Virus !! aidez-moi svp !!!Fermé

Question

Bonjour,

Ca fait maintenant quelques semaines que avast! me dit qu'il a trouvé un virus sur l'ordi mais il n'arrive pas a le supprimer ni a le mettre en quarantaine ! ce virus touche le fichier C://Windows/system32/dmban.dll/[UPX].
C'est un cheval de troie qui se nomme Win32:BHO-KD [Trj]

Voici le log que me donne HijackThis. Qu'est-ce que vous en pensez ? 
Merci d'avance pour vos réponses !



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:44:13, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWSunservice.exe
C:\WINDOWS\System32
vsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GUIGNA~1\LOCALS~1\Temp\Rar$EX02.055\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://www.bing.com/?FORM=TOOLBR&cc=fr&toHttps=1&redig=4527FFF1C12746FC9EDB535C75E80ECC
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {12B0EA79-D6C3-4EE0-B454-7D6031EE2806} - C:\WINDOWS\system32\dmban.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {41C29B07-6F91-4966-91BE-2E2841643C83} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS
pqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS
pqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://upgroups.univ-poitiers.fr/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f012.mail.caramail.lycos.fr/app/uploader/FileUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Environnement d'exécution Java 1.4.1_02) - 
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWSunservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

g!rly · Answer

salut gugui, 

l´infection est bien visible...

Télécharge combofix.exe (par sUBs) sur ton Bureau.

-> http://download.bleepingcomputer.com/sUBs/ComboFix.exe      

-> Double clique combofix.exe.
-> Tape sur la touche 1 (Yes) pour démarrer le scan.
-> Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse. 

