Votre question

grosse infection par le trojan win32:tratbho

Tags :
  • Sécurité
Dernière réponse : dans Sécurité et virus
27 Janvier 2008 11:57:12

bonjour à tous...

depuis quelques jours je me suis apercue que mon PC (enfin celui de mon père) était infecté par le trojan win32:tratbho
288 fichiers mis en quarantaine par avast... je sais il faut que j'enlève avast...

mais comment se débarasser du virus...?? je vous poste ci dessous un rapport hijackthis... et c'est pour moi du chinois!!

je vous remercie par avance pour votre aide

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:03, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\dan\LOCALS~1\Temp\Répertoire temporaire 2 pour HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\cbxwvut.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: XTN Monitor - {CB6BCBE2-79B4-4B72-BD1F-185FD5A651EB} - C:\WINDOWS\ddwlxtqlmr.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The enqvwkp - {12A25CE9-0A93-4074-9516-A5B1A83141C9} - C:\WINDOWS\enqvwkp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [fsc-reminder.exe] C:\windows\reminder\fsc-reminder.exe 2453624 10
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe /a /b
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www2.ac-nancy-metz.fr/qp2.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://pictures.aol.com/ap/Resources/2.0.4.69/cab/aolpP...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall...
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.photoways.com/clients/uploader_v2.1.0.53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/fl...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dan.dns
O17 - HKLM\Software\..\Telephony: DomainName = dan.dns
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0C4D3C-6301-4CCA-87AE-4836BE0954ED}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{A987444E-9EFF-45AF-BDA2-D0E79BFBCB22}: NameServer = 85.255.114.112,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4E0716B-C8D2-4D43-BFE3-D23207820826}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dan.dns
O20 - Winlogon Notify: cbxwvut - C:\WINDOWS\SYSTEM32\cbxwvut.dll
O21 - SSODL: agrlmvp - {9259B34F-F8CD-4CD6-A4B4-8E00F4A7087F} - C:\WINDOWS\agrlmvp.dll
O21 - SSODL: bmlvqkn - {83BC218C-D436-4D07-BB56-03F05DE6BD20} - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 8315 bytes

Autres pages sur : grosse infection trojan win32 tratbho

27 Janvier 2008 12:08:13

Salut,

Tu es bien infecté !

Télécharge FixWareout (de LonnyRJones) sur le Bureau.
>>Deuxième lien<<

Double clique sur FixWareout.exe, : clique sur Next puis Install.
Run fixit doit être coché, enfin clique sur Finish.
Suis les messages à l'écran. Ton ordinateur devra redémarrer, accepte. Le démarrage sera légèrement plus long que d’habitude.

Poste le rapport >C:\fixwareout\report.txt<
Accompagné d’un nouveau log HiJackThis.
27 Janvier 2008 12:13:57

salut!!!!

ben ca commence mal....
quand je clique sur une touche pour redémarrer, un message me disant "you need administrative privileges to run this rool" sauf que j'ai un seul compte sur cet ordinateur....
Contenus similaires
27 Janvier 2008 12:54:24

Re,

Essaie de le faire en mode sans échec.
Sinon on fera les manips dans un autre ordre.
27 Janvier 2008 13:10:34

Encore le meme problème en mode sans échec....
27 Janvier 2008 13:23:18

Ok.

Télécharge SDFix (d’Andy Manchesta)

Enregistre le sur ton le bureau.

Lance le.
Fais install afin qu’il puisse s’extraire.

Redémarre en mode sans échec
/!\ Ne jamais démarrer en mode sans échec via MSCONFIG /!\

Lance SDFix.
Double clique sur RunThis.bat . (L’extension bat peut ne pas apparaître)
Appuie sur Y pour le lancer.

Il te sera demandé d'appuyer sur une touche pour redemarrer , fais le
Il est probable que le redémarrage soit un peu plus long que d’habitude.
Une fois l’apparition de ton Bureau, il affichera Finished

Appuie sur une touche.

Un rapport est généré , poste le dans ta réponse.
Il se trouve également. dans le dossier SDFix >Report.txt<
29 Janvier 2008 10:50:59

bonjour...
me revoila, petit soucis avec le modem....
j'ai donc suivi la procédure ci dessus.... j'en suis a 327 fichiers infectés.... ca fait peur! lol

voici donc le scan ...

je vous remercie encore!


SDFix: Version 1.131

Run by dan on 29/01/2008 at 10:24

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\dan\Bureau\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\SIRENA~1.DLL - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\Program Files\Setup.exe - Deleted
C:\DOCUME~1\dan\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\explorer.exe - Deleted
C:\WINDOWS\agrlmvp.dll - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\ddwlxtqlmr.dll - Deleted
C:\WINDOWS\enqvwkp.dll - Deleted
C:\WINDOWS\fxtqdrl.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\xpupdate.exe - Deleted


Could Not Remove C:\autorun.inf

Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 10:37:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\Microsoft Office\Office\WINWORD.EXE"="C:\Program Files\Microsoft Office\Office\WINWORD.EXE:*:Enabled:Microsoft Word for Windows"
"C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe"="C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Fichiers communs\AOL\ACS\AOLAcsd.exe"="C:\Program Files\Fichiers communs\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL"
"C:\Program Files\AOL 9.0 VR\waol.exe"="C:\Program Files\AOL 9.0 VR\waol.exe:*:Enabled:AOL"
"C:\Program Files\Fichiers communs\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Fichiers communs\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\Program Files\AOL 9.0 VRa\waol.exe"="C:\Program Files\AOL 9.0 VRa\waol.exe:*:Enabled:AOL"
"C:\Program Files\AOL 9.0\waol.exe"="C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\AOL 9.0a\waol.exe"="C:\Program Files\AOL 9.0a\waol.exe:*:Enabled:AOL"
"C:\Program Files\AOL 9.0b\waol.exe"="C:\Program Files\AOL 9.0b\waol.exe:*:Enabled:AOL"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\OneClick\\OneClick.exe"="C:\\Program Files\\OneClick\\OneClick.exe:*:Enabled:o neClick"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Fichiers communs\\AOL\\1141531365\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Fichiers communs\\AOL\\1141531365\\ee\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Fichiers communs\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Fichiers communs\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Fichiers communs\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Fichiers communs\\AOL\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Documents and Settings\\dan\\Bureau\\Jeux\\Dames.exe"="C:\\Documents and Settings\\dan\\Bureau\\Jeux\\Dames.exe:*:Enabled:Application MFC Dames"
"C:\\Program Files\\Fichiers communs\\AOL\\1141531365\\ee\\aolsoftware.exe"="C:\\Program Files\\Fichiers communs\\AOL\\1141531365\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\eChanblard\\emule.exe"="C:\\Program Files\\eChanblard\\emule.exe:*:Enabled:eChanblard"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0e\\waol.exe"="C:\\Program Files\\AOL 9.0e\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AOL 9.0h\\waol.exe"="C:\\Program Files\\AOL 9.0h\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AOL 9.0i\\waol.exe"="C:\\Program Files\\AOL 9.0i\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Fichiers communs\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Fichiers communs\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Fichiers communs\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Fichiers communs\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AOL 9.0b\\waol.exe"="C:\\Program Files\\AOL 9.0b\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------
C:\autorun.inf Found

