Win32 virus detected with NOD32

Tags:
  • Internet Explorer
  • Security
Last reply: in Security and viruses
10 February 2008 14:01:52

Same problem a lot of people run into with the NOD32 antivirus: constant virus alerts on DLLs. Here is the log after a HijackThis scan:

Thanks for your help...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:51, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\guile\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {ad560057-9e42-2739-ee84-3764e08b8967} - {7698b80e-4673-48ee-9372-24e9750065da} - C:\WINDOWS\system32\brrtqivq.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\cbxxvtq.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rwkldsuo.dll (file missing)
O2 - BHO: (no name) - {AA7D118F-975B-432A-BD30-EE1DB0D129C7} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\iifddby.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [588b2ba3] rundll32.exe "C:\WINDOWS\system32\dnwatxid.dll",b
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: cbxxvtq - cbxxvtq.dll (file missing)
O20 - Winlogon Notify: cbxyxvu - C:\WINDOWS\SYSTEM32\cbxyxvu.dll
O20 - Winlogon Notify: iifddby - C:\WINDOWS\SYSTEM32\iifddby.dll
O20 - Winlogon Notify: rwkldsuo - rwkldsuo.dll (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: EasyBoxApache - Apache Software Foundation - C:\Program Files\EasyBox\Apache\Apache.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5263 bytes

11 February 2008 13:25:24

Can nobody help me?
Please...
11 February 2008 18:44:44

To be more specific, the exact name of the virus:

threat:

win32/adware.virtumonde.fr application

please help...
12 February 2008 15:12:09

Still nobody willing to talk to me????

Did I do something wrong or what?

Please, help me!!!
12 February 2008 15:29:20

Hello
Download to the Desktop:
VundoFix

= Double-click VundoFix.exe.
= Click Scan for Vundo
= The scan can take quite a while (1 to 2 h) or be very fast; at the end
= Click Remove Vundo
= Then Yes
= The Desktop disappears for a moment while the files are being deleted.
= Shutdown message
= Click Yes
= Automatic restart
Note: there may be several restarts
= Copy the report, which is in C:\vundofix.txt

and
Download to the desktop:
VirtumundoBeGone

= Double-click VirtumundoBeGone.exe
= Click Continue ==> click Start
= Click Yes
= At the end, if Vundo is present, the PC shuts down and restarts

If you get a blue screen with the message "Fatal error", no problem

= Post the report VBG.TXT, which is on the desktop

then redo a HijackThis report
12 February 2008 21:38:15

Thanks for your reply:

For info, while running VirtumundoBeGone the machine hung during the reboot on the Windows background screen; I restarted it by hand.

The VundoFix report (apparently it detects nothing):

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 13:25:59 29/01/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 20:02:48 12/02/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...


The VBG report:

[02/12/2008, 20:08:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\guile\Bureau\VirtumundoBeGone.exe" )
[02/12/2008, 20:08:42] - Detected System Information:
[02/12/2008, 20:08:42] - Windows Version: 5.1.2600, Service Pack 2
[02/12/2008, 20:08:42] - Current Username: guile (Admin)
[02/12/2008, 20:08:42] - Windows is in NORMAL mode.
[02/12/2008, 20:08:42] - Searching for Browser Helper Objects:
[02/12/2008, 20:08:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:08:42] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:08:42] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:08:42] - BHO 4: {98663E21-9CCE-4CF6-863C-911A9523A66F} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\cbxxvtq
[02/12/2008, 20:08:42] - Found: HKLM\...\Winlogon\Notify\cbxxvtq - This is probably Virtumundo.
[02/12/2008, 20:08:42] - Assigning {98663E21-9CCE-4CF6-863C-911A9523A66F} MSEvents Object
[02/12/2008, 20:08:42] - BHO list has been changed! Starting over...
[02/12/2008, 20:08:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:08:42] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:08:42] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:08:42] - BHO 4: {98663E21-9CCE-4CF6-863C-911A9523A66F} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 5: {A95B2816-1D7E-4561-A202-68C0DE02353A} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\rwkldsuo
[02/12/2008, 20:08:42] - Found: HKLM\...\Winlogon\Notify\rwkldsuo - This is probably Virtumundo.
[02/12/2008, 20:08:42] - Assigning {A95B2816-1D7E-4561-A202-68C0DE02353A} MSEvents Object
[02/12/2008, 20:08:42] - BHO list has been changed! Starting over...
[02/12/2008, 20:08:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:08:42] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:08:42] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:08:42] - BHO 4: {98663E21-9CCE-4CF6-863C-911A9523A66F} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 5: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 6: {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\cbxyxvu
[02/12/2008, 20:08:42] - Found: HKLM\...\Winlogon\Notify\cbxyxvu - This is probably Virtumundo.
[02/12/2008, 20:08:42] - Assigning {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} MSEvents Object
[02/12/2008, 20:08:42] - BHO list has been changed! Starting over...
[02/12/2008, 20:08:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:08:42] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:08:42] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:08:42] - BHO 4: {98663E21-9CCE-4CF6-863C-911A9523A66F} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 5: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 6: {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 7: {E180F496-8A4B-44E2-9FE0-0364E345DB7F} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\iifddby
[02/12/2008, 20:08:42] - Found: HKLM\...\Winlogon\Notify\iifddby - This is probably Virtumundo.
[02/12/2008, 20:08:42] - Assigning {E180F496-8A4B-44E2-9FE0-0364E345DB7F} MSEvents Object
[02/12/2008, 20:08:42] - BHO list has been changed! Starting over...
[02/12/2008, 20:08:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:08:42] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:08:42] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:08:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:42] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:08:42] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:08:42] - BHO 4: {98663E21-9CCE-4CF6-863C-911A9523A66F} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 5: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 6: {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - BHO 7: {E180F496-8A4B-44E2-9FE0-0364E345DB7F} (MSEvents Object)
[02/12/2008, 20:08:42] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:42] - Finished Searching Browser Helper Objects
[02/12/2008, 20:08:42] - *** Detected MSEvents Object
[02/12/2008, 20:08:42] - Trying to remove MSEvents Object...
[02/12/2008, 20:08:43] - Terminating Process: IEXPLORE.EXE
[02/12/2008, 20:08:46] - Terminating Process: RUNDLL32.EXE
[02/12/2008, 20:08:46] - Disabling Automatic Shell Restart
[02/12/2008, 20:08:47] - Terminating Process: EXPLORER.EXE
[02/12/2008, 20:08:48] - Suspending the NT Session Manager System Service
[02/12/2008, 20:08:48] - Terminating Windows NT Logon/Logoff Manager
[02/12/2008, 20:08:48] - Re-enabling Automatic Shell Restart
[02/12/2008, 20:08:48] - File to disable: C:\WINDOWS\system32\cbxxvtq.dll
[02/12/2008, 20:08:48] - Removing HKLM\...\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}
[02/12/2008, 20:08:55] - Removing HKCR\CLSID\{98663E21-9CCE-4CF6-863C-911A9523A66F}
[02/12/2008, 20:08:55] - Adding Kill Bit for ActiveX for GUID: {98663E21-9CCE-4CF6-863C-911A9523A66F}
[02/12/2008, 20:08:55] - Deleting ATLEvents/MSEvents Registry entries
[02/12/2008, 20:08:55] - Removing HKLM\...\Winlogon\Notify\cbxxvtq
[02/12/2008, 20:08:55] - Searching for Browser Helper Objects:
[02/12/2008, 20:08:55] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:08:55] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:08:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:55] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:08:55] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:08:55] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:08:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:55] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:08:55] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:08:55] - BHO 4: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[02/12/2008, 20:08:55] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:55] - BHO 5: {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} (MSEvents Object)
[02/12/2008, 20:08:55] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:55] - BHO 6: {E180F496-8A4B-44E2-9FE0-0364E345DB7F} (MSEvents Object)
[02/12/2008, 20:08:55] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:55] - Finished Searching Browser Helper Objects
[02/12/2008, 20:08:55] - *** Detected MSEvents Object
[02/12/2008, 20:08:55] - Trying to remove MSEvents Object...
[02/12/2008, 20:08:56] - Terminating Process: IEXPLORE.EXE
[02/12/2008, 20:08:56] - Terminating Process: RUNDLL32.EXE
[02/12/2008, 20:08:56] - Disabling Automatic Shell Restart
[02/12/2008, 20:08:56] - Terminating Process: EXPLORER.EXE
[02/12/2008, 20:08:56] - Suspending the NT Session Manager System Service
[02/12/2008, 20:08:56] - Terminating Windows NT Logon/Logoff Manager
[02/12/2008, 20:08:56] - Re-enabling Automatic Shell Restart
[02/12/2008, 20:08:56] - File to disable: C:\WINDOWS\system32\rwkldsuo.dll
[02/12/2008, 20:08:56] - Removing HKLM\...\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[02/12/2008, 20:08:56] - Removing HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[02/12/2008, 20:08:56] - Adding Kill Bit for ActiveX for GUID: {A95B2816-1D7E-4561-A202-68C0DE02353A}
[02/12/2008, 20:08:56] - Deleting ATLEvents/MSEvents Registry entries
[02/12/2008, 20:08:56] - Removing HKLM\...\Winlogon\Notify\rwkldsuo
[02/12/2008, 20:08:56] - Searching for Browser Helper Objects:
[02/12/2008, 20:08:56] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:08:56] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:08:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:56] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:08:56] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:08:56] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:08:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:08:56] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:08:56] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:08:56] - BHO 4: {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} (MSEvents Object)
[02/12/2008, 20:08:56] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:56] - BHO 5: {E180F496-8A4B-44E2-9FE0-0364E345DB7F} (MSEvents Object)
[02/12/2008, 20:08:56] - ALERT: Found MSEvents Object!
[02/12/2008, 20:08:56] - Finished Searching Browser Helper Objects
[02/12/2008, 20:08:56] - *** Detected MSEvents Object
[02/12/2008, 20:08:56] - Trying to remove MSEvents Object...
[02/12/2008, 20:08:57] - Terminating Process: IEXPLORE.EXE
[02/12/2008, 20:08:57] - Terminating Process: RUNDLL32.EXE
[02/12/2008, 20:08:57] - Disabling Automatic Shell Restart
[02/12/2008, 20:08:57] - Terminating Process: EXPLORER.EXE
[02/12/2008, 20:08:57] - Suspending the NT Session Manager System Service
[02/12/2008, 20:08:58] - Terminating Windows NT Logon/Logoff Manager
[02/12/2008, 20:08:58] - Re-enabling Automatic Shell Restart
[02/12/2008, 20:08:58] - File to disable: C:\WINDOWS\system32\cbxyxvu.dll
[02/12/2008, 20:08:58] - Renaming C:\WINDOWS\system32\cbxyxvu.dll -> C:\WINDOWS\system32\cbxyxvu.dll.vir
[02/12/2008, 20:09:00] - File successfully renamed!
[02/12/2008, 20:09:00] - Removing HKLM\...\Browser Helper Objects\{C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921}
[02/12/2008, 20:09:00] - Removing HKCR\CLSID\{C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921}
[02/12/2008, 20:09:00] - Adding Kill Bit for ActiveX for GUID: {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921}
[02/12/2008, 20:09:00] - Deleting ATLEvents/MSEvents Registry entries
[02/12/2008, 20:09:00] - Removing HKLM\...\Winlogon\Notify\cbxyxvu
[02/12/2008, 20:09:00] - Searching for Browser Helper Objects:
[02/12/2008, 20:09:00] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:09:00] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:09:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:09:00] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:09:00] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:09:00] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:09:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:09:00] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:09:00] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:09:00] - BHO 4: {E180F496-8A4B-44E2-9FE0-0364E345DB7F} (MSEvents Object)
[02/12/2008, 20:09:00] - ALERT: Found MSEvents Object!
[02/12/2008, 20:09:00] - Finished Searching Browser Helper Objects
[02/12/2008, 20:09:00] - *** Detected MSEvents Object
[02/12/2008, 20:09:00] - Trying to remove MSEvents Object...
[02/12/2008, 20:09:01] - Terminating Process: IEXPLORE.EXE
[02/12/2008, 20:09:01] - Terminating Process: RUNDLL32.EXE
[02/12/2008, 20:09:01] - Disabling Automatic Shell Restart
[02/12/2008, 20:09:01] - Terminating Process: EXPLORER.EXE
[02/12/2008, 20:09:01] - Suspending the NT Session Manager System Service
[02/12/2008, 20:09:01] - Terminating Windows NT Logon/Logoff Manager
[02/12/2008, 20:09:01] - Re-enabling Automatic Shell Restart
[02/12/2008, 20:09:02] - File to disable: C:\WINDOWS\system32\iifddby.dll
[02/12/2008, 20:09:02] - Removing HKLM\...\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
[02/12/2008, 20:09:02] - Removing HKCR\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
[02/12/2008, 20:09:02] - Adding Kill Bit for ActiveX for GUID: {E180F496-8A4B-44E2-9FE0-0364E345DB7F}
[02/12/2008, 20:09:02] - Deleting ATLEvents/MSEvents Registry entries
[02/12/2008, 20:09:02] - Removing HKLM\...\Winlogon\Notify\iifddby
[02/12/2008, 20:09:02] - Searching for Browser Helper Objects:
[02/12/2008, 20:09:02] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Aide pour le lien d'Adobe PDF Reader)
[02/12/2008, 20:09:02] - BHO 2: {0F2248D4-CD36-4098-90E6-0B3980ACA96C} ()
[02/12/2008, 20:09:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:09:02] - Checking for HKLM\...\Winlogon\Notify\ssqpq
[02/12/2008, 20:09:02] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.
[02/12/2008, 20:09:02] - BHO 3: {7698b80e-4673-48ee-9372-24e9750065da} ()
[02/12/2008, 20:09:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/12/2008, 20:09:02] - Checking for HKLM\...\Winlogon\Notify\brrtqivq
[02/12/2008, 20:09:02] - Key not found: HKLM\...\Winlogon\Notify\brrtqivq, continuing.
[02/12/2008, 20:09:02] - Finished Searching Browser Helper Objects
[02/12/2008, 20:09:02] - Finishing up...
[02/12/2008, 20:09:02] - A restart is needed.
[02/12/2008, 20:09:10] - Attempting to Restart via STOP error (Blue Screen!)
13 February 2008 16:36:19

Redo a HijackThis scan
13 February 2008 19:54:53

There you go, so
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54, on 13/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\guile\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {ad560057-9e42-2739-ee84-3764e08b8967} - {7698b80e-4673-48ee-9372-24e9750065da} - C:\WINDOWS\system32\brrtqivq.dll
O2 - BHO: (no name) - {C569CB57-B8DD-4051-A107-272F336B2285} - C:\WINDOWS\system32\ssqpq.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [588b2ba3] rundll32.exe "C:\WINDOWS\system32\dnwatxid.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4115 bytes
13 February 2008 19:55:58

Sorry, I sent the message before I finished typing...
How does it look?
14 February 2008 20:21:01

???
15 February 2008 11:18:38

Can someone help me please???
Be nice...
15 February 2008 11:22:02

Download and save to the desktop:
Combofix

---------------
Relaunch HijackThis
"Do A System Scan Only"

Check these lines and then click FIX CHECKED

O2 - BHO: {ad560057-9e42-2739-ee84-3764e08b8967} - {7698b80e-4673-48ee-9372-24e9750065da} - C:\WINDOWS\system32\brrtqivq.dll
O2 - BHO: (no name) - {C569CB57-B8DD-4051-A107-272F336B2285} - C:\WINDOWS\system32\ssqpq.dll
O4 - HKLM\..\Run: [588b2ba3] rundll32.exe "C:\WINDOWS\system32\dnwatxid.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
-------------
============
= Copy this text, which is in bold

File::
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\brrtqivq.dll
C:\WINDOWS\system32\dnwatxid.dll

------------------------------

= Open Notepad
= Right-click ==> paste
= Go to ==> File ==> Save as ==> choose Desktop
= Name it CFScript.txt
= Close Notepad
= Pick up that Notepad file on the desktop with a held left-click
= Drag it onto Combofix and release the click
= Combofix relaunches by itself
= Choose 1
= Put the report in your reply

It is also in C:\Combofix.txt; put it in your reply

and a new HijackThis log
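As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage of HijackThis lines that applies the heuristics behind the entries the helper picked for FIX CHECKED: BHOs with no readable name, random-named DLLs in system32, a rundll32 Run entry named with hex digits, Policies\Explorer\Run entries with no path, and random-named Winlogon Notify packages from the first log. The sample lines are copied from the logs posted above; the "random name" rule is an assumption of this example, and a hit still needs confirmation (file hash, digital signature) before anything is removed.

```python
"""Triage of HijackThis log lines for Vundo/Virtumonde-style persistence.

Added example; not code from the forum thread or from HijackThis/ComboFix.
The "random name" rule is a heuristic (an assumption of this example), so a
hit is a candidate for review, not proof of infection.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {ad560057-9e42-2739-ee84-3764e08b8967} - {7698b80e-4673-48ee-9372-24e9750065da} - C:\WINDOWS\system32\brrtqivq.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\cbxxvtq.dll (file missing)
O2 - BHO: (no name) - {C569CB57-B8DD-4051-A107-272F336B2285} - C:\WINDOWS\system32\ssqpq.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [588b2ba3] rundll32.exe "C:\WINDOWS\system32\dnwatxid.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: iifddby - C:\WINDOWS\SYSTEM32\iifddby.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

VOWELS = set("aeiou")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass
class Finding:
    section: str        # HijackThis section tag: O2, O4, O20 ...
    reasons: List[str]  # every rule that fired on the line
    line: str


def looks_random(name: str) -> bool:
    """Heuristic for generated Vundo names (brrtqivq, ssqpq, iifddby, dnwatxid):
    5-8 lowercase letters with fewer than 30% vowels. Names containing digits
    or capitals (guard32, NvCpl) are never flagged by this rule."""
    if not re.fullmatch(r"[a-z]{5,8}", name):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.3


def dll_basename(text: str) -> str:
    """Basename of the first .dll mentioned in text (path and quotes stripped)."""
    m = re.search(r"([^\\\s\"]+)\.dll", text, re.IGNORECASE)
    return m.group(1) if m else ""


def triage_line(line: str) -> Optional[Finding]:
    """Apply the per-section rules to one HijackThis line."""
    line = line.strip()
    m = re.match(r"(O\d+|R\d)\s+-\s+(.*)", line)
    if not m:
        return None
    section, body = m.groups()
    reasons: List[str] = []

    if "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")

    if section == "O2":
        # O2 - BHO: <name> - {CLSID} - <path to DLL>
        parts = body.split(" - ")
        name = parts[0].replace("BHO:", "", 1).strip()
        path = parts[-1]
        if name == "(no name)" or GUID_RE.fullmatch(name):
            reasons.append("BHO with no readable name")
        if "system32" in path.lower() and looks_random(dll_basename(path)):
            reasons.append("random-named DLL in system32")

    elif section == "O4":
        # O4 - <registry key>: [<entry name>] <command line>
        key, _, cmd = body.partition(": ")
        entry_m = re.match(r"\[([^\]]*)\]\s*(.*)", cmd)
        entry, command = (entry_m.group(1), entry_m.group(2)) if entry_m else ("", cmd)
        if re.fullmatch(r"[0-9a-f]{8}", entry):
            reasons.append("Run entry named with 8 random hex digits")
        if "rundll32" in command.lower() and looks_random(dll_basename(command)):
            reasons.append("rundll32 loading a random-named DLL")
        if "Policies\\Explorer\\Run" in key and "\\" not in command:
            reasons.append("Policies\\Explorer\\Run entry without a full path")

    elif section == "O20" and body.startswith("Winlogon Notify:"):
        # O20 - Winlogon Notify: <package> - <path to DLL>
        package = body.split(":", 1)[1].split(" - ")[0].strip()
        if looks_random(package):
            reasons.append("Winlogon Notify package with a random name")

    return Finding(section, reasons, line) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    findings = [triage_line(raw) for raw in log_text.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample it flags exactly the six Vundo-related entries (the three the helper named plus the orphaned and Winlogon Notify ones from the first log) and leaves the Adobe, NVIDIA, ESET and COMODO entries alone.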
15 February 2008 18:53:36

The ComboFix report:

ComboFix 08-02-15.2 - guile 2008-02-15 18:44:24.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1358 [GMT 1:00]
Endroit: C:\Documents and Settings\guile\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\guile\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtspoo.dll
C:\WINDOWS\system32\awtsspm.dll
C:\WINDOWS\system32\awtuutr.dll
C:\WINDOWS\system32\bnflgwlp.ini
C:\WINDOWS\system32\brrtqivq.dll
C:\WINDOWS\system32\byxuvww.dll
C:\WINDOWS\system32\byxvsqp.dll
C:\WINDOWS\system32\cbxyxwv.dll
C:\WINDOWS\system32\ddcdayv.dll
C:\WINDOWS\system32\dixtawnd.ini
C:\WINDOWS\system32\dnwatxid.dll
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\efcdbay.dll
C:\WINDOWS\system32\efcywww.dll
C:\WINDOWS\system32\fccbyyx.dll
C:\WINDOWS\system32\gebaaxv.dll
C:\WINDOWS\system32\gebbbcd.dll
C:\WINDOWS\system32\gebyayw.dll
C:\WINDOWS\system32\hggdbya.dll
C:\WINDOWS\system32\iifddec.dll
C:\WINDOWS\system32\iiffgde.dll
C:\WINDOWS\system32\ilbdlwjv.dll
C:\WINDOWS\system32\khfddcb.dll
C:\WINDOWS\system32\kjgmdlif.ini
C:\WINDOWS\system32\ktyqqrup.ini
C:\WINDOWS\system32\mljhgec.dll
C:\WINDOWS\system32\mljjhhf.dll
C:\WINDOWS\system32\nnnlkhf.dll
C:\WINDOWS\system32\nnnmnmj.dll
C:\WINDOWS\system32\nnnoppp.dll
C:\WINDOWS\system32\opnlihh.dll
C:\WINDOWS\system32\pmnkhfd.dll
C:\WINDOWS\system32\pmnmmlk.dll
C:\WINDOWS\system32\qomjihh.dll
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.ini2
C:\WINDOWS\system32\rqrpnop.dll
C:\WINDOWS\system32\rqrpqqq.dll
C:\WINDOWS\system32\rqrsssq.dll
C:\WINDOWS\system32\rwkldsuo.dllbox
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\tuvstrr.dll
C:\WINDOWS\system32\tuvvtsp.dll
C:\WINDOWS\system32\urqrrsr.dll
C:\WINDOWS\system32\vtustrp.dll
C:\WINDOWS\system32\wvuspnn.dll
C:\WINDOWS\system32\wvusrom.dll
C:\WINDOWS\system32\wvuttro.dll
C:\WINDOWS\system32\xalbshnt.ini
C:\WINDOWS\system32\xfwirjob.dll
C:\WINDOWS\system32\xqyppjfi.dll
C:\WINDOWS\system32\yayxyxw.dll

.
((((((((((((((((((((((((((((( Fichiers créés 2008-01-15 to 2008-02-15 ))))))))))))))))))))))))))))))))))))
.

2008-02-14 20:22 . 2000-05-22 17:58 647,872 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-02-14 20:22 . 1999-03-26 00:00 101,888 --a------ C:\WINDOWS\system32\vb6stkit.dll
2008-02-14 01:22 . 2008-02-14 01:22 <REP> d-------- C:\Documents and Settings\guile\Application Data\RegistryBot
2008-02-14 01:21 . 2008-02-14 20:24 <REP> d-------- C:\Program Files\RegistryBot
2008-02-10 19:26 . 2008-02-10 19:27 <REP> d-------- C:\Program Files\Super macro
2008-02-10 13:41 . 2008-02-10 13:41 39,424 --a------ C:\WINDOWS\system32\cbxyxvu.dll.vir
2008-02-10 02:37 . 2008-02-10 02:37 <REP> d-------- C:\Program Files\AC3Filter
2008-02-10 02:34 . 2008-02-10 02:34 <REP> d-------- C:\Program Files\AviSynth 2.5
2008-02-10 02:33 . 2008-02-10 02:34 <REP> d-------- C:\Program Files\Converio 2.0
2008-02-10 01:29 . 2008-02-10 01:29 <REP> d-------- C:\Program Files\Fichiers communs\Blizzard Entertainment
2008-02-09 19:44 . 2008-02-09 19:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-09 14:43 . 2008-02-09 14:43 <REP> d-------- C:\Program Files\Bonjour
2008-02-09 14:36 . 2008-02-09 14:36 <REP> d-------- C:\Program Files\Fichiers communs\Macrovision Shared
2008-02-09 12:38 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-02-09 12:18 . 2008-02-09 12:18 <REP> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-02-09 12:16 . 2008-02-09 12:22 <REP> d-------- C:\Program Files\DAEMON Tools Pro
2008-02-03 21:36 . 2008-02-03 21:36 <REP> d-------- C:\Program Files\COMODO
2008-02-03 21:36 . 2008-02-03 21:36 <REP> d-------- C:\Documents and Settings\guile\Application Data\Comodo
2008-02-03 21:36 . 2008-02-03 21:40 <REP> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-03 21:36 . 2008-02-14 20:35 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-03 21:36 . 2008-02-14 20:35 83,704 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-03 21:36 . 2008-02-14 20:35 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-03 21:00 . 2008-02-03 20:58 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-03 21:00 . 2008-02-03 20:58 299,392 --a------ C:\WINDOWS\system32\imon.dll
2008-02-03 21:00 . 2008-02-03 20:58 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-03 20:58 . 2008-02-08 13:01 <REP> d-------- C:\Program Files\ESET
2008-01-29 13:25 . 2008-01-29 13:25 <REP> d-------- C:\VundoFix Backups
2008-01-28 21:36 . 2008-02-09 14:43 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-01-28 21:36 . 2008-01-28 21:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\WINDOWS\system32\AGEIA
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\Program Files\AGEIA Technologies
2008-01-28 21:35 . 2008-02-09 12:39 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-28 21:35 . 2008-01-28 21:35 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-28 21:34 . 2004-08-09 06:04 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-01-28 21:32 . 2008-01-28 21:32 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2008-01-28 21:00 . 2008-02-09 12:22 <REP> d-------- C:\Documents and Settings\guile\Application Data\DAEMON Tools Pro
2008-01-28 19:47 . 2008-01-28 19:48 <REP> d-------- C:\Documents and Settings\guile\Application Data\GetRightToGo
2008-01-28 19:42 . 2008-02-03 21:24 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-28 19:42 . 2008-01-28 19:42 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-01-28 19:31 . 2008-01-28 19:31 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-28 18:57 . 2008-02-13 08:16 <REP> d-------- C:\Program Files\EasyBox
2008-01-28 18:57 . 2008-01-28 18:57 <REP> d-------- C:\Documents and Settings\guile\Application Data\vlc
2008-01-28 13:17 . 2008-02-14 04:18 <REP> d-------- C:\Program Files\eMule
2008-01-28 13:13 . 2008-01-28 13:13 <REP> d-------- C:\Temp
2008-01-28 08:13 . 2008-01-28 08:13 <REP> d-------- C:\Program Files\VideoLAN
2008-01-27 23:46 . 2008-01-27 23:46 <REP> d-------- C:\Documents and Settings\guile\Application Data\BitTorrent
2008-01-27 22:30 . 2008-01-28 19:08 <REP> d-------- C:\Documents and Settings\guile\Application Data\GrabIt
2008-01-27 22:26 . 2008-01-27 22:26 <REP> d-------- C:\Program Files\GrabIt
2008-01-27 22:04 . 2008-01-27 22:04 <REP> d-------- C:\Program Files\Alwil Software
2008-01-25 18:16 . 2008-01-25 18:16 <REP> d-------- C:\Documents and Settings\sandrine\Application Data\Talkback
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d--h----- C:\Documents and Settings\sandrine\Voisinage réseau
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d--h----- C:\Documents and Settings\sandrine\Voisinage d'impression
2008-01-25 18:14 . 2008-01-24 20:35 <REP> d--h----- C:\Documents and Settings\sandrine\Modèles
2008-01-25 18:14 . 2008-01-25 18:14 <REP> dr------- C:\Documents and Settings\sandrine\Mes documents
2008-01-25 18:14 . 2008-01-24 21:31 <REP> dr------- C:\Documents and Settings\sandrine\Menu Démarrer
2008-01-25 18:14 . 2008-01-25 18:14 <REP> dr------- C:\Documents and Settings\sandrine\Favoris
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d-------- C:\Documents and Settings\sandrine\Bureau
2008-01-25 13:19 . 2007-03-16 16:06 1,822,720 -r------- C:\WINDOWS\SkyTel.exe
2008-01-25 13:19 . 2007-01-16 11:39 1,191,936 -r------- C:\WINDOWS\RtlUpd.exe
2008-01-25 13:19 . 2006-08-18 07:58 282,624 -r------- C:\WINDOWS\system32\RTSndMgr.cpl
2008-01-25 13:19 . 2006-07-21 17:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-01-25 13:19 . 2006-08-01 16:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-01-25 13:18 . 2008-01-25 13:18 <REP> d-------- C:\Program Files\Realtek
2008-01-25 13:18 . 2007-03-21 15:49 16,126,464 -r------- C:\WINDOWS\RTHDCPL.exe
2008-01-25 13:18 . 2007-03-23 20:19 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2008-01-25 13:18 . 2007-03-26 20:21 4,395,008 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-25 13:18 . 2006-05-04 17:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-01-25 13:18 . 2006-10-11 18:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-01-25 13:18 . 2007-01-12 17:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-01-25 13:18 . 2005-09-21 11:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-25 13:18 . 2005-05-03 19:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-01-25 13:10 . 2008-02-10 21:22 <REP> d-------- C:\Program Files\Yahoo!
2008-01-25 13:10 . 2008-01-25 13:10 <REP> d-------- C:\Program Files\CCleaner
2008-01-24 23:25 . 2008-01-24 23:25 <REP> d-------- C:\Program Files\ma-config.com
2008-01-24 23:25 . 2008-01-24 23:25 <REP> d-------- C:\Documents and Settings\guile\Application Data\ma-config.com
2008-01-24 23:08 . 2008-02-13 12:35 <REP> d--h----- C:\WINDOWS\$hf_mig$
2008-01-24 22:47 . 2008-01-24 23:01 <REP> d-------- C:\Program Files\Fichiers communs\Symantec Shared
2008-01-24 22:47 . 2008-01-24 23:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 22:34 . 2008-01-24 22:34 <REP> d-------- C:\Documents and Settings\guile\Application Data\Talkback
2008-01-24 22:33 . 2008-01-24 22:33 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 11:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 20:34 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-01-24 20:31 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2008-01-24 20:31 --------- d-----w C:\Program Files\Fichiers communs\ODBC
2008-01-24 20:24 --------- d-----w C:\Program Files\Attansic
2008-01-24 20:13 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-24 19:58 --------- d-----w C:\Program Files\Intel
2008-01-24 19:53 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-24 19:53 --------- d-----w C:\Program Files\RALINK
2008-01-24 19:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-24 19:37 --------- d-----w C:\Program Files\Services en ligne
2008-01-24 19:36 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 15:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-03-21 17:23 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-09 08:36 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-09 08:36 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 15:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-03 20:58 950664]
"RegistryBot"="C:\Program Files\RegistryBot\RegistryBot.exe" [2006-07-11 15:39 6524928]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-14 20:34 1500928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-14 20:35]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-14 20:35]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 15:12]

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-15 02:30:00 C:\WINDOWS\Tasks\RegistryBot Scheduled Scan.job"
- C:\Program Files\RegistryBot\RegistryBot.ex
- C:\Program Files\RegistryBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 18:49:33
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RaUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-15 18:50:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 17:50:37
.
2008-02-14 00:10:18 --- E O F ---


the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53, on 15/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\guile\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RegistryBot] "C:\Program Files\RegistryBot\RegistryBot.exe" -boot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3647 bytes
17 Février 2008 21:13:36

I think it's almost sorted: NOD32 no longer detects the virus at startup. Let me know what you think, but in any case many thanks for your responsiveness...
(How do you work out which lines to fix in HijackThis???)
18 Février 2008 10:40:07

My mistake, it's detecting it again... this morning...
18 Février 2008 11:48:08

Posting in case mogadon doesn't come back.
Be patient gdoub ;)
18 Février 2008 12:31:29

OK, sorry...
21 Février 2008 10:22:46

Should I keep on being patient?
21 Février 2008 13:26:29

Hi again,

Rerun ComboFix and post its report.
21 Février 2008 19:31:01

thanks for your reply, here is the report:

ComboFix 08-02-15.2 - guile 2008-02-21 19:28:39.3 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1516 [GMT 1:00]
Endroit: C:\Documents and Settings\guile\Bureau\ComboFix.exe

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((( Fichiers créés 2008-01-21 to 2008-02-21 ))))))))))))))))))))))))))))))))))))
.

2008-02-18 23:18 . 2008-02-19 12:53 <REP> d-------- C:\Program Files\PKR
2008-02-14 20:22 . 2000-05-22 17:58 647,872 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-02-14 20:22 . 1999-03-26 00:00 101,888 --a------ C:\WINDOWS\system32\vb6stkit.dll
2008-02-14 01:22 . 2008-02-14 01:22 <REP> d-------- C:\Documents and Settings\guile\Application Data\RegistryBot
2008-02-14 01:21 . 2008-02-14 20:24 <REP> d-------- C:\Program Files\RegistryBot
2008-02-10 19:26 . 2008-02-10 19:27 <REP> d-------- C:\Program Files\Super macro
2008-02-10 13:41 . 2008-02-10 13:41 39,424 --a------ C:\WINDOWS\system32\cbxyxvu.dll.vir
2008-02-10 02:37 . 2008-02-10 02:37 <REP> d-------- C:\Program Files\AC3Filter
2008-02-10 02:34 . 2008-02-10 02:34 <REP> d-------- C:\Program Files\AviSynth 2.5
2008-02-10 02:33 . 2008-02-10 02:34 <REP> d-------- C:\Program Files\Converio 2.0
2008-02-10 01:29 . 2008-02-10 01:29 <REP> d-------- C:\Program Files\Fichiers communs\Blizzard Entertainment
2008-02-09 19:44 . 2008-02-09 19:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-09 14:43 . 2008-02-09 14:43 <REP> d-------- C:\Program Files\Bonjour
2008-02-09 14:36 . 2008-02-09 14:36 <REP> d-------- C:\Program Files\Fichiers communs\Macrovision Shared
2008-02-09 12:38 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-02-09 12:18 . 2008-02-09 12:18 <REP> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-02-09 12:16 . 2008-02-09 12:22 <REP> d-------- C:\Program Files\DAEMON Tools Pro
2008-02-03 21:36 . 2008-02-03 21:36 <REP> d-------- C:\Program Files\COMODO
2008-02-03 21:36 . 2008-02-03 21:36 <REP> d-------- C:\Documents and Settings\guile\Application Data\Comodo
2008-02-03 21:36 . 2008-02-03 21:40 <REP> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-03 21:36 . 2008-02-14 20:35 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-03 21:36 . 2008-02-14 20:35 83,704 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-03 21:36 . 2008-02-14 20:35 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-03 21:00 . 2008-02-03 20:58 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-03 21:00 . 2008-02-03 20:58 299,392 --a------ C:\WINDOWS\system32\imon.dll
2008-02-03 21:00 . 2008-02-03 20:58 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-03 20:58 . 2008-02-08 13:01 <REP> d-------- C:\Program Files\ESET
2008-01-29 13:25 . 2008-01-29 13:25 <REP> d-------- C:\VundoFix Backups
2008-01-28 21:36 . 2008-02-09 14:43 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-01-28 21:36 . 2008-01-28 21:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\WINDOWS\system32\AGEIA
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\Program Files\AGEIA Technologies
2008-01-28 21:35 . 2008-02-09 12:39 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-28 21:35 . 2008-01-28 21:35 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-28 21:34 . 2004-08-09 06:04 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-01-28 21:32 . 2008-01-28 21:32 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2008-01-28 21:00 . 2008-02-09 12:22 <REP> d-------- C:\Documents and Settings\guile\Application Data\DAEMON Tools Pro
2008-01-28 19:47 . 2008-01-28 19:48 <REP> d-------- C:\Documents and Settings\guile\Application Data\GetRightToGo
2008-01-28 19:42 . 2008-02-03 21:24 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-28 19:42 . 2008-01-28 19:42 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-01-28 19:31 . 2008-01-28 19:31 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-28 18:57 . 2008-02-20 08:09 <REP> d-------- C:\Program Files\EasyBox
2008-01-28 18:57 . 2008-01-28 18:57 <REP> d-------- C:\Documents and Settings\guile\Application Data\vlc
2008-01-28 13:17 . 2008-02-20 20:43 <REP> d-------- C:\Program Files\eMule
2008-01-28 13:13 . 2008-01-28 13:13 <REP> d-------- C:\Temp
2008-01-28 08:13 . 2008-01-28 08:13 <REP> d-------- C:\Program Files\VideoLAN
2008-01-27 23:46 . 2008-01-27 23:46 <REP> d-------- C:\Documents and Settings\guile\Application Data\BitTorrent
2008-01-27 22:30 . 2008-01-28 19:08 <REP> d-------- C:\Documents and Settings\guile\Application Data\GrabIt
2008-01-27 22:26 . 2008-01-27 22:26 <REP> d-------- C:\Program Files\GrabIt
2008-01-27 22:04 . 2008-01-27 22:04 <REP> d-------- C:\Program Files\Alwil Software
2008-01-25 18:16 . 2008-01-25 18:16 <REP> d-------- C:\Documents and Settings\sandrine\Application Data\Talkback
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d--h----- C:\Documents and Settings\sandrine\Voisinage réseau
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d--h----- C:\Documents and Settings\sandrine\Voisinage d'impression
2008-01-25 18:14 . 2008-01-24 20:35 <REP> d--h----- C:\Documents and Settings\sandrine\Modèles
2008-01-25 18:14 . 2008-01-25 18:14 <REP> dr------- C:\Documents and Settings\sandrine\Mes documents
2008-01-25 18:14 . 2008-01-24 21:31 <REP> dr------- C:\Documents and Settings\sandrine\Menu Démarrer
2008-01-25 18:14 . 2008-01-25 18:14 <REP> dr------- C:\Documents and Settings\sandrine\Favoris
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d-------- C:\Documents and Settings\sandrine\Bureau
2008-01-25 13:19 . 2007-03-16 16:06 1,822,720 -r------- C:\WINDOWS\SkyTel.exe
2008-01-25 13:19 . 2007-01-16 11:39 1,191,936 -r------- C:\WINDOWS\RtlUpd.exe
2008-01-25 13:19 . 2006-08-18 07:58 282,624 -r------- C:\WINDOWS\system32\RTSndMgr.cpl
2008-01-25 13:19 . 2006-07-21 17:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-01-25 13:19 . 2006-08-01 16:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-01-25 13:18 . 2008-01-25 13:18 <REP> d-------- C:\Program Files\Realtek
2008-01-25 13:18 . 2007-03-21 15:49 16,126,464 -r------- C:\WINDOWS\RTHDCPL.exe
2008-01-25 13:18 . 2007-03-23 20:19 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2008-01-25 13:18 . 2007-03-26 20:21 4,395,008 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-25 13:18 . 2006-05-04 17:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-01-25 13:18 . 2006-10-11 18:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-01-25 13:18 . 2007-01-12 17:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-01-25 13:18 . 2005-09-21 11:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-25 13:18 . 2005-05-03 19:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-01-25 13:10 . 2008-02-10 21:22 <REP> d-------- C:\Program Files\Yahoo!
2008-01-25 13:10 . 2008-01-25 13:10 <REP> d-------- C:\Program Files\CCleaner
2008-01-24 23:25 . 2008-01-24 23:25 <REP> d-------- C:\Program Files\ma-config.com
2008-01-24 23:25 . 2008-01-24 23:25 <REP> d-------- C:\Documents and Settings\guile\Application Data\ma-config.com
2008-01-24 23:08 . 2008-02-13 12:35 <REP> d--h----- C:\WINDOWS\$hf_mig$
2008-01-24 22:47 . 2008-01-24 23:01 <REP> d-------- C:\Program Files\Fichiers communs\Symantec Shared
2008-01-24 22:47 . 2008-01-24 23:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 22:34 . 2008-01-24 22:34 <REP> d-------- C:\Documents and Settings\guile\Application Data\Talkback
2008-01-24 22:33 . 2008-01-24 22:33 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 11:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 20:49 40,448 ----a-w C:\WINDOWS\system32\NTSpool.exe
2008-01-28 20:34 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-01-24 20:31 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2008-01-24 20:31 --------- d-----w C:\Program Files\Fichiers communs\ODBC
2008-01-24 20:24 --------- d-----w C:\Program Files\Attansic
2008-01-24 20:13 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-24 19:58 --------- d-----w C:\Program Files\Intel
2008-01-24 19:53 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-24 19:53 --------- d-----w C:\Program Files\RALINK
2008-01-24 19:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-24 19:37 --------- d-----w C:\Program Files\Services en ligne
2008-01-24 19:36 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2007-12-07 01:07 663,552 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 15:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-03-21 17:23 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-09 08:36 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-09 08:36 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 15:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-03 20:58 950664]
"RegistryBot"="C:\Program Files\RegistryBot\RegistryBot.exe" [2006-07-11 15:39 6524928]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-14 20:34 1500928]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
Ralink Wireless Utility.lnk - C:\WINDOWS\RaUI.exe [2008-01-24 20:53:52 598016]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-02-09 19:44:19 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-14 20:35]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-14 20:35]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 15:12]

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-21 02:32:00 C:\WINDOWS\Tasks\RegistryBot Scheduled Scan.job"
- C:\Program Files\RegistryBot\RegistryBot.ex
- C:\Program Files\RegistryBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 19:29:33
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Temps d'accomplissement: 2008-02-21 19:29:46
ComboFix-quarantined-files.txt 2008-02-21 18:29:44
ComboFix2.txt 2008-02-15 17:50:40
.
2008-02-14 00:10:18 --- E O F ---
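The ComboFix report above shows one thing worth understanding before clearing it: a DLL registered under AppInit_DLLs is loaded by every process that loads user32.dll, which is why the "DLLs loaded under running processes" section lists guard32.dll inside winlogon.exe and lsass.exe. A defender triaging such a report wants to know where that DLL came from, and the "files created" listing answers it: files dropped in the same minute as the DLL usually belong to the same installer. The script below is an added example written for this thread; it is not part of ComboFix, HijackThis or anything the forum helpers posted. It parses the ComboFix report text, lists the AppInit DLLs, the processes they were seen loaded into, and the other files created in the same minute. The sample text is excerpted from the report posted above; the handling of a ".vir" suffix (ComboFix's rename of a disabled file) is an assumption about ComboFix's behaviour, and the line formats are inferred from the report itself.

```python
"""Triage the AppInit_DLLs entry of a ComboFix report (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the ComboFix report posted in the thread.
SAMPLE_REPORT = r"""
2008-02-03 21:36 . 2008-02-03 21:36 <REP> d-------- C:\Program Files\COMODO
2008-02-03 21:36 . 2008-02-14 20:35 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-03 21:36 . 2008-02-14 20:35 83,704 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-03 21:36 . 2008-02-14 20:35 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-03 21:00 . 2008-02-03 20:58 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-10 13:41 . 2008-02-10 13:41 39,424 --a------ C:\WINDOWS\system32\cbxyxvu.dll.vir

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
"""

# "files created" line (format inferred from the report): created . modified size|<REP> attrs path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<REP>|[\d,]+) (\S+) (.+)$"
)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(.*)$')
PROCESS_RE = re.compile(r"^PROCESS: (\S+)")
LOADED_RE = re.compile(r"^-> (.+)$")


def parse_created_files(text):
    """Return {path: (created, modified, size)}; size is None for directories."""
    files = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, _attrs, path = m.groups()
        files[path] = (created, modified, None if size == "<REP>" else int(size.replace(",", "")))
    return files


def parse_appinit_dlls(text):
    """DLL paths in the AppInit_DLLs value (Windows separates them by space or comma)."""
    dlls = []
    for line in text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            dlls.extend(p for p in re.split(r"[,\s]+", m.group(1).strip()) if p)
    return dlls


def parse_loaded_dlls(text):
    """{process: [dll, ...]} from the 'DLLs loaded under running processes' section."""
    loaded = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = PROCESS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = LOADED_RE.match(line)
        if m and current:
            loaded[current].append(m.group(1))
    return dict(loaded)


def _lookup(files, path):
    """Find the file entry even if ComboFix renamed the file with a .vir suffix (assumption)."""
    for cand in (path, path + ".vir"):
        if cand in files:
            return cand, files[cand]
    return None, None


def triage_appinit(text):
    """For each AppInit DLL: where it was loaded, when created, what else was created that minute."""
    files = parse_created_files(text)
    loaded = parse_loaded_dlls(text)
    by_minute = defaultdict(list)
    for path, (created, _modified, _size) in files.items():
        by_minute[created].append(path)
    result = []
    for dll in parse_appinit_dlls(text):
        name, info = _lookup(files, dll)
        created = info[0] if info else None
        result.append({
            "dll": dll,
            "on_disk_as": name,
            "created": created,
            # Windows paths are case-insensitive, so compare lowercased.
            "loaded_into": sorted(p for p, ds in loaded.items()
                                  if dll.lower() in (d.lower() for d in ds)),
            "created_with": sorted(p for p in by_minute.get(created, []) if p != name)
                            if created else [],
        })
    return result


if __name__ == "__main__":
    for entry in triage_appinit(SAMPLE_REPORT):
        print(entry)
```

On the thread's own report this yields one entry: guard32.dll, created 2008-02-03 21:36 alongside C:\Program Files\COMODO, cmdGuard.sys and cmdhlp.sys, and loaded into winlogon.exe and lsass.exe. That creation-time correlation is what tells you the DLL arrived with the COMODO firewall installer rather than with the randomly named DLLs ComboFix removed earlier, which is the kind of check to make before clearing an AppInit_DLLs value.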
21 Février 2008 19:55:51

Hi again,

Copy the text in the box below:

File::
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\nsreg.dat
C:\WINDOWS\Alcmtr.exe
C:\WINDOWS\RTLCPL.exe
C:\WINDOWS\system32\cbxyxvu.dll.vir

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Open Notepad and paste the copied text.
(Start\All Programs\Accessories\Notepad.)
Save this file under the name CFScript.txt.

Now drag the CFScript.txt file onto Combofix.exe as shown below:


This will relaunch ComboFix; press 1 then confirm. After the reboot, post the contents of the Combofix.txt report together with a HijackThis report.
If there is no reboot, post the reports anyway.
22 Février 2008 12:45:06

the ComboFix report: (FYI, I didn't have to press 1 and confirm when ComboFix ran)

ComboFix 08-02-15.2 - guile 2008-02-22 12:41:49.4 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1550 [GMT 1:00]
Endroit: C:\Documents and Settings\guile\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\guile\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

FILE
C:\WINDOWS\Alcmtr.exe
C:\WINDOWS\nsreg.dat
C:\WINDOWS\RTLCPL.exe
C:\WINDOWS\system32\cbxyxvu.dll.vir
C:\WINDOWS\system32\guard32.dll
C:\WINDOWS\system32\guard32.dll.vir
C:\WINDOWS\system32\NTSpool.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Alcmtr.exe
C:\WINDOWS\nsreg.dat
C:\WINDOWS\RTLCPL.exe
C:\WINDOWS\system32\cbxyxvu.dll.vir
C:\WINDOWS\system32\guard32.dll.vir
C:\WINDOWS\system32\NTSpool.exe

.
((((((((((((((((((((((((((((( Fichiers créés 2008-01-22 to 2008-02-22 ))))))))))))))))))))))))))))))))))))
.

2008-02-18 23:18 . 2008-02-19 12:53 <REP> d-------- C:\Program Files\PKR
2008-02-14 20:22 . 2000-05-22 17:58 647,872 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-02-14 20:22 . 1999-03-26 00:00 101,888 --a------ C:\WINDOWS\system32\vb6stkit.dll
2008-02-14 01:22 . 2008-02-14 01:22 <REP> d-------- C:\Documents and Settings\guile\Application Data\RegistryBot
2008-02-14 01:21 . 2008-02-14 20:24 <REP> d-------- C:\Program Files\RegistryBot
2008-02-10 19:26 . 2008-02-10 19:27 <REP> d-------- C:\Program Files\Super macro
2008-02-10 02:37 . 2008-02-10 02:37 <REP> d-------- C:\Program Files\AC3Filter
2008-02-10 02:34 . 2008-02-10 02:34 <REP> d-------- C:\Program Files\AviSynth 2.5
2008-02-10 02:33 . 2008-02-10 02:34 <REP> d-------- C:\Program Files\Converio 2.0
2008-02-10 01:29 . 2008-02-10 01:29 <REP> d-------- C:\Program Files\Fichiers communs\Blizzard Entertainment
2008-02-09 19:44 . 2008-02-09 19:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-09 14:43 . 2008-02-09 14:43 <REP> d-------- C:\Program Files\Bonjour
2008-02-09 14:36 . 2008-02-09 14:36 <REP> d-------- C:\Program Files\Fichiers communs\Macrovision Shared
2008-02-09 12:38 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-02-09 12:18 . 2008-02-09 12:18 <REP> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-02-09 12:16 . 2008-02-09 12:22 <REP> d-------- C:\Program Files\DAEMON Tools Pro
2008-02-03 21:36 . 2008-02-03 21:36 <REP> d-------- C:\Program Files\COMODO
2008-02-03 21:36 . 2008-02-03 21:36 <REP> d-------- C:\Documents and Settings\guile\Application Data\Comodo
2008-02-03 21:36 . 2008-02-03 21:40 <REP> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-03 21:36 . 2008-02-22 12:40 84,856 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-03 21:36 . 2008-02-14 20:35 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-03 21:00 . 2008-02-03 20:58 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-03 21:00 . 2008-02-03 20:58 299,392 --a------ C:\WINDOWS\system32\imon.dll
2008-02-03 21:00 . 2008-02-03 20:58 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-03 20:58 . 2008-02-08 13:01 <REP> d-------- C:\Program Files\ESET
2008-01-29 13:25 . 2008-01-29 13:25 <REP> d-------- C:\VundoFix Backups
2008-01-28 21:36 . 2008-02-09 14:43 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-01-28 21:36 . 2008-01-28 21:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\WINDOWS\system32\AGEIA
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-01-28 21:35 . 2008-01-28 21:35 <REP> d-------- C:\Program Files\AGEIA Technologies
2008-01-28 21:35 . 2008-02-09 12:39 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-28 21:35 . 2008-01-28 21:35 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-28 21:34 . 2004-08-09 06:04 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-01-28 21:32 . 2008-01-28 21:32 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2008-01-28 21:00 . 2008-02-09 12:22 <REP> d-------- C:\Documents and Settings\guile\Application Data\DAEMON Tools Pro
2008-01-28 19:47 . 2008-01-28 19:48 <REP> d-------- C:\Documents and Settings\guile\Application Data\GetRightToGo
2008-01-28 19:42 . 2008-02-03 21:24 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-28 19:42 . 2008-01-28 19:42 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-01-28 19:31 . 2008-01-28 19:31 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-28 18:57 . 2008-02-22 08:21 <REP> d-------- C:\Program Files\EasyBox
2008-01-28 18:57 . 2008-01-28 18:57 <REP> d-------- C:\Documents and Settings\guile\Application Data\vlc
2008-01-28 13:17 . 2008-02-20 20:43 <REP> d-------- C:\Program Files\eMule
2008-01-28 13:13 . 2008-01-28 13:13 <REP> d-------- C:\Temp
2008-01-28 08:13 . 2008-01-28 08:13 <REP> d-------- C:\Program Files\VideoLAN
2008-01-27 23:46 . 2008-01-27 23:46 <REP> d-------- C:\Documents and Settings\guile\Application Data\BitTorrent
2008-01-27 22:30 . 2008-01-28 19:08 <REP> d-------- C:\Documents and Settings\guile\Application Data\GrabIt
2008-01-27 22:26 . 2008-01-27 22:26 <REP> d-------- C:\Program Files\GrabIt
2008-01-27 22:04 . 2008-01-27 22:04 <REP> d-------- C:\Program Files\Alwil Software
2008-01-25 18:16 . 2008-01-25 18:16 <REP> d-------- C:\Documents and Settings\sandrine\Application Data\Talkback
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d--h----- C:\Documents and Settings\sandrine\Voisinage réseau
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d--h----- C:\Documents and Settings\sandrine\Voisinage d'impression
2008-01-25 18:14 . 2008-01-24 20:35 <REP> d--h----- C:\Documents and Settings\sandrine\Modèles
2008-01-25 18:14 . 2008-01-25 18:14 <REP> dr------- C:\Documents and Settings\sandrine\Mes documents
2008-01-25 18:14 . 2008-01-24 21:31 <REP> dr------- C:\Documents and Settings\sandrine\Menu Démarrer
2008-01-25 18:14 . 2008-01-25 18:14 <REP> dr------- C:\Documents and Settings\sandrine\Favoris
2008-01-25 18:14 . 2008-01-24 21:31 <REP> d-------- C:\Documents and Settings\sandrine\Bureau
2008-01-25 13:19 . 2007-03-16 16:06 1,822,720 -r------- C:\WINDOWS\SkyTel.exe
2008-01-25 13:19 . 2007-01-16 11:39 1,191,936 -r------- C:\WINDOWS\RtlUpd.exe
2008-01-25 13:19 . 2006-08-18 07:58 282,624 -r------- C:\WINDOWS\system32\RTSndMgr.cpl
2008-01-25 13:19 . 2006-07-21 17:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-01-25 13:19 . 2006-08-01 16:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-01-25 13:18 . 2008-01-25 13:18 <REP> d-------- C:\Program Files\Realtek
2008-01-25 13:18 . 2007-03-21 15:49 16,126,464 -r------- C:\WINDOWS\RTHDCPL.exe
2008-01-25 13:18 . 2007-03-26 20:21 4,395,008 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-25 13:18 . 2006-05-04 17:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-01-25 13:18 . 2006-10-11 18:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-01-25 13:18 . 2007-01-12 17:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-01-25 13:18 . 2005-09-21 11:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-25 13:10 . 2008-02-10 21:22 <REP> d-------- C:\Program Files\Yahoo!
2008-01-25 13:10 . 2008-01-25 13:10 <REP> d-------- C:\Program Files\CCleaner
2008-01-24 23:25 . 2008-01-24 23:25 <REP> d-------- C:\Program Files\ma-config.com
2008-01-24 23:25 . 2008-01-24 23:25 <REP> d-------- C:\Documents and Settings\guile\Application Data\ma-config.com
2008-01-24 23:08 . 2008-02-13 12:35 <REP> d--h----- C:\WINDOWS\$hf_mig$
2008-01-24 22:47 . 2008-01-24 23:01 <REP> d-------- C:\Program Files\Fichiers communs\Symantec Shared
2008-01-24 22:47 . 2008-01-24 23:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 22:34 . 2008-01-24 22:34 <REP> d-------- C:\Documents and Settings\guile\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 11:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 20:34 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-01-24 20:31 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2008-01-24 20:31 --------- d-----w C:\Program Files\Fichiers communs\ODBC
2008-01-24 20:24 --------- d-----w C:\Program Files\Attansic
2008-01-24 20:13 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-24 19:58 --------- d-----w C:\Program Files\Intel
2008-01-24 19:53 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-24 19:53 --------- d-----w C:\Program Files\RALINK
2008-01-24 19:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-24 19:37 --------- d-----w C:\Program Files\Services en ligne
2008-01-24 19:36 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2007-12-07 01:07 663,552 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 15:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-03-21 17:23 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-09 08:36 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-09 08:36 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 15:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-03 20:58 950664]
"RegistryBot"="C:\Program Files\RegistryBot\RegistryBot.exe" [2006-07-11 15:39 6524928]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-22 12:39 1502976]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
Ralink Wireless Utility.lnk - C:\WINDOWS\RaUI.exe [2008-01-24 20:53:52 598016]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-02-09 19:44:19 389120]

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-22 12:40]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-14 20:35]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 15:12]

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-22 02:32:00 C:\WINDOWS\Tasks\RegistryBot Scheduled Scan.job"
- C:\Program Files\RegistryBot\RegistryBot.ex
- C:\Program Files\RegistryBot
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 12:42:35
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Temps d'accomplissement: 2008-02-22 12:42:48
ComboFix-quarantined-files.txt 2008-02-22 11:42:46
ComboFix2.txt 2008-02-21 18:29:47
ComboFix3.txt 2008-02-15 17:50:40
.
2008-02-14 00:10:18 --- E O F ---


The HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PKR\pkrpal.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\guile\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RegistryBot] "C:\Program Files\RegistryBot\RegistryBot.exe" -boot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3503 bytes
22 February 2008 12:58:26

Re,

Download to your desktop: Clean (by Malekal) >Tutorial<
Unzip it to your desktop. Double-click on the clean folder.
Double-click on clean.cmd. (The cmd extension may not be shown.) This will open a black window.
A menu will appear; choose option 1, then Enter. Then press a key as prompted and post the report here.
The report is located here: C:\rapport_clean.txt

If you get a file C:\upload_moi.zip, please do this.
22 February 2008 19:23:49

I can't upload the file:
(on my machine it is named upload_moi_UNICORNI-D6DD94.tar.gz)

"invalid file format"

also, a crash on a DLL when I launch clean.cmd (I chose ignore and the process then went on to the file upload)

I'm attaching the report anyway:

22/02/2008 a 18:55:49,90

*** Recherche des fichiers dans C:

*** Recherche des fichiers dans C:\WINDOWS\

*** Recherche des fichiers dans C:\WINDOWS\system32

*** Recherche des fichiers dans C:\Program Files
*** Fin du rapport !

22 February 2008 20:23:21

Re,

Still having problems?

Select the entire frame below:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

Copy/paste it into Notepad (Start\All Programs\Accessories\Notepad.)
Save it to your desktop under the name Correction.reg
Double-click on it and accept the data import.

Then post a new HijackThis log.
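AppInit_DLLs is an autostart location: every DLL listed there is loaded into each process that loads user32.dll, which is why a helper wants to see exactly what a .reg fix will write there before it is imported. The following is an added example (not code from the thread or from any of the tools mentioned): a small REGEDIT4 parser that reports the DLL list a .reg file would put into AppInit_DLLs and flags lines it cannot safely interpret. The sample .reg text is constructed; REGEDIT4 string data must be written in double quotes with backslashes doubled, so an unquoted path is reported rather than silently accepted.

```python
"""Report what a REGEDIT4 .reg file would write to AppInit_DLLs.

Added example, not from the thread. SAMPLE_REG is constructed.
Only REG_SZ (quoted string) data is interpreted; dword:/hex: data and
unquoted data are reported as problems instead of being guessed at.
"""
import re
from typing import Dict, List, Optional, Tuple

# Key and value that an AppInit_DLLs fix targets (compared case-insensitively).
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
APPINIT_VALUE = "AppInit_DLLs"

# Constructed sample: a well-formed REGEDIT4 file setting AppInit_DLLs.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\guard32.dll"
'''

# "name"=data  or  @=data (default value); group 1 is the name, group 2 the data.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')


def _unescape(s: str) -> str:
    """Undo REGEDIT4 string escaping (doubled backslashes, escaped quotes)."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> Tuple[Dict[str, Dict[str, Optional[str]]], List[str]]:
    """Return ({key (lower-cased): {value name (lower-cased): data}}, problems).

    A data value of None means the line deletes the value ("name"=-).
    """
    keys: Dict[str, Dict[str, Optional[str]]] = {}
    problems: List[str] = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        problems.append("line 1: missing REGEDIT4 header")
    current: Optional[str] = None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            problems.append(f"line {n}: value line outside any [key] section")
            continue
        m = _VALUE_RE.match(line)
        if not m:
            problems.append(f"line {n}: cannot parse value line")
            continue
        name = (m.group(1) or "").lower()
        data = m.group(2).strip()
        if data == "-":
            keys[current][name] = None
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        else:
            # Not a REG_SZ literal: REGEDIT4 requires quoted string data.
            problems.append(
                f"line {n}: data for {name!r} is not a quoted REG_SZ string")
    return keys, problems


def appinit_dlls(text: str) -> Tuple[List[str], List[str]]:
    """DLL paths the .reg file would place in AppInit_DLLs, plus parse problems."""
    keys, problems = parse_reg(text)
    data = keys.get(APPINIT_KEY.lower(), {}).get(APPINIT_VALUE.lower())
    if not data:
        return [], problems
    # AppInit_DLLs is a space- or comma-separated list of paths.
    return [p for p in re.split(r"[ ,]+", data) if p], problems


if __name__ == "__main__":
    dlls, problems = appinit_dlls(SAMPLE_REG)
    print("AppInit_DLLs would become:", dlls)
    for p in problems:
        print("problem:", p)
```

Run against a fix before importing it: an empty problem list and a DLL list containing only paths you recognise (here the firewall's own guard32.dll) is what you expect to see; anything else deserves a second look.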
23 February 2008 03:33:23

here is my HijackThis after running the .reg:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:32, on 23/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\GrabIt\GrabIt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\guile\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3421 bytes
23 February 2008 03:35:23

I'm going to run another scan of my machine with the antivirus to see if it still detects anything... for the last 2 boots it no longer shows me the dialog box saying it has detected the virus... I'll let you know
Thanks anyway!
23 February 2008 12:10:31

Re,

Can you uninstall/reinstall Comodo?
23 February 2008 12:55:59

I can! Why?
23 February 2008 13:00:46

Because I made a mistake earlier, and I apologise; it is better to reinstall it to be sure it works perfectly :)
23 February 2008 13:11:00

OK, I did the scan with NOD32, it still finds viruses:
under:

c:\qoobox\quarantine\C\Windows\system32\bywuvww.dll.vir infected by win32/adware.Virtumonde

same on:

c:\systeme volume information\_restore{06DAA05F-C2C1-49A2-B08E-289AD8A8E777}\RP50\A0011540.dll

and

c:\systeme volume Information\_restore{06DAA05F-C2C1-49A2-B08E-289AD8A8E777}\RP50\A0011587.dll

23 February 2008 13:23:25

I have just reinstalled Comodo... I'm attaching a HijackThis log... just in case:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22, on 23/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\guile\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.files-ftp.com/~unicorni/phpBB2/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3473 bytes
23 February 2008 13:25:08

Re,

That's nothing :)

The first -> ComboFix quarantine; you can even see the DLL renamed to .vir.

And then it's System Restore.

Disable and re-enable System Restore

Any more problems?

You can fix this line in HijackThis:
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Download ToolsCleaner2 (by A.Rothstein)

Install it on your Desktop
Click [Recherche] (Search) to start the scan
Click [Supprimer] (Delete) to clean up the tools that were used
Click [Quitter] (Quit),
Post this report ~>C:\TCleaner.txt<~

Keep CCleaner, AVG and Antivir if we installed them..
Report your infection on Malware Complaints >Tutorial<
Your infection(s): Vundo

Then have a look at this folder:

Security/Prevention
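The point the helper makes above is a common triage question: after a clean-up, an antivirus will keep reporting the same signature on copies that are no longer able to run, namely files parked in ComboFix's quarantine (renamed with a .vir suffix under C:\qoobox\quarantine) and copies preserved inside System Restore points (under System Volume Information\_restore{GUID}\RPnn). The following is an added example (not code from the thread or from any of the tools named): it parses NOD32-style "path infected by threat" lines and sorts each hit into quarantine, restore point or live location, so that only the last category is treated as an active infection. The sample detection lines are constructed, with placeholder file names and an all-zero GUID.

```python
"""Triage antivirus detection paths: quarantine / restore point / live.

Added example, not from the thread. SAMPLE_DETECTIONS is constructed
(placeholder file names, all-zero restore-point GUID).
"""
import re
from typing import Dict, List, Tuple

# ComboFix quarantine: files are moved under C:\qoobox\quarantine\ and
# renamed with a .vir suffix, so they can no longer be loaded from their
# original location.
_QUARANTINE_RE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I)

# Windows XP System Restore store: one folder per restore point (RPnn)
# under System Volume Information\_restore{GUID}. The optional 'e' also
# accepts the French-influenced spelling "systeme" seen in the thread.
_RESTORE_RE = re.compile(
    r"^[a-z]:\\systeme? volume information\\_restore\{[0-9a-f-]{36}\}\\rp\d+\\",
    re.I)

ADVICE = {
    "quarantine": "inert copy held by ComboFix; goes away when the tool's "
                  "quarantine is cleaned up",
    "restore-point": "inert copy inside a restore point; disable and "
                     "re-enable System Restore to purge it",
    "live": "file in a normal system location; treat as an active "
            "infection and keep cleaning",
}

# Constructed sample lines in the "path infected by threat" form.
SAMPLE_DETECTIONS = [
    r"c:\qoobox\quarantine\C\Windows\system32\placeholder.dll.vir"
    r" infected by Win32/Adware.Virtumonde",
    r"c:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}"
    r"\RP50\A0000001.dll infected by Win32/Adware.Virtumonde",
    r"c:\WINDOWS\system32\placeholder.dll infected by Win32/Adware.Virtumonde",
]


def classify(path: str) -> str:
    """Map a detected file path to 'quarantine', 'restore-point' or 'live'."""
    if _QUARANTINE_RE.match(path):
        return "quarantine"
    if _RESTORE_RE.match(path):
        return "restore-point"
    return "live"


def parse_detection(line: str) -> Tuple[str, str]:
    """Split 'path infected by threat' into (path, threat)."""
    path, sep, threat = line.strip().partition(" infected by ")
    if not sep:
        raise ValueError(f"unrecognised detection line: {line!r}")
    return path, threat


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, threat, category) for every detection line."""
    return [(*parse_detection(line), classify(parse_detection(line)[0]))
            for line in lines]


def summary(lines: List[str]) -> Dict[str, int]:
    """Count detections per category; only 'live' hits need further cleaning."""
    counts = {"quarantine": 0, "restore-point": 0, "live": 0}
    for _, _, category in triage(lines):
        counts[category] += 1
    return counts


if __name__ == "__main__":
    for path, threat, category in triage(SAMPLE_DETECTIONS):
        print(f"[{category:13}] {path}")
        print(f"    {threat}: {ADVICE[category]}")
    print(summary(SAMPLE_DETECTIONS))
```

Feeding the thread's three detections through this would put the first in the quarantine bucket and the other two in the restore-point bucket, leaving no live hit, which is exactly the helper's reading. Note that the .vir suffix is only a hint; the classification keys on the directory, since a quarantined file that is still under the quarantine path cannot be loaded from its original location regardless of its name.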
23 February 2008 14:08:00

here's the report:


22/02/2008 a 18:55:49,90

*** Recherche des fichiers dans C:

*** Recherche des fichiers dans C:\WINDOWS\

*** Recherche des fichiers dans C:\WINDOWS\system32

*** Recherche des fichiers dans C:\Program Files
*** Fin du rapport !

I'll do the rest later, bye and thanks again