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

@+

guigui · Answer

Voici le rapport de combofix : ComboFix 08-01-29.3 - Guignard Joël 2008-01-29 20:03:34.1 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.81 [GMT 1:00] Endroit: C:\Documents and Settings\Guignard Joël\Bureau\ComboFix.exe * Création d'un nouveau point de restauration [color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color] . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\cmd.exe C:\Documents and Settings\All Users\Application Data\salesmonitor . ((((((((((((((((((((((((((((( Fichiers créés 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))))))) . 2008-01-08 18:15 . 2008-01-08 18:15 d-------- C:\Program Files\Sports Interactive 2008-01-07 21:12 . 2008-01-08 18:42 d-------- C:\Program Files\VideoLAN 2008-01-01 16:56 . 2008-01-29 17:18 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-01-01 16:29 . 2008-01-29 20:00 d-------- C:\Program Files\Spyware Doctor 2008-01-01 16:03 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-12-30 15:37 . 2007-12-30 15:37 d-------- C:\WINDOWS\Output 2007-12-30 15:36 . 2003-09-29 11:37 497,266,688 --a------ C:\WINDOWS\DATA.PCK 2007-12-30 15:36 . 2002-11-25 14:04 974,848 --a------ C:\WINDOWS\vorbis.dll 2007-12-30 15:36 . 2003-02-11 14:02 377,856 --a------ C:\WINDOWS\binkw32.dll 2007-12-30 15:36 . 2002-11-25 14:04 49,152 --a------ C:\WINDOWS\ogg.dll 2007-12-30 15:36 . 2003-08-16 18:25 4,096 --a------ C:\WINDOWS\Data2.PCK 2007-12-30 15:36 . 2003-08-12 10:28 1,078 --a------ C:\WINDOWS\gamespy.ico 2007-12-30 13:54 . 2007-12-30 13:54 d-------- C:\Program Files\GameSpy Arcade . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-29 16:22 --------- d-----w C:\Documents and Settings\Guignard Joël\Application Data\OpenOffice.org2 2008-01-23 20:47 --------- d-----w C:\Program Files\eMule 2008-01-04 14:02 --------- d-----w C:\Documents and Settings\Guignard Joël\Application Data\Sports Interactive 2008-01-03 20:39 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-12-27 20:17 --------- d-----w C:\Program Files\LimeWire 2007-12-27 20:17 --------- d-----w C:\Program Files\Incomplete 2007-12-26 12:24 --------- d-----w C:\Program Files\Alcohol Soft 2007-12-21 22:12 --------- d-----w C:\Documents and Settings\Guignard Joël\Application Data\LimeWire 2007-12-15 15:34 --------- d-----w C:\Program Files\OpenOffice.org 2.3 2007-12-09 13:01 --------- d-----w C:\Program Files\Wanadoo 2007-12-09 13:01 --------- d-----w C:\Program Files\MSN Messenger 2007-12-09 12:43 --------- d-----w C:\Documents and Settings\Guignard Joël\Application Data\TuneUp Software 2007-12-09 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software 2007-12-07 17:18 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-06 18:34 19,456 ----a-w C:\WINDOWS\system32\drivers\sxkddwuz.dat 2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AvastSS.scr 2007-11-30 09:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-11-29 09:30 40,737 ----a-w C:\WINDOWS\system32\rightonadz-uninst.exe 2007-11-07 09:28 728,576 ----a-w C:\WINDOWS\system32\lsasrv.dll 2007-10-29 22:43 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll 2007-09-29 13:07 70,168 -c--a-w C:\Documents and Settings\Guignard Joël\Application Data\GDIPFONTCACHEV1.DAT 2007-09-07 16:30 17,012,488 ----a-w C:\Program Files\setupfre.exe 2006-07-20 17:23 560 -c--a-w C:\Documents and Settings\Guignard Joël\Application Data\ViewerApp.dat 2005-02-18 19:47 942,512 ----a-w C:\Program Files\7z313.exe 2005-02-01 19:28 9,133,216 ----a-w C:\Program Files\acrobat reader.exe 2004-12-05 19:31 10,156,943 ----a-w C:\Program Files\avg70free_289a392.exe . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12B0EA79-D6C3-4EE0-B454-7D6031EE2806}] 2004-08-20 00:09 107776 --a------ C:\WINDOWS\system32\dmban.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] C:\Documents and Settings\Guignard Jo‰l\Menu D‚marrer\Programmes\D‚marrage\ OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe "HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe "NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize "postSetupCheck"=C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" R0 tdaalyux;tdaalyux;C:\WINDOWS\system32\drivers\sxkddwuz.dat [] R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-04-30 19:59] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d34c100-2939-11da-ab4b-0050fc4a104f}] \Shell\AutoRun\command - setupSNK.exe *Newly Created Service* - PROCEXP90 . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-01-25 16:23:22 C:\WINDOWS\Tasks\Maintenance en 1 clic.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-29 20:07:31 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-01-29 20:09:14 ComboFix-quarantined-files.txt 2008-01-29 19:09:09 . 2008-01-11 06:57:30 --- E O F ---

g!rly · Answer

re,

peux tu reposter un hijack this

@+

guigui · Answer

Le nouveau log de HijackThis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:09:28, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWSunservice.exe
C:\WINDOWS\System32
vsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://www.bing.com/?FORM=TOOLBR&cc=fr&toHttps=1&redig=4527FFF1C12746FC9EDB535C75E80ECC
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {12B0EA79-D6C3-4EE0-B454-7D6031EE2806} - C:\WINDOWS\system32\dmban.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {41C29B07-6F91-4966-91BE-2E2841643C83} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS
pqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS
pqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://upgroups.univ-poitiers.fr/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f012.mail.caramail.lycos.fr/app/uploader/FileUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Environnement d'exécution Java 1.4.1_02) - 
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWSunservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

guigui · Answer

Alors ? ya encore un problème ???