File Backups: - C:\DOCUME~1\dan\Bureau\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 16 Apr 2007 960 A.SH. --- "C:\taw4a0ma.sys"
Wed 7 Jun 2006 304,640 A..H. --- "C:\PROCN\INSTALL\INSTALL.EXE"
Thu 5 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 13 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 7 Jan 2008 1,627,648 ...H. --- "C:\Documents and Settings\dan\Mes documents\~WRL0001.tmp"
Tue 18 Dec 2007 98,816 ...H. --- "C:\Documents and Settings\dan\Mes documents\~WRL1747.tmp"
Mon 7 Jan 2008 1,654,272 ...H. --- "C:\Documents and Settings\dan\Mes documents\~WRL3830.tmp"
Tue 5 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 13 Dec 2005 4,348 ...H. --- "C:\Documents and Settings\dan\Mes documents\Ma musique\Sauvegarde de la licence\drmv1key.bak"
Tue 13 Dec 2005 20 A..H. --- "C:\Documents and Settings\dan\Mes documents\Ma musique\Sauvegarde de la licence\drmv1lic.bak"
Tue 13 Dec 2005 400 A.SH. --- "C:\Documents and Settings\dan\Mes documents\Ma musique\Sauvegarde de la licence\drmv2key.bak"
Wed 20 Sep 2006 69,632 ...H. --- "C:\Documents and Settings\dan\Mes documents\My Viewlets\cours\GUIDE DE CONDUITE\~WRL0002.tmp"
Wed 22 Nov 2006 221,184 A..H. --- "C:\Documents and Settings\dan\Bureau\polizzi\polizzi\bin\Debug\polizzi.exe"

Finished!
29 Janvier 2008 18:53:04

pas de nouvelle alerte cet apres midi mais est ce fini...?
29 Janvier 2008 20:38:07

Re,

Il doit en rester.
Reposte un Hijackthis ;) 
30 Janvier 2008 12:59:27

donc voila la nouveau rapport!! encore merci


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:49, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\dan\LOCALS~1\Temp\Répertoire temporaire 1 pour HiJackThis(2).zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\cbxwvut.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [fsc-reminder.exe] C:\windows\reminder\fsc-reminder.exe 2453624 10
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www2.ac-nancy-metz.fr/qp2.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://pictures.aol.com/ap/Resources/2.0.4.69/cab/aolpP...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall...
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.photoways.com/clients/uploader_v2.1.0.53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/fl...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dan.dns
O17 - HKLM\Software\..\Telephony: DomainName = dan.dns
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0C4D3C-6301-4CCA-87AE-4836BE0954ED}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{A987444E-9EFF-45AF-BDA2-D0E79BFBCB22}: NameServer = 85.255.114.112,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4E0716B-C8D2-4D43-BFE3-D23207820826}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dan.dns
O20 - Winlogon Notify: cbxwvut - C:\WINDOWS\SYSTEM32\cbxwvut.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: .NET Runtime Optimization Service v2.0.50215_X86 (clr_optimization_v2.0.50215_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 7822 bytes
30 Janvier 2008 14:02:46

Re,

Il reste deux infections importantes.

Peux-tu ressayer fixwareout ?
30 Janvier 2008 14:14:42

re!

encore le meme probleme que dimanche,
il me redit que je n'ai pas les droits d'utilisateur...
30 Janvier 2008 14:17:01

On finira bien par l'avoir de toute façon :p 

On s'occupe de l'autre infection.

Télécharge Combofix (de sUBs) sur ton Bureau.

Désactive temporairement toute protection résidente ! (Antivirus, antispywares..)
Double clique combofix.exe.
Tape sur la touche 1 (Yes) pour démarrer le scan.
Lorsque le scan sera complété, un rapport apparaîtra. Poste ce rapport dans ta prochaine réponse.

Le rapport se trouve ici : C:\Combofix.txt
30 Janvier 2008 14:35:26

voila le nouveu rapport






ComboFix 08-01-30.6 - dan 2008-01-30 14:21:42.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.605 [GMT 1:00]
Endroit: C:\Documents and Settings\dan\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbxwvut.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\dan\Application Data\DriveCleaner Free
C:\Documents and Settings\dan\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\dan\Application Data\ShoppingReport
C:\Documents and Settings\dan\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\dan\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\dan\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\dan\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\dan\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\dan\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\dan\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\setup.exe
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\cbxwvut.dll
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\qynlwf.dat
C:\WINDOWS\system32\qynlwf_nav.dat
C:\WINDOWS\system32\qynlwf_navps.dat
C:\WINDOWS\system32\regsvr32.dll
C:\WINDOWS\system32\rklgxvnf.dat
C:\WINDOWS\system32\rklgxvnf_nav.dat
C:\WINDOWS\system32\rklgxvnf_navps.dat
C:\WINDOWS\system32\stera.log

----- BITS: Possible sites infect‚s -----

hxxp://softworldnetwork.com
hxxp://softworldnetwork2.com
.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-28 to 2008-01-30 ))))))))))))))))))))))))))))))))))))
.

