans le cadre ci-dessous:

File::
C:\WINDOWS\system32\rqRHwVPj.dll.vir
C:\WINDOWS\system32\ljJDUNdE.dll
C:\WINDOWS\system32\geBqoNEV.dll
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\imsins.BAK

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026D2294-85A8-4CB2-97B3-C0118EE83653}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{991C8CD4-0936-4265-98FE-120C870FCCE6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}"=-

[-HKEY_CLASSES_ROOT\qtvglped]

[-HKEY_CLASSES_ROOT\qtvglped.1]

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

< inclued picture >

Cela va relancer Combofix, tape sur 1 puis valide. Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.
S'il n'y a pas de rédémarrage, poste quand même les rapports.

******************

Met à jour Antivir et Malware Byte's Anti-Malware, puis fais une analyse complete du systeme avec, poste les rapports. ( Pour Malware Byte's, prends bien soin de Supprimer la selection à la fin du scan.

-->Message édité par BlackTig3r le 06/05/2008 18:31:02<--

lethi

Posté le 06/05/2008 22:07:36

coucou,

voici les rapports
j'ai fait une mauvaise manipulation pour combofix,
j'espère que ça a marché
merci encore pour ton aide :hello:

ComboFix 08-05-01.3 - emmanuelle 2008-05-06 19:20:38.5 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.163 [GMT 2:00]
Endroit: C:\Documents and Settings\emmanuelle\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\emmanuelle\Bureau\CFScript.txt..txt
* Création d'un nouveau point de restauration

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\system32\geBqoNEV.dll
C:\WINDOWS\system32\ljJDUNdE.dll
C:\WINDOWS\system32\rqRHwVPj.dll.vir
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\rqRHwVPj.dll.vir

.
((((((((((((((((((((((((((((( Fichiers créés 2008-04-06 to 2008-05-06 ))))))))))))))))))))))))))))))))))))
.

2008-05-05 09:52 . 2008-05-05 09:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 09:52 . 2008-05-05 09:52 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-30 18:08 . 2008-04-30 18:08 <REP> d-------- C:\Documents and Settings\emmanuelle\Application Data\Malwarebytes
2008-04-30 18:07 . 2008-04-30 18:07 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-30 11:25 . 2006-10-05 04:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-30 11:25 . 2006-10-05 04:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-30 11:20 . 2008-04-30 11:25 <REP> d-------- C:\Program Files\Picasa2
2008-04-25 19:51 . 2008-04-25 19:51 <REP> d-------- C:\Documents and Settings\LocalService\Mes documents

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-30 09:20 --------- d-----w C:\Program Files\Google
2008-03-28 06:52 --------- d-----w C:\Program Files\Avira
2008-03-28 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-03-28 06:45 --------- d-----w C:\Program Files\Fichiers communs\BitDefender
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:09 1,845,376 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-12 14:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-11 14:03 85,520 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-03-11 13:36 --------- d-----w C:\Program Files\Java
2008-03-01 16:28 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:57 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-29 08:56 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:35 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:35 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-01-18 14:15 17,788,920 ----a-w C:\Program Files\antivir_workstation_win7u_en_h.exe
2006-03-02 19:05 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" [2006-07-31 11:45 139264]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49 4670968]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2005-05-09 15:55 180269]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2004-02-05 00:04 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 15:47 67072 C:\WINDOWS\SOUNDMAN.EXE]
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.exe" [2004-03-01 05:00 98304]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [2007-03-16 11:45 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 20:48 262401]
"e4814954"="C:\WINDOWS\system32\anocceqk.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360]

C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenge