Salut,

télécharge HijackThis ici:
http://telechargement.zebulon.fr/138-hijackthis-1991.html

Dézippe le dans un dossier prévu à cet effet.
Par exemple C:\hijackthis < Enregistre le bien dans c : !
Démo : (Merci a Balltrap34 pour cette réalisation)
http://pageperso.aol.fr/balltrap34/Hijenr.gif

Lance le puis:
clique sur "do a system scan and save logfile" (cf démo)
faire un copier coller du log entier sur le forum

Démo : (Merci a Balltrap34 pour cette réalisation)
http://pageperso.aol.fr/balltrap34/demohijack.htm

Bon courage

A+
"J'avais rêvé d'un monde meilleur...Sans différence de couleurS...Egalité..."-MLK-

Salut,

Télécharge le FixWareout d'un de ces deux sites sur le bureau:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Lance le fix: clique sur Next, puis Install, puis assure toi que "Run fixit" est activé puis clique sur Finish.
Le fix va commencer, suis les messages à l'écran. Il te sera demandé de redémarrer ton ordinateur, fais le. Ton système mettra un peu plus de temps au démarrage, c'est normal.

Quand ton système aura redémarré, suis les invites des messages. Ensuite lance HijackThis. Clique sur Scan et coche les lignes suivantes:

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C505AC8-5394-44AE-9A0E-F88F37591265}: NameServer = 85.255.113.122,85.255.112.169

O17 - HKLM\System\CCS\Services\Tcpip\..\{35416BAD-17C7-4CB6-9EFF-C08D8B0D2A6E}: NameServer = 85.255.113.122,85.255.112.169

O17 - HKLM\System\CCS\Services\Tcpip\..\{373DCFF7-95DB-4CC6-82E1-6A860C36A7BC}: NameServer = 85.255.113.122,85.255.112.169

O17 - HKLM\System\CCS\Services\Tcpip\..\{72F91B3C-902C-4DAF-A43C-3F581C07F693}: NameServer = 85.255.113.122,85.255.112.169

O17 - HKLM\System\CCS\Services\Tcpip\..\{75D3CDDE-25B5-4287-A152-0117E173CC6C}: NameServer = 85.255.113.122,85.255.112.169

O17 - HKLM\System\CCS\Services\Tcpip\..\{E9058AA5-619D-4944-ABB7-31728B3785F4}: NameServer = 85.255.113.122,85.255.112.169

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.122 85.255.112.169

O17 - HKLM\System\CS1\Services\Tcpip\..\{1C505AC8-5394-44AE-9A0E-F88F37591265}: NameServer = 85.255.113.122,85.255.112.169

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.122 85.255.112.169

Clique sur Fix Checked. Ferme HijackThis et clique sur OK pour continuer la procédure.

A la fin du fix, tu auras peut-être encore besoin de redémarrer le PC.

Au final, poste le contenu de C:\fixwareout\report.txt avec un nouveau rapport HijackThis.

A+
"J'avais rêvé d'un monde meilleur...Sans différence de couleurS...Egalité..."-MLK-

Salut Régis.

Voici les logs.
Merci beaucoup!

Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmouz.exe"="C:\\WINDOWS\\System32\\dmouz.exe"

...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F5C52170CF82-ACC8-5F74-9576-FF7AC3BA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\zuomd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
"dmouz.exe"=-
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSVEW.EXE 51.772 2006-12-01
C:\WINDOWS\SYSTEM32\DMOUZ.EXE 60.472 2002-08-29

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...


Logfile of HijackThis v1.99.1
Scan saved at 18:59:45, on 27/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Arescom\Adaptador ADSL ARESCOM USB\dslmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\update.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://br.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://br.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer par NUMERICABLE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE /P23 "EPSON Stylus C63 Series" /O6 "USB001" /M "Stylus C63"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [update] C:\Arquivos de programas\update.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: update.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesbr.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/...
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

Salut,

Rend toi sur ce site :
http://www.virustotal.com/xhtml/virustotal_en.html
Clik sur parcourir
Recherche ceci :
C:\WINDOWS\SYSTEM32\CSVEW.EXE

et aussi celui ci:
C:\WINDOWS\SYSTEM32\DMOUZ.EXE

Clik send et colle le rapport stp

A+
"J'avais rêvé d'un monde meilleur...Sans différence de couleurS...Egalité..."-MLK-

Salut Régis, voici le resultat sur virustotal

Merci beaucoup!