Merci d'avance pour vos réponses !

jimbob · Answer

salut!:
un conseil pour l’avenir su tu es sur XP
Pour ne  pas attraper de virus pas il ne faut jamais  utiliser XP en mode Administrateur
Windows XP crée un compte Administrateur pendant la procédure d'installation. La plupart des utilisateurs se simplifient la vie, croient-ils, en conservant ce compte pour exploiter leur machine. Un virus, un cheval de Troie ou  une fausse manipulation peut donner le contrôle à un attaquant extérieur qui en tant qu'Administrateur aura alors tous pouvoirs pour supprimer des comptes, changer les mots de passe, installer des logiciels, supprimer les fichiers, etc...
En revanche, si vous utilisez votre machine avec des droits réduits, Utilisateur ou Utilisateur avec pouvoir, les dégâts possibles seront très limités. Je vous conseille donc de créer un utilisateur et d'utiliser ce mode pour travailler. Il suffira de repasser en mode Administrateur le temps nécessaire pour installer de nouveaux logiciels ou pour faire des opérations sur le système. Pour ceux qui ont besoin de repasser souvent en mode Administrateur, il existe une commande Exécuter comme... (en faisant clic droit) qui permet d'exécuter un programme en mode administrateur sans changer de session.

Plus de précision ici :
https://www.figer.com/Publications/xpgroupes.htm

g!rly · Answer

re,

guigui, 

j´ai fais une pause pour dinner...

Copie le texte ci-dessous :

File::
C:\WINDOWS\system32\dmban.dll
C:\WINDOWS\system32\drivers\sxkddwuz.dat

Folder::

Driver::
tdaalyux

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12B0EA79-D6C3-4EE0-B454-7D6031EE2806}]


Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.

S'il n'y a pas de rédémarrage, poste quand même les rapports.

@+

guigui · Answer

Voici le rapport Combofix : ComboFix 08-01-29.3 - Guignard Joël 2008-01-29 22:15:56.2 - NTFSx86 Endroit: C:\Documents and Settings\Guignard Joël\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\Guignard Joël\Bureau\CFScript.txt * Création d'un nouveau point de restauration [color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color] FILE C:\WINDOWS\system32\dmban.dll C:\WINDOWS\system32\drivers\sxkddwuz.dat . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\dmban.dll C:\WINDOWS\system32\drivers\sxkddwuz.dat C:\WINDOWS\system32\dmban.dll C:\WINDOWS\system32\drivers\sxkddwuz.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_TDAALYUX ------- daalyux ((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))))))) . 2008-01-29 21:08 . 2008-01-29 21:08 d-------- C:\Program Files\Trend Micro 2008-01-08 18:15 . 2008-01-08 18:15 d-------- C:\Program Files\Sports Interactive 2008-01-07 21:12 . 2008-01-08 18:42 d-------- C:\Program Files\VideoLAN 2008-01-01 16:56 . 2008-01-29 17:18 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-01-01 16:03 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-12-30 15:37 . 2007-12-30 15:37 d-------- C:\WINDOWS\Output 2007-12-30 15:36 . 2003-09-29 11:37 497,266,688 --a------ C:\WINDOWS\DATA.PCK 2007-12-30 15:36 . 2002-11-25 14:04 974,848 --a------ C:\WINDOWS\vorbis.dll 2007-12-30 15:36 . 2003-02-11 14:02 377,856 --a------ C:\WINDOWS\binkw32.dll 2007-12-30 15:36 . 2002-11-25 14:04 49,152 --a------ C:\WINDOWS\ogg.dll 2007-12-30 15:36 . 2003-08-16 18:25 4,096 --a------ C:\WINDOWS\Data2.PCK 2007-12-30 15:36 . 2003-08-12 10:28 1,078 --a------ C:\WINDOWS\gamespy.ico 2007-12-30 13:54 . 2007-12-30 13:54 d-------- C:\Program Files\GameSpy Arcade . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-23 20:47 --------- d-----w C:\Program Files\eMule 2008-01-03 20:39 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-12-27 20:17 --------- d-----w C:\Program Files\LimeWire 2007-12-27 20:17 --------- d-----w C:\Program Files\Incomplete 2007-12-26 12:24 --------- d-----w C:\Program Files\Alcohol Soft 2007-12-15 15:34 --------- d-----w C:\Program Files\OpenOffice.org 2.3 2007-12-09 13:01 --------- d-----w C:\Program Files\Wanadoo 2007-12-09 13:01 --------- d-----w C:\Program Files\MSN Messenger 2007-12-09 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software 2007-12-07 17:18 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-11-30 09:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-09-07 16:30 17,012,488 ----a-w C:\Program Files\setupfre.exe 2005-02-18 19:47 942,512 ----a-w C:\Program Files\7z313.exe 2005-02-01 19:28 9,133,216 ----a-w C:\Program Files\acrobat reader.exe 2004-12-05 19:31 10,156,943 ----a-w C:\Program Files\avg70free_289a392.exe . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12B0EA79-D6C3-4EE0-B454-7D6031EE2806}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion un-] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion un-] "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe "HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe "NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize "postSetupCheck"=C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d34c100-2939-11da-ab4b-0050fc4a104f}] \Shell\AutoRun\command - setupSNK.exe . Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es' "2008-01-25 16:23:22 C:\WINDOWS\Tasks\Maintenance en 1 clic.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-29 22:22:09 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cach‚s ... Balayage cach‚ autostart entries ... Balayage des fichiers cach‚s ... Scan termin‚ avec succŠs Les fichiers cach‚s: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS unservice.exe C:\WINDOWS\System32 vsvc32.exe C:\WINDOWS\System32\UAService7.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\OpenOffice.org 2.3\program\soffice.exe C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN . ************************************************************************** . Temps d'accomplissement: 2008-01-29 22:26:05 - machine was rebooted ComboFix-quarantined-files.txt 2008-01-29 21:25:59 ComboFix2.txt 2008-01-29 19:09:16 . 2008-01-11 06:57:30 --- E O F --- Et le rapport HitjackThis : Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:28:10, on 29/01/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS unservice.exe C:\WINDOWS\System32 vsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\UAService7.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\OpenOffice.org 2.3\program\soffice.exe C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://www.bing.com/?FORM=TOOLBR&cc=fr&toHttps=1&redig=4527FFF1C12746FC9EDB535C75E80ECC R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {41C29B07-6F91-4966-91BE-2E2841643C83} - (no file) O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS pqtplugin.dll O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS pqtplugin.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://upgroups.univ-poitiers.fr/qp2.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/... O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f012.mail.caramail.lycos.fr/app/uploader/FileUploader.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Environnement d'exécution Java 1.4.1_02) - O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS unservice.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32 vsvc32.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