2008-01-29 10:21 . 2008-01-29 10:21 <REP> d-------- C:\WINDOWS\ERUNT
2008-01-27 13:03 . 2005-07-23 09:28 <REP> d--h----- C:\Documents and Settings\Administrateur\Voisinage r‚seau
2008-01-27 13:03 . 2005-07-23 09:28 <REP> d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression
2008-01-27 13:03 . 2006-03-06 11:26 <REP> d--h----- C:\Documents and Settings\Administrateur\ModŠles
2008-01-27 13:03 . 2005-07-23 07:37 <REP> dr------- C:\Documents and Settings\Administrateur\Mes documents
2008-01-27 13:03 . 2005-07-23 08:05 <REP> dr------- C:\Documents and Settings\Administrateur\Menu D‚marrer
2008-01-27 13:03 . 2005-07-23 07:37 <REP> dr------- C:\Documents and Settings\Administrateur\Favoris
2008-01-27 13:03 . 2006-06-07 13:12 <REP> d-------- C:\Documents and Settings\Administrateur\Bureau
2008-01-26 04:45 . 2008-01-26 04:45 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Prism
2008-01-21 16:20 . 2008-01-25 06:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-21 16:20 . 2008-01-21 16:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-20 13:11 . 2008-01-20 13:11 <REP> d-------- C:\WINDOWS\AU_Temp
2008-01-20 13:11 . 2008-01-20 13:11 <REP> d-------- C:\WINDOWS\AU_Log
2008-01-20 13:11 . 2008-01-20 13:11 170 --a------ C:\WINDOWS\GetServer.ini
2008-01-04 01:10 . 2007-12-04 18:58 1,360 --a------ C:\time.wav
2008-01-03 06:20 . 2008-01-14 06:59 472 --a------ C:\demineur.ini

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 09:40 8 ----a-w C:\Documents and Settings\dan\.bztarotcumul.dat
2008-01-28 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-28 16:29 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-28 16:07 --------- d-----w C:\Program Files\Visicom Media
2008-01-27 11:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-27 10:42 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-22 01:34 --------- d-----w C:\Program Files\SolidWorks EE
2008-01-20 23:27 --------- d-----w C:\Program Files\eChanblard
2008-01-20 12:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 14:23 --------- d-----w C:\Program Files\ODS
2007-12-26 11:29 --------- d-----w C:\Program Files\Fichiers communs\AOL
2007-12-26 11:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-26 11:26 --------- d-----w C:\Documents and Settings\dan\Application Data\AOL
2007-12-26 11:21 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-01-25 18:57 278,528 ----a-w C:\Program Files\Fichiers communs\FDEUnInstaller.exe
2007-01-02 15:43 1,274 -c--a-w C:\Documents and Settings\dan\Application Data\wklnhst.dat
2006-09-30 19:09 15,895,440 ----a-w C:\Program Files\DivXPlay.exe
2006-08-15 09:22 8,867,328 ----a-w C:\Program Files\winhotpot60.exe
2006-07-25 17:09 64,428,992 ----a-w C:\Program Files\Visual Basic 5.0 Enterprise Edition.exe
2006-07-24 18:08 228,706 ----a-w C:\Program Files\oc97eval.zip
2006-07-24 17:52 992,864 ----a-w C:\Program Files\Msvbvm50.exe
2006-07-24 17:10 1,044,168 ----a-w C:\Program Files\Visual Basic 6.0 -Vb6- Runtime Sp5.exe
2006-07-20 01:39 2,990,272 ----a-w C:\Program Files\vbsetup.exe
2006-06-17 15:54 12,527,920 ----a-w C:\Program Files\IE7BETA2-WindowsXP-x86-enu.exe
2006-05-01 19:54 1,235,711 ----a-w C:\Program Files\egifan3.exe
2006-03-04 21:48 1,483,616 ----a-w C:\Program Files\Windows-KB890830-V1.13.exe
2005-09-15 08:21 10,913 ----a-w C:\Program Files\Uninst.isu
2003-08-15 23:22 83,208 ----a-w C:\Program Files\S32EVNT1.DLL
2003-05-28 17:00 276 ----a-w C:\Program Files\Readme.txt
2000-05-02 07:20 59,174 ------w C:\Program Files\SETUP.INS
2000-05-02 07:20 488,886 ----a-w C:\Program Files\DATA.Z
2000-05-02 07:20 35,630 ----a-w C:\Program Files\_SETUP.LIB
2000-05-02 07:20 198 ----a-w C:\Program Files\SETUP.PKG
2000-05-02 07:20 15,712 ----a-w C:\Program Files\FONT.Z
1998-09-01 07:43 475 ----a-w C:\Program Files\SCHACH!2.INI
1998-08-31 16:56 977,664 ----a-w C:\Program Files\ECHECS.EXE
1996-11-20 15:48 35 ----a-w C:\Program Files\Setup.ini
1996-07-10 01:15 280,481 ----a-w C:\Program Files\_INST16.EX_
1996-06-12 16:36 9,728 ----a-w C:\Program Files\_SETUP.DLL
1996-03-14 23:39 76 ----a-r C:\Program Files\MATT7.SC
1996-03-04 20:25 160 ----a-r C:\Program Files\MATT10.SC
1995-09-07 19:22 8,192 ----a-w C:\Program Files\_ISDEL.EXE
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fsc-reminder.exe"="C:\windows\reminder\fsc-reminder.exe" [2005-01-19 16:10 28672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 12:09 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-04-15 04:34 180269]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Adobe Reader 7.0.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Adobe Reader 7.0.lnk
backup=C:\WINDOWS\pss\Adobe Reader 7.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^dan^Menu Démarrer^Programmes^Démarrage^Aide mémoire.lnk]
path=C:\Documents and Settings\dan\Menu Démarrer\Programmes\Démarrage\Aide mémoire.lnk
backup=C:\WINDOWS\pss\Aide mémoire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-04-15 04:34 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-05-17 17:48 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"snpstd"=C:\WINDOWS\vsnpstd.exe

R2 UxTuneUp;TuneUp Extension de thème;C:\WINDOWS\System32\svchost.exe [2004-08-05 13:00]
R3 usbstor;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-05 13:00]
S3 ATWPKT;ATWPKT;C:\WINDOWS\system32\Drivers\ATWPKT.SYS [2002-05-10 11:50]
S3 SQLWriter;Enregistreur VSS SQL Server;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 01:53]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2007-12-28 16:17:12 C:\WINDOWS\Tasks\Maintenance en 1 clic.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-30 02:27:21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{CC35DECA-5803-4AD0-B675-90C082CD2A14}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 14:29:10
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-01-30 14:32:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 13:32:31
.
2007-12-12 05:33:21 --- E O F ---
30 Janvier 2008 14:42:29

Et ben dis donc ..

Télécharge Navilog (de Il-Mafioso)

Enregistre-le sur ton Bureau.
Installe-le en double cliquant sur navilog.exe.
Une fois l'installation terminée, l'utilitaire s'exécutera automatiquement.
(Si ce n'est pas le cas, double clique sur le raccourci présent sur le Bureau)

Laisse-toi guider par l'utilitaire. Choisis l'option 1 puis valide.
! N'utilise pas l'option 2,3 et 4 sans notre accord !
Patiente jusqu'à l'apparition de ce message :
"*** Analyse Termine le ..... ***"
Appuie sur une touche comme demandé. Le Bloc-notes va s'ouvrir. Poste le rapport ici.

Le rapport se trouve ici :C:\fixnavi.txt
30 Janvier 2008 15:09:42

voila la suite!!!



Search Navipromo version 3.4.2 commencé le 30/01/2008 à 14:50:00,14

!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Postez ce rapport sur le forum pour le faire analyser !!!
!!! Ne lancez pas la partie désinfection sans l'avis d'un spécialiste !!!

Outil exécuté depuis C:\Program Files\navilog1
Mise à jour le 27.01.2008 à 17h00 par IL-MAFIOSO


Microsoft Windows XP [version 5.1.2600]
Internet Explorer : 7.0.5730.11
Système de fichiers : NTFS

Executé en mode normal

*** Recherche Programmes installés ***




*** Recherche dossiers dans C:\WINDOWS ***



*** Recherche dossiers dans C:\Program Files ***



*** Recherche dossiers dans C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***




*** Recherche dossiers dans "C:\Documents and Settings\dan\application data" ***



*** Recherche dossiers dans "C:\Documents and Settings\dan\local settings\application data" ***



*** Recherche dossiers dans "C:\Documents and Settings\dan\MENUDM~1\PROGRA~1" ***


*** Recherche dossiers dans C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1 ***


*** Recherche avec Catchme-rootkit/stealth malware detector par gmer ***
pour + d'infos : http://www.gmer.net

Aucun Fichier trouvé



*** Recherche avec GenericNaviSearch ***
!!! Tous ces résultats peuvent révéler des fichiers légitimes !!!
!!! A vérifier impérativement avant toute suppression manuelle !!!

* Recherche dans C:\WINDOWS\system32 *

* Recherche dans "C:\Documents and Settings\dan\local settings\application data" *



*** Recherche fichiers ***




*** Recherche clés spécifiques dans le Registre ***


*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche nouveaux fichiers Instant Access :


2)Recherche Heuristique :

* Dans C:\WINDOWS\system32 :


* Dans "C:\Documents and Settings\dan\local settings\application data" :


3)Recherche Certificats :

Certificat Egroup absent !

4)Recherche fichiers connus :



*** Analyse terminée le 30/01/2008 à 15:07:29,95 ***
30 Janvier 2008 18:09:13

Reposte un Hijackthis.

30 Janvier 2008 18:30:41

VOICI donc le rapport hijachthis


merci encore!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:29:29, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\dan\LOCALS~1\Temp\Répertoire temporaire 1 pour HiJackThis(2).zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [fsc-reminder.exe] C:\windows\reminder\fsc-reminder.exe 2453624 10
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www2.ac-nancy-metz.fr/qp2.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://pictures.aol.com/ap/Resources/2.0.4.69/cab/aolpP...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall...
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.photoways.com/clients/uploader_v2.1.0.53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/fl...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dan.dns
O17 - HKLM\Software\..\Telephony: DomainName = dan.dns
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0C4D3C-6301-4CCA-87AE-4836BE0954ED}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{A987444E-9EFF-45AF-BDA2-D0E79BFBCB22}: NameServer = 85.255.114.112,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4E0716B-C8D2-4D43-BFE3-D23207820826}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dan.dns
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: .NET Runtime Optimization Service v2.0.50215_X86 (clr_optimization_v2.0.50215_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 7233 bytes
30 Janvier 2008 18:55:51

Bien,
ressaie fixwareout :p 
30 Janvier 2008 19:36:06

le logiciel a enfin bien voulu marché....
c'est beaucoup plus facile d'infecter un pc que de le nettoyer....
:sweat: 

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6E0C4D3C-6301-4CCA-87AE-4836BE0954ED}
"nameserver"="85.255.114.92,85.255.112.112" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A987444E-9EFF-45AF-BDA2-D0E79BFBCB22}
"nameserver"="85.255.114.112,85.255.112.112" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D4E0716B-C8D2-4D43-BFE3-D23207820826}
"nameserver"="85.255.114.92,85.255.112.112" <Value cleared.