STATUS: FINISHEDComplete scanning result of "CSVEW.EXE", received in VirusTotal at 12.27.2006, 23:58:18 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.27.2006 TR/Dldr.Mohbpork.A.127
Authentium 4.93.8 12.27.2006 could be a corrupted executable file
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.27.2006 no virus found
BitDefender 7.2 12.27.2006 Trojan.Downloader.Mohbpork.A
CAT-QuickHeal 8.00 12.27.2006 TrojanDownloader.Agent.uj
ClamAV devel-20060426 12.27.2006 no virus found
DrWeb 4.33 12.27.2006 Trojan.DnsChange
eSafe 7.0.14.0 12.26.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.99 12.27.2006 no virus found
eTrust-Vet 30.3.3283 12.27.2006 Win32/Alureon!generic
Ewido 4.0 12.27.2006 Downloader.Agent.uj
Fortinet 2.82.0.0 12.27.2006 PossibleThreat
F-Prot 3.16f 12.22.2006 Possibly a new variant of W32/new-malware!Maximus
F-Prot4 4.2.1.29 12.22.2006 W32/new-malware!Maximus
Ikarus T3.1.0.27 12.27.2006 Trojan-Downloader.Win32.Agent.uj
Kaspersky 4.0.2.24 12.27.2006 Trojan-Downloader.Win32.Agent.uj
McAfee 4927 12.27.2006 no virus found
Microsoft 1.1904 12.27.2006 Win32/Alureon.gen
NOD32v2 1940 12.27.2006 a variant of Win32/Small.FB
Norman 5.80.02 12.27.2006 W32/Agent.AUMV
Panda 9.0.0.4 12.27.2006 Trj/Ruins.CJ
Prevx1 V2 12.28.2006 Dropper.Payload
Sophos 4.13.0 12.26.2006 Troj/RuinDl-W
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.137 12.27.2006 no virus found
UNA 1.83 12.27.2006 no virus found
VBA32 3.11.1 12.27.2006 Trojan.DnsChange
VirusBuster 4.3.19:9 12.27.2006 novirus:Packed/PolyCrypt


Aditional Information
File size: 51772 bytes
MD5: 675c050e05ca75465c38b18cba956b15
SHA1: 5b09a9a49bf004817d25ffa314471cf5e03112ec
packers: PECRYPT
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=4d1d43611436
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
-x-x-
STATUS: FINISHEDComplete scanning result of "DMOUZ.EXE_", received in VirusTotal at 12.28.2006, 00:04:43 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.27.2006 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 12.27.2006 could be a corrupted executable file
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.27.2006 Generic2.NJH
BitDefender 7.2 12.27.2006 MemScan:Trojan.Agent.AER
CAT-QuickHeal 8.00 12.27.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.27.2006 no virus found
DrWeb 4.33 12.27.2006 Trojan.DnsChange
eSafe 7.0.14.0 12.26.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.99 12.27.2006 no virus found
eTrust-Vet 30.3.3283 12.27.2006 Win32/Alureon!generic
Ewido 4.0 12.27.2006 Trojan.Small.fb
Fortinet 2.82.0.0 12.27.2006 W32/RuinDl.FB!tr
F-Prot 3.16f 12.22.2006 Possibly a new variant of W32/new-malware!Maximus
F-Prot4 4.2.1.29 12.22.2006 W32/new-malware!Maximus
Ikarus T3.1.0.27 12.27.2006 Trojan.Win32.Small.fb
Kaspersky 4.0.2.24 12.27.2006 Trojan.Win32.Small.fb
McAfee 4927 12.27.2006 no virus found
Microsoft 1.1904 12.27.2006 Win32/Alureon.gen
NOD32v2 1940 12.27.2006 a variant of Win32/Small.FB
Norman 5.80.02 12.27.2006 no virus found
Panda 9.0.0.4 12.27.2006 Trj/Ruins.MB
Prevx1 V2 12.28.2006 Covert.Sys.Exec
Sophos 4.13.0 12.26.2006 Troj/RuinDl-Gen
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.137 12.27.2006 no virus found
UNA 1.83 12.27.2006 no virus found
VBA32 3.11.1 12.27.2006 Trojan.DnsChange
VirusBuster 4.3.19:9 12.27.2006 novirus:Packed/PolyCrypt

Re,

Ils sont inféctés, supprime ceci:

C:\WINDOWS\SYSTEM32\CSVEW.EXE
C:\WINDOWS\SYSTEM32\DMOUZ.EXE

Puis installe ceci:

AVG Anti-Spyware :
http://www.malekal.com/tutorial_AVG_AntiSpyware.php

Copie colle le rapport.

A+ "J'avais rêvé d'un monde meilleur...Sans différence de couleurS...Egalité..."-MLK-

[09/23/2008, 13:35:24] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\hajer\Bureau\VirtumundoBeGone.exe" )
[09/23/2008, 13:36:43] - Detected System Information:
[09/23/2008, 13:36:43] - Windows Version: 5.1.2600, Service Pack 2
[09/23/2008, 13:36:43] - Current Username: hajer (Admin)
[09/23/2008, 13:36:43] - Windows is in NORMAL mode.
[09/23/2008, 13:36:43] - Searching for Browser Helper Objects:
[09/23/2008, 13:36:43] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/23/2008, 13:36:43] - BHO 2: {72A128E0-2240-40c8-9E92-5387D64F839E} (XMLDP Class)
[09/23/2008, 13:36:43] - Finished Searching Browser Helper Objects
[09/23/2008, 13:36:43] - Finishing up...
[09/23/2008, 13:36:43] - Nothing found! Exiting...