g!rly · Answer

ok 

c´est mieux...

fais ceci maintenant :

a l´aide de hijack this coche et fix les lignes suivantes :

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O3 - Toolbar: (no name) - {41C29B07-6F91-4966-91BE-2E2841643C83} - (no file)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Environnement d'exécution Java 1.4.1_02) -

comment fixer :

Tutoriel d´utilisation (video) :

-> http://pageperso.aol.fr/balltrap34/demohijack.htm

puis pour eviter ce genre de mesaventure dans le futur :

instales ceci :

par feu : kerio

http://www.malekal.com/kerio_firewall.php#mozTocId721480

https://www.vulgarisation-informatique.com/kerio.php

https://kerio.probb.fr/f2-sunbelt-kerio-personal-firewall

ou zone alarm plus facil a configurer mais moins performant

https://www.malekal.com/tutoriel-zonealarm-firewall/

et regarde ceci concernant avast :

antivir vs avast :

-> http://forum.malekal.com/ftopic3528.php

alors je te conseille de le desinstaller et d´installer antivir a la place

Telecharge et instal l'antivirus Antivir Personal Edition Classic :

->https://www.malekal.com/avira-free-security-antivirus-gratuit/

https://www.avira.com/en/prime

http://mickael.barroux.free.fr/securite/antivir.php <- tutoriel configuration du scanner...

une fois antivir ouvert click surconfiguration et coche la case "expert mode" puis sur l´onglet scanner dans la fenetre du dessous tu va voir : rootkit search click sur le petit + pour deployer et coche la case a coté de ton disk dur
puis click sur configuration en haut a droite puis dans la nouvelle fenetre a gauche >scanner > scan all files et en dessous >scanner priority = High
toujours a gauche > scan > deploie > heuristique > macrovirus heuristic = coché et en dessous > win32 heuristic la case coché et high detection level

je te dis ca pour antivir car j´aimerais que tu performe un scan complet  avec ce dernier et post le rapport ici stp

@+

guigui · Answer

Voici le rapport de antivir :



AntiVir PersonalEdition Classic
Report file date: mercredi 30 janvier 2008  18:20

Scanning for 1085232 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         ....
Computer name:    ....