Cache de résolution DNS vidé.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fsc-reminder.exe"="C:\\windows\\reminder\\fsc-reminder.exe 2453624 10"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
30 Janvier 2008 19:45:38

Et ben voila, l'infection devait bloquer les accès :) 
Reposte un Hijackthis
30 Janvier 2008 20:01:53

la suite...merci!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:00:51, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\ea27c4a36a629b694ed9fcb4e7bddb53\update\update.exe
C:\DOCUME~1\dan\LOCALS~1\Temp\Répertoire temporaire 1 pour HiJackThis(3).zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [fsc-reminder.exe] C:\windows\reminder\fsc-reminder.exe 2453624 10
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www2.ac-nancy-metz.fr/qp2.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://pictures.aol.com/ap/Resources/2.0.4.69/cab/aolpP...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall...
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.photoways.com/clients/uploader_v2.1.0.53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/fl...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dan.dns
O17 - HKLM\Software\..\Telephony: DomainName = dan.dns
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dan.dns
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: .NET Runtime Optimization Service v2.0.50215_X86 (clr_optimization_v2.0.50215_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 7002 bytes
30 Janvier 2008 21:17:42

Re,

Télécharge sur ton bureau : Clean (de Malekal) >Tuto<
Dézippe le sur ton bureau. Double-clic sur ce dossier clean.
Double-clic sur clean.cmd. (L’extension cmd peut ne pas apparaître) Cela va ouvrir une fenêtre noire.
Un menu va apparaître, choisis l'option 1 puis entrée. Ensuite appuies sur une touche comme il te sera demandé et poste le rapport ici.
Le rapport se trouve ici : C:\rapport_clean.txt

Si tu obtiens un fichier C:\upload_moi.zip, merci de faire ceci.
16 Février 2008 09:58:57

bonjour,
me revoila avec énormément de retard....

j'ai donc télécharché clean et voici le rapport
en faite le logiciel démarre, me demande de choisir entre 1 2 ou 3, je choisi 1.
il me dit ensuite de patienter quelques minutes puis la fenetre se ferme et je ne sais pas si il a vraiment travaillé!
j'ai essayé une dizaine de fois mais toujours la meme chose....


encore merci!!!!


16/02/2008 a 9:49:50,50

*** Recherche des fichiers dans C:
C:\autorun.inf FOUND

*** Recherche des fichiers dans C:\WINDOWS\

*** Recherche des fichiers dans C:\WINDOWS\system32
16 Février 2008 11:45:09

Re,

Clique sur démarrer --> exécuter, tape CMD puis valide par ok.
Colle ligne par ligne en validant entre deux (par entrée) les lignes suivantes dans la fenêtre noire qui apparaît.
cd \
rd /s /q autorun.inf


**********

Désinstalle avast, redémarre et supprime ~~>C:\Program Files\Alwil Software

Télécharge ccleaner (>>tuto à lire !<<), tu download «the latest version » puis installe le en décochant - Ajouter la Barre d'Outils Yahoo! CCleaner
Puis lance le nettoyage, puis fais chercher des erreurs et sauvegardes si tu le souhaites.

Télécharge et installe Antivir. (tuto)
Pourquoi changer ? Avast vs Antivir
Vérifie qu’il soit bien à jour ! Fais une analyse complète, poste le rapport.

*********

Télécharge AVG Anti-Spyware Installes-le.
Si le lien ne fonctionne pas : >Clique ici<
Lance AVG et fais une mise à jour.
Clique sur le bouton Analyse (de la barre d'outils)
Puis sur l'onglet comment réagir, clique sur Actions recommandées. Choisis Quarantaine.
Ne fais pas d’analyse pour le moment.
Redémarre en mode sans échec
/!\ Ne jamais démarrer en mode sans échec via MSCONFIG /!\
Relance Avg.
Reviens à l'onglet Analyse. Clique sur Analyse complète du système.
A la fin du scan, choisis l'option " Appliquer toutes les actions " en bas.
Clique sur "Enregistrer le rapport". Ceci génère un rapport qui se trouve dans le dossier Reports du dossier d'AVG Anti-Spyware.
Poste le ici.
17 Février 2008 14:30:32

voici le scan antivir... merci!

AntiVir PersonalEdition Classic
Report file date: dimanche 17 février 2008 10:58

Scanning for 1110678 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: NOM-7CDEC717282

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 09:57:40
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 08/02/2008 09:57:40
ANTIVIR3.VDF : 7.0.2.148 201216 Bytes 15/02/2008 09:57:40
AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 17/02/2008 09:57:42
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 17/02/2008 09:57:42
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: dimanche 17 février 2008 10:58

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ntvdm.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '26' files ).


Starting the file scan:

Begin scan in 'C:\' <427646>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\fichiers téléchargés\VideoAccessCodecInstall.exe
[DETECTION] Contains detection pattern of the dropper DR/Zlob.Gen
[INFO] The file was moved to '481c107c.qua'!
C:\Program Files\Macrogaming\SweetIM\mgcommunication.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '481b164e.qua'!
C:\Program Files\OneClick\OneClick.exe
[DETECTION] Is the Trojan horse TR/Dldr.ClickMe.A.3
[INFO] The file was moved to '481d1eef.qua'!
C:\QooBox\Quarantine\catchme2008-01-30_142904.09.zip
[0] Archive type: ZIP
--> cbxwvut.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482c2444.qua'!
C:\QooBox\Quarantine\C\Program Files\ShoppingReport\Uninst.exe.vir
[DETECTION] Contains detection pattern of the dropper DR/MartShop.2
[INFO] The file was moved to '48212454.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\awvvu.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482e245f.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\cbxwvut.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4830244c.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP524\A0210791.exe
[DETECTION] Contains detection pattern of the dropper DR/180Solutions.BJ.9
[INFO] The file was moved to '47ea2cb2.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP570\A0232757.exe
[DETECTION] Contains detection pattern of the dropper DR/180Solutions.BJ.9
[INFO] The file was moved to '47ea2d9d.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP590\A0252175.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47ea2e0a.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP597\A0254768.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47ea2e1b.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP604\A0262798.dll
[DETECTION] Is the Trojan horse TR/Zlob.DCG
[INFO] The file was moved to '47ea2e6c.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP604\A0262799.dll
[DETECTION] Is the Trojan horse TR/Zlob.DCH
[INFO] The file was moved to '47ea2e6e.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP604\A0262808.dll
[DETECTION] Is the Trojan horse TR/Zlob.DCG
[INFO] The file was moved to '47ea2e72.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP604\A0262809.dll
[DETECTION] Is the Trojan horse TR/Zlob.DCH
[INFO] The file was moved to '47ea2e74.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP606\A0263885.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47ea2e78.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP606\A0263887.exe
[DETECTION] Contains detection pattern of the dropper DR/MartShop.2
[INFO] The file was moved to '47ea2e7a.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP606\A0263894.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47ea2e7c.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP624\A0272358.exe
[DETECTION] Contains detection pattern of the dropper DR/Zlob.Gen
[INFO] The file was moved to '47ea2eba.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP624\A0272360.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47ea2ebd.qua'!
C:\System Volume Information\_restore{DA7FD61A-8A4C-431C-8627-E9069FBA0753}\RP624\A0272362.exe
[DETECTION] Is the Trojan horse TR/Dldr.ClickMe.A.3
[INFO] The file was moved to '47ea2ec0.qua'!


End of the scan: dimanche 17 février 2008 14:11
Used time: 3:13:32 min

The scan has been done completely.

17317 Scanning directories
772980 Files were scanned
19 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
0 files were deleted
0 files were repaired
21 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
772961 Files not concerned
14958 Archives were scanned
2 Warnings
20 Notes

17 Février 2008 14:50:55

Re,

Désinstalle via ajout/suppr de programmes :
  • Macromaging
  • SweetIM
  • One Click

    Supprime dans "C:\Program Files" les dossiers suivants :
  • C:\Program Files\Macrogaming
  • C:\Program Files\OneClick

    *****

    Attends la suite ;) 
    Tom's guide dans le monde
    • Allemagne
    • Italie
    • Irlande
    • Royaume Uni
    • Etats Unis
    Suivre Tom's Guide
    Inscrivez-vous à la Newsletter
    • ajouter à twitter
    • ajouter à facebook
    • ajouter un flux RSS