Win32 infection + wowfx.dll problem

Tags:
  • Security
Last reply: in Security and viruses
15 December 2007 11:21:05

Hello,

I am turning to you, the experts, through this forum. I am a computer novice and I would like a personalised diagnosis (I have seen similar topics on the forum, but unresolved ones).

Since yesterday I have been having serious problems with my computer. My avast antivirus keeps telling me I am infected with Win32 viruses. I put the infected files in quarantine, but nothing helps!
I get messages (I think they come from spyware) from "Windows antivirus" telling me about the infection and advising me to download a spyware remover (I am suspicious!).

Also, I get pop-ups every 30 seconds with the message "The application or DLL C:\WINDOWS\system32\wowfx.dll is not a valid Windows image. Please check this against your installation diskette."

My computer is very unstable. I have trouble getting onto the internet. Explorer closes, so I even wrote this topic in Word and pasted it in, because I got fed up with typing the same message every 10 minutes!


Here is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 00:23:03, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\shell.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\system32\newmaxxsv234.exe
C:\WINDOWS\taskmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\DOCUME~1\PROPRI~1\LOCALS~1\Temp\winlogon.exe
C:\WINDOWS\ntfyapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Proprietaire\Bureau\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.rd.yahoo.com/customize/ie/defaults/stp/ymsgr6...*http://fr.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {468942fe-1005-4739-b875-30dcbb59ef03} - C:\WINDOWS\system32\kbdook.dll (file missing)
O2 - BHO: Google Module - {531BE052-76FC-4b05-9CCD-AF6AA265113C} - strike12.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|DEFAULT=cnx|PARAM=
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [StartUp] C:\WINDOWS\trayicons.exe /optimize speed
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\PROPRI~1\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [ntfyapp] C:\WINDOWS\ntfyapp.exe
O4 - Startup: findfast.exe
O4 - Startup: infos.exe
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: E-Compagnon.lnk = C:\Program Files\ColiPoste\e-COMO\e-COMO.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?94e8d2f2e1024c45b191546448b26f36
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?94e8d2f2e1024c45b191546448b26f36
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&loca...
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/081b8880e1721d142c00/netzip...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photoservice.com/aurigma/ImageUploader4.cab
O16 - DPF: {983AB2CC-3D50-11D9-ADFE-00062919A34C} (ActiveXUpload.UserCtrl) - http://www.photoservice.com/activeX/newUpload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kbdook - kbdook.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZZZsvc_lich - Unknown owner - C:\lich.exe

And the SmitFraudFix report:

SmitFraudFix v2.267

Rapport fait à 23:51:53,59, 14/12/2007
Executé à partir de C:\Documents and Settings\Proprietaire\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

Fichier hosts corrompu !

10.18.250.4 download.microsoft.com
10.18.250.4 downloads.microsoft.com
10.18.250.4 go.microsoft.com
10.18.250.4 microsoft.com
10.18.250.4 msdn.microsoft.com
10.18.250.4 office.microsoft.com
10.18.250.4 support.microsoft.com
10.18.250.4 windowsupdate.microsoft.com
10.18.250.4 www.microsoft.com
10.18.250.4 pandasoftware.com
10.18.250.4 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\shell.exe PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\bronto.dll PRESENT !
C:\WINDOWS\system32\printer.exe PRESENT !
C:\WINDOWS\system32\proper.exe PRESENT !
C:\WINDOWS\system32\spoolvs.exe PRESENT !
C:\WINDOWS\system32\winter.exe PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Proprietaire


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Proprietaire\Application Data

C:\Documents and Settings\Proprietaire\Application Data\Install.dat PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

C:\DOCUME~1\PROPRI~1\MENUDM~1\PROGRA~1\DMARRA~1\infos.exe PRESENT !
C:\DOCUME~1\PROPRI~1\MENUDM~1\PROGRA~1\DMARRA~1\findfast.exe PRESENT !
C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\autos.exe PRESENT !
C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\autorun.exe PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PROPRI~1\Favoris


»»»»»»»»»»»»»»»»»»»»»»»» Bureau


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues


»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\wowfx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FB97B55-37BA-4364-8092-EA59E3C19665}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FB97B55-37BA-4364-8092-EA59E3C19665}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252


»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin


Thank you very much in advance! I hope this sheds some light on my case :(
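As an added triage example (not from this thread, nor from HijackThis or any of the fix tools mentioned here): a small Python script that parses lines in the HijackThis format shown above and flags the classes of entry the helpers act on, namely an extra system.ini Shell= executable, Run entries launched from a Temp folder or borrowing a system process name, DisableRegedit policy, AppInit_DLLs, Winlogon Notify packages outside system32, and unknown-owner services outside Windows or Program Files. The sample lines are a constructed subset of the log in this post and the heuristics are illustrative, not a complete malware detector.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99 format: a subset of the entries
# posted in this thread, one line per log entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\PROPRI~1\LOCALS~1\Temp\winlogon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ZZZsvc_lich - Unknown owner - C:\lich.exe
"""

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
EXE_PATH = re.compile(r'^"?(?P<p>.*?\.exe)', re.IGNORECASE)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(windows|program files|progra~1)\\", re.IGNORECASE)
# Names of genuine Windows processes that malware likes to borrow; the real
# ones live in system32, so the same name elsewhere deserves a look.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "services.exe", "spoolsv.exe"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_entry(line: str) -> Optional[Finding]:
    """Apply one heuristic per HijackThis section; return a Finding or None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reason = None
    if sec == "F2" and "Shell=" in body:
        # system.ini Shell= should be exactly Explorer.exe; anything appended
        # is started alongside the desktop at every logon.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            reason = "system.ini Shell= starts an extra executable next to Explorer.exe"
    elif sec == "O4" and "\\Run: [" in body:
        target = body.split("] ", 1)[1]
        pm = EXE_PATH.match(target)
        path = pm.group("p") if pm else target
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\temp\\" in path.lower():
            reason = "Run entry launches an executable from a Temp folder"
        elif name in SYSTEM_NAMES and not SYSTEM32.match(path):
            reason = "Run entry borrows a Windows system process name outside system32"
    elif sec == "O7" and "DisableRegedit=1" in body:
        reason = "policy disables Registry Editor (common malware self-protection)"
    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        if body[len("AppInit_DLLs:"):].strip():
            # Every process that loads user32.dll also loads this DLL; a bad or
            # missing image here is what produces the "not a valid Windows
            # image" dialog for each newly started process.
            reason = "AppInit_DLLs injects a DLL into every user32-based process"
    elif sec == "O20" and body.startswith("Winlogon Notify:"):
        path = body.split(" - ", 1)[1]
        if not SYSTEM32.match(path):
            reason = "Winlogon Notify package outside system32 (runs inside winlogon at logon)"
    elif sec == "O23" and body.startswith("Service: "):
        fields = body[len("Service: "):].split(" - ")
        if len(fields) >= 3:
            owner, path = fields[1], " - ".join(fields[2:]).strip('"')
            if owner == "Unknown owner" and not TRUSTED_ROOTS.match(path):
                reason = "service with unknown owner outside Windows/Program Files"
    return Finding(sec, reason, line.strip()) if reason else None


def triage(log: str) -> List[Finding]:
    """Run check_entry over every line of a HijackThis log and keep the hits."""
    return [f for f in (check_entry(l) for l in log.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```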


15 December 2007 11:27:35

Hi,

You are heavily infected.
We are going to do a thorough clean-up.

Restart in Safe Mode
/!\ Never boot into Safe Mode via MSCONFIG /!\
Run SmitfraudFix again.
This time choose option 2. (Yes to all questions)

If you need to restart your computer, do so.
Post the report located at C:\rapport.txt.

+++++++++++++

Download SDFix (by Andy Manchesta)

Save it to your desktop.

Run it.
Click Install so that it extracts itself.

Restart in Safe Mode
/!\ Never boot into Safe Mode via MSCONFIG /!\

Launch SDFix.
Double-click RunThis.bat. (The .bat extension may not be shown)
Press Y to start it.

You will be asked to press a key to reboot; do so.
The reboot will probably take a bit longer than usual.
Once your desktop appears, it will display Finished.

Press a key.

A report is generated; post it in your reply.
It can also be found in the SDFix folder as Report.txt.

++++++++++++++++++

Download Combofix (by sUBs) to your desktop.

Temporarily disable all resident protection! (Antivirus, antispyware...)
Double-click combofix.exe.
Press the 1 key (Yes) to start the scan.
When the scan is complete, a report will appear. Post that report in your next reply.

The report is located here: C:\Combofix.txt

+++++++++++++

Then post a new HijackThis log.
15 December 2007 13:21:01

Thanks for the reply... I suspected it was critical :(
It took me a while because I cannot stay online at home, so I am at work, writing from my Mac Pro...

I tried to run SmitFraudFix... option 2. Without success!
It displays... terminating processes (or something like that) and stays at that stage the whole time (I waited about 30 minutes; maybe it takes longer?).
Maybe the wowfx.dll pop-ups I keep getting are interrupting the program?

I will try again from work.
I will keep you posted. Thank you very much for answering!
I hope we will get there together!!
15 December 2007 13:54:27

Same thing... still "stopping processes"... I do not even know whether the program is running!

Any idea?
Thanks in advance anyway!
15 December 2007 14:05:22

Did you run it in Safe Mode?
Otherwise, carry on with the rest.
15 December 2007 14:17:28

Some progress... by clicking 100 times a minute I managed to close all the "wowfx.dll" windows... the registry clean-up is in progress!

I will keep you posted!
15 December 2007 14:37:30

SmitFraudFix has now run all the way through... however, I went back to normal mode and I no longer have a desktop wallpaper...

Here is the report... moving on to the next step!

SmitFraudFix v2.267

Rapport fait à 14:09:32,99, 15/12/2007
Executé à partir de C:\Documents and Settings\Proprietaire\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

C:\WINDOWS\shell.exe supprimé
C:\WINDOWS\system32\bronto.dll supprimé
C:\WINDOWS\system32\printer.exe supprimé
C:\WINDOWS\system32\proper.exe supprimé
C:\WINDOWS\system32\spoolvs.exe supprimé
C:\WINDOWS\system32\winter.exe supprimé
C:\Documents and Settings\Proprietaire\Application Data\Install.dat supprimé
C:\DOCUME~1\PROPRI~1\MENUDM~1\PROGRA~1\DMARRA~1\infos.exe supprimé
C:\DOCUME~1\PROPRI~1\MENUDM~1\PROGRA~1\DMARRA~1\findfast.exe supprimé
C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\autorun.exe supprimé
C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\autos.exe supprimé

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FB97B55-37BA-4364-8092-EA59E3C19665}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FB97B55-37BA-4364-8092-EA59E3C19665}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2FB97B55-37BA-4364-8092-EA59E3C19665}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252


»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin
15 December 2007 15:24:43

Carry on ;)
15 December 2007 15:32:59

I am in the middle of SDFix...
There is some improvement... I no longer get the Windows antivirus messages ;)
except for the wowfx.dll (incorrect image) ones, still as numerous, and my desktop wallpaper is gone!

Thanks for the follow-up!
15 December 2007 16:27:24

Here is my SDFix report:

SDFix: Version 1.118

Run by Proprietaire on 15/12/2007 at 15:17

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Driver
runtime
symavc32
SysLibrary
taskmon.sys
ZZZdrv_lich
ZZZsvc_lich

Path:
\??\C:\WINDOWS\system32\kernelw.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys
\??\C:\WINDOWS\system32\drivers\symavc32.sys
\??\C:\WINDOWS\system32\DefLib.sys
\??\C:\WINDOWS\system32\taskmon.sys
\??\C:\lich.sys
C:\lich.exe

Driver - Deleted
runtime - Deleted
symavc32 - Deleted
SysLibrary - Deleted
taskmon.sys - Deleted
ZZZdrv_lich - Deleted
ZZZsvc_lich - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\DLLGH8~1.EXE - Deleted
C:\Documents and Settings\All Users\Documents\Settings\bot.dll - Deleted
C:\WINDOWS\system32\away.exe.exe - Deleted
C:\autorun.inf - Deleted
C:\lich.exe - Deleted
C:\lich.sys - Deleted
C:\WINDOWS\ntfyapp.exe - Deleted
C:\WINDOWS\system32\4_exception.nls - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\conf.dat - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\newmaxxsv234.exe - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\strike12.dll - Deleted
C:\WINDOWS\system32\strike45.dll - Deleted
C:\WINDOWS\system32\taskmon.sys - Deleted
C:\WINDOWS\system32\vedxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vedxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vedxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vedxga4me1.exe - Deleted
C:\WINDOWS\taskmon.exe - Deleted



Folder C:\Documents and Settings\All Users\Documents\Settings - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 15:57:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Proprietaire\\Menu Démarrer\\Programmes\\Démarrage\\findfast.exe"="C:\\Documents and Settings\\Proprietaire\\Menu Démarrer\\Programmes\\Démarrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\autorun.exe"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Proprietaire\\Application Data\\trant.exe"="C:\\Documents and Settings\\Proprietaire\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Proprietaire\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\Proprietaire\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Proprietaire\\Menu Démarrer\\Programmes\\Démarrage\\findfast.exe"="C:\\Documents and Settings\\Proprietaire\\Menu Démarrer\\Programmes\\Démarrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\autorun.exe"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Proprietaire\\Application Data\\trant.exe"="C:\\Documents and Settings\\Proprietaire\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Proprietaire\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\Proprietaire\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 12 Dec 2007 89,088 ..SH. --- "C:\7E852180.exe"
Wed 12 Dec 2007 89,088 ..SH. --- "C:\WINDOWS\system32\shovth.exe"
Wed 12 Dec 2007 89,088 ..SH. --- "C:\WINDOWS\system32\winsn.exe"
Sat 8 Jan 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 8 Jan 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Wed 12 Dec 2007 89,088 A.SH. --- "C:\Documents and Settings\Proprietaire\Bureau\SmitfraudFix\SmitfraudFix.exe"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\778fd2fc3fe6b905e366b5ddbba384c8\BIT1.tmp"
Thu 14 Dec 2006 278,528 A.SH. --- "C:\Documents and Settings\Proprietaire\Local Settings\Temp\~rnsetup\pncrt.dll"

Finished!


Moving on to Combofix...
See you soon
15 December 2007 17:04:05

Done! No more pop-ups since my computer restarted... :)

Is it clean?


ComboFix report:

ComboFix 07-12-15.5 - Proprietaire 2007-12-15 16:41:57.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.146 [GMT 1:00]
Running from: C:\Documents and Settings\Proprietaire\Bureau\ComboFix.exe
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_install.exe
C:\Autorun.inf
C:\Documents and Settings\Proprietaire\Application Data\inst.exe
C:\Documents and Settings\Proprietaire\Application Data\printer.exe
C:\Documents and Settings\Proprietaire\Application Data\trant.exe
C:\WINDOWS\system32\av.cpl
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\wowfx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN
-------\LEGACY_FWSVC
-------\LEGACY_SYMAVC32
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\FWSvc
-------\nm
-------\vspf
-------\vspf_hk


((((((((((((((((((((((((((((( Fichiers créés 2007-11-15 to 2007-12-15 ))))))))))))))))))))))))))))))))))))
.

2007-12-15 15:13 . 2007-12-15 15:13 <REP> d----c--- C:\WINDOWS\ERUNT
2007-12-15 09:13 . 2007-12-15 09:39 1,393 --a--c--- C:\WINDOWS\imsins.BAK
2007-12-14 20:39 . 2007-12-14 20:39 <REP> d----c--- C:\VundoFix Backups
2007-12-14 19:18 . 2007-09-05 23:22 289,144 --a--c--- C:\WINDOWS\system32\VCCLSID.exe
2007-12-14 19:18 . 2007-12-13 19:40 77,824 --a--c--- C:\WINDOWS\system32\IEDFix.exe
2007-12-14 19:18 . 2003-06-05 20:13 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2007-12-14 19:18 . 2004-07-31 17:50 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2007-12-14 19:18 . 2007-10-03 23:36 25,600 --a--c--- C:\WINDOWS\system32\WS2Fix.exe
2007-12-14 17:05 . 2007-12-15 16:23 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2007-12-14 17:05 . 2007-12-14 17:05 1,409 --a--c--- C:\WINDOWS\QTFont.for
2007-12-14 17:00 . 2007-12-14 17:35 <REP> d----c--- C:\Program Files\Navilog1
2007-12-14 13:36 . 2007-12-14 13:36 <REP> d----c--- C:\d7aa925514dbb47f61b4392344e6d8b4
2007-12-14 13:18 . 2007-12-14 13:19 <REP> d----c--- C:\Program Files\CCleaner
2007-12-13 07:27 . 2007-12-15 11:50 16,127 --a--c--- C:\WINDOWS\ntfyapp.config
2007-12-12 21:57 . 2007-12-12 21:57 27,136 --a--c--- C:\WINDOWS\load.exe
2007-12-12 21:57 . 2007-12-12 21:57 14,336 --a--c--- C:\WINDOWS\system32\drivers\dcbcg.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 --a--c--- C:\WINDOWS\wsystmp_jmc.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 ---hsc--- C:\WINDOWS\system32\winsn.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 ---hsc--- C:\WINDOWS\system32\shovth.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 ---hsc--- C:\7E852180.exe
2007-12-12 21:56 . 2007-12-12 21:56 39,798 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q2.exe
2007-12-12 21:56 . 2007-12-15 16:35 28,929 --a--c--- C:\WINDOWS\system32\winsos.exe
2007-12-12 21:56 . 2007-12-12 21:56 18,294 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q7.exe
2007-12-12 21:56 . 2007-12-12 21:56 17,782 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q6.exe
2007-12-12 21:56 . 2007-12-12 21:56 16,758 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q5.exe
2007-12-12 21:56 . 2007-12-12 21:56 15,734 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q1.exe
2007-12-12 21:55 . 2007-12-12 21:55 29,184 --a--c--- C:\WINDOWS\wsystmp_fke.exe
2007-12-12 20:12 . 2007-12-12 20:12 16,384 --a--c--- C:\WINDOWS\windisk.dll
2007-12-12 19:54 . 2007-12-12 19:54 28,929 --a--c--- C:\WINDOWS\trayicons.exe
2007-12-12 19:54 . 2007-12-12 19:54 28,929 --a--c--- C:\Documents and Settings\Proprietaire\wn852.exe
2007-12-08 14:19 . 2007-12-13 22:53 <REP> d----c--- C:\Program Files\DivX
2007-12-02 10:02 . 2007-12-02 10:02 <REP> d----c--- C:\Program Files\Windows Live Favorites
2007-11-15 18:19 . 2007-11-15 18:19 <REP> d--hs---- C:\found.001

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 09:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-14 18:21 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 13:02 --------- dc----w C:\Program Files\ewido anti-malware
2007-12-13 21:53 --------- dc----w C:\Program Files\Windows Live Toolbar
2007-12-13 21:53 --------- dc----w C:\Program Files\Wanadoo Messager
2007-12-13 21:53 --------- dc----w C:\Program Files\Microsoft Works
2007-12-13 21:53 --------- dc----w C:\Program Files\MetFileRegenerator
2007-12-13 21:53 --------- dc----w C:\Program Files\K-Lite Codec Pack
2007-12-13 21:53 --------- dc----w C:\Program Files\Freeplayer
2007-12-13 21:53 --------- dc----w C:\Program Files\Easy Internet signup
2007-12-12 20:57 8,576 -c--a-w C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-12-08 04:48 --------- dc----w C:\Program Files\eMule
2007-11-18 11:52 --------- dc----w C:\Documents and Settings\Proprietaire\Application Data\Skype
2007-11-13 10:25 20,480 -c--a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-05 18:27 47,360 -c--a-w C:\Documents and Settings\Proprietaire\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{468942fe-1005-4739-b875-30dcbb59ef03}]
C:\WINDOWS\system32\kbdook.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09]
"RecordNow!"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"WOOKIT"="C:\Program Files\Wanadoo\Shell.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 22:59]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-30 09:46]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-30 09:33]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-05-03 13:01]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 18:56]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 09:32]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-04-30 12:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-09-13 06:02]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-15 16:54]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-12 21:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdook]
kbdook.dll

R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 fbxusb;Carte réseau virtuelle FreeBox USB;C:\WINDOWS\system32\DRIVERS\fbxusb32.sys
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\open\Command - C:\7E852180.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-12-05 17:52:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 15:48:00 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 16:53:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?4?8?0??P???? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\windisk.dll
.
Completion time: 2007-12-15 16:56:40 - machine was rebooted
.
2007-12-15 08:59:45 --- E O F ---



my latest HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 16:59:58, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Proprietaire\Bureau\HijackThis\HijackThis.exe
C:\WINDOWS\system32\reg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {468942fe-1005-4739-b875-30dcbb59ef03} - C:\WINDOWS\system32\kbdook.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|DEFAULT=cnx|PARAM=
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Compagnon.lnk = C:\Program Files\ColiPoste\e-COMO\e-COMO.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?94e8d2f2e1024c45b191546448b26f36
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?94e8d2f2e1024c45b191546448b26f36
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&loca...
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/081b8880e1721d142c00/netzip...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photoservice.com/aurigma/ImageUploader4.cab
O16 - DPF: {983AB2CC-3D50-11D9-ADFE-00062919A34C} (ActiveXUpload.UserCtrl) - http://www.photoservice.com/activeX/newUpload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kbdook - kbdook.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe



Verdict? Thank you for your help... it is precious to me ;)
15 December 2007 17:36:52

That's better ;)

But some of it remains.

Run SDFix again, post the report, and do the same for ComboFix.
See you soon
15 December 2007 18:38:48

here it comes ;) 

SDFix:

SDFix: Version 1.118

Run by Proprietaire on 15/12/2007 at 17:51

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\autorun.inf - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 18:03:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 12 Dec 2007 89,088 ..SH. --- "C:\7E852180.exe"
Wed 12 Dec 2007 89,088 ..SH. --- "C:\WINDOWS\system32\shovth.exe"
Wed 12 Dec 2007 89,088 ..SH. --- "C:\WINDOWS\system32\winsn.exe"
Sat 8 Jan 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 8 Jan 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Wed 12 Dec 2007 89,088 A.SH. --- "C:\Documents and Settings\Proprietaire\Bureau\SmitfraudFix\SmitfraudFix.exe"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\778fd2fc3fe6b905e366b5ddbba384c8\BIT1.tmp"

Finished!


Combofix:

ComboFix 07-12-15.5 - Proprietaire 2007-12-15 18:30:52.2 - NTFSx86
Running from: C:\Documents and Settings\Proprietaire\Bureau\ComboFix.exe
.

((((((((((((((((((((((((((((( Fichiers créés 2007-11-15 to 2007-12-15 ))))))))))))))))))))))))))))))))))))
.

2007-12-15 18:28 . 2007-12-15 18:28 93 -r-hsc--- C:\autorun.inf
2007-12-15 15:13 . 2007-12-15 15:13 <REP> d----c--- C:\WINDOWS\ERUNT
2007-12-15 09:13 . 2007-12-15 09:39 1,393 --a--c--- C:\WINDOWS\imsins.BAK
2007-12-14 20:39 . 2007-12-14 20:39 <REP> d----c--- C:\VundoFix Backups
2007-12-14 19:18 . 2007-09-05 23:22 289,144 --a--c--- C:\WINDOWS\system32\VCCLSID.exe
2007-12-14 19:18 . 2007-12-13 19:40 77,824 --a--c--- C:\WINDOWS\system32\IEDFix.exe
2007-12-14 19:18 . 2003-06-05 20:13 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2007-12-14 19:18 . 2004-07-31 17:50 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2007-12-14 19:18 . 2007-10-03 23:36 25,600 --a--c--- C:\WINDOWS\system32\WS2Fix.exe
2007-12-14 17:05 . 2007-12-15 18:28 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2007-12-14 17:05 . 2007-12-14 17:05 1,409 --a--c--- C:\WINDOWS\QTFont.for
2007-12-14 17:00 . 2007-12-14 17:35 <REP> d----c--- C:\Program Files\Navilog1
2007-12-14 13:36 . 2007-12-14 13:36 <REP> d----c--- C:\d7aa925514dbb47f61b4392344e6d8b4
2007-12-14 13:18 . 2007-12-14 13:19 <REP> d----c--- C:\Program Files\CCleaner
2007-12-13 07:27 . 2007-12-15 11:50 16,127 --a--c--- C:\WINDOWS\ntfyapp.config
2007-12-12 21:57 . 2007-12-12 21:57 27,136 --a--c--- C:\WINDOWS\load.exe
2007-12-12 21:57 . 2007-12-12 21:57 14,336 --a--c--- C:\WINDOWS\system32\drivers\dcbcg.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 --a--c--- C:\WINDOWS\wsystmp_jmc.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 ---hsc--- C:\WINDOWS\system32\winsn.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 ---hsc--- C:\WINDOWS\system32\shovth.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 ---hsc--- C:\7E852180.exe
2007-12-12 21:56 . 2007-12-12 21:56 39,798 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q2.exe
2007-12-12 21:56 . 2007-12-15 18:28 28,929 --a--c--- C:\WINDOWS\system32\winsos.exe
2007-12-12 21:56 . 2007-12-12 21:56 18,294 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q7.exe
2007-12-12 21:56 . 2007-12-12 21:56 17,782 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q6.exe
2007-12-12 21:56 . 2007-12-12 21:56 16,758 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q5.exe
2007-12-12 21:56 . 2007-12-12 21:56 15,734 --a--c--- C:\WINDOWS\system32\dllgh8jkd1q1.exe
2007-12-12 21:55 . 2007-12-12 21:55 29,184 --a--c--- C:\WINDOWS\wsystmp_fke.exe
2007-12-12 20:12 . 2007-12-12 20:12 16,384 --a--c--- C:\WINDOWS\windisk.dll
2007-12-12 19:54 . 2007-12-12 19:54 28,929 --a--c--- C:\WINDOWS\trayicons.exe
2007-12-12 19:54 . 2007-12-12 19:54 28,929 --a--c--- C:\Documents and Settings\Proprietaire\wn852.exe
2007-12-08 14:19 . 2007-12-13 22:53 <REP> d----c--- C:\Program Files\DivX
2007-12-02 10:02 . 2007-12-02 10:02 <REP> d----c--- C:\Program Files\Windows Live Favorites
2007-11-15 18:19 . 2007-11-15 18:19 <REP> d--hs---- C:\found.001

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 09:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-14 18:21 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 13:02 --------- dc----w C:\Program Files\ewido anti-malware
2007-12-13 21:53 --------- dc----w C:\Program Files\Windows Live Toolbar
2007-12-13 21:53 --------- dc----w C:\Program Files\Wanadoo Messager
2007-12-13 21:53 --------- dc----w C:\Program Files\Microsoft Works
2007-12-13 21:53 --------- dc----w C:\Program Files\MetFileRegenerator
2007-12-13 21:53 --------- dc----w C:\Program Files\K-Lite Codec Pack
2007-12-13 21:53 --------- dc----w C:\Program Files\Freeplayer
2007-12-13 21:53 --------- dc----w C:\Program Files\Easy Internet signup
2007-12-12 20:57 8,576 -c--a-w C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-12-08 04:48 --------- dc----w C:\Program Files\eMule
2007-11-18 11:52 --------- dc----w C:\Documents and Settings\Proprietaire\Application Data\Skype
2007-11-13 10:25 20,480 -c--a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,293,824 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 00:56 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2007-10-05 18:27 47,360 -c--a-w C:\Documents and Settings\Proprietaire\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_16.55.48.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-15 14:13:59 14,868,480 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-15 16:50:46 14,856,192 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-12-15 14:13:59 40,960 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-15 16:50:46 40,960 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-15 17:02:04 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_5b8.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{468942fe-1005-4739-b875-30dcbb59ef03}]
C:\WINDOWS\system32\kbdook.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09]
"RecordNow!"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"WOOKIT"="C:\Program Files\Wanadoo\Shell.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 22:59]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-30 09:46]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-30 09:33]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-05-03 13:01]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 18:56]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 09:32]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-04-30 12:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-09-13 06:02]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-15 18:28]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-12 21:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09]

C:\Documents and Settings\Proprietaire\Menu Démarrer\Programmes\Démarrage\
PartMetBackup.lnk - C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe [2003-05-03 13:01:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdook]
kbdook.dll

R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 fbxusb;Carte réseau virtuelle FreeBox USB;C:\WINDOWS\system32\DRIVERS\fbxusb32.sys
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\open\Command - C:\7E852180.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-12-05 17:52:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 15:48:00 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 18:34:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?4?8?0??????? ???B???????????????B? ??????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-15 18:36:20
C:\ComboFix2.txt ... 2007-12-15 16:56
.
2007-12-15 08:59:45 --- E O F ---


So? Is there still some left?

15 December 2007 19:11:21

Re,

Let's attack.

Copy the text in the box below:

File::
C:\7E852180.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\system32\kbdook.dll
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\ntfyapp.config
C:\WINDOWS\load.exe
C:\WINDOWS\system32\drivers\dcbcg.exe
C:\WINDOWS\wsystmp_jmc.exe
C:\WINDOWS\system32\shovth.exe
C:\7E852180.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\wsystmp_fke.exe
C:\WINDOWS\windisk.dll
C:\WINDOWS\trayicons.exe
C:\Documents and Settings\Proprietaire\wn852.exe

Folder::
C:\found.001
C:\autorun.inf
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdook]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"iTunesHelper"=-
"TkBellExe"=-
"sis32"=-
"winroot"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{468942fe-1005-4739-b875-30dcbb59ef03}]


Open Notepad and paste the copied text.
(Start\All Programs\Accessories\Notepad.)
Save this file under the name CFScript.txt.

Now drag the CFScript.txt file onto Combofix.exe as shown below:


This will relaunch Combofix; press 1 then confirm. After the reboot, post the contents of the Combofix.txt report together with a HijackThis report.
If there is no reboot, post the reports anyway.
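To show how the entries in the pasted reports map onto a CFScript of the kind given above, here is an added Python triage helper (example code, not part of ComboFix, SDFix or the helper's own script). It parses a ComboFix report excerpt constructed from lines quoted in this thread, flags files created inside a chosen infection window, and emits the File:: and Registry:: sections; the window bounds and the removal of the mountpoints2 key are this example's own assumptions.

```python
"""Triage helper for a ComboFix report: flag files created in an infection
window, find autostart entries pointing at them, and emit a CFScript.
Added example; the sample log below is constructed from lines quoted in
the thread, and the infection window is an assumption for this example."""
import re
from datetime import datetime

# Constructed excerpt of a ComboFix report (same layout as the pasted logs).
SAMPLE_LOG = r"""
2007-12-12 21:56 . 2007-12-12 21:56 89,088 ---hsc--- C:\WINDOWS\system32\winsn.exe
2007-12-12 21:56 . 2007-12-15 18:28 28,929 --a--c--- C:\WINDOWS\system32\winsos.exe
2007-12-12 21:56 . 2007-12-12 21:56 89,088 ---hsc--- C:\7E852180.exe
2007-12-12 20:12 . 2007-12-12 20:12 16,384 --a--c--- C:\WINDOWS\windisk.dll
2007-12-14 13:18 . 2007-12-14 13:19 <REP> d----c--- C:\Program Files\CCleaner

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-15 18:28]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-12 21:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\open\Command - C:\7E852180.exe
"""

# Assumed infection window: the first malicious files in the thread date
# from the evening of 2007-12-12.
WINDOW_START = datetime(2007, 12, 12, 19, 0)
WINDOW_END = datetime(2007, 12, 12, 23, 59)

# "created . modified size attrs path" lines; directories show <REP> as size.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:[\d,]+|<REP>) ([-a-z]{9}) (.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
SHELL_RE = re.compile(r"^(\\Shell\\[^ ]+) - (.+)$")


def parse_log(text):
    """Split a ComboFix report into (files, run_values, shell_commands)."""
    files = {}          # path -> (created, attribute string)
    run_values = []     # (registry key, value name, target path)
    shell_cmds = []     # (registry key, shell verb, target path)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            files[m.group(3)] = (created, m.group(2))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)        # subsequent values belong to this key
            continue
        m = VALUE_RE.match(line)
        if m and key:
            run_values.append((key, m.group(1), m.group(2)))
            continue
        m = SHELL_RE.match(line)
        if m and key:
            shell_cmds.append((key, m.group(1), m.group(2)))
    return files, run_values, shell_cmds


def flag_files(files, window_start, window_end):
    """Return the set of files (not directories) created inside the window."""
    return {path for path, (created, attrs) in files.items()
            if not attrs.startswith("d") and window_start <= created <= window_end}


def build_cfscript(log_text, window_start, window_end):
    """Emit File:: and Registry:: sections in the CFScript format used above."""
    files, run_values, shell_cmds = parse_log(log_text)
    flagged = flag_files(files, window_start, window_end)
    lower = {p.lower() for p in flagged}
    run_by_key = {}
    for key, name, target in run_values:
        if target.lower() in lower:         # Run value launching a flagged file
            run_by_key.setdefault(key, []).append(name)
    drop_keys = []
    for key, verb, target in shell_cmds:    # autorun handler pointing at malware
        if target.lower() in lower and key not in drop_keys:
            drop_keys.append(key)
    lines = ["File::"] + sorted(flagged, key=str.lower) + ["", "Registry::"]
    lines += [f"[-{key}]" for key in drop_keys]          # delete whole key
    for key, names in run_by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{name}"=-' for name in names]        # delete single value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG, WINDOW_START, WINDOW_END))
```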
15 December 2007 20:02:09

OK, here we go again...

Combofix:

ComboFix 07-12-15.5 - Proprietaire 2007-12-15 19:44:40.3 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.167 [GMT 1:00]
Running from: C:\Documents and Settings\Proprietaire\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Proprietaire\Bureau\CFScript.txt
* Created a new restore point

FILE
C:\7E852180.exe
C:\WINDOWS\load.exe
C:\WINDOWS\ntfyapp.config
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\drivers\dcbcg.exe
C:\WINDOWS\system32\kbdook.dll
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll
C:\WINDOWS\wsystmp_fke.exe
C:\WINDOWS\wsystmp_jmc.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\7E852180.exe
C:\Autorun.inf
C:\autorun.inf\
C:\found.001
C:\found.001\file0000.chk
C:\WINDOWS\load.exe
C:\WINDOWS\ntfyapp.config
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\drivers\dcbcg.exe
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll
C:\WINDOWS\wsystmp_fke.exe
C:\WINDOWS\wsystmp_jmc.exe

.
((((((((((((((((((((((((((((( Fichiers créés 2007-11-15 to 2007-12-15 ))))))))))))))))))))))))))))))))))))
.

2007-12-15 15:13 . 2007-12-15 15:13 <REP> d----c--- C:\WINDOWS\ERUNT
2007-12-15 09:13 . 2007-12-15 09:39 1,393 --a--c--- C:\WINDOWS\imsins.BAK
2007-12-14 20:39 . 2007-12-14 20:39 <REP> d----c--- C:\VundoFix Backups
2007-12-14 19:18 . 2007-09-05 23:22 289,144 --a--c--- C:\WINDOWS\system32\VCCLSID.exe
2007-12-14 19:18 . 2007-12-13 19:40 77,824 --a--c--- C:\WINDOWS\system32\IEDFix.exe
2007-12-14 19:18 . 2003-06-05 20:13 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2007-12-14 19:18 . 2004-07-31 17:50 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2007-12-14 19:18 . 2007-10-03 23:36 25,600 --a--c--- C:\WINDOWS\system32\WS2Fix.exe
2007-12-14 17:00 . 2007-12-14 17:35 <REP> d----c--- C:\Program Files\Navilog1
2007-12-14 13:36 . 2007-12-14 13:36 <REP> d----c--- C:\d7aa925514dbb47f61b4392344e6d8b4
2007-12-14 13:18 . 2007-12-14 13:19 <REP> d----c--- C:\Program Files\CCleaner
2007-12-12 19:54 . 2007-12-12 19:54 28,929 --a--c--- C:\Documents and Settings\Proprietaire\wn852.exe
2007-12-08 14:19 . 2007-12-13 22:53 <REP> d----c--- C:\Program Files\DivX
2007-12-02 10:02 . 2007-12-02 10:02 <REP> d----c--- C:\Program Files\Windows Live Favorites

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 09:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-14 18:21 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 13:02 --------- dc----w C:\Program Files\ewido anti-malware
2007-12-13 21:53 --------- dc----w C:\Program Files\Windows Live Toolbar
2007-12-13 21:53 --------- dc----w C:\Program Files\Wanadoo Messager
2007-12-13 21:53 --------- dc----w C:\Program Files\Microsoft Works
2007-12-13 21:53 --------- dc----w C:\Program Files\MetFileRegenerator
2007-12-13 21:53 --------- dc----w C:\Program Files\K-Lite Codec Pack
2007-12-13 21:53 --------- dc----w C:\Program Files\Freeplayer
2007-12-13 21:53 --------- dc----w C:\Program Files\Easy Internet signup
2007-12-12 20:57 8,576 -c--a-w C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-12-08 04:48 --------- dc----w C:\Program Files\eMule
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 -c--a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-18 11:52 --------- dc----w C:\Documents and Settings\Proprietaire\Application Data\Skype
2007-11-13 10:25 20,480 -c--a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,293,824 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 00:56 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2007-10-05 18:27 47,360 -c--a-w C:\Documents and Settings\Proprietaire\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_16.55.48.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-15 14:13:59 14,868,480 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-15 16:50:46 14,856,192 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-12-15 14:13:59 40,960 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-15 16:50:46 40,960 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-15 18:34:55 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{468942fe-1005-4739-b875-30dcbb59ef03}]
C:\WINDOWS\system32\kbdook.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09]
"RecordNow!"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"WOOKIT"="C:\Program Files\Wanadoo\Shell.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 22:59]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-30 09:46]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-30 09:33]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-05-03 13:01]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 18:56]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 09:32]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-04-30 12:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-09-13 06:02]
"sis32"="C:\WINDOWS\system32\winsos.exe" []
"winroot"="C:\WINDOWS\system32\winsn.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09]

C:\Documents and Settings\Proprietaire\Menu Démarrer\Programmes\Démarrage\
PartMetBackup.lnk - C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe [2003-05-03 13:01:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdook]
kbdook.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\open\Command - C:\7E852180.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-12-05 17:52:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 18:48:00 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 19:50:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????2????|?????? ???B???????????????B? ??????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-15 19:52:06
C:\ComboFix2.txt ... 2007-12-15 18:36
C:\ComboFix3.txt ... 2007-12-15 16:56
.
2007-12-15 08:59:45 --- E O F ---


then HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 19:54:09, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Proprietaire\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {468942fe-1005-4739-b875-30dcbb59ef03} - C:\WINDOWS\system32\kbdook.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|DEFAULT=cnx|PARAM=
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Compagnon.lnk = C:\Program Files\ColiPoste\e-COMO\e-COMO.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?94e8d2f2e1024c45b191546448b26f36
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?94e8d2f2e1024c45b191546448b26f36
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&loca...
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/081b8880e1721d142c00/netzip...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photoservice.com/aurigma/ImageUploader4.cab
O16 - DPF: {983AB2CC-3D50-11D9-ADFE-00062919A34C} (ActiveXUpload.UserCtrl) - http://www.photoservice.com/activeX/newUpload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kbdook - kbdook.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe



What's next? It is improving at least, isn't it? In any case, I have internet access and I no longer get error messages every 30 seconds... thanks a lot already for that! I would never have managed on my own :(
15 December 2007 22:26:29

Re,

Run ComboFix again with the same script as before (I have edited it), and can you tell me the contents of this folder?: C:\d7aa925514dbb47f61b4392344e6d8b4
15 December 2007 23:31:37

hi!

ComboFix:

ComboFix 07-12-15.5 - Proprietaire 2007-12-15 23:10:09.4 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.229 [GMT 1:00]
Running from: C:\Documents and Settings\Proprietaire\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Proprietaire\Bureau\CFScript.txt
* Created a new restore point

FILE
C:\7E852180.exe
C:\Documents and Settings\Proprietaire\wn852.exe
C:\WINDOWS\load.exe
C:\WINDOWS\ntfyapp.config
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\drivers\dcbcg.exe
C:\WINDOWS\system32\kbdook.dll
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll
C:\WINDOWS\wsystmp_fke.exe
C:\WINDOWS\wsystmp_jmc.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Proprietaire\wn852.exe
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((((((( Fichiers créés 2007-11-15 to 2007-12-15 ))))))))))))))))))))))))))))))))))))
.

2007-12-15 15:13 . 2007-12-15 15:13 <REP> d----c--- C:\WINDOWS\ERUNT
2007-12-15 09:13 . 2007-12-15 09:39 1,393 --a--c--- C:\WINDOWS\imsins.BAK
2007-12-14 20:39 . 2007-12-14 20:39 <REP> d----c--- C:\VundoFix Backups
2007-12-14 19:18 . 2007-09-05 23:22 289,144 --a--c--- C:\WINDOWS\system32\VCCLSID.exe
2007-12-14 19:18 . 2007-12-13 19:40 77,824 --a--c--- C:\WINDOWS\system32\IEDFix.exe
2007-12-14 19:18 . 2003-06-05 20:13 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2007-12-14 19:18 . 2004-07-31 17:50 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2007-12-14 19:18 . 2007-10-03 23:36 25,600 --a--c--- C:\WINDOWS\system32\WS2Fix.exe
2007-12-14 17:00 . 2007-12-14 17:35 <REP> d----c--- C:\Program Files\Navilog1
2007-12-14 13:36 . 2007-12-14 13:36 <REP> d----c--- C:\d7aa925514dbb47f61b4392344e6d8b4
2007-12-14 13:18 . 2007-12-14 13:19 <REP> d----c--- C:\Program Files\CCleaner
2007-12-08 14:19 . 2007-12-13 22:53 <REP> d----c--- C:\Program Files\DivX
2007-12-02 10:02 . 2007-12-02 10:02 <REP> d----c--- C:\Program Files\Windows Live Favorites

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 09:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-14 18:21 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 13:02 --------- dc----w C:\Program Files\ewido anti-malware
2007-12-13 21:53 --------- dc----w C:\Program Files\Windows Live Toolbar
2007-12-13 21:53 --------- dc----w C:\Program Files\Wanadoo Messager
2007-12-13 21:53 --------- dc----w C:\Program Files\Microsoft Works
2007-12-13 21:53 --------- dc----w C:\Program Files\MetFileRegenerator
2007-12-13 21:53 --------- dc----w C:\Program Files\K-Lite Codec Pack
2007-12-13 21:53 --------- dc----w C:\Program Files\Freeplayer
2007-12-13 21:53 --------- dc----w C:\Program Files\Easy Internet signup
2007-12-12 20:57 8,576 -c--a-w C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-12-08 04:48 --------- dc----w C:\Program Files\eMule
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 -c--a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-18 11:52 --------- dc----w C:\Documents and Settings\Proprietaire\Application Data\Skype
2007-11-13 10:25 20,480 -c--a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,293,824 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 00:56 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2007-10-05 18:27 47,360 -c--a-w C:\Documents and Settings\Proprietaire\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_16.55.48.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-15 14:13:59 14,868,480 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-15 16:50:46 14,856,192 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-12-15 14:13:59 40,960 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-15 16:50:46 40,960 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-15 18:57:42 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_5ac.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{468942fe-1005-4739-b875-30dcbb59ef03}]
C:\WINDOWS\system32\kbdook.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09]
"RecordNow!"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"WOOKIT"="C:\Program Files\Wanadoo\Shell.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 22:59]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-30 09:46]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-30 09:33]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-05-03 13:01]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 18:56]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 09:32]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-04-30 12:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-09-13 06:02]
"sis32"="C:\WINDOWS\system32\winsos.exe" []
"winroot"="C:\WINDOWS\system32\winsn.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09]

C:\Documents and Settings\Proprietaire\Menu Démarrer\Programmes\Démarrage\
PartMetBackup.lnk - C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe [2003-05-03 13:01:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdook]
kbdook.dll

S3 fbxusb;Carte réseau virtuelle FreeBox USB;C:\WINDOWS\system32\DRIVERS\fbxusb32.sys
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\open\Command - C:\7E852180.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-12-05 17:52:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 21:48:03 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 23:14:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?4?8?0??????? ???B???????????????B? ??????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-15 23:16:33
C:\ComboFix2.txt ... 2007-12-15 19:52
C:\ComboFix3.txt ... 2007-12-15 18:36
.
2007-12-15 08:59:45 --- E O F ---




folder C:\d7aa925514dbb47f61b4392344e6d8b4

mrt.exe._p (_P file)
mrtstub (Malicious Software Removal Tool Update Stub)


I'm off to bed... see you tomorrow, and thanks again for everything ;)


16 December 2007 11:32:43

Re,

I don't think it is infected, but let's check just in case.

Have these files analysed on this site >> Virustotal <<

Click Browse at the top, choose My Computer and look for this file: mrt.exe._p
Now click Send file.
Post the report (from File *** received on *** down to SHA1: ***)

+++++++++++++++

Download to your desktop: Clean (by Malekal) >Tutorial<
Unzip it onto your desktop. Double-click the clean folder.
Double-click clean.cmd. (The cmd extension may not be shown.) This will open a black window.
A menu will appear; choose option 1, then Enter. Then press a key as prompted and post the report here.
The report is here: C:\rapport_clean.txt

If you get a file C:\upload_moi.zip, please do this.

++++++++++++++++++

Uninstall avast, reboot and delete ~~>C:\Program Files\Alwil Software

Download ccleaner (>>tutorial, read it!<<), download "the latest version", then install it, unticking - Add the Yahoo! CCleaner Toolbar
Then run the cleaner, then have it look for errors, and back up if you wish.

Download and install Antivir. (tutorial)
Why switch? Avast vs Antivir
Check that it is up to date! Run a full scan and post the report.
16 December 2007 12:35:04

hello,

VirusTotal analysis:

Fichier mrt.exe._p reçu le 2007.12.16 12:05:13 (CET)

Résultat: 0/32 (0%)


Antivirus          Version         Dernière mise à jour  Résultat
AhnLab-V3          2007.12.15.10   2007.12.14            -
AntiVir            7.6.0.45        2007.12.14            -
Authentium         4.93.8          2007.12.16            -
Avast              4.7.1098.0      2007.12.15            -
AVG                7.5.0.503       2007.12.15            -
BitDefender        7.2             2007.12.16            -
CAT-QuickHeal      9.00            2007.12.15            -
ClamAV             0.91.2          2007.12.16            -
DrWeb              4.44.0.09170    2007.12.15            -
eSafe              7.0.15.0        2007.12.13            -
eTrust-Vet         31.3.5377       2007.12.15            -
Ewido              4.0             2007.12.15            -
FileAdvisor        1               2007.12.16            -
Fortinet           3.14.0.0        2007.12.16            -
F-Prot             4.4.2.54        2007.12.16            -
F-Secure           6.70.13030.0    2007.12.14            -
Ikarus             T3.1.1.15       2007.12.16            -
Kaspersky          7.0.0.125       2007.12.16            -
McAfee             5186            2007.12.14            -
Microsoft          1.3109          2007.12.16            -
NOD32v2            2723            2007.12.14            -
Norman             5.80.02         2007.12.13            -
Panda              9.0.0.4         2007.12.15            -
Prevx1             V2              2007.12.16            -
Rising             20.22.41.00     2007.12.14            -
Sophos             4.24.0          2007.12.15            -
Sunbelt            2.2.907.0       2007.12.15            -
Symantec           10              2007.12.15            -
TheHacker          6.2.9.160       2007.12.14            -
VBA32              3.12.2.5        2007.12.15            -
VirusBuster        4.3.26:9        2007.12.16            -
Webwasher-Gateway  6.6.2           2007.12.16            -
Information additionnelle
File size: 312986 bytes
MD5: 6060254920ada66b015a62442a42b733
SHA1: a92c9e338646372f3b4fcda8b24d694506d95e44


I'm doing the rest... see you later
16 December 2007 13:13:05

well, clean... didn't run to the end, I think :( here is the report:

16/12/2007 a 13:03:32,48

*** Recherche des fichiers dans C:

*** Recherche des fichiers dans C:\WINDOWS\

*** Recherche des fichiers dans C:\WINDOWS\system32

*** Recherche des fichiers dans C:\Program Files



also, I tried several times to upload the file you indicated... each time I get: you have not chosen a file!

moving on to the next step...
16 December 2007 20:46:14

well... I'm back... I ran a full Antivir scan. Not really knowing what to do, I just quarantined the threatening files (I was afraid of doing something silly and deleting things I shouldn't have!!)

Is there still anything to do?

here is the report:



AntiVir PersonalEdition Classic
Report file date: dimanche 16 décembre 2007 14:21

Scanning for 1036370 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: YOUR-4RVNYK84X5

Version information:
BUILD.DAT : 269 15604 Bytes 10/09/2007 14:31:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 12:32:40
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 10/07/2007 12:32:46
ANTIVIR2.VDF : 6.39.1.43 1542656 Bytes 25/08/2007 17:21:02
ANTIVIR3.VDF : 6.39.1.51 29696 Bytes 28/08/2007 07:22:36
AVEWIN32.DLL : 7.6.0.5 2789888 Bytes 29/08/2007 17:09:10
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 03/08/2007 08:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: dimanche 16 décembre 2007 14:21

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'javaw.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdater.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'hpqwmi.exe' - '1' Module(s) have been scanned
Scan process 'Skype.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'eabservr.exe' - '1' Module(s) have been scanned
Scan process 'hphmon05.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '29' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\upload_moi_YOUR-4RVNYK84X5.tar.gz
[0] Archive type: GZ
--> upload_moi.tar
[1] Archive type: TAR (tape archiver)
--> qoobox/Quarantine/C/7E852180.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
--> qoobox/Quarantine/C/Documents and Settings/Proprietaire/Application Data/printer.exe.vir
[DETECTION] Contains suspicious code HEUR/Malware
--> qoobox/Quarantine/C/Documents and Settings/Proprietaire/Application Data/trant.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
--> qoobox/Quarantine/C/Documents and Settings/Proprietaire/wn852.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
--> qoobox/Quarantine/C/WINDOWS/system32/drivers/dcbcg.exe.vir
[DETECTION] Contains suspicious code HEUR/Malware
--> qoobox/Quarantine/C/WINDOWS/system32/shovth.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
--> qoobox/Quarantine/C/WINDOWS/system32/winsn.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
--> qoobox/Quarantine/C/WINDOWS/system32/winsos.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
--> qoobox/Quarantine/C/WINDOWS/trayicons.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
--> qoobox/Quarantine/C/WINDOWS/windisk.dll.vir
[DETECTION] Contains suspicious code HEUR/Malware
--> qoobox/Quarantine/C/WINDOWS/wsystmp_jmc.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
--> qoobox/Quarantine/catchme2007-12-15_165239.41.zip
[2] Archive type: ZIP
--> taskmon.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '47d12733.qua'!
C:\Documents and Settings\Proprietaire\Bureau\SmitfraudFix\SmitfraudFix.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47ce281d.qua'!
C:\Program Files\Navilog1\navilog1.bat
[DETECTION] Contains suspicious code HEUR/Exploit.HTML
[WARNING] The file was ignored!
C:\qoobox\Quarantine\catchme2007-12-15_165239.41.zip
[0] Archive type: ZIP
--> taskmon.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '47d9716f.qua'!
C:\qoobox\Quarantine\C\7E852180.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479d715d.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\Proprietaire\wn852.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479d718b.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\Proprietaire\Application Data\printer.exe.vir
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47ce7195.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\Proprietaire\Application Data\trant.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47c67199.qua'!
C:\qoobox\Quarantine\C\WINDOWS\trayicons.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47c6719e.qua'!
C:\qoobox\Quarantine\C\WINDOWS\windisk.dll.vir
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47d3719b.qua'!
C:\qoobox\Quarantine\C\WINDOWS\wsystmp_jmc.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47de71a9.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\shovth.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47d471a7.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\winsn.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47d371ab.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\winsos.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47d371ad.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\dcbcg.exe.vir
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47c771ab.qua'!
C:\SDFix\backups_old1\backups.zip
[0] Archive type: ZIP
--> backups/lich.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> backups/taskmon.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> backups/vedxga4me1.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47c871b2.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP653\A0295743.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479772eb.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP653\A0295744.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479772ee.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP653\A0295745.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479772f0.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP653\A0295746.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479772f3.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP653\A0295748.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479772f6.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP653\A0295749.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479772f8.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP653\A0295751.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479772fa.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP653\A0295752.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479772fd.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0295753.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479772fe.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0295754.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977302.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0295755.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977304.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0295756.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977305.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0295757.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977308.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0295764.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '4797730b.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0295768.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '4797730e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0296743.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977313.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0296744.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977315.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0296745.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977317.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0296746.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977319.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0296750.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4797731c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0296752.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4797731e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0296753.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977320.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0296754.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977322.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0297743.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977325.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0297744.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977327.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0297745.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977329.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0297746.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797732a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0297748.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47977336.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0297750.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977338.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0298744.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797733b.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP654\A0298746.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4797733e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0298748.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977341.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0298749.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977343.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0298750.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977346.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0298752.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977349.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0298753.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4797734c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0298754.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797734e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0298755.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977351.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0299743.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977355.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0299744.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977357.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0299745.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977359.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0299746.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797735b.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0299750.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4797735d.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0299753.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4797735f.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0299754.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977361.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP655\A0299755.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977363.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299756.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977366.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299757.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977368.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299758.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797736a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299759.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797736c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299760.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797736e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299763.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977371.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299764.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977373.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299765.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977376.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299768.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.AB
[INFO] The file was moved to '47977377.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299778.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797737a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299779.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797737c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299780.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4797737e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299781.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977380.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299782.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47977383.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299784.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47977384.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299785.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47977386.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299786.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47977388.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299788.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4797738a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP656\A0299789.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4797738c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299833.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977392.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299834.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977395.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299835.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977397.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299836.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47977399.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299837.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4797739b.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299839.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4797739d.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299840.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4797739f.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299841.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479773a1.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299842.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479773a2.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0299844.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479773a4.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300834.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873a7.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300835.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873a9.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300836.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873ab.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300837.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873ad.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300838.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873af.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300839.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873b1.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300841.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873b3.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300842.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873b4.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300843.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873b6.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0300844.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873b8.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0301833.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873bb.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0301834.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873bd.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0301835.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873c0.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0301836.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873c2.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0301838.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873c4.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0301839.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873c6.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0301841.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873c8.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0301842.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873ca.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0302834.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873cc.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0302835.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479873ce.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0302836.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873d0.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0302837.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873d1.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0302838.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873d3.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0302839.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873d6.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0302840.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873d8.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303834.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873da.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303835.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479873dc.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303836.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873de.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303837.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873df.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303838.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873e1.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303840.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873e2.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303841.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873e5.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303842.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873e7.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303843.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873e9.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303844.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873eb.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0303845.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873ee.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304835.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873f0.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304836.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873f1.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304837.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479873f3.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304839.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873f5.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304840.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479873f8.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304841.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479873fa.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304842.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873fc.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304844.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479873fe.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304845.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987400.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304846.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987402.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP657\A0304847.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987405.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0306829.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798740d.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0306830.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987410.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0306831.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987412.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0306832.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987414.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0306833.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987416.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0306834.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987419.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0306835.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798741a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0306836.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798741c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309836.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47987488.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309837.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '4798748a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309838.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798748c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309839.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4798748e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309841.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987490.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309842.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987492.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309843.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987494.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309844.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987496.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309845.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987498.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309846.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798749b.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309847.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798749e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309858.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874a0.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309859.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479874a2.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309860.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874a3.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309861.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874a5.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0309862.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874a7.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310855.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874a9.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310856.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874ab.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310857.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874ac.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310859.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874af.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310860.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479874b1.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310861.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874b4.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310862.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874b6.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310863.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874b9.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310864.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874bc.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0310865.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874be.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312856.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874c0.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312857.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479874c2.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312858.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874c7.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312859.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874c9.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312860.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874cb.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312862.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874cd.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312863.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874d0.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312864.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874d3.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312865.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874d5.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312866.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874d7.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312867.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874da.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0312869.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874dc.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313856.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874de.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313857.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874e1.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313858.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874e3.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313859.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '479874e5.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313860.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874e8.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313861.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479874ea.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313862.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874ec.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313863.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874ee.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313864.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874ef.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313866.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874f1.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313867.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874f3.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313868.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874f5.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313877.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479874f7.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313878.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479874f9.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313879.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874fc.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313880.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479874fe.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313881.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987501.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313882.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987503.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313883.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987505.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313884.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987508.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0313885.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798750a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314877.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4798750d.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314878.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '4798750e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314879.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987510.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314880.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987512.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314882.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987515.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314883.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987517.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314885.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987519.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314886.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798751c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314887.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798751e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314897.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987521.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314898.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987523.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314899.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987525.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314900.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987528.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314901.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798752a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314902.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798752c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314903.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798752e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0314904.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798752f.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315899.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987532.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315900.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987534.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315901.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987537.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315902.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987539.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315904.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4798753c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315905.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '4798753e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315906.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987540.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315907.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987542.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315908.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987544.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0315909.sys
[DETECTION] Is the Trojan horse TR/Agent.asu.1
[INFO] The file was moved to '47987546.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316897.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987549.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316898.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798754b.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316899.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798754e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316900.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987550.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316913.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987552.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316914.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987554.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316916.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987557.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316917.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987559.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316918.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4798755f.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316919.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47987561.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316920.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47987563.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316921.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987564.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316922.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987566.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316923.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798756a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316924.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798756c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316934.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4798756d.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316935.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4798756f.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316936.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987571.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316937.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987573.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316938.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987577.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316939.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798757a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316940.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798757e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316942.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4798757f.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316943.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46089d88.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316950.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987581.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316951.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987580.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316952.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46089d89.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316953.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987582.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316962.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46089d8a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316963.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987583.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316965.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46089d8c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316966.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987585.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316967.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '46089d8b.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316968.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47987584.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316969.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46089d8d.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316970.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47987586.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316971.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46089d8e.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0316972.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47987587.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317963.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46089d8f.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317964.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987598.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317965.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46089d91.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317966.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4798759a.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317967.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46089d80.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317968.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47987589.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317969.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46089d93.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317970.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4798759c.qua'!
C:\System Volume Information\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\RP658\A0317972.exe
[DETECTION] Is the Trojan horse TR/Small.Crypted.Gen
[INFO] The file was moved to '46089d95.qua'!
C:\System Volume Information\_restore{67EFE51
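Every path in the report above sits under C:\System Volume Information\_restore{...}\RP658\, i.e. these are System Restore snapshot copies rather than files at their live locations; on Windows XP the usual closing step after disinfection is to purge the restore points (turn System Restore off and back on) so an infected snapshot cannot be rolled back in. The script below is an added example, not part of the original thread and not Avira's own tooling: it parses the three-line path / [DETECTION] / [INFO] record format, separates restore-point copies from live-path hits, and counts detections per signature. The sample is constructed from a few records copied from the log plus one hypothetical live-path record (example_dropper.exe) and a deliberately truncated trailing path, mirroring the cut-off last line of the pasted report, so the parser's handling of an unfinished record is exercised.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Record format of the Avira AntiVir report pasted in the thread:
#   <path>
#   [DETECTION] <verdict words> <signature name>
#   [INFO] The file was moved to '<quarantine file>'!
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+(?P<verdict>.+?)\s+(?P<name>\S+)$")
INFO_RE = re.compile(r"^\[INFO\]\s+The file was moved to '(?P<qua>[^']+)'!$")
# System Restore keeps its copies under System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\")


@dataclass
class Detection:
    path: str
    verdict: str                  # "Is the Trojan horse" or "Contains suspicious code"
    name: str                     # signature, e.g. TR/Crypt.XDR.Gen or HEUR/Malware
    quarantine: Optional[str]     # quarantine file name, None if no move line matched
    restore_point: Optional[str]  # "RP658" for a System Restore copy, None for a live file


def parse_report(text: str) -> Tuple[List[Detection], int]:
    """Return (records, dropped); `dropped` counts records that never completed,
    such as a path cut off at the end of a pasted log."""
    records: List[Detection] = []
    path: Optional[str] = None
    verdict: Optional[Tuple[str, str]] = None
    dropped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[DETECTION]"):
            m = DETECTION_RE.match(line)
            if path is not None and m:
                verdict = (m.group("verdict"), m.group("name"))
        elif line.startswith("[INFO]"):
            if path is not None and verdict is not None:
                m = INFO_RE.match(line)
                rp = RESTORE_RE.search(path)
                records.append(Detection(path, verdict[0], verdict[1],
                                         m.group("qua") if m else None,
                                         rp.group("rp") if rp else None))
                path, verdict = None, None
        elif line.startswith("["):
            continue  # other [WARNING]/[NOTE] lines are not part of a record
        else:
            if path is not None:
                dropped += 1  # previous path never reached its [INFO] line
            path, verdict = line, None
    if path is not None:
        dropped += 1
    return records, dropped


def summarize(records: List[Detection]) -> Dict[str, object]:
    """Aggregate what a responder wants at a glance: counts per signature, which
    restore points hold copies, kernel drivers (.sys) and anything at a live path."""
    return {
        "total": len(records),
        "by_name": dict(Counter(r.name for r in records)),
        "by_restore_point": dict(Counter(r.restore_point for r in records if r.restore_point)),
        "kernel_drivers": [r.path for r in records if r.path.lower().endswith(".sys")],
        "live_files": [r.path for r in records if r.restore_point is None],
    }


# Constructed sample: three records copied from the report, one hypothetical
# live-path record (not from the thread) and a truncated trailing path.
RP = "C:\\System Volume Information\\_restore{67EFE51A-F497-48AD-8DD5-8EEC54528088}\\RP658\\"
SAMPLE_REPORT = "\n".join([
    RP + "A0309838.exe",
    "[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen",
    "[INFO] The file was moved to '4798748c.qua'!",
    RP + "A0309859.sys",
    "[DETECTION] Is the Trojan horse TR/Rootkit.Gen",
    "[INFO] The file was moved to '479874a2.qua'!",
    RP + "A0313881.exe",
    "[DETECTION] Contains suspicious code HEUR/Malware",
    "[INFO] The file was moved to '47987501.qua'!",
    "C:\\WINDOWS\\system32\\example_dropper.exe",  # hypothetical live file
    "[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen",
    "[INFO] The file was moved to '00000000.qua'!",
    "C:\\System Volume Information\\_restore{67EFE51",  # cut off, as in the pasted log
])

if __name__ == "__main__":
    recs, dropped = parse_report(SAMPLE_REPORT)
    print(summarize(recs), "dropped:", dropped)
```

Run against the full pasted report, the by_name and kernel_drivers fields give the quick answer to "what was in that restore point" (here several TR/Rootkit.Gen .sys drivers next to the packed executables), and a non-empty live_files list is the signal that something is still on the running system rather than only in a snapshot.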
16 December 2007 20:48:54

Re,

- "Start" >> "Run" >> paste this into the box:

ComboFix /u

- Click "OK".


Then post a new HijackThis log.
16 December 2007 22:14:54

Re,

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 22:14:02, on 16/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cscript.exe
C:\Documents and Settings\Proprietaire\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {468942fe-1005-4739-b875-30dcbb59ef03} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Compagnon.lnk = C:\Program Files\ColiPoste\e-COMO\e-COMO.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?94e8d2f2e1024c45b191546448b26f36
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?94e8d2f2e1024c45b191546448b26f36
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&loca...
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/081b8880e1721d142c00/netzip...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photoservice.com/aurigma/ImageUploader4.cab
O16 - DPF: {983AB2CC-3D50-11D9-ADFE-00062919A34C} (ActiveXUpload.UserCtrl) - http://www.photoservice.com/activeX/newUpload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kbdook - kbdook.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe



Otherwise, do I do something about the quarantined files... sorry to insist, but I'm not sure I'm handling the antivirus correctly (delete, isolate the infected file?)

Thanks for your follow-up...
16 December 2007 23:02:18

You can empty the quarantine ;)

Relaunch HiJackThis, do a system scan only, check these lines:
O2 - BHO: (no name) - {468942fe-1005-4739-b875-30dcbb59ef03} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O20 - Winlogon Notify: kbdook - kbdook.dll (file missing)

Then Fix Checked!

Download to your desktop: Clean (by Malekal) >Tuto<
Unzip it to your desktop. Double-click the clean folder.
Double-click clean.cmd. (The cmd extension may not be displayed.) This will open a black window.
A menu will appear; choose option 1, then Enter. Then press a key as prompted and post the report here.
The report is located here: C:\rapport_clean.txt

If you get a file C:\upload_moi.zip, please do this.
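A small triage script, added here as an example (it is not part of the thread and not HijackThis's own code), that reads lines in HijackThis log format, flags the kinds of entries the helper asked to be fixed (a BHO with "(no file)" and a Winlogon Notify hook whose DLL is "(file missing)"), and diffs two logs to show what a fix removed. The sample lines are copied from the logs in this thread; the flagging heuristics are assumptions and give hints for a second look, not verdicts.

```python
import re

# Constructed sample input: HijackThis-format lines copied from the logs in this thread
# (the log posted before the helper's "Fix Checked" step).
BEFORE = r"""
O2 - BHO: (no name) - {468942fe-1005-4739-b875-30dcbb59ef03} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: kbdook - kbdook.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
""".splitlines()
# The same log with the three flagged lines fixed (mirrors the second log posted in the thread).
AFTER = [ln for ln in BEFORE if not any(s in ln for s in ("(no file)", "kbdook", "QuickTime"))]

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")   # e.g. "O20 - Winlogon Notify: ..."
ORPHAN_MARKERS = ("(no file)", "(file missing)")  # HJT's own wording for a dangling entry


def parse(lines):
    """Return (section, body) pairs for every HJT entry line; other lines are ignored."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(lines):
    """Triage hints (assumed heuristics, not verdicts): dangling autostart hooks, Winlogon
    Notify DLLs loaded from outside system32, and services with no identified publisher."""
    hits = []
    for section, body in parse(lines):
        reason = None
        if any(mk in body for mk in ORPHAN_MARKERS):
            reason = "dangling entry: the registry still references a file that is gone"
        elif section == "O20" and "\\WINDOWS\\SYSTEM32\\" not in body.upper():
            reason = "Winlogon Notify DLL not under system32"
        elif section == "O23" and "Unknown owner" in body:
            reason = "service with no identified publisher"
        if reason:
            hits.append((section, body, reason))
    return hits


def removed_between(before, after):
    """Entries present in the first log but absent from the second: what a fix removed."""
    return sorted(set(parse(before)) - set(parse(after)))
```

Running `flag_entries(BEFORE)` flags the orphaned O2 and O20 lines plus the "Unknown owner" service; the service is a benign hit here (the helper did not ask to remove it), which is why the output is a list to review rather than a list to delete.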
17 December 2007 08:13:51

Hello,


OK ;)

Like last time, I don't know whether the clean program ran to completion!
I couldn't upload... this time it tells me the file is invalid...

Here is the report:

17/12/2007 a 8:04:22,04

*** Recherche des fichiers dans C:

*** Recherche des fichiers dans C:\WINDOWS\

*** Recherche des fichiers dans C:\WINDOWS\system32

*** Recherche des fichiers dans C:\Program Files


??
17 December 2007 18:35:12

Sorry, I must have made a mistake.. Still having problems?
Post another Hijackthis
17 December 2007 18:51:24

From my point of view, no more problems ;) and thank you very much!!!
But I don't know what might be hiding behind it!?!

hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 18:51:09, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Proprietaire\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Compagnon.lnk = C:\Program Files\ColiPoste\e-COMO\e-COMO.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?94e8d2f2e1024c45b191546448b26f36
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?94e8d2f2e1024c45b191546448b26f36
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&loca...
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/081b8880e1721d142c00/netzip...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photoservice.com/aurigma/ImageUploader4.cab
O16 - DPF: {983AB2CC-3D50-11D9-ADFE-00062919A34C} (ActiveXUpload.UserCtrl) - http://www.photoservice.com/activeX/newUpload.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD6A5B3-ED60-4B92-BFDF-D1DB4413FB10}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe



???
17 December 2007 19:49:39

I don't mean to butt in, but at first glance there are no more problems
17 December 2007 19:54:08

Re,

Uninstall and delete all the software used for the disinfection, as well as the corresponding folders it created.. Keep ccleaner, avg and antivir if we installed them..
Report your infection on Malware Complaints >Tuto<
Your infection(s): Smitfraud, trojans

Then have a look at these pages:

Securing your computer
cracks/P2P

Good evening
18 December 2007 20:40:29

Hello,

OK... I wanted to thank you for helping me disinfect my computer. I would never have managed it on my own ;)

Good evening