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 12:26:34
ANTIVIR1.VDF : 7.0.1.95    3367424 Bytes  14/12/2007 12:26:34
ANTIVIR2.VDF : 7.0.2.49    1339904 Bytes  25/01/2008 12:26:35
ANTIVIR3.VDF : 7.0.2.71     203264 Bytes  30/01/2008 12:26:35
AVEWIN32.DLL : 7.6.0.57    3215872 Bytes  30/01/2008 12:26:36
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3      360488 Bytes  30/01/2008 12:26:37
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Rootkit search
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\rootkit.avp
Logging..........................: high
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Scan memory......................: off
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high
Expanded search settings.........: 0x00300922

Start of the scan: mercredi 30 janvier 2008  18:20

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\1
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\2
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\3
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\1
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\2
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\3
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\4
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\5
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\6
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\7
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\8
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\9
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\18
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\10
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\11
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\12
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\13
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\14
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\24
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\26
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\27
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\19
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\22
      [NOTE]      The registry entry is invisible.
'330365' objects were checked, '23' hidden objects were found.


End of the scan: mercredi 30 janvier 2008  18:26
Used time: 05:41 min

The scan has been done completely.

      0 Scanning directories
      0 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      0 Files not concerned
      0 Archives were scanned
      0 Warnings
      0 Notes
 330365 Objects were scanned with rootkit scan
     23 Hidden objects were found

g!rly · Answer

re,

peux tu faire ceci :

Télécharge OAD http://sosvirus.changelog.fr/OAD.exe
- Enregistre le sur ton bureau

Double clique sur le OAD pour le lancer

- nom de fichier à rechercher tape ou fais un copier coller de :

[HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\1]

- Type de recherche : sélectionne l'option 6 puis valide


OAD va maintenant rechercher le fichier. Laisse le travailler jusqu'à ce qu'il en ait terminé.
Le rapport de recherche s'affichera automatiquement à l’écran dès qu'il aura terminé.

- Fais un copier / coller de ce rapport dans ton prochain post.

Note importante : Suivant la taille des disques durs cette recherche peut prendre plusieurs minutes. Sois patient

@+

guigui · Answer

Rapport OAD :

 30/01/2008 ---- 21:34:51,70  

----------------------------------
§§§§§§ [[HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\1] ] §§§§§§
----------------------------------
[X] Registre
 
-------------- [  ] rapide
-- Fichier --- [  ] disque systeme
 ------------- [X] complete


********************
     [Registre] 
********************

Aucune entrée détectée

*******************
     [Fichier] 
*******************



*********************
     [Même date] 
*********************

Aucun fichier créé à la même date détecté


Outil Aide Diagnostic By !aur3n7 Version 1.1
----------------------------------
§§§§§ Fin Rapport §§§§§ 
----------------------------------

g!rly · Answer

re,

on va faire ceci :

sauvegarde la base de registre comme ceci :

https://www.zebulon.fr/astuces/securite-systeme/sauvegarde-de-la-base-de-registre.html

puis 

a l´aide de combofix :

Copie le texte ci-dessous :

Registry::
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\1]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\2]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\3]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\1]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\2]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\3]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\4]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\5]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\6]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\7]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\8]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\9]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\18]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\10]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\11]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\12]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\13]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\14]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\24]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\26]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\27]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\19]
[-HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78 EB6EE53CA2196E4D0A2\22] 

Ouvre le Bloc-Notes puis colle le texte copié.
(Démarrer\Tous les programmes\Accessoires\Bloc notes.)
Sauvegarde ce fichier sous le nom de CFScript.txt.

Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

Cela va relancer Combofix, 

Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.

Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

Après redémarrage

refais un scan complet avec antivir

@+

guigui · Answer

J'ai un problème car je n'arrive pas asauvegarder la base de registre. J'ai bien suivi les conseils de zebulon.fr mais quand ils disent qu''après avoir cliqué sur poste de travail en haut de la colonne de gauche il faut aller dans le menu registre je ne trouve pas ce menu registre !! Où il est ce menu ??

g!rly · Answer

salut

oui ce n´est pas super bien expliqué en effet.

click sur demarrer > executer > dans la boite de dialogue tape > regedit et valide par ok

la fenetre du registre va s´ouvrir

la en faite veille a ce que aucun dossier ne soit devellopé et click sur " mon ordinateur" l´icone tout en haut avec le dessin d´un ordinateur

puis click sur registre en haut a gauche dans la barre du haut de la fenetre dans le menu contextuel  click sur exporter > tu donne un nom au .reg et le mets a un endroit ou tu pourras le retrouver si jamais apres combofix quelque chose n´allais pas.

j´espere que c´est plus claire...

@+

guigui · Answer

Merci pour cette meilleure explication !!! et voilà le rapport de combofix : ComboFix 08-02.01.1 - Guignard Joël 2008-01-31 21:07:34.3 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.86 [GMT 1:00]Endroit: C:\Documents and Settings\Guignard Joël\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\Guignard Joël\Bureau\CFScript.txt * Création d'un nouveau point de restauration [color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color] . ((((((((((((((((((((((((((((( Fichiers créés 2008-01-01 to 2008-02.01 )))))))))))))))))))))))))))))))))))) . 2008-01-31 21:02 . 2008-01-31 21:02 84,903,772 --a------ C:\Documents and Settings\Guignard Joël\registre1.reg 2008-01-31 21:02 . 2008-01-31 21:02 84,903,772 --a------ C:\Documents and Settings\Guignard Joël\registre1.reg 2008-01-31 17:40 . 2008-01-31 17:40 84,669,472 --a------ C:\Documents and Settings\Guignard Joël\reg.reg 2008-01-31 17:40 . 2008-01-31 17:40 84,669,472 --a------ C:\Documents and Settings\Guignard Joël\reg.reg 2008-01-30 13:19 . 2008-01-30 13:19 d-------- C:\Program Files\Avira 2008-01-30 13:19 . 2008-01-30 13:19 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-01-29 21:08 . 2008-01-29 21:08 d-------- C:\Program Files\Trend Micro 2008-01-08 18:15 . 2008-01-08 18:15 d-------- C:\Program Files\Sports Interactive 2008-01-07 21:12 . 2008-01-08 18:42 d-------- C:\Program Files\VideoLAN 2008-01-01 16:56 . 2008-01-29 17:18 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-01-01 16:03 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-31 16:29 --------- d-----w C:\Documents and Settings\Guignard Joël\Application Data\OpenOffice.org2 2008-01-23 20:47 --------- d-----w C:\Program Files\eMule 2008-01-04 14:02 --------- d-----w C:\Documents and Settings\Guignard Joël\Application Data\Sports Interactive 2008-01-03 20:39 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-12-30 12:54 --------- d-----w C:\Program Files\GameSpy Arcade 2007-12-27 20:17 --------- d-----w C:\Program Files\LimeWire 2007-12-27 20:17 --------- d-----w C:\Program Files\Incomplete 2007-12-26 12:24 --------- d-----w C:\Program Files\Alcohol Soft 2007-12-21 22:12 --------- d-----w C:\Documents and Settings\Guignard Joël\Application Data\LimeWire 2007-12-15 15:34 --------- d-----w C:\Program Files\OpenOffice.org 2.3 2007-12-09 13:01 --------- d-----w C:\Program Files\Wanadoo 2007-12-09 13:01 --------- d-----w C:\Program Files\MSN Messenger 2007-12-09 12:43 --------- d-----w C:\Documents and Settings\Guignard Joël\Application Data\TuneUp Software 2007-12-09 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software 2007-12-07 17:18 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-29 09:30 40,737 ----a-w C:\WINDOWS\system32\rightonadz-uninst.exe 2007-11-07 09:28 728,576 ----a-w C:\WINDOWS\system32\lsasrv.dll 2007-09-29 13:07 70,168 -c--a-w C:\Documents and Settings\Guignard Joël\Application Data\GDIPFONTCACHEV1.DAT 2007-09-07 16:30 17,012,488 ----a-w C:\Program Files\setupfre.exe 2006-07-20 17:23 560 -c--a-w C:\Documents and Settings\Guignard Joël\Application Data\ViewerApp.dat 2005-02-18 19:47 942,512 ----a-w C:\Program Files\7z313.exe 2005-02-01 19:28 9,133,216 ----a-w C:\Program Files\acrobat reader.exe 2004-12-05 19:31 10,156,943 ----a-w C:\Program Files\avg70free_289a392.exe . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-30 13:26 249896] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] C:\Documents and Settings\Guignard Jo‰l\Menu D‚marrer\Programmes\D‚marrage\ OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe "HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe "NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize "postSetupCheck"=C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-04-30 19:59] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d34c100-2939-11da-ab4b-0050fc4a104f}] \Shell\AutoRun\command - setupSNK.exe . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-01-25 16:23:22 C:\WINDOWS\Tasks\Maintenance en 1 clic.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-01 21:11:24 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-02-01 21:15:40 ComboFix-quarantined-files.txt 2008-02-01 20:15:30 ComboFix2.txt 2008-01-29 21:26:05 ComboFix3.txt 2008-01-29 19:09:16 . 2008-01-30 16:53:58 --- E O F ---

g!rly · Answer

re,

en faite il faudrait refaire un scan complet avec antivir pour voir le resultat...

post le rapport une fois effectué.

@+

guigui · Answer

AntiVir PersonalEdition Classic
Report file date: samedi 2 février 2008  17:36

Scanning for 1089295 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Username:         Guignard Joël
Computer name:    GUIGNARDJOEL

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 12:26:34
ANTIVIR1.VDF : 7.0.1.95    3367424 Bytes  14/12/2007 12:26:34
ANTIVIR2.VDF : 7.0.2.49    1339904 Bytes  25/01/2008 12:26:35
ANTIVIR3.VDF : 7.0.2.82     259072 Bytes  01/02/2008 16:36:01
AVEWIN32.DLL : 7.6.0.62    3240448 Bytes  02/02/2008 16:36:01
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3      360488 Bytes  30/01/2008 12:26:37
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Rootkit search
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\rootkit.avp
Logging..........................: high
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Scan memory......................: off
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high
Expanded search settings.........: 0x00300922

Start of the scan: samedi 2 février 2008  17:36

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\1
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\2
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\3
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\1
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\2
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\3
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\4
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\5
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\6
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\7
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\8
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\9
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\18
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\10
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\11
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\12
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\13
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\14
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\24
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\26
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\27
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\19
      [NOTE]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\LicCtrl\LicCtrl\LicCtrl\LicCtrl\EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2\22
      [NOTE]      The registry entry is invisible.
'329608' objects were checked, '23' hidden objects were found.


End of the scan: samedi 2 février 2008  17:44
Used time: 08:03 min

The scan has been done completely.

      0 Scanning directories
      0 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      0 Files not concerned
      0 Archives were scanned
      0 Warnings
      0 Notes
 329608 Objects were scanned with rootkit scan
     23 Hidden objects were found

g!rly · Answer

re,

combofix n´as pas pu supprimer les entrées, elles sont invisibles, c´est tout la le probleme...

de plus je n´ai aucune idée,  a quoi elles correspondent...

mais j´ai vu sur google que les autres helpers n´y portaient guerre attention ?!

Ce n´est certe pas une réponse de qualité que je te fourni là, mais on va laisser ceci de coté...

dis moi comment se comporte ton pc ?

@+

guigui · Answer

Ben pour l'instant il a l'air de très bien se comporter. Le cheval de troie a disparu et mon ordi rame moins et va donc plus vite donc ca va pour le moment !!

g!rly · Answer

re,

ok bon on reste comme ca pour le moment, fais moi signe dans quelques jours pour confirmer

bon week end ;.)

@+

Virus !! aidez-moi svp !!!

21 réponses

Discussions similaires

Newsletters