Viral infection?


Post by DAFT » 16 Nov 2008, 21:28

Hello, I ran the PAD procedure.
My config is XP SP2 with ZoneAlarm 7.0.462 and Avast 4.8.

I have a PC that is slow and crashes regularly.
I could not run KAV or Housecall, so I used Panda via your link. There are still viruses!

I'm posting the Panda report, then HJT2, then Nav1:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-11-16 18:23:17
PROTECTIONS: 1
MALWARE: 10
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Zone Alarm Security Suite 7.0.462.000 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00001888 adware/dyfuca Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4}
00039703 Application/Pskill.A HackTools No 0 Yes No C:\WINDOWS\RESTORE.INS[C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE]
00039703 Application/Pskill.A HackTools No 0 Yes No C:\WINDOWS\system\RESTORE.INS[C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE]
00040474 dialer.bew Dialers No 0 Yes No c:\windows\system32\search.html
00055747 dialer.yz Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02C20140-76F8-4763-83D5-B660107B7A90}
00134558 spyware/petro-line Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22A88341-AFCB-45F0-A856-C2BAE74F878E}
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@weborama[1].txt
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\David\Bureau\VirtumundoBeGone.exe
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\556eed9866d2845a4bdcb27257b10a0b.a2q[RECYCLER/S-1-5-21-2714024595-2061730480-3575341565-1007/Dc1/SmitfraudFix/Process.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\22b5165494dea1502b44606d733b71b6.a2q[Documents and Settings/David/Bureau/SmitfraudFix/SmitfraudFix/Reboot.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\ac5e7610fa28d4b99d30cf3d597c9e3b.a2q[Documents and Settings/David/Bureau/SmitfraudFix/SmitfraudFix/Process.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\ac266f3bd725e5af20308e3d4bb5602c.a2q[Documents and Settings/David/Bureau/SDFix/apps/Process.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\e2fcb36a3ff856700234376f4f7546d1.a2q[OEMCUST/TOOLS/WIN32/PSKILL.EXE]
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\e656e4eedc81a2a0aeb85f529f1523b0.a2q[RECYCLER/S-1-5-21-2714024595-2061730480-3575341565-1007/Dc1/SmitfraudFix/Reboot.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\f0b965672f05ebd276c188bf57390035.a2q[Documents and Settings/David/Bureau/clean/clean/pskill.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\cf3353b083e00a74ec79c987dc5e84e0.a2q[System Volume Information/_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}/RP804/A0122087.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\WINDOWS\Downloaded Program Files\imloader.exe
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\David\Bureau\SmitfraudFix.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\David\Bureau\SmitfraudFix\404Fix.exe
No C:\Documents and Settings\David\Bureau\SmitfraudFix\IEDFix.C.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:29, on 16/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Packard Bell EverSafe\TrayControl.exe
C:\apps\ABoard\AOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Teleca Shared\CapabilityManager.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David\Bureau\HiJackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|DEFAULT=cnx|PARAM=
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6198438593
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5409 bytes

______________________________________________________________________________________________________

Navipromo search version 3.6.9 started on 16/11/2008 at 18:55:28,82

!!! Warning, this report may list legitimate files/programs !!!
!!! Post this report on the forum to have it analysed !!!
!!! Do not run the disinfection part without the advice of a specialist !!!

Tool run from C:\Program Files\navilog1
Current session: "David"

Updated on 05.11.2008 at 21h00 by IL-MAFIOSO

Microsoft Windows XP [version 5.1.2600]
Internet Explorer : 6.0.2900.2180
File system : NTFS

Search run in normal mode

*** Searching installed programs ***

*** Searching folders in "C:\WINDOWS" ***

*** Searching folders in "C:\Program Files" ***

*** Searching folders in "C:\Documents and Settings\All Users\menudm~1\progra~1" ***

*** Searching folders in "C:\Documents and Settings\All Users\menudm~1" ***

*** Searching folders in "c:\docume~1\alluse~1\applic~1" ***

*** Searching folders in "C:\Documents and Settings\David\applic~1" ***

*** Searching folders in "C:\DOCUME~1\ADMINI~1\applic~1" ***

*** Searching folders in "C:\DOCUME~1\INVIT~1\applic~1" ***

*** Searching folders in "C:\Documents and Settings\David\locals~1\applic~1" ***

*** Searching folders in "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" ***

*** Searching folders in "C:\DOCUME~1\INVIT~1\locals~1\applic~1" ***

*** Searching folders in "C:\Documents and Settings\David\menudm~1\progra~1" ***

*** Searching folders in "C:\DOCUME~1\ADMINI~1\menudm~1\progra~1" ***

*** Searching folders in "C:\DOCUME~1\INVIT~1\menudm~1\progra~1" ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info: http://www.gmer.net

*** Search with GenericNaviSearch ***
!!! All these results may reveal legitimate files !!!
!!! Must be checked before any manual deletion !!!

* Searching in "C:\WINDOWS\system32" *

* Searching in "C:\Documents and Settings\David\locals~1\applic~1" *

* Searching in "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" *

* Searching in "C:\DOCUME~1\INVIT~1\locals~1\applic~1" *

*** Searching files ***

*** Searching specific registry keys ***

*** Additional search module ***
(Search for specific files)

1) Searching for new Instant Access files:

2) Heuristic search:

* In "C:\WINDOWS\system32" :

* In "C:\Documents and Settings\David\locals~1\applic~1" :

* In "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" :

* In "C:\DOCUME~1\INVIT~1\locals~1\applic~1" :

3) Searching certificates:

Egroup certificate absent!
Electronic-Group certificate absent!
Montorgueil certificate absent!
OOO-Favorit certificate absent!
Sunny-Day-Design-Ltd certificate absent!

4) Searching known files:

*** Analysis finished on 16/11/2008 at 19:29:44,95 ***
DAFT

Posts: 3
Joined: 16 Nov 2008, 20:48
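A way to do the same triage by script, as an added example that is not part of the thread or of Panda's own tooling: it parses the MALWARE table of the Panda report above and sorts each row by where the flagged object lives (another scanner's quarantine, a System Restore point, an IE add-on statistics key, a cleaning utility the user downloaded, or a live path). The sample rows are copied from the report above, except one row adapted to show a file sitting directly inside a restore point; the bucket names, the rules and the advice strings are this example's own assumptions.

```python
"""Triage of a Panda ActiveScan MALWARE table: sort each row by where
the flagged object lives, so that echoes of earlier clean-ups are not
mistaken for an active infection. Added example, not code from the
thread or from Panda; bucket rules and advice are this example's own."""
import re
from dataclasses import dataclass

# Constructed sample: rows copied from the report above, plus one row
# adapted to show a file sitting directly in a System Restore point.
SAMPLE_REPORT = r"""
00001888 adware/dyfuca Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4}
00039703 Application/Pskill.A HackTools No 0 Yes No C:\WINDOWS\RESTORE.INS[C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE]
00040474 dialer.bew Dialers No 0 Yes No c:\windows\system32\search.html
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@weborama[1].txt
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\Program Files\a-squared Anti-Malware\Quarantine\556eed9866d2845a4bdcb27257b10a0b.a2q[RECYCLER/S-1-5-21-2714024595-2061730480-3575341565-1007/Dc1/SmitfraudFix/Process.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes Yes C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP804\A0122087.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\WINDOWS\Downloaded Program Files\imloader.exe
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\David\Bureau\SmitfraudFix.exe
"""

# Columns of the MALWARE table: Id Description Type Active Severity
# Disinfectable Disinfected Location (the location may contain spaces).
ROW = re.compile(
    r"^(?P<sig_id>\d+)\s+(?P<desc>\S+)\s+(?P<kind>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)

# What each bucket means for the person cleaning the machine (assumed).
ADVICE = {
    "live": "present in an active location: identify the owning program or remove it, then re-scan",
    "quarantine": "neutralised copy held by another scanner's quarantine: purge that quarantine",
    "restore-point": "copy inside a System Restore point: disable and re-enable System Restore",
    "registry-ext-stats": "IE add-on statistics key left behind by a removed add-on: delete the key",
    "cleanup-tool": "cleaning utility hit by a generic 'hack tool' signature: fine if you downloaded it yourself",
    "cookie": "tracking cookie, no code involved: delete it",
}

# Cleaning utilities named in the report that generic signatures fire on.
CLEANUP_TOOL_NAMES = ("pskill", "smitfraudfix", "smithfraudfix", "processor")


@dataclass
class Finding:
    sig_id: str
    desc: str
    kind: str
    active: bool
    disinfected: bool
    location: str
    bucket: str = ""


def parse_malware_rows(report):
    """Every line of the report that has the shape of a MALWARE row."""
    rows = []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Finding(m["sig_id"], m["desc"], m["kind"],
                                m["active"] == "Yes", m["disinfected"] == "Yes",
                                m["location"]))
    return rows


def bucket_of(f):
    """Classify by location first, then by detection type/name."""
    loc = f.location.lower()
    if loc.startswith("hkey_") and "\\ext\\stats\\" in loc:
        return "registry-ext-stats"
    if "\\quarantine\\" in loc:
        return "quarantine"
    if "system volume information\\_restore" in loc:
        return "restore-point"
    if f.kind == "TrackingCookie":
        return "cookie"
    if f.kind == "HackTools" and any(n in f.desc.lower() for n in CLEANUP_TOOL_NAMES):
        return "cleanup-tool"
    return "live"


def triage(report):
    """Findings grouped by bucket, in report order."""
    out = {}
    for f in parse_malware_rows(report):
        f.bucket = bucket_of(f)
        out.setdefault(f.bucket, []).append(f)
    return out


def live_locations(report):
    """Only the locations that still need a decision."""
    return [f.location for f in parse_malware_rows(report) if bucket_of(f) == "live"]


def summary(report):
    return {bucket: len(rows) for bucket, rows in triage(report).items()}


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_REPORT).items():
        print(f"{bucket} ({len(rows)}): {ADVICE[bucket]}")
        for f in rows:
            print("   ", f.desc, "->", f.location)
```

On the sample above only two objects end up in the live bucket, search.html in system32 and imloader.exe in Downloaded Program Files; everything else is a quarantine store, a restore-point copy, an add-on statistics key, a cookie or a cleaning tool, which is the same split Mido makes by hand further down the thread.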

Post by Mido » 17 Nov 2008, 13:26

DAFT,

Uninstall SpybotSD's resident protection (re-enable it after the disinfection)
• Launch Spybot > Advanced mode > Tools >> Resident
• Uncheck the "TeaTimer" resident box and close Spybot
____________________________________________________________

Show hidden files and folders.
(Accessible from Explorer --> Tools -->)
____________________________________________________________

The infections listed by the online scan.

• 8 files identified as infections come from the a2 quarantine: purge that quarantine.

• For PSKILL.EXE: disable and re-enable System Restore: http://support.microsoft.com/kb/310405/fr

• Search for and delete (search.html): c:\windows\system32\search.html

• imloader.exe: comes with IncrediMail (About IncrediMail: http://assiste.com.free.fr/p/logitheque ... imail.html )

• Open Notepad (Start --> All Programs --> Accessories)
Copy/paste the "exact" content of the following quote,
Save it as FixReg.Reg,
Double-click the FixReg.Reg file and confirm.
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02C20140-76F8-4763-83D5-B660107B7A90}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22A88341-AFCB-45F0-A856-C2BAE74F878E}]

____________________________________________________________

Your HijackThis report shows no infection.

However, the fact that you cannot run the online scan at Kaspersky and..

Is Avast working correctly?

Switch "temporarily" from Avast to Antivir.
Antivir download: http://www.free-av.com/en/download/1/do ... virus.html
Tutorial (French): http://www.pcinfo-web.com/tutoriaux/42- ... lassic.php.

Since two antivirus programs cannot be installed together:
• Download Antivir
• Uninstall Avast,
• Install Antivir,
• Update it,
• Run a "Complete" scan in Safe Mode
Post the report.
__________________________________________________________________

Before deleting any lines with HijackThis,
you must create a dedicated folder for HijackThis.
E.g. in C:\Program Files\Hjt\..


Note that the O4 lines of a HijackThis report correspond to programs/sub-programs launched automatically when the PC starts.
Performance optimisation: removing the lines for programs that are not needed at startup improves a PC's performance.


Relaunch HijackThis,
• Click [Do a system scan only],
• Check all of the following lines and
>>> Close browsers and other programs.. <<<
• Click [Fix Checked] to remove them.

O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
__________________________________________________________________

Malwarebytes download: http://www.malwarebytes.org/mbam.php
Tutorial: http://www.pcinfo-web.com/tutoriaux/54- ... alware.php
• In [Settings] you can switch to French.
• Install and update Malwarebytes.
• Restart in Safe Mode (at the BIOS logo, press F8 repeatedly).
• Log in to your usual user account,
• Launch Malwarebytes and [Perform full scan],
• When finished, click [Remove Selected].
Post the Malwarebytes report in your next reply.
__________________________________________________________________

The Hosts file.
Download and install the MVPS list: http://www.mvps.org/winhelp2002/hosts.zip
Unzip it and double-click the .bat file.
__________________________________________________________________

CCleaner download: http://www.ccleaner.com/download/builds ... ading-slim
Tutorial: http://pagesperso-orange.fr/jesses/Docs ... leaner.htm
• Install and launch CCleaner.
• Click [Analyze] and [Run Cleaner].

Use CCleaner after every internet session, after installing software and/or before shutting down the PC.
__________________________________________________________________

Retry one of the 2 online scans you tried earlier.
Mido

Posts: 19
Joined: 27 Sep 2007, 01:32
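An added example, not part of Mido's post, that builds the FixReg.Reg script above and checks the file before it is imported. regedit only accepts a file whose first line is exactly "Windows Registry Editor Version 5.00" (or the older "REGEDIT4"); a missing or altered header line, stray characters before it, or a file that Notepad silently saved as FixReg.Reg.txt are the usual reasons for the message "is not a registry script". The three keys are the ones quoted above; the function names, the individual checks and the choice of UTF-16LE for the written file are this example's own.

```python
"""Build and sanity-check a .reg script that deletes registry keys.
Added example, not code from the thread. The three keys are the ones
Mido lists; function names and checks are this example's own."""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
LEGACY_HEADER = "REGEDIT4"          # older header, still accepted by regedit
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")

# The keys from the FixReg.Reg quote above (IE add-on statistics entries).
KEYS_TO_DELETE = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4}",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02C20140-76F8-4763-83D5-B660107B7A90}",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22A88341-AFCB-45F0-A856-C2BAE74F878E}",
]

# A section line: [KEY] creates/opens a key, [-KEY] deletes it.
SECTION = re.compile(r"^\[(-?)(" + "|".join(HIVES) + r")(\\[^\]]*)?\]$")
# A value line: "name"=... or @=... (none are needed for a pure delete script).
VALUE = re.compile(r'^("[^"]*"|@)=')


def build_delete_reg(keys):
    """Text of a .reg script deleting each key: header, blank line, one
    [-KEY] section per key, CRLF line ends, trailing newline."""
    lines = [REG_HEADER, ""]
    for key in keys:
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines)


def encode_reg(text):
    """Bytes to write: UTF-16LE with BOM, the encoding regedit itself uses
    for version 5.00 exports (plain ANSI is accepted too)."""
    return b"\xff\xfe" + text.encode("utf-16-le")


def decode_reg(data):
    """Honour a UTF-16LE BOM, otherwise read the file as Windows ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("cp1252", errors="replace")


def parse_delete_keys(text):
    """Keys that the script would delete (the [-KEY] sections)."""
    return [m.group(1) for m in re.finditer(r"^\[-([^\]]+)\]\s*$", text, re.M)]


def validate_reg(data, filename="FixReg.reg"):
    """Return a list of problems; an empty list means the file has the
    shape regedit expects. The checks are this example's own."""
    problems = []
    if not filename.lower().endswith(".reg"):
        problems.append(f"filename {filename!r} does not end in .reg "
                        "(Notepad appends .txt unless 'All files' is chosen)")
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark before the header")
    text = decode_reg(data)
    lines = text.splitlines()
    first = lines[0] if lines else ""
    if first not in (REG_HEADER, LEGACY_HEADER):
        problems.append(f"first line must be {REG_HEADER!r} or {LEGACY_HEADER!r}, got {first!r}")
    if len(lines) < 2 or lines[1] != "":
        problems.append("header must be followed by a blank line")
    for n, line in enumerate(lines[2:], start=3):
        if not line.strip():
            continue
        if line.startswith("["):
            if not SECTION.match(line):
                problems.append(f"line {n}: malformed key line {line!r}")
        elif not VALUE.match(line):
            problems.append(f"line {n}: unexpected text {line!r}")
    if text and not text.endswith("\n"):
        problems.append("file should end with a newline")
    return problems


if __name__ == "__main__":
    script = build_delete_reg(KEYS_TO_DELETE)
    with open("FixReg.reg", "wb") as fh:
        fh.write(encode_reg(script))
    print("problems:", validate_reg(encode_reg(script)) or "none")
```

Run once, it writes FixReg.reg next to the script and prints the validation result. Only the [-KEY] form deletes a key; the same line without the minus sign would create the key instead, so the parser above is also a quick way to confirm what a .reg file received from a forum will really do before double-clicking it.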

Post by DAFT » 19 Nov 2008, 10:51

Thanks for the advice,

The fixreg.reg did not work, I got an error message: "... is not a registry script, you can only import binary registry files ..."

The hosts update allowed me to install JAVA and scan with KAV.

I'm posting the Antivir report, then Malwarebytes, then KAV, and finally a new HJT and Navilog for diagnosis, because according to KAV there are still contaminations.


***********************************************************************************************************
Avira AntiVir Personal
Report file date: Monday 17 November 2008 22:38

Scanning for 1038808 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Save mode
Username: David
Computer name: DAVID

Version information:
BUILD.DAT : 8.2.0.336 16933 Bytes 30/10/2008 11:40:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 26/06/2008 09:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 08:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 13:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 08:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 21:25:42
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 09/11/2008 21:26:15
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 16/11/2008 21:26:17
ANTIVIR3.VDF : 7.1.0.97 45056 Bytes 17/11/2008 21:26:28
Engineversion : 8.2.0.31
AEVDF.DLL : 8.1.0.6 102772 Bytes 14/10/2008 11:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 17/11/2008 21:26:40
AESCN.DLL : 8.1.1.5 123251 Bytes 17/11/2008 21:26:39
AERDL.DLL : 8.1.1.3 438645 Bytes 17/11/2008 21:26:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 17/11/2008 21:26:37
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 17/11/2008 21:26:36
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 17/11/2008 21:26:35
AEHELP.DLL : 8.1.1.3 119157 Bytes 17/11/2008 21:26:33
AEGEN.DLL : 8.1.1.0 319859 Bytes 17/11/2008 21:26:32
AEEMU.DLL : 8.1.0.9 393588 Bytes 14/10/2008 11:05:56
AECORE.DLL : 8.1.4.1 172405 Bytes 17/11/2008 21:26:30
AEBB.DLL : 8.1.0.3 53618 Bytes 14/10/2008 11:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 09:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 10:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 17/11/2008 21:26:29
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 12:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 09:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 13:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 18:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 13:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 13:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 14:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 14:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday 17 November 2008 22:38

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
11 processes with 11 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '53' files ).


Starting the file scan:

Begin scan in 'C:\' <HDD>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\111C7705.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\111C7705.exe
[DETECTION] Is the TR/Small.gq.1 Trojan
[NOTE] The file was moved to '4952e757.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\112C48F3.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\112C48F3.exe
[DETECTION] Is the TR/Favadd.an.2 Trojan
[NOTE] The file was moved to '4953e75e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23723ED8.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23723ED8.exe
[DETECTION] Is the TR/DelProx.A Trojan
[NOTE] The file was moved to '4958e769.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\238964BF.exe
[DETECTION] Contains HEUR/Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4959e789.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24A10742.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24A10742.dll
[DETECTION] Is the TR/Dldr.Agent.BA Trojan
[NOTE] The file was moved to '4962e793.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28B123FE.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28B123FE.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4963e79b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34C47F80.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34C47F80.dll
[DETECTION] Is the TR/Dldr.Agent.BA Trojan
[NOTE] The file was moved to '4964e79b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35234118.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35234118.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4953e79f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35291511.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35291511.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4953e7a3.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\352C3F0D.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\352C3F0D.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4953e7a7.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35306909.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35306909.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4954e7aa.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4E124283.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4E124283.exe
[DETECTION] Is the TR/StartPage.BN Trojan
[NOTE] The file was moved to '4952e7c0.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\64A41942.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\64A41942.exe
[DETECTION] Is the TR/Renos.28160 Trojan
[NOTE] The file was moved to '4962e7b2.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\725638D9.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\725638D9.dll
[DETECTION] Is the TR/Dialer.OJ Trojan
[NOTE] The file was moved to '4956e7b4.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\785D5EB1.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\785D5EB1.exe
[DETECTION] Is the TR/Renos.28160 Trojan
[NOTE] The file was moved to '4956e7bc.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B05090C.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B05090C.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4951e7c8.qua'!
C:\Documents and Settings\David\Bureau\SmitfraudFix.exe
[DETECTION] Contains recognition pattern of the DR/Tool.Reboot.F.19 dropper
[NOTE] The file was moved to '498ae97c.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165837.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165837.exe
[DETECTION] Is the TR/Small.gq.1 Trojan
[NOTE] The file was moved to '4952f25b.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165838.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165838.exe
[DETECTION] Is the TR/Favadd.an.2 Trojan
[NOTE] The file was moved to '4952f261.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165839.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165839.exe
[DETECTION] Is the TR/DelProx.A Trojan
[NOTE] The file was moved to '4952f266.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165840.exe
[DETECTION] Contains HEUR/Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4952f26b.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165841.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165841.dll
[DETECTION] Is the TR/Dldr.Agent.BA Trojan
[NOTE] The file was moved to '4952f26e.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165842.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165842.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4952f271.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165843.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165843.dll
[DETECTION] Is the TR/Dldr.Agent.BA Trojan
[NOTE] The file was moved to '4952f274.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165844.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165844.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4952f276.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165845.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165845.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4952f279.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165846.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165846.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4952f27b.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165847.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165847.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4952f27f.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165848.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165848.exe
[DETECTION] Is the TR/StartPage.BN Trojan
[NOTE] The file was moved to '4952f281.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165849.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165849.exe
[DETECTION] Is the TR/Renos.28160 Trojan
[NOTE] The file was moved to '4952f283.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165850.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165850.dll
[DETECTION] Is the TR/Dialer.OJ Trojan
[NOTE] The file was moved to '4952f286.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165851.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165851.exe
[DETECTION] Is the TR/Renos.28160 Trojan
[NOTE] The file was moved to '4952f288.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165852.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165852.exe
[DETECTION] Is the TR/Dldr.Small.byj.1 Trojan
[NOTE] The file was moved to '4952f28a.qua'!
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165853.exe
[DETECTION] Contains recognition pattern of the DR/Tool.Reboot.F.19 dropper
[NOTE] The file was moved to '4952f28f.qua'!
C:\WINDOWS\system32\mjhalrjd.ylo
[DETECTION] Is the TR/Agent.MD.2 Trojan
[NOTE] The file was moved to '4989fb56.qua'!
C:\WINDOWS\system32\securityID=817093-MS03-011&privacyAPI32=x292.html
[DETECTION] Is the TR/Dldr.Delf.KS.2 Trojan
[NOTE] The file was moved to '4984fb8e.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KX0DMPKP\WebInstall[1].dll
[DETECTION] Is the TR/Dldr.WebInstall Trojan
[NOTE] The file was moved to '4983fbf9.qua'!


End of the scan: Tuesday 18 November 2008 00:20
Used time: 1:42:15 Hour(s)

The scan has been done completely.

7810 Scanning directories
278647 Files were scanned
35 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
0 files were deleted
0 files were repaired
37 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
278609 Files not concerned
7156 Archives were scanned
2 Warnings
37 Notes
*****************************************************************************************************
Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 2

18/11/2008 06:17:13
mbam-log-2008-11-18 (06-17-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 140613
Time elapsed: 2 hour(s), 35 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} (Adware.NetOptimizer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uninst.bat (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\uninst.bat (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\uninst.bat (Trojan.Agent) -> No action taken.
**********************************************************************************************************
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, November 19, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, November 18, 2008 20:05:17
Records in database: 1392277


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
N:\

Scan statistics
Files scanned 94320
Threat name 9
Infected objects 14
Suspicious objects 0
Duration of the scan 02:16:22

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CAA1FDD.exe Infected: not-a-virus:AdWare.Win32.FindSpy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D517D25.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\239362B4.exe Infected: not-a-virus:AdWare.Win32.180Solutions 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\371658F2.dll Infected: not-a-virus:AdWare.Win32.SBSoft.h 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3B49237F.tmp Infected: Email-Worm.Win32.NetSky.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D9F26ED.tmp Infected: Email-Worm.Win32.NetSky.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DBC20CD.tmp Infected: Email-Worm.Win32.NetSky.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DED1697.tmp Infected: Email-Worm.Win32.NetSky.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C6A2649.tmp Infected: Email-Worm.Win32.NetSky.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B155AFA.exe Infected: Backdoor.Win32.Agent.rw 1

C:\Documents and Settings\David\Bureau\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\WINDOWS\Installer\4605f.msi Infected: Email-Worm.Win32.Sowsat.j 1

C:\WINDOWS\RESTORE.INS Infected: not-a-virus:NetTool.Win32.PsKill.a 1

C:\WINDOWS\system\RESTORE.INS Infected: not-a-virus:NetTool.Win32.PsKill.a 1

The selected area was scanned.
**********************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59:57, on 19/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Packard Bell EverSafe\TrayControl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hjt\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|DEFAULT=cnx|PARAM=
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6198438593
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=24931
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5103 bytes
**********************************************************************************************************
Search Navipromo version 3.6.9 started on 19/11/2008 at 10:02:01,18

!!! Warning, this report may list legitimate files/programs !!!
!!! Post this report on the forum to have it analysed !!!
!!! Do not run the disinfection part without a specialist's advice !!!

Tool run from C:\Program Files\navilog1
Current session: "David"

Updated on 05.11.2008 at 21h00 by IL-MAFIOSO


Microsoft Windows XP [version 5.1.2600]
Internet Explorer : 6.0.2900.2180
File system : NTFS

Search run in normal mode

*** Searching installed programs ***


*** Searching folders in "C:\WINDOWS" ***


*** Searching folders in "C:\Program Files" ***


*** Searching folders in "C:\Documents and Settings\All Users\menudm~1\progra~1" ***


*** Searching folders in "C:\Documents and Settings\All Users\menudm~1" ***


*** Searching folders in "c:\docume~1\alluse~1\applic~1" ***


*** Searching folders in "C:\Documents and Settings\David\applic~1" ***


*** Searching folders in "C:\DOCUME~1\ADMINI~1\applic~1" ***


*** Searching folders in "C:\DOCUME~1\INVIT~1\applic~1" ***


*** Searching folders in "C:\Documents and Settings\David\locals~1\applic~1" ***


*** Searching folders in "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" ***


*** Searching folders in "C:\DOCUME~1\INVIT~1\locals~1\applic~1" ***


*** Searching folders in "C:\Documents and Settings\David\menudm~1\progra~1" ***


*** Searching folders in "C:\DOCUME~1\ADMINI~1\menudm~1\progra~1" ***


*** Searching folders in "C:\DOCUME~1\INVIT~1\menudm~1\progra~1" ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net



*** Search with GenericNaviSearch ***
!!! All of these results may point to legitimate files !!!
!!! Must be checked before any manual deletion !!!

* Searching in "C:\WINDOWS\system32" *

* Searching in "C:\Documents and Settings\David\locals~1