TR\PANDEX and Worm\NTECH.Z.4 (AGENT DWA) HELP!!!


Forum rules
Assiste.com has suspended malware-removal assistance after almost 15 years, first on the old forum and then on this one. See:

Decontamination procedure 1 - Anti-malware
Decontamination procedure 2 - Anti-malware and antivirus ("La Manip", the standard decontamination procedure)
Periodic maintenance of a Windows PC
Protecting the browser, browsing and privacy

Post by kekess » 22 Jan 2008, 19:54

Hello everyone,

These Trojans and viruses are a real pain... Could you help me please? I have been reading you and I find you very effective... As for me, I'm lost...

Symptom: Antivir messages
C:\Windows\Temp\BN7.tmp > infected with WORM\NTECH.Z.4 (AGENT DWA), I think...
C:\Windows\system32\smtprdv.exe > infected with TR\PANDEX.L.2

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:29:55, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\secours\Bureau\eradication trojan\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://meteo81.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O24 - Desktop Component 0: (no name) - http://www.meteox.com/images.aspx?jaar= ... 0071051523
O24 - Desktop Component 1: (no name) - http://www.sat24.com/images.php?country=fr&rnd=59987
O24 - Desktop Component 2: (no name) - http://meteo81.free.fr/Observation%20St ... isplay.gif
O24 - Desktop Component 3: (no name) - http://meteoalerte.com/france/france.gif?1199700314

--
End of file - 7292 bytes

Thanks for your help!

Paul-Frédéric
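As an added example (not part of the original post, and not code from HijackThis itself), here is a small Python parser for the HijackThis log format posted above, with a few triage flags of the kind a helper applies before asking for more logs. The sample lines are copied from the log above, plus one constructed O4 line (marked in the code) so that the temp-folder rule fires at least once; the flag names and rules are this example's own assumptions. Note the caveat the script carries: "Unknown owner" only means the binary has no company string in its version information, and the two ATI services above are legitimate, so that flag is a prompt to check the file, not a detection.

```python
"""Minimal HijackThis log parser with a few triage flags.

Added example, not code from the forum post or from HijackThis. The
sample lines are copied from the HijackThis log posted above, plus one
constructed O4 line (marked below) so that every rule fires at least
once. The flag rules are this example's own choice of what a helper
looks at first; they are hints for a human, not a malware verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O4 - HKCU\..\Run: [example] C:\DOCUME~1\user\LOCALS~1\Temp\example.exe
"""
# The last O4 line above is constructed for this example; it is not in the posted log.

# HijackThis entries look like "O4 - body"; header and process-list lines do not.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 bodies: 'HKLM\..\Run: [name] "quoted path" args' or '[name] bare args'.
RUN_TARGET_RE = re.compile(r'\]\s*(?:"([^"]+)"|(\S+))')


@dataclass
class Entry:
    code: str
    body: str
    target: Optional[str] = None   # file the entry points at, if recoverable
    owner: Optional[str] = None    # O23 only: vendor string read from version info
    flags: List[str] = field(default_factory=list)


def flag_entry(e: Entry) -> List[str]:
    """Apply the example's triage rules to one entry."""
    flags: List[str] = []
    t = e.target or ""
    # Registration whose file is gone: harmless leftover, but normally cleaned up.
    if t == "(no file)":
        flags.append("ORPHAN")
    # No company name in the binary's version info. Legitimate drivers (ATI here)
    # also lack one, so this is a prompt to check the file, not a verdict.
    if e.code == "O23" and e.owner == "Unknown owner":
        flags.append("NO_VENDOR")
    # Auto-start from a \Temp\ or \Tmp\ folder is unusual for installed software.
    if re.search(r"\\te?mp\\", t.lower()):
        flags.append("TEMP_EXEC")
    # Bare file name in a Run key: resolved through the search path, so it is
    # worth confirming which copy of the file actually runs.
    if e.code == "O4" and t and "\\" not in t and "/" not in t:
        flags.append("UNQUALIFIED")
    return flags


def parse_hjt(text: str) -> List[Entry]:
    """Turn 'Xn - body' lines into Entry objects; other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(m.group("code"), m.group("body"))
        if e.code == "O4":
            t = RUN_TARGET_RE.search(e.body)
            if t:
                e.target = t.group(1) or t.group(2)
        else:
            # R/O2/O3/O23 bodies are " - " separated; the file is the last field,
            # and for O23 the vendor string sits just before it.
            parts = [p.strip() for p in e.body.split(" - ")]
            if len(parts) >= 2:
                e.target = parts[-1]
            if e.code == "O23" and len(parts) >= 3:
                e.owner = parts[-2]
        e.flags = flag_entry(e)
        entries.append(e)
    return entries


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (code, flag, target) for every flagged entry, in log order."""
    return [(e.code, f, e.target or "") for e in parse_hjt(text) for f in e.flags]


if __name__ == "__main__":
    for code, flag, target in triage(SAMPLE_LOG):
        print(f"{code:<5}{flag:<13}{target}")
```

Run against the full log above, the script flags only the two "(no file)" leftovers, the bare SOUNDMAN.EXE entry and the two ATI services; neither of the files Antivir reported (C:\Windows\Temp\BN7.tmp and the driver in system32\drivers) appears in any HijackThis entry at all, which is why a helper asks for a fuller scan before proposing fixes.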

Post by nickW » 23 Jan 2008, 01:00

Good evening,

Can you confirm the name of the infected file: C:\Windows\system32\smtprdv.exe
Might it be C:\Windows\system32\drivers\smtpdrv.sys?

The HijackThis log does not show enough detail.

Create two more logs:

Note: these steps must be performed while logged into a session with "Administrator rights" (do not use the user profile named "Administrateur" that is visible in Safe Mode).
Under Windows XP, to check whether an account has "Administrator" rights:
Start ----> Settings ----> Control Panel ----> User Accounts
Next to the icon of certain accounts (apart from the one named "Administrateur"), it says "Computer administrator".
It is one of these accounts that must be used in Safe Mode.


Step 1: Deckard's System Scanner (DSS) (by Deckard)
Download Deckard's System Scanner (DSS) from http://deckard.geekstogo.com/dss.exe
Save this file to the Desktop.


Step 2: Deckard's System Scanner (DSS) (by Deckard)
Close all open program windows.
Double-click dss.exe on the Desktop to launch the installation and execution of the tool.

Click OK when prompted (1 to 3 times).
When the tool has finished scanning, one or two Notepad windows will open, showing the report(s):
main.txt <- opened in a full-screen window
extra.txt <- opened in a minimized window (this file is not created every time)
Close this (these two) Notepad window(s).


Step 3: Results
Post in reply:
*- the Deckard's System Scanner reports (contents of the files main.txt and extra.txt located in the folder C:\Deckard\System Scanner).

To be continued,
nickW

Post by kekess » 23 Jan 2008, 08:58

Hello, and thanks for the quick reply,

Indeed, the infected file is C:\Windows\system32\drivers\smtpdrv.sys (sorry :oops: )

Here are my reports; I got ahead of you and made them last night...

First the extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professionnel (build 2600) SP 2.0
Architecture: X86; Language: French

CPU 0: AMD Athlon(tm) 64 Processor 3000+
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 1023.48 MiB / 511.37 MiB
Pagefile Memory (total/avail): 2460 MiB / 2068.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.5 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 127.99 GiB total, 107.33 GiB free.
D: is Fixed (NTFS) - 114.49 GiB total, 23.12 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is Fixed (NTFS) - 298.09 GiB total, 91.12 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6L200P0 - 189.92 GiB - 1 partition
\PARTITION0 (bootable) - Système de fichiers installable - 127.99 GiB - C:

\\.\PHYSICALDRIVE1 - Maxtor 6Y120P0 - 114.49 GiB - 1 partition
\PARTITION0 (bootable) - Système de fichiers installable - 114.49 GiB - D:

\\.\PHYSICALDRIVE2 - Ext Hard Disk USB Device - 298.09 GiB - 1 partition
\PARTITION0 - Système de fichiers installable - 298.09 GiB - I:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer is in an unknown state.
Windows Internal Firewall is enabled.

AV: Avira AntiVir PersonalEdition v 7.0.2.26
(Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Perl\\bin\\perl.exe"="C:\\Perl\\bin\\perl.exe:*:Enabled:Perl Command Line Interpreter"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\Webcamfirst\\WF_FTP.exe"="C:\\Program Files\\Webcamfirst\\WF_FTP.exe:*:Enabled:WF FTP"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\Visicom Media\\FTP Expert 3\\ftpxpert3.exe"="C:\\Program Files\\Visicom Media\\FTP Expert 3\\ftpxpert3.exe:*:Enabled:AceFTP v3"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TribalWeb\\tribalweb.exe"="C:\\Program Files\\TribalWeb\\tribalweb.exe:*:Enabled:tribalweb"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"="C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Team17\\Worms World Party\\wwp.exe"="C:\\Team17\\Worms World Party\\wwp.exe:*:Enabled:Worms World Party"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"="C:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe:*:Enabled:speed2"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\secours\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Fichiers communs
COMPUTERNAME=DOMICILE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\secours
LOGONSERVER=\\DOMICILE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=c:\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\secours\LOCALS~1\Temp
TMP=C:\DOCUME~1\secours\LOCALS~1\Temp
USERDOMAIN=DOMICILE
USERNAME=secours
USERPROFILE=C:\Documents and Settings\secours
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

secours (admin)
Administrateur (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Fichiers communs\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\UNIN040C.EXE -f"C:\Program Files\Adobe\Illustrator 8.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Illustrator 8.0\Uninst.dll"
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D0803DB-8FC8-4C97-AE1F-1C3DCA357B01}\setup.exe" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80426743-0CC7-4967-BFEC-10DE08D1B6F3}\setup.exe" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80426743-0CC7-4967-BFEC-10DE08D1B6F3}\setup.exe" -l0x40c /remove
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x40c
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACE Mega CoDecS Pack --> "C:\Program Files\ACE Mega CoDecS Pack\unins000.exe"
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUN040C.EXE -f"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.1 - Français --> MsiExec.exe /I{AC76BA86-7AD7-1036-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Anti-Blaxx 1.16 --> "C:\Program Files\Anti-Blaxx\unins000.exe"
AnyScreenToVideo --> C:\PROGRA~1\ANYSCR~1\UNWISE.EXE C:\PROGRA~1\ANYSCR~1\INSTALL.LOG
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Archiveur WinRAR --> C:\Program Files\WinRAR\uninstall.exe
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x40c
Art Plus Calendar Designer LE 2.0.2 --> "C:\Program Files\Common Files\Art Plus Uninstall\apuinst3.exe" "C:\Program Files\Art Plus\CalDsgn\CalDsgn.ui3"
ATI - Utilitaire de désinstallation du logiciel --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.4 --> "C:\Program Files\Audacity\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Avira AntiVir PersonalEdition Classic --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Battlefield 1942 --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x40c
Call of Duty(R) 2 --> C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374}
Canon MP Navigator 2.0 --> "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 2.0\uninst.ini
Canon MP150 --> "C:\WINDOWS\system32\CanonMP Uninstaller Information\{CA9A3609-3ECC-4574-8824-A8161A71A603}\DelDrv.exe" /U:{CA9A3609-3ECC-4574-8824-A8161A71A603} /L0x000c
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Clic d'Api N°9 --> C:\PROGRA~1\ClicApi9\UNWISE.EXE C:\PROGRA~1\ClicApi9\INSTALL.LOG
Cobian Backup 8 --> C:\Program Files\Cobian Backup 8\cbUninstall.exe
Creative Photo Manager --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x40c /remove
Creative WebCam Center --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x40c /remove
Creative WebCam Instant Driver (1.03.02.0425) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script PD0620.uns -unsext NT -plugin P0620Pin.dll -pluginres CtCamPin.crl
DesertCombat 0.6F --> C:\WINDOWS\iun6002.exe "C:\Program Files\EA GAMES\Battlefield 1942\irunin.ini"
DFX for RealNetworks --> MsiExec.exe /I{4fdc0019-01b3-4435-b7c5-3312d7e6419c}
Easy-WebPrint --> C:\WINDOWS\IsUn040c.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EasyBarcodelabelPro --> "C:\Program Files\Easybarcodeprosha\unins000.exe"
EasyCleaner --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
EasyPHP 1.8 --> "C:\Program Files\EasyPHP1-8\unins000.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Enregistrement du produit WebCam Instant --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x40c /remove
FTP Expert 3 --> "C:\Program Files\Visicom Media\FTP Expert 3\uninst-ftp.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Documents and Settings\secours\Bureau\eradication trojan\HiJackThis\HijackThis.exe" /uninstall
IncrediMail Xe --> C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:IncrediMail /log:IncMail.log
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Jasc Animation Shop 3 --> MsiExec.exe /I{7C4196CA-CA41-4F34-9C08-7724E7705D52}
Jasc Paint Shop Pro 9 --> MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K!TV --> C:\Program Files\K!TV\UninstKTV.exe
L&H TTS3000 Français --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSFRF.inf, Uninstall
Macromedia Dreamweaver 8 --> MsiExec.exe /I{5FD788ED-1A37-4496-9BDD-463F493B27FA}
Macromedia Extension Manager --> MsiExec.exe /I{3C8C9FB3-5FDF-40B4-B314-EAD722728C76}
Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x40c UNINSTALL
Manuel d'utilisation de Creative WebCam Instant (Français) --> C:\WINDOWS\IsUn040c.exe -f"C:\Program Files\Creative\Creative WebCam Instant\Manuel d'utilisation de Creative WebCam Instant\French\CTManual.isu"
MeuhMeuhTV (désinstallation uniquement) --> C:\Program Files\MeuhMeuhTV\UninstMMTV.exe
Microsoft Office XP Professional avec FrontPage --> MsiExec.exe /I{9028040C-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
MixMeister BPM Analyzer 1.0 --> "C:\Program Files\MixMeister BPM Analyzer\unins000.exe"
Mozilla Firefox (2.0.0.11) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Need for Speed Underground 2 --> C:\Program Files\EA GAMES\Need for Speed Underground 2\EAUninstall.exe
Nero Suite --> C:\Program Files\Fichiers communs\Ahead\Uninstall\Setup.exe /uninstall
OmniPage SE 2.0 --> MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
Online Radio Tuner Standard Edition --> MsiExec.exe /I{87F3614D-1A12-4440-B39D-807C1F3A7CA3}
OpenOffice.org 2.0 --> MsiExec.exe /I{752783F5-0CFC-44C3-9E1F-CAF17C4508E7}
Outil de mise à jour Google --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
pdfFactory Pro --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppinst3.exe /uninstall
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pinnacle PCTV --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C02ED4F-46B0-4E9E-87F7-47AEBA4031C8}\Setup.exe" -l0x40c -L0x40c UNINSTALL
PowerProducer --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Fichiers communs\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rename-It! --> C:\Program Files\Rename-It!\Uninst.exe
Shareaza version 2.2.1.0 --> "C:\Program Files\Shareaza\Uninstall\unins000.exe"
SightSpeed (remove only) --> "C:\Program Files\SightSpeed\uninst.exe"
Sony Ericsson PC Suite --> MsiExec.exe /I{50F90522-2ACE-434E-9987-F42A5F06208F}
SWiSH v2.01 FRA --> C:\WINDOWS\unvise32.exe C:\Program Files\SWiSH v2.01 FRA\uninstal.log
TestLAB 2003 Express --> "C:\Program Files\TestLAB 2003 Express\unins000.exe"
Torino 2006 --> "C:\Program Files\2K Sports\Torino 2006\setup.exe" -u
TribalWeb 2.41 --> "C:\Program Files\TribalWeb\unins000.exe"
Utilitaire Effets vidéos avancés --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D0803DB-8FC8-4C97-AE1F-1C3DCA357B01}\setup.exe" -l0x40c /remove
Vidalia 0.0.11 --> "C:\Program Files\Vidalia\uninstall.exe"
Virtua Tennis --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EADF648F-1711-11D6-AFAD-0040052179B6}\setup.exe"
Virtual DJ - Atomix Productions --> C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
Webcamfirst 3.1.8 --> "C:\Program Files\Webcamfirst\uninstall.exe"
Windows Live Messenger --> MsiExec.exe /I{F6326B60-1B1D-4ABF-BFCD-7B7404F44411}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Worms World Party --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A200E68-D5F4-4E70-910F-2871753A0E2B}\setup.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type4747 / Warning
Event Submitted/Written: 01/22/2008 07:42:33 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Pandex.L.2'
in the file
C:\WINDOWS\system32\drivers\smtpdrv.sys

Event Record #/Type4746 / Warning
Event Submitted/Written: 01/22/2008 07:41:46 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'WORM/Ntech.Z.4'
in the file
C:\WINDOWS\Temp\BN7.tmp

Event Record #/Type4649 / Success
Event Submitted/Written: 01/22/2008 07:41:05 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4642 / Warning
Event Submitted/Written: 01/22/2008 04:19:30 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Pandex.L.2'
in the file
C:\WINDOWS\system32\drivers\smtpdrv.sys

Event Record #/Type4641 / Warning
Event Submitted/Written: 01/22/2008 04:19:11 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'WORM/Ntech.Z.4'
in the file
C:\WINDOWS\Temp\BN8.tmp



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6403 / Warning
Event Submitted/Written: 01/22/2008 11:10:42 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type6402 / Warning
Event Submitted/Written: 01/22/2008 09:21:26 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type6400 / Warning
Event Submitted/Written: 01/22/2008 08:26:49 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type6399 / Warning
Event Submitted/Written: 01/22/2008 07:59:31 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type6398 / Warning
Event Submitted/Written: 01/22/2008 07:43:56 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.



-- End of Deckard's System Scanner: finished at 2008-01-22 23:56:35 ------------

Then the main:

Deckard's System Scanner v20071014.68
Run by secours on 2008-01-22 23:54:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-22 22:54:53 UTC - RP1 - Point de vérification système


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as secours.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:55:58, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\secours\Bureau\eradication trojan\dss.exe
C:\DOCUME~1\secours\Bureau\ERADIC~1\HIJACK~1\secours.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://meteo81.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O24 - Desktop Component 0: (no name) - http://www.meteox.com/images.aspx?jaar= ... 0071051523
O24 - Desktop Component 1: (no name) - http://www.sat24.com/images.php?country=fr&rnd=59987
O24 - Desktop Component 2: (no name) - http://meteo81.free.fr/Observation%20St ... isplay.gif
O24 - Desktop Component 3: (no name) - http://meteoalerte.com/france/france.gif?1199700314

--
End of file - 7365 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Gkm82 - c:\windows\system32\drivers\gkm82.sys
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not>

S1 smtpdrv - c:\windows\system32\drivers\smtpdrv.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not>
R2 Apple Mobile Device - "c:\program files\fichiers communs\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not>
R2 CobBMService (Cobian Backup 8 service) - c:\program files\cobian backup 8\cbservice.exe <Not>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-21 21:24:30 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-22 and 2008-01-22 -----------------------------

2008-01-22 21:08:00 0 d-------- C:\WINDOWS\report
2008-01-22 21:07:21 0 d-------- C:\WINDOWS\AU_Backup
2008-01-22 21:07:20 1163344 --a------ C:\WINDOWS\vsapi32.dll <Not>
2008-01-22 21:07:20 267845 --a------ C:\WINDOWS\tsc.exe <Not>
2008-01-22 21:07:20 71749 --a------ C:\WINDOWS\hcextoutput.dll
2008-01-22 21:07:20 86094 --a------ C:\WINDOWS\BPMNT.dll <Not>
2008-01-22 20:59:44 0 d-------- C:\WINDOWS\AU_Temp
2008-01-22 20:59:44 0 d-------- C:\WINDOWS\AU_Log
2008-01-22 20:59:41 507904 --a------ C:\WINDOWS\TMUPDATE.DLL <Not>
2008-01-22 20:59:40 69689 --a------ C:\WINDOWS\UNZIP.DLL <Not>
2008-01-22 20:59:40 286720 --a------ C:\WINDOWS\PATCH.EXE <Not>
2008-01-22 16:11:06 0 d-------- C:\Program Files\ToniArts
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression
2008-01-22 10:55:41 0 dr-h----- C:\Documents and Settings\Administrateur\SendTo
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Recent
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Modèles
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Mes documents
2008-01-22 10:55:41 0 dr------- C:\Documents and Settings\Administrateur\Menu Démarrer
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Local Settings
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Favoris
2008-01-22 10:55:41 0 d---s---- C:\Documents and Settings\Administrateur\Cookies
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Bureau
2008-01-22 10:55:41 0 dr-h----- C:\Documents and Settings\Administrateur\Application Data
2008-01-22 10:55:41 0 d---s---- C:\Documents and Settings\Administrateur\Application Data\Microsoft
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Application Data\Macromedia
2008-01-22 10:55:40 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage réseau
2008-01-22 10:55:40 786432 --ah----- C:\Documents and Settings\Administrateur\NTUSER.DAT
2008-01-22 10:49:34 0 d-------- C:\Program Files\Avira
2008-01-22 10:49:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-21 17:55:10 0 d-------- C:\Documents and Settings\secours\Application Data\Grisoft
2008-01-21 17:54:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-21 17:44:03 25984 --a------ C:\WINDOWS\system32\drivers\Gkm82.sys
2008-01-09 11:33:33 0 d-------- C:\Program Files\Fichiers communs\DirectX
2008-01-07 19:36:22 143360 -----n--- C:\WINDOWS\system32\RALMain.dll <Not>
2008-01-07 19:36:22 32768 -----n--- C:\WINDOWS\system32\MLPagAx.dll <Not>
2008-01-07 19:36:22 14604 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not>
2008-01-07 19:36:22 450641 -----n--- C:\WINDOWS\system32\DiskIO.dll <Not>
2008-01-07 19:36:22 32838 -----n--- C:\WINDOWS\system32\Cachex.dll <Not>
2008-01-07 19:36:20 61440 -----n--- C:\WINDOWS\system32\pclepim1.dll <Not>
2008-01-07 19:36:20 49152 -----n--- C:\WINDOWS\system32\PCLEGetGuid.dll <Not>
2008-01-07 19:36:20 138752 -----n--- C:\WINDOWS\system32\Mase32.dll
2008-01-07 19:36:20 57856 -----n--- C:\WINDOWS\system32\Masd32.dll
2008-01-07 19:36:20 136192 -----n--- C:\WINDOWS\system32\Mamc32.dll <Not>
2008-01-07 19:36:20 196096 -----n--- C:\WINDOWS\system32\Macd32.dll <Not>
2008-01-07 19:36:20 27648 -----n--- C:\WINDOWS\system32\Ma32.dll


-- Find3M Report ---------------------------------------------------------------

2008-01-22 16:11:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-22 08:44:01 0 d-------- C:\Documents and Settings\secours\Application Data\U3
2008-01-21 19:23:16 0 d-------- C:\Documents and Settings\secours\Application Data\Creative
2008-01-17 16:53:36 79280 --a------ C:\Documents and Settings\secours\Application Data\GDIPFONTCACHEV1.DAT
2008-01-09 11:33:33 0 d-------- C:\Program Files\Fichiers communs
2008-01-09 11:25:55 0 d-------- C:\Program Files\EA GAMES
2008-01-07 19:35:59 0 d-------- C:\Program Files\Pinnacle
2008-01-07 19:07:47 0 d-------- C:\Program Files\Yahoo!
2008-01-07 19:07:31 0 d-------- C:\Program Files\Weather Watcher
2008-01-07 19:07:18 0 d-------- C:\Program Files\IDM Computer Solutions
2008-01-07 19:07:15 0 d-------- C:\Documents and Settings\secours\Application Data\IDMComp
2008-01-04 13:39:44 0 d-------- C:\Documents and Settings\secours\Application Data\Canon
2007-12-20 13:42:46 0 d-------- C:\Documents and Settings\secours\Application Data\Bassic Technologies
2007-12-20 13:41:55 0 d-------- C:\Program Files\Bassic Technologies
2007-12-20 12:51:51 458230 --a------ C:\WINDOWS\system32\perfh00C.dat
2007-12-20 12:51:51 71248 --a------ C:\WINDOWS\system32\perfc00C.dat
2007-12-13 23:04:26 0 d-------- C:\Documents and Settings\secours\Application Data\MSN6
2007-12-02 15:51:04 0 d-------- C:\Documents and Settings\secours\Application Data\OpenOffice.org2
2007-11-25 00:08:42 0 d-------- C:\Program Files\Fichiers communs\Adobe
2007-10-30 21:20:44 724992 --a------ C:\WINDOWS\iun6002.exe <Not>
2007-10-30 18:28:55 533 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [18/06/2004 09:31 C:\WINDOWS\SOUNDMAN.EXE]
"PD0620 STISvc"="P0620Pin.dll" [10/05/2005 18:03 C:\WINDOWS\system32\P0620Pin.dll]
"pdfFactory Pro Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [26/09/2006 21:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"Cobian Backup 8 interface"="C:\Program Files\Cobian Backup 8\cbInterface.exe" [27/09/2007 11:37]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [15/09/2007 09:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [22/01/2008 10:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/06/2007 05:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [15/04/2007 16:14]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 12:55]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
Pinnacle Scheduler.lnk - C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe [07/01/2008 19:36:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gkm82.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Outil de mise à jour Google.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Outil de mise à jour Google.lnk
backup=C:\WINDOWS\pss\Outil de mise à jour Google.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^secours^Menu Démarrer^Programmes^Démarrage^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\secours\Menu Démarrer\Programmes\Démarrage\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^secours^Menu Démarrer^Programmes^Démarrage^TribalWeb.lnk]
path=C:\Documents and Settings\secours\Menu Démarrer\Programmes\Démarrage\TribalWeb.lnk
backup=C:\WINDOWS\pss\TribalWeb.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Packard Bell Data Secure]
C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
"C:\Program Files\Vidalia\vidalia.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03a5f80-a355-11dc-9067-806d6172696f}]
AutoRun\command- J:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-01-22 23:56:35 ------------"

Thanks for your help,

P.F
kekess

Posts: 6
Joined: 22 Jan 2008, 19:33
Location: Castres (81)

Post by kekess » 23 Jan 2008, 08:58

Hello and thanks for the quick reply,

Indeed, the infected file is C:\Windows\system32\drivers\smtpdrv.sys (sorry :oops: )

Here are my reports; I got ahead of things and ran them last night...

First the Extra:

"Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professionnel (build 2600) SP 2.0
Architecture: X86; Language: French

CPU 0: AMD Athlon(tm) 64 Processor 3000+
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 1023.48 MiB / 511.37 MiB
Pagefile Memory (total/avail): 2460 MiB / 2068.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.5 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 127.99 GiB total, 107.33 GiB free.
D: is Fixed (NTFS) - 114.49 GiB total, 23.12 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is Fixed (NTFS) - 298.09 GiB total, 91.12 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6L200P0 - 189.92 GiB - 1 partition
\PARTITION0 (bootable) - Système de fichiers installable - 127.99 GiB - C:

\\.\PHYSICALDRIVE1 - Maxtor 6Y120P0 - 114.49 GiB - 1 partition
\PARTITION0 (bootable) - Système de fichiers installable - 114.49 GiB - D:

\\.\PHYSICALDRIVE2 - Ext Hard Disk USB Device - 298.09 GiB - 1 partition
\PARTITION0 - Système de fichiers installable - 298.09 GiB - I:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer is in an unknown state.
Windows Internal Firewall is enabled.

AV: Avira AntiVir PersonalEdition v 7.0.2.26
(Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Perl\\bin\\perl.exe"="C:\\Perl\\bin\\perl.exe:*:Enabled:Perl Command Line Interpreter"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\Webcamfirst\\WF_FTP.exe"="C:\\Program Files\\Webcamfirst\\WF_FTP.exe:*:Enabled:WF FTP"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\Visicom Media\\FTP Expert 3\\ftpxpert3.exe"="C:\\Program Files\\Visicom Media\\FTP Expert 3\\ftpxpert3.exe:*:Enabled:AceFTP v3"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TribalWeb\\tribalweb.exe"="C:\\Program Files\\TribalWeb\\tribalweb.exe:*:Enabled:tribalweb"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"="C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Team17\\Worms World Party\\wwp.exe"="C:\\Team17\\Worms World Party\\wwp.exe:*:Enabled:Worms World Party"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"="C:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe:*:Enabled:speed2"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\secours\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Fichiers communs
COMPUTERNAME=DOMICILE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\secours
LOGONSERVER=\\DOMICILE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=c:\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\secours\LOCALS~1\Temp
TMP=C:\DOCUME~1\secours\LOCALS~1\Temp
USERDOMAIN=DOMICILE
USERNAME=secours
USERPROFILE=C:\Documents and Settings\secours
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

secours (admin)
Administrateur (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Fichiers communs\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\UNIN040C.EXE -f"C:\Program Files\Adobe\Illustrator 8.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Illustrator 8.0\Uninst.dll"
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D0803DB-8FC8-4C97-AE1F-1C3DCA357B01}\setup.exe" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80426743-0CC7-4967-BFEC-10DE08D1B6F3}\setup.exe" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80426743-0CC7-4967-BFEC-10DE08D1B6F3}\setup.exe" -l0x40c /remove
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x40c
--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x40c
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACE Mega CoDecS Pack --> "C:\Program Files\ACE Mega CoDecS Pack\unins000.exe"
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUN040C.EXE -f"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.1 - Français --> MsiExec.exe /I{AC76BA86-7AD7-1036-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Anti-Blaxx 1.16 --> "C:\Program Files\Anti-Blaxx\unins000.exe"
AnyScreenToVideo --> C:\PROGRA~1\ANYSCR~1\UNWISE.EXE C:\PROGRA~1\ANYSCR~1\INSTALL.LOG
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Archiveur WinRAR --> C:\Program Files\WinRAR\uninstall.exe
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x40c
Art Plus Calendar Designer LE 2.0.2 --> "C:\Program Files\Common Files\Art Plus Uninstall\apuinst3.exe" "C:\Program Files\Art Plus\CalDsgn\CalDsgn.ui3"
ATI - Utilitaire de désinstallation du logiciel --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.4 --> "C:\Program Files\Audacity\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Avira AntiVir PersonalEdition Classic --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Battlefield 1942 --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x40c
Call of Duty(R) 2 --> C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374}
Canon MP Navigator 2.0 --> "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 2.0\uninst.ini
Canon MP150 --> "C:\WINDOWS\system32\CanonMP Uninstaller Information\{CA9A3609-3ECC-4574-8824-A8161A71A603}\DelDrv.exe" /U:{CA9A3609-3ECC-4574-8824-A8161A71A603} /L0x000c
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Clic d'Api N°9 --> C:\PROGRA~1\ClicApi9\UNWISE.EXE C:\PROGRA~1\ClicApi9\INSTALL.LOG
Cobian Backup 8 --> C:\Program Files\Cobian Backup 8\cbUninstall.exe
Creative Photo Manager --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x40c /remove
Creative WebCam Center --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x40c /remove
Creative WebCam Instant Driver (1.03.02.0425) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script PD0620.uns -unsext NT -plugin P0620Pin.dll -pluginres CtCamPin.crl
DesertCombat 0.6F --> C:\WINDOWS\iun6002.exe "C:\Program Files\EA GAMES\Battlefield 1942\irunin.ini"
DFX for RealNetworks --> MsiExec.exe /I{4fdc0019-01b3-4435-b7c5-3312d7e6419c}
Easy-WebPrint --> C:\WINDOWS\IsUn040c.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EasyBarcodelabelPro --> "C:\Program Files\Easybarcodeprosha\unins000.exe"
EasyCleaner --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
EasyPHP 1.8 --> "C:\Program Files\EasyPHP1-8\unins000.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Enregistrement du produit WebCam Instant --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x40c /remove
FTP Expert 3 --> "C:\Program Files\Visicom Media\FTP Expert 3\uninst-ftp.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Documents and Settings\secours\Bureau\eradication trojan\HiJackThis\HijackThis.exe" /uninstall
IncrediMail Xe --> C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:IncrediMail /log:IncMail.log
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Jasc Animation Shop 3 --> MsiExec.exe /I{7C4196CA-CA41-4F34-9C08-7724E7705D52}
Jasc Paint Shop Pro 9 --> MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K!TV --> C:\Program Files\K!TV\UninstKTV.exe
L&H TTS3000 Français --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSFRF.inf, Uninstall
Macromedia Dreamweaver 8 --> MsiExec.exe /I{5FD788ED-1A37-4496-9BDD-463F493B27FA}
Macromedia Extension Manager --> MsiExec.exe /I{3C8C9FB3-5FDF-40B4-B314-EAD722728C76}
Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x40c UNINSTALL
Manuel d'utilisation de Creative WebCam Instant (Français) --> C:\WINDOWS\IsUn040c.exe -f"C:\Program Files\Creative\Creative WebCam Instant\Manuel d'utilisation de Creative WebCam Instant\French\CTManual.isu"
MeuhMeuhTV (désinstallation uniquement) --> C:\Program Files\MeuhMeuhTV\UninstMMTV.exe
Microsoft Office XP Professional avec FrontPage --> MsiExec.exe /I{9028040C-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
MixMeister BPM Analyzer 1.0 --> "C:\Program Files\MixMeister BPM Analyzer\unins000.exe"
Mozilla Firefox (2.0.0.11) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Need for Speed Underground 2 --> C:\Program Files\EA GAMES\Need for Speed Underground 2\EAUninstall.exe
Nero Suite --> C:\Program Files\Fichiers communs\Ahead\Uninstall\Setup.exe /uninstall
OmniPage SE 2.0 --> MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
Online Radio Tuner Standard Edition --> MsiExec.exe /I{87F3614D-1A12-4440-B39D-807C1F3A7CA3}
OpenOffice.org 2.0 --> MsiExec.exe /I{752783F5-0CFC-44C3-9E1F-CAF17C4508E7}
Outil de mise à jour Google --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
pdfFactory Pro --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppinst3.exe /uninstall
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pinnacle PCTV --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C02ED4F-46B0-4E9E-87F7-47AEBA4031C8}\Setup.exe" -l0x40c -L0x40c UNINSTALL
PowerProducer --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Fichiers communs\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rename-It! --> C:\Program Files\Rename-It!\Uninst.exe
Shareaza version 2.2.1.0 --> "C:\Program Files\Shareaza\Uninstall\unins000.exe"
SightSpeed (remove only) --> "C:\Program Files\SightSpeed\uninst.exe"
Sony Ericsson PC Suite --> MsiExec.exe /I{50F90522-2ACE-434E-9987-F42A5F06208F}
SWiSH v2.01 FRA --> C:\WINDOWS\unvise32.exe C:\Program Files\SWiSH v2.01 FRA\uninstal.log
TestLAB 2003 Express --> "C:\Program Files\TestLAB 2003 Express\unins000.exe"
Torino 2006 --> "C:\Program Files\2K Sports\Torino 2006\setup.exe" -u
TribalWeb 2.41 --> "C:\Program Files\TribalWeb\unins000.exe"
Utilitaire Effets vidéos avancés --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D0803DB-8FC8-4C97-AE1F-1C3DCA357B01}\setup.exe" -l0x40c /remove
Vidalia 0.0.11 --> "C:\Program Files\Vidalia\uninstall.exe"
Virtua Tennis --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EADF648F-1711-11D6-AFAD-0040052179B6}\setup.exe"
Virtual DJ - Atomix Productions --> C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
Webcamfirst 3.1.8 --> "C:\Program Files\Webcamfirst\uninstall.exe"
Windows Live Messenger --> MsiExec.exe /I{F6326B60-1B1D-4ABF-BFCD-7B7404F44411}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Worms World Party --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A200E68-D5F4-4E70-910F-2871753A0E2B}\setup.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type4747 / Warning
Event Submitted/Written: 01/22/2008 07:42:33 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Pandex.L.2'
in the file
C:\WINDOWS\system32\drivers\smtpdrv.sys

Event Record #/Type4746 / Warning
Event Submitted/Written: 01/22/2008 07:41:46 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'WORM/Ntech.Z.4'
in the file
C:\WINDOWS\Temp\BN7.tmp

Event Record #/Type4649 / Success
Event Submitted/Written: 01/22/2008 07:41:05 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4642 / Warning
Event Submitted/Written: 01/22/2008 04:19:30 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Pandex.L.2'
in the file
C:\WINDOWS\system32\drivers\smtpdrv.sys

Event Record #/Type4641 / Warning
Event Submitted/Written: 01/22/2008 04:19:11 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'WORM/Ntech.Z.4'
in the file
C:\WINDOWS\Temp\BN8.tmp



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6403 / Warning
Event Submitted/Written: 01/22/2008 11:10:42 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type6402 / Warning
Event Submitted/Written: 01/22/2008 09:21:26 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type6400 / Warning
Event Submitted/Written: 01/22/2008 08:26:49 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type6399 / Warning
Event Submitted/Written: 01/22/2008 07:59:31 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type6398 / Warning
Event Submitted/Written: 01/22/2008 07:43:56 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.



-- End of Deckard's System Scanner: finished at 2008-01-22 23:56:35 ------------"

Then the Main:

"Deckard's System Scanner v20071014.68
Run by secours on 2008-01-22 23:54:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-22 22:54:53 UTC - RP1 - Point de vérification système


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as secours.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:55:58, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\secours\Bureau\eradication trojan\dss.exe
C:\DOCUME~1\secours\Bureau\ERADIC~1\HIJACK~1\secours.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://meteo81.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O24 - Desktop Component 0: (no name) - http://www.meteox.com/images.aspx?jaar= ... 0071051523
O24 - Desktop Component 1: (no name) - http://www.sat24.com/images.php?country=fr&rnd=59987
O24 - Desktop Component 2: (no name) - http://meteo81.free.fr/Observation%20St ... isplay.gif
O24 - Desktop Component 3: (no name) - http://meteoalerte.com/france/france.gif?1199700314

--
End of file - 7365 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Gkm82 - c:\windows\system32\drivers\gkm82.sys
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not>

S1 smtpdrv - c:\windows\system32\drivers\smtpdrv.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not>
R2 Apple Mobile Device - "c:\program files\fichiers communs\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not>
R2 CobBMService (Cobian Backup 8 service) - c:\program files\cobian backup 8\cbservice.exe <Not>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-21 21:24:30 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-22 and 2008-01-22 -----------------------------

2008-01-22 21:08:00 0 d-------- C:\WINDOWS\report
2008-01-22 21:07:21 0 d-------- C:\WINDOWS\AU_Backup
2008-01-22 21:07:20 1163344 --a------ C:\WINDOWS\vsapi32.dll <Not>
2008-01-22 21:07:20 267845 --a------ C:\WINDOWS\tsc.exe <Not>
2008-01-22 21:07:20 71749 --a------ C:\WINDOWS\hcextoutput.dll
2008-01-22 21:07:20 86094 --a------ C:\WINDOWS\BPMNT.dll <Not>
2008-01-22 20:59:44 0 d-------- C:\WINDOWS\AU_Temp
2008-01-22 20:59:44 0 d-------- C:\WINDOWS\AU_Log
2008-01-22 20:59:41 507904 --a------ C:\WINDOWS\TMUPDATE.DLL <Not>
2008-01-22 20:59:40 69689 --a------ C:\WINDOWS\UNZIP.DLL <Not>
2008-01-22 20:59:40 286720 --a------ C:\WINDOWS\PATCH.EXE <Not>
2008-01-22 16:11:06 0 d-------- C:\Program Files\ToniArts
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression
2008-01-22 10:55:41 0 dr-h----- C:\Documents and Settings\Administrateur\SendTo
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Recent
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Modèles
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Mes documents
2008-01-22 10:55:41 0 dr------- C:\Documents and Settings\Administrateur\Menu Démarrer
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Local Settings
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Favoris
2008-01-22 10:55:41 0 d---s---- C:\Documents and Settings\Administrateur\Cookies
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Bureau
2008-01-22 10:55:41 0 dr-h----- C:\Documents and Settings\Administrateur\Application Data
2008-01-22 10:55:41 0 d---s---- C:\Documents and Settings\Administrateur\Application Data\Microsoft
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Application Data\Macromedia
2008-01-22 10:55:40 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage réseau
2008-01-22 10:55:40 786432 --ah----- C:\Documents and Settings\Administrateur\NTUSER.DAT
2008-01-22 10:49:34 0 d-------- C:\Program Files\Avira
2008-01-22 10:49:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-21 17:55:10 0 d-------- C:\Documents and Settings\secours\Application Data\Grisoft
2008-01-21 17:54:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-21 17:44:03 25984 --a------ C:\WINDOWS\system32\drivers\Gkm82.sys
2008-01-09 11:33:33 0 d-------- C:\Program Files\Fichiers communs\DirectX
2008-01-07 19:36:22 143360 -----n--- C:\WINDOWS\system32\RALMain.dll <Not>
2008-01-07 19:36:22 32768 -----n--- C:\WINDOWS\system32\MLPagAx.dll <Not>
2008-01-07 19:36:22 14604 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not>
2008-01-07 19:36:22 450641 -----n--- C:\WINDOWS\system32\DiskIO.dll <Not>
2008-01-07 19:36:22 32838 -----n--- C:\WINDOWS\system32\Cachex.dll <Not>
2008-01-07 19:36:20 61440 -----n--- C:\WINDOWS\system32\pclepim1.dll <Not>
2008-01-07 19:36:20 49152 -----n--- C:\WINDOWS\system32\PCLEGetGuid.dll <Not>
2008-01-07 19:36:20 138752 -----n--- C:\WINDOWS\system32\Mase32.dll
2008-01-07 19:36:20 57856 -----n--- C:\WINDOWS\system32\Masd32.dll
2008-01-07 19:36:20 136192 -----n--- C:\WINDOWS\system32\Mamc32.dll <Not>
2008-01-07 19:36:20 196096 -----n--- C:\WINDOWS\system32\Macd32.dll <Not>
2008-01-07 19:36:20 27648 -----n--- C:\WINDOWS\system32\Ma32.dll


-- Find3M Report ---------------------------------------------------------------

2008-01-22 16:11:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-22 08:44:01 0 d-------- C:\Documents and Settings\secours\Application Data\U3
2008-01-21 19:23:16 0 d-------- C:\Documents and Settings\secours\Application Data\Creative
2008-01-17 16:53:36 79280 --a------ C:\Documents and Settings\secours\Application Data\GDIPFONTCACHEV1.DAT
2008-01-09 11:33:33 0 d-------- C:\Program Files\Fichiers communs
2008-01-09 11:25:55 0 d-------- C:\Program Files\EA GAMES
2008-01-07 19:35:59 0 d-------- C:\Program Files\Pinnacle
2008-01-07 19:07:47 0 d-------- C:\Program Files\Yahoo!
2008-01-07 19:07:31 0 d-------- C:\Program Files\Weather Watcher
2008-01-07 19:07:18 0 d-------- C:\Program Files\IDM Computer Solutions
2008-01-07 19:07:15 0 d-------- C:\Documents and Settings\secours\Application Data\IDMComp
2008-01-04 13:39:44 0 d-------- C:\Documents and Settings\secours\Application Data\Canon
2007-12-20 13:42:46 0 d-------- C:\Documents and Settings\secours\Application Data\Bassic Technologies
2007-12-20 13:41:55 0 d-------- C:\Program Files\Bassic Technologies
2007-12-20 12:51:51 458230 --a------ C:\WINDOWS\system32\perfh00C.dat
2007-12-20 12:51:51 71248 --a------ C:\WINDOWS\system32\perfc00C.dat
2007-12-13 23:04:26 0 d-------- C:\Documents and Settings\secours\Application Data\MSN6
2007-12-02 15:51:04 0 d-------- C:\Documents and Settings\secours\Application Data\OpenOffice.org2
2007-11-25 00:08:42 0 d-------- C:\Program Files\Fichiers communs\Adobe
2007-10-30 21:20:44 724992 --a------ C:\WINDOWS\iun6002.exe <Not>
2007-10-30 18:28:55 533 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [18/06/2004 09:31 C:\WINDOWS\SOUNDMAN.EXE]
"PD0620 STISvc"="P0620Pin.dll" [10/05/2005 18:03 C:\WINDOWS\system32\P0620Pin.dll]
"pdfFactory Pro Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [26/09/2006 21:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"Cobian Backup 8 interface"="C:\Program Files\Cobian Backup 8\cbInterface.exe" [27/09/2007 11:37]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [15/09/2007 09:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [22/01/2008 10:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/06/2007 05:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [15/04/2007 16:14]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 12:55]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
Pinnacle Scheduler.lnk - C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe [07/01/2008 19:36:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gkm82.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Outil de mise à jour Google.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Outil de mise à jour Google.lnk
backup=C:\WINDOWS\pss\Outil de mise à jour Google.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^secours^Menu Démarrer^Programmes^Démarrage^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\secours\Menu Démarrer\Programmes\Démarrage\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^secours^Menu Démarrer^Programmes^Démarrage^TribalWeb.lnk]
path=C:\Documents and Settings\secours\Menu Démarrer\Programmes\Démarrage\TribalWeb.lnk
backup=C:\WINDOWS\pss\TribalWeb.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Packard Bell Data Secure]
C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
"C:\Program Files\Vidalia\vidalia.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03a5f80-a355-11dc-9067-806d6172696f}]
AutoRun\command- J:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-01-22 23:56:35 ------------"

Thanks for your help,

P.F
kekess

Posts: 6
Joined: 22 Jan 2008, 19:33
Location: Castres (81)

Post by kekess » 26 Jan 2008, 01:13

Good evening,

I'm bumping this because I no longer know what to do! I have even received a message from my ISP threatening to suspend my account because they have received complaints from people who got messages coming from my PC... Help!

Thank you for taking my message into account

P.F
kekess

Post by nickW » 26 Jan 2008, 01:13

Good evening,

Cleanup:

Given the length of the procedure, I advise you to print it, to save the page as an HTML file (the best solution), or to select all its lines and copy that selection into a text file on your PC (Note: you will not have Internet access from Step 3 onwards).
All the steps must be carried out, without interruption, in the exact order given below.
If anything seems unclear, ask for explanations before starting the disinfection.


Note: These operations must be carried out while logged on with "Administrator rights" (do not use the user profile named "Administrateur" that is visible in Safe Mode).
Under Windows XP, to check whether an account has "Administrator" rights:
Start---->Settings---->Control Panel---->User Accounts
Next to the icon of certain accounts (other than the one named "Administrateur"), it says "Computer administrator"
It is one of these accounts that must be used in Safe Mode.



Step 1: The Avenger (by Swandog46), download
Download The Avenger from http://swandog46.geekstogo.com/avenger.zip
Save this file to the Desktop.
Extract the file avenger.exe from the Avenger.zip archive and place it on the Desktop.


Step 2: Creating the file tuer-pandex.txt
Copy/paste the lines below (in the "Code" box) into Notepad.
In Notepad, check (in the Format menu) that "Word Wrap" is not active (not ticked).
Save the file to the Desktop under the name tuer-pandex.txt

Code:
Drivers to unload:
smtpdrv

Files to delete:
c:\windows\system32\drivers\smtpdrv.sys


Note: The code above was created exclusively for THIS user.
If you are not THIS user, do not use it: it could damage your system.



Step 3: The Avenger (by Swandog46), execution
Close all program windows (the PC is going to reboot).
Launch The Avenger by clicking its icon on the Desktop.
Click OK on the warning message.
Under "Script file to execute" choose "Load script from file:".
Then click the button showing a yellow folder, which opens a new "Open script file" window
In that window, navigate to the Desktop and select (double-click) the file tuer-pandex.txt
Then click the button showing a green light to start running the script.
Answer "Oui/Yes" twice when asked.
There will be one or two reboots (with a brief appearance of a black command window).
When it finishes, the report will be displayed in Notepad.
Close Notepad.


Step 4: Deckard's System Scanner (DSS) (by Deckard)
Close all open program windows.
Double-click dss.exe on the Desktop to install and run the tool.

Click OK when prompted (1 to 3 times).
When the tool has finished scanning, one or two Notepad windows will open showing the report(s):
main.txt <- opened in a full-screen window
extra.txt <- opened in a minimized window (this file is not created every time)
Close this (these two) Notepad window(s).


Étape 5: Résultats
Envoyer en réponse:
*- le rapport de The Avenger (contenu du fichier C:\avenger.txt)
*- le rapport principal de Deckard's System Scanner (contenu du fichier main.txt situé dans le dossier C:\Deckard\System Scanner).

To be continued,
nickW
Moderator
Posts: 21698
Joined: 20 May 2004, 17:41
Location: Dordogne/Île de France
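Added example, not part of nickW's post nor of The Avenger itself: a small Python parser for the report The Avenger writes to C:\avenger.txt, which checks whether each driver unload and file deletion in the script actually succeeded and names the NT status code on a failure, so a helper can tell "already gone" from "still there" before moving on. The embedded sample report is constructed in the shape of the report quoted later in this thread; the line patterns, and in particular the shape of a successful-deletion line, are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shaped like the Avenger report quoted later in this thread.
SAMPLE_REPORT = r"""Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ojjkbexc
*******************
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

Driver smtpdrv unloaded successfully.

File c:\windows\system32\drivers\smtpdrv.sys not found!
Deletion of file c:\windows\system32\drivers\smtpdrv.sys failed!

Could not process line:
c:\windows\system32\drivers\smtpdrv.sys
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
"""

# 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND: the file was not there, which in a
# cleanup run usually means an earlier tool already removed it. Other codes are bare.
STATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# Line shapes taken from the report quoted in the thread. The success line for a
# deletion is an assumed shape: no successful deletion appears on this page.
UNLOAD_OK = re.compile(r"^Driver (\S+) unloaded successfully\.$")
DELETE_OK = re.compile(r"^File (.+) deleted successfully\.$")
DELETE_FAIL = re.compile(r"^Deletion of file (.+) failed!$")
STATUS = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")


@dataclass
class Action:
    kind: str                     # "driver_unload" or "file_delete"
    target: str                   # driver name or file path
    success: bool
    status: Optional[int] = None  # NT status code reported for a failure


def parse_report(text: str) -> List[Action]:
    """Return one Action per script entry the tool reported on, in order."""
    actions: List[Action] = []
    for line in text.splitlines():
        line = line.strip()
        if m := UNLOAD_OK.match(line):
            actions.append(Action("driver_unload", m.group(1), True))
        elif m := DELETE_OK.match(line):
            actions.append(Action("file_delete", m.group(1), True))
        elif m := DELETE_FAIL.match(line):
            actions.append(Action("file_delete", m.group(1), False))
        elif (m := STATUS.match(line)) and actions and not actions[-1].success:
            actions[-1].status = int(m.group(1), 16)  # belongs to the last failure
    return actions


def script_completed(text: str) -> bool:
    """True when the report shows the script was read and processed to the end."""
    return ("Script file read successfully" in text
            and "Completed script processing." in text)


def describe_status(code: Optional[int]) -> str:
    if code is None:
        return "no status code"
    return STATUS_NAMES.get(code, f"0x{code:08X}")


def summarize(text: str) -> List[str]:
    """One readable line per action, to check the report against the script."""
    lines = []
    for a in parse_report(text):
        verdict = "OK" if a.success else f"FAILED ({describe_status(a.status)})"
        lines.append(f"{a.kind:13} {a.target}: {verdict}")
    if not script_completed(text):
        lines.append("WARNING: the script did not run to completion")
    return lines
```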

Post by kekess » 26 Jan 2008, 01:40

Thank you for this extremely quick reply!

There, I have carried out the requested operations. Antivir still reports, at startup, the presence of Worm/ntechz4 and TR/Pandex. My Zone Alarm firewall constantly reports connection requests from "svchost.exe", and I systematically refuse them.

Here are the reports:


Avenger


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ojjkbexc

*******************

Script file located at: \??\C:\jtmvwvkt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver smtpdrv unloaded successfully.


File c:\windows\system32\drivers\smtpdrv.sys not found!
Deletion of file c:\windows\system32\drivers\smtpdrv.sys failed!

Could not process line:
c:\windows\system32\drivers\smtpdrv.sys
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Deckard's

Deckard's System Scanner v20071014.68
Run by secours on 2008-01-26 01:34:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as secours.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:34:21, on 26/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Hercules\WiFi Station\WifiStation.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\secours\Bureau\dss.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\secours\Bureau\ERADIC~1\HIJACK~1\secours.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://meteo81.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WiFi Station.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1206075062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://www.meteox.com/images.aspx?jaar= ... 0071051523
O24 - Desktop Component 1: (no name) - http://meteoalerte.com/france/france.gif?1199700314
O24 - Desktop Component 2: (no name) - http://meteo81.free.fr/Observation%20St ... isplay.gif
O24 - Desktop Component 3: (no name) - http://www.sat24.com/images.php?country=fr&rnd=59987

--
End of file - 7937 bytes

-- Files created between 2007-12-26 and 2008-01-26 -----------------------------

2008-01-26 00:50:20 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-26 00:50:08 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-26 00:49:57 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not>
2008-01-26 00:49:52 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-26 00:49:52 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-26 00:49:48 127008 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-26 00:49:14 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-26 00:48:40 0 d-------- C:\WINDOWS\Internet Logs
2008-01-25 10:03:14 0 d-------- C:\Program Files\XoftSpySE
2008-01-25 09:55:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-25 09:54:23 0 d-------- C:\Program Files\Lavasoft
2008-01-25 09:54:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-25 01:04:20 21419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not>
2008-01-25 01:03:31 432128 --a------ C:\WINDOWS\system32\drivers\rt73u98.sys <Not>
2008-01-25 01:03:31 429440 --a------ C:\WINDOWS\system32\drivers\rt73.sys <Not>
2008-01-25 01:03:31 2048 --a------ C:\WINDOWS\system32\drivers\rt73.bin
2008-01-25 01:03:31 242816 --a------ C:\WINDOWS\system32\drivers\rt25u98.sys <Not>
2008-01-25 01:03:31 240384 --a------ C:\WINDOWS\system32\drivers\rt2500usb.sys <Not>
2008-01-25 01:03:30 0 d-------- C:\Program Files\Hercules
2008-01-25 01:02:56 0 d-------- C:\Documents and Settings\secours\Application Data\InstallShield
2008-01-24 23:56:53 0 d-------- C:\WINDOWS\system32\fr-fr
2008-01-24 23:53:53 0 d--h----- C:\WINDOWS\$hf_mig$
2008-01-23 23:05:56 0 d-------- C:\Program Files\Navilog1
2008-01-23 18:43:42 3120 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-23 18:43:16 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-23 18:43:16 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not>
2008-01-23 18:43:16 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not>
2008-01-23 18:43:16 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not>
2008-01-23 18:43:16 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-22 21:08:00 0 d-------- C:\WINDOWS\report
2008-01-22 21:07:21 0 d-------- C:\WINDOWS\AU_Backup
2008-01-22 21:07:20 1163344 --a------ C:\WINDOWS\vsapi32.dll <Not>
2008-01-22 21:07:20 267845 --a------ C:\WINDOWS\tsc.exe <Not>
2008-01-22 21:07:20 71749 --a------ C:\WINDOWS\hcextoutput.dll
2008-01-22 21:07:20 86094 --a------ C:\WINDOWS\BPMNT.dll <Not>
2008-01-22 20:59:44 0 d-------- C:\WINDOWS\AU_Temp
2008-01-22 20:59:44 0 d-------- C:\WINDOWS\AU_Log
2008-01-22 20:59:41 507904 --a------ C:\WINDOWS\TMUPDATE.DLL <Not>
2008-01-22 20:59:40 69689 --a------ C:\WINDOWS\UNZIP.DLL <Not>
2008-01-22 20:59:40 286720 --a------ C:\WINDOWS\PATCH.EXE <Not>
2008-01-22 16:11:06 0 d-------- C:\Program Files\ToniArts
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression
2008-01-22 10:55:41 0 dr-h----- C:\Documents and Settings\Administrateur\SendTo
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Recent
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Modèles
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Mes documents
2008-01-22 10:55:41 0 dr------- C:\Documents and Settings\Administrateur\Menu Démarrer
2008-01-22 10:55:41 0 d--h----- C:\Documents and Settings\Administrateur\Local Settings
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Favoris
2008-01-22 10:55:41 0 d---s---- C:\Documents and Settings\Administrateur\Cookies
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Bureau
2008-01-22 10:55:41 0 dr-h----- C:\Documents and Settings\Administrateur\Application Data
2008-01-22 10:55:41 0 d---s---- C:\Documents and Settings\Administrateur\Application Data\Microsoft
2008-01-22 10:55:41 0 d-------- C:\Documents and Settings\Administrateur\Application Data\Macromedia
2008-01-22 10:55:40 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage réseau
2008-01-22 10:55:40 786432 --ah----- C:\Documents and Settings\Administrateur\NTUSER.DAT
2008-01-22 10:49:34 0 d-------- C:\Program Files\Avira
2008-01-22 10:49:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-21 17:55:10 0 d-------- C:\Documents and Settings\secours\Application Data\Grisoft
2008-01-21 17:54:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-21 17:44:03 25984 --a------ C:\WINDOWS\system32\drivers\Gkm82.sys
2008-01-09 11:33:33 0 d-------- C:\Program Files\Fichiers communs\DirectX
2008-01-07 19:36:22 143360 -----n--- C:\WINDOWS\system32\RALMain.dll <Not>
2008-01-07 19:36:22 32768 -----n--- C:\WINDOWS\system32\MLPagAx.dll <Not>
2008-01-07 19:36:22 14604 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not>
2008-01-07 19:36:22 450641 -----n--- C:\WINDOWS\system32\DiskIO.dll <Not>
2008-01-07 19:36:22 32838 -----n--- C:\WINDOWS\system32\Cachex.dll <Not>
2008-01-07 19:36:20 61440 -----n--- C:\WINDOWS\system32\pclepim1.dll <Not>
2008-01-07 19:36:20 49152 -----n--- C:\WINDOWS\system32\PCLEGetGuid.dll <Not>
2008-01-07 19:36:20 138752 -----n--- C:\WINDOWS\system32\Mase32.dll
2008-01-07 19:36:20 57856 -----n--- C:\WINDOWS\system32\Masd32.dll
2008-01-07 19:36:20 136192 -----n--- C:\WINDOWS\system32\Mamc32.dll <Not>
2008-01-07 19:36:20 196096 -----n--- C:\WINDOWS\system32\Macd32.dll <Not>
2008-01-07 19:36:20 27648 -----n--- C:\WINDOWS\system32\Ma32.dll


-- Find3M Report ---------------------------------------------------------------

2008-01-25 18:46:16 0 d-------- C:\Documents and Settings\secours\Application Data\Canon
2008-01-25 13:26:16 79672 --a------ C:\Documents and Settings\secours\Application Data\GDIPFONTCACHEV1.DAT
2008-01-25 09:54:07 0 d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-01-25 01:05:13 458230 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-01-25 01:05:13 71248 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-01-25 01:03:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-24 17:47:26 0 d-------- C:\Documents and Settings\secours\Application Data\U3
2008-01-21 19:23:16 0 d-------- C:\Documents and Settings\secours\Application Data\Creative
2008-01-09 11:33:33 0 d-------- C:\Program Files\Fichiers communs
2008-01-09 11:25:55 0 d-------- C:\Program Files\EA GAMES
2008-01-07 19:35:59 0 d-------- C:\Program Files\Pinnacle
2008-01-07 19:07:31 0 d-------- C:\Program Files\Weather Watcher
2008-01-07 19:07:15 0 d-------- C:\Documents and Settings\secours\Application Data\IDMComp
2007-12-20 13:42:46 0 d-------- C:\Documents and Settings\secours\Application Data\Bassic Technologies
2007-12-20 13:41:55 0 d-------- C:\Program Files\Bassic Technologies
2007-12-13 23:04:26 0 d-------- C:\Documents and Settings\secours\Application Data\MSN6
2007-12-02 15:51:04 0 d-------- C:\Documents and Settings\secours\Application Data\OpenOffice.org2
2007-10-30 21:20:44 724992 --a------ C:\WINDOWS\iun6002.exe <Not>
2007-10-30 18:28:55 533 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [18/06/2004 09:31 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"Cobian Backup 8 interface"="C:\Program Files\Cobian Backup 8\cbInterface.exe" [27/09/2007 11:37]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [22/01/2008 10:52]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [19/08/2004 15:09]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/06/2007 05:24]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [21/06/2007 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [15/04/2007 16:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 15:09]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
WiFi Station.lnk - C:\Program Files\Hercules\WiFi Station\WifiStation.exe [25/01/2008 01:03:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gkm82.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Outil de mise à jour Google.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Outil de mise à jour Google.lnk
backup=C:\WINDOWS\pss\Outil de mise à jour Google.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Pinnacle Scheduler.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Pinnacle Scheduler.lnk
backup=C:\WINDOWS\pss\Pinnacle Scheduler.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^secours^Menu Démarrer^Programmes^Démarrage^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\secours\Menu Démarrer\Programmes\Démarrage\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^secours^Menu Démarrer^Programmes^Démarrage^TribalWeb.lnk]
path=C:\Documents and Settings\secours\Menu Démarrer\Programmes\Démarrage\TribalWeb.lnk
backup=C:\WINDOWS\pss\TribalWeb.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Packard Bell Data Secure]
C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
RunDLL32.exe P0620Pin.dll,RunDLL32EP 513

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v3]
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
"C:\Program Files\Vidalia\vidalia.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61c20f6d-5eb7-11dc-b764-001109a91c6c}]
Setup\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03a5f80-a355-11dc-9067-806d6172696f}]
AutoRun\command- J:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df9864fc-5ab7-11dc-b75e-001109a91c6c}]
Setup\command- setup.exe




-- End of Deckard's System Scanner: finished at 2008-01-26 01:35:05 ------------

Thanks for the analysis

P.F
kekess
Posts: 6
Joined: 22 Jan 2008, 19:33
Location: Castres (81)

Post by kekess » 26 Jan 2008, 11:54

Hello, slept well? Not me!

I have something new: here is a new window that appears at startup. Yet I don't have Vert Blaster!?

[Image]

and here are the programs blocked or not by Zone Alarm

[Image]

Thanks for your help

P.F
kekess
Posts: 6
Joined: 22 Jan 2008, 19:33
Location: Castres (81)
