
Infected with the win32:BHO-KD [Trj] trojan

Tags:
  • Trojan
  • Security
Last reply: in Security and viruses
15 January 2008 12:00:10

Hello all. I'm infected with the win32:BHO-KD trojan, which refuses to be cleaned.
I'm attaching a HijackThis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:45, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
D:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\RaUI.exe
C:\Program Files\Philips\VOIP080\VOIP080.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\explorer.exe
D:\Documents and Settings\Administrateur\Mes documents\telechargement\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.ircfast2.com/index.php?rvs=hompag
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {246665B1-C07F-4A5D-BBA7-204CB0C46262} - C:\WINDOWS\system32\comctl3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Free Download Manager] D:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O4 - Global Startup: VOIP080.lnk = C:\Program Files\Philips\VOIP080\VOIP080.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\IMVU\Run IMVU.lnk
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{554ABAA2-6116-4FFA-B801-4485FE285301}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe

--
End of file - 6835 bytes

EDIT: I forgot to mention that avast only detects the virus when Windows Explorer is opened.


15 January 2008 12:11:10

Hello,

Disable your resident protections (antivirus, Spybot...)!

  • Download Combofix (sUBs) to your Desktop.
  • Double-click combofix.exe to launch it.
  • Press the 1 key (Yes) to start the scan.
  • When the scan completes, a report will appear. Post that report in your next reply.
    15 January 2008 13:02:07

    Here is the ComboFix report

    ComboFix 08-01-09.2 - Administrateur 2008-01-15 12:50:03.2 - NTFSx86
    Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.564 [GMT 1:00]
    Running from: D:\Documents and Settings\Administrateur\Mes documents\telechargement\ComboFix.exe
    .

    ((((((((((((((((((((((((((((( Fichiers créés 2007-12-15 to 2008-01-15 ))))))))))))))))))))))))))))))))))))
    .

    2008-01-15 12:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-18 02:35 . 2007-12-18 02:37 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\U3
    2007-12-17 20:31 . 2007-12-17 20:31 <REP> d-------- C:\Program Files\Nicolas MERLET

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-15 11:50 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Free Download Manager
    2008-01-15 11:49 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Skype
    2008-01-06 16:59 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\LimeWire
    2007-12-17 19:13 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-12 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
    2007-12-10 05:44 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Azureus
    2007-12-10 05:12 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\vlc
    2007-12-10 04:30 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\IMVU
    2007-12-06 18:57 19,456 ----a-w C:\WINDOWS\system32\drivers\wfhxlxdc.dat
    2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-11-28 11:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-27 16:39 --------- d-----w C:\Program Files\Google
    2007-11-23 11:02 --------- d-----w C:\Program Files\Guitar FX BOX 2.6
    2007-11-19 20:27 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2007-11-19 20:27 --------- d-----w C:\Program Files\RALINK
    .

    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{246665B1-C07F-4A5D-BBA7-204CB0C46262}]
    2004-08-04 01:54 92416 --a------ C:\WINDOWS\system32\comctl3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
    "SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 17:45 1052672]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44 196608]
    "Free Download Manager"="D:\Program Files\Free Download Manager\fdm.exe" [2006-08-20 23:24 2068527]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-06-26 14:53 20005928]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:54 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-11 10:15 83968]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]
    "avast!"="D:\Program Files\Alwil Software\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

    C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage\
    Yahoo! Widget Engine.lnk - D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-03-22 23:46:00]

    C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage\
    Yahoo! Widget Engine.lnk - D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-03-22 23:46:00]

    C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage\
    Yahoo! Widget Engine.lnk - D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-03-22 23:46:00]

    C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
    Ralink Wireless Utility.lnk - C:\WINDOWS\RaUI.exe [2007-09-30 20:42:30]
    VOIP080.lnk - C:\Program Files\Philips\VOIP080\VOIP080.exe [2006-06-29 08:47:46]

    R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys [2004-10-23 08:01]
    R0 xhpfycsx;xhpfycsx;C:\WINDOWS\system32\drivers\wfhxlxdc.dat []
    R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys [2004-10-23 08:01]
    R2 PDSched;PDScheduler;"D:\Program Files\Raxco\PerfectDisk\PDSched.exe" [2004-11-01 11:56]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    \Shell\AutoRun\command - K:\LaunchU3.exe -a

    *Newly Created Service* - PROCEXP90
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-15 12:51:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2008-01-15 12:53:29
    ComboFix-quarantined-files.txt 2008-01-15 11:52:33
    ComboFix2.txt 2008-01-15 11:46:27
    15 January 2008 13:06:14

    Re,

    Disable your resident protections (antivirus...)!
    Copy (Ctrl+C) the text in the box below:

    Driver::
    xhpfycsx

    File::
    C:\WINDOWS\system32\comctl3.dll
    C:\WINDOWS\system32\drivers\wfhxlxdc.dat

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{246665B1-C07F-4A5D-BBA7-204CB0C46262}]


    Open Notepad and paste (Ctrl+V) the text you just copied.
    Save this file under the name CFScript.txt.

    Now drag the CFScript.txt file onto Combofix.exe as shown below:


    This will relaunch Combofix; press 1 and confirm. After the reboot, post the contents of the Combofix.txt report along with a HijackThis report.
    NOTE: If there is no reboot, post the requested reports anyway.
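The triage that the helper did by eye on the first HijackThis log (an unnamed O2 BHO loading a DLL from system32, an orphan BHO with no file, a hijacked IE start page) and on the ComboFix load points (a randomly named R0 driver service backed by a .dat file with no timestamp), followed by the CFScript built from those findings, as an added example that is not part of the original thread and is not code from the HijackThis or ComboFix authors. The sample lines are constructed from the entries posted above; the TRUSTED_HOSTS allowlist, the Finding class and the triage/build_cfscript names are mine. The Registry:: key uses ComboFix's own `~` shorthand for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, exactly as it appears in the helper's script.

```python
"""Triage HijackThis / ComboFix lines and emit a CFScript (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: a site-specific allowlist of acceptable IE start/search-page hosts.
TRUSTED_HOSTS = {"www.google.fr", "www.google.com", "www.msn.com"}
# ComboFix's "~" shorthand for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"

HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
HJT_PAGE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<url>\S+)$")
# ComboFix load-point line:  R0 svc;display;image [timestamp]   (image may be quoted)
CF_DRIVER = re.compile(r'^R\d (?P<svc>[^;]+);(?P<display>[^;]*);"?(?P<image>[^"\[]+?)"? \[(?P<ts>[^\]]*)\]$')

# Constructed sample lines, copied in shape from the logs posted in this thread.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.ircfast2.com/index.php?rvs=hompag
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {246665B1-C07F-4A5D-BBA7-204CB0C46262} - C:\WINDOWS\system32\comctl3.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
""".strip()
COMBOFIX_SAMPLE = r"""
R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys [2004-10-23 08:01]
R0 xhpfycsx;xhpfycsx;C:\WINDOWS\system32\drivers\wfhxlxdc.dat []
R2 PDSched;PDScheduler;"D:\Program Files\Raxco\PerfectDisk\PDSched.exe" [2004-11-01 11:56]
""".strip()


@dataclass
class Finding:
    source: str                              # "hjt" or "combofix"
    line: str                                # the log line that triggered it
    reason: str
    driver: Optional[str] = None             # service name for the Driver:: section
    files: List[str] = field(default_factory=list)     # paths for the File:: section
    reg_keys: List[str] = field(default_factory=list)  # keys for Registry:: as [-key]


def triage_hjt(text: str) -> List[Finding]:
    """Flag unnamed/orphan BHOs and start/search pages on untrusted hosts."""
    out = []
    for line in text.splitlines():
        m = HJT_BHO.match(line)
        if m:
            name, clsid, path = m.group("name", "clsid", "path")
            key = BHO_KEY + "\\" + clsid
            if path == "(no file)":
                out.append(Finding("hjt", line, "orphan BHO CLSID with no DLL on disk", reg_keys=[key]))
            elif name == "(no name)":
                out.append(Finding("hjt", line, "unnamed BHO loading " + path, files=[path], reg_keys=[key]))
            continue
        m = HJT_PAGE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname
            if host not in TRUSTED_HOSTS:
                out.append(Finding("hjt", line, "IE %s points at untrusted host %s" % (m.group("value").strip(), host)))
    return out


def triage_combofix(text: str) -> List[Finding]:
    """Flag driver services whose image is not a .sys under drivers\\ or has no timestamp."""
    out = []
    for line in text.splitlines():
        m = CF_DRIVER.match(line)
        if not m:
            continue
        svc, image, ts = m.group("svc", "image", "ts")
        in_drivers = "\\drivers\\" in image.lower()
        if (in_drivers and not image.lower().endswith(".sys")) or not ts:
            out.append(Finding("combofix", line, "driver %s backed by %s (timestamp %r)" % (svc, image, ts),
                               driver=svc, files=[image]))
    return out


def triage(hjt_text: str, combofix_text: str) -> List[Finding]:
    return triage_hjt(hjt_text) + triage_combofix(combofix_text)


def build_cfscript(findings: List[Finding]) -> str:
    """Render findings as a CFScript: Driver::, File::, Registry:: (order-preserving, de-duplicated)."""
    drivers = list(dict.fromkeys(f.driver for f in findings if f.driver))
    files = list(dict.fromkeys(p for f in findings for p in f.files))
    keys = list(dict.fromkeys(k for f in findings for k in f.reg_keys))
    sections = []
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    if files:
        sections.append("File::\n" + "\n".join(files))
    if keys:
        sections.append("Registry::\n" + "\n".join("[-%s]" % k for k in keys))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(HJT_SAMPLE, COMBOFIX_SAMPLE)
    for f in found:
        print("[%s] %s\n    %s" % (f.source, f.reason, f.line))
    print()
    print(build_cfscript(found))
```

Run on the constructed sample it reproduces the helper's script (xhpfycsx, comctl3.dll, wfhxlxdc.dat and the 246665B1 BHO key) and additionally lists the orphan 7E853D72 key; the Acrobat BHO, Defrag32b.sys and PDSched.exe are left alone. The start-page hijack is reported but not scripted, since it is an HKCU value you would fix from HijackThis rather than delete.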
    15 January 2008 18:53:26

    Here is the ComboFix report (I hope the resident protection was properly disabled this time)

    ComboFix 08-01-09.2 - Administrateur 2008-01-15 18:30:36.3 - NTFSx86
    Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.546 [GMT 1:00]
    Running from: D:\Documents and Settings\Administrateur\Mes documents\telechargement\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrateur\Bureau\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\comctl3.dll
    C:\WINDOWS\system32\drivers\wfhxlxdc.dat
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\comctl3.dll
    C:\WINDOWS\system32\drivers\wfhxlxdc.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_XHPFYCSX
    -------\xhpfycsx


    ((((((((((((((((((((((((((((( Fichiers créés 2007-12-15 to 2008-01-15 ))))))))))))))))))))))))))))))))))))
    .

    2008-01-15 12:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-18 02:35 . 2007-12-18 02:37 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\U3
    2007-12-17 20:31 . 2007-12-17 20:31 <REP> d-------- C:\Program Files\Nicolas MERLET

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-15 17:33 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Free Download Manager
    2008-01-15 17:27 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Skype
    2008-01-06 16:59 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\LimeWire
    2007-12-17 19:13 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-12 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
    2007-12-10 05:44 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Azureus
    2007-12-10 05:12 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\vlc
    2007-12-10 04:30 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\IMVU
    2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-11-28 11:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-27 16:39 --------- d-----w C:\Program Files\Google
    2007-11-23 11:02 --------- d-----w C:\Program Files\Guitar FX BOX 2.6
    2007-11-19 20:27 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2007-11-19 20:27 --------- d-----w C:\Program Files\RALINK
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-15_12.45.02,40 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-15 11:41:58 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-15 17:30:26 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-15 11:41:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-15 17:30:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-15 11:41:58 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-15 17:30:26 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-15 11:41:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-15 17:30:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-15 11:41:58 5,382,144 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-15 17:30:27 5,419,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-15 11:41:58 258,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-15 17:30:27 258,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2008-01-15 17:36:59 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_640.dat
    .
    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
    "SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 17:45 1052672]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44 196608]
    "Free Download Manager"="D:\Program Files\Free Download Manager\fdm.exe" [2006-08-20 23:24 2068527]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-06-26 14:53 20005928]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:54 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-11 10:15 83968]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]
    "avast!"="D:\Program Files\Alwil Software\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

    R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys [2004-10-23 08:01]
    R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys [2004-10-23 08:01]
    R2 PDSched;PDScheduler;"D:\Program Files\Raxco\PerfectDisk\PDSched.exe" [2004-11-01 11:56]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    \Shell\AutoRun\command - K:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-15 18:37:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-15 18:41:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-15 17:40:50
    ComboFix2.txt 2008-01-15 11:53:30
    ComboFix3.txt 2008-01-15 11:46:27


    And then the HijackThis report

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:46, on 15/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    D:\Program Files\Raxco\PerfectDisk\PDSched.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\SuperCopier2\SuperCopier2.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\alg.exe
    D:\Program Files\Free Download Manager\fdm.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\RaUI.exe
    C:\Program Files\Philips\VOIP080\VOIP080.exe
    C:\WINDOWS\system32\notepad.exe
    D:\Documents and Settings\Administrateur\Mes documents\telechargement\HiJackThis.exe
    D:\Program Files\Maxthon\Maxthon.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.ircfast2.com/index.php?rvs=hompag
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program Files\Free Download Manager\iefdmcks.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Free Download Manager] D:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User 'Default user')
    O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
    O4 - Global Startup: VOIP080.lnk = C:\Program Files\Philips\VOIP080\VOIP080.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\IMVU\Run IMVU.lnk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{554ABAA2-6116-4FFA-B801-4485FE285301}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\Skype4COM.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe

    --
    End of file - 6247 bytes
    15 January 2008 21:27:24

    Here is the AntiVir report (which, just like that, found other junk that avast wasn't finding ... long live avast)



    AntiVir PersonalEdition Classic
    Report file date: mardi 15 janvier 2008 19:34

    Scanning for 1041443 virus strains and unwanted programs.

    Licensed to: Avira AntiVir PersonalEdition Classic
    Serial number: 0000149996-ADJIE-0001
    Platform: Windows XP
    Windows version: (Service Pack 2) [5.1.2600]
    Username: SYSTEM
    Computer name: PUMBA

    Version information:
    BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
    AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
    AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
    LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
    LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
    ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
    ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 18:34:00
    ANTIVIR2.VDF : 7.0.2.0 948736 Bytes 15/01/2008 18:34:00
    ANTIVIR3.VDF : 7.0.2.1 2048 Bytes 15/01/2008 18:34:00
    AVEWIN32.DLL : 7.6.0.48 3080704 Bytes 15/01/2008 18:34:00
    AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
    AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
    AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
    AVPACK32.DLL : 7.6.0.3 360488 Bytes 15/01/2008 18:34:00
    AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
    AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
    AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
    NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
    RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
    RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

    Configuration settings for the scan:
    Jobname..........................: Complete system scan
    Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: off
    Scan boot sector.................: on
    Boot sectors.....................: D:,
    Scan memory......................: on
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: All files
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: mardi 15 janvier 2008 19:34

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
    Scan process 'RaUI.exe' - '1' Module(s) have been scanned
    Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'Skype.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'fdm.exe' - '1' Module(s) have been scanned
    Scan process 'SuperCopier2.exe' - '1' Module(s) have been scanned
    Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'soundman.exe' - '1' Module(s) have been scanned
    Scan process 'nvraidservice.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'PDSched.exe' - '1' Module(s) have been scanned
    Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    36 processes with 36 modules were scanned

    Start scanning boot sectors:
    Boot sector 'C:\'
    [NOTE] No virus was found!
    Boot sector 'D:\'
    [NOTE] No virus was found!

    Starting to scan the registry.
    The registry was scanned ( '33' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-41d6c211
    [0] Archive type: ZIP
    --> BnnnnBaa.class
    [DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
    --> VaannnaaBaa.class
    [DETECTION] Is the Trojan horse TR/ClassLoader
    --> Dnnny.class
    [DETECTION] Contains detection pattern of the Java virus JAVA/Exploit.Bytverify.5
    --> Bnnnnn.class
    [DETECTION] Is the Trojan horse TR/Java.ClassLoader.AS
    --> Den.class
    [DETECTION] Is the Trojan horse TR/Exploit.Bytverify
    --> Din.class
    [DETECTION] Is the Trojan horse TR/Exploit.Bytverify.A
    --> Dun.class
    [DETECTION] Is the Trojan horse TR/Exploit.Bytverify.B
    [INFO] The file was moved to '47bffd58.qua'!
    C:\QooBox\Quarantine\catchme2008-01-15_183726.95.zip
    [0] Archive type: ZIP
    --> comctl3.dll
    [DETECTION] Is the Trojan horse TR/BHO.abo.5
    --> wfhxlxdc.dat
    [DETECTION] Is the Trojan horse TR/Rootkit.Gen
    [INFO] The file was moved to '480103f8.qua'!
    C:\QooBox\Quarantine\C\WINDOWS\love30.zip.vir
    [0] Archive type: ZIP
    --> love30.scr
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '4803040c.qua'!
    C:\QooBox\Quarantine\C\WINDOWS\system32\comctl3.dll.vir
    [DETECTION] Is the Trojan horse TR/Trash.Gen
    [INFO] The file was moved to '47fa0411.qua'!
    C:\System Volume Information\_restore{077C2248-D735-4F4C-AA78-96D9E37D85D3}\RP3\A0000072.dll
    [DETECTION] Is the Trojan horse TR/Trash.Gen
    [INFO] The file was moved to '47bd03dc.qua'!
    C:\WINDOWS\system32\comctl3.1
    [DETECTION] Is the Trojan horse TR/Spy.BZub.NGP
    [INFO] The file was moved to '47fa0612.qua'!
    C:\WINDOWS\system32\drivers\sptd.sys
    [WARNING] The file could not be opened!
    Begin scan in 'D:\' <Disque local>


    End of the scan: mardi 15 janvier 2008 21:10
    Used time: 1:35:36 min

    The scan has been done completely.

    6147 Scanning directories
    241918 Files were scanned
    12 viruses and/or unwanted programs were found
    1 Files were classified as suspicious:
    0 files were deleted
    0 files were repaired
    6 files were moved to quarantine
    0 files were renamed
    2 Files cannot be scanned
    241906 Files not concerned
    2031 Archives were scanned
    2 Warnings
    49 Notes




    PS: thanks a lot angeldark for all the help you're giving me
    15 January 2008 21:39:28

    Post a new HijackThis report.
    15 January 2008 21:46:39

    Here is the requested report.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:46, on 15/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    D:\Program Files\Raxco\PerfectDisk\PDSched.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvraidservice.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\SuperCopier2\SuperCopier2.exe
    D:\Program Files\Free Download Manager\fdm.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\RaUI.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Maxthon\Maxthon.exe
    C:\WINDOWS\system32\rsvp.exe
    D:\Documents and Settings\Administrateur\Mes documents\telechargement\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.ircfast2.com/index.php?rvs=hompag
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program Files\Free Download Manager\iefdmcks.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Free Download Manager] D:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User 'Default user')
    O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
    O4 - Global Startup: VOIP080.lnk = C:\Program Files\Philips\VOIP080\VOIP080.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\IMVU\Run IMVU.lnk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{554ABAA2-6116-4FFA-B801-4485FE285301}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0F81E9F3-B524-4F66-9106-7E392D8CC7F8}: NameServer = 192.168.1.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\Skype4COM.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe

    --
    End of file - 6337 bytes
    15 January 2008 21:49:09

    Is it better?
    15 January 2008 21:53:08

    Yes, it's much better, I don't get any more alerts now ^^

    Thank you very much!!! Thanks infinitely!!!!
    16 January 2008 13:03:14

    Happy surfing :)

  • Download ToolsCleaner to your Desktop.
  • Click "Recherche" (Search) and let the scan finish.
  • Click "Suppression" (Delete) to finalize.
  • Click "Quitter" (Quit) so that the report can be created.
  • Post the report (TCleaner.txt), which is located at the root of your hard drive (C:\)

    Disable and then re-enable System Restore: see the help page

    Now add [Résolu] to the title. To do this:
    * In your first message, click the "Editer" (Edit) button
    * Add the tag [Résolu] to the title
    * Then click "Valider votre message" (Submit your message)

    Read the guide on prevention and protection, so that you don't run into this kind of problem again, by clicking on the image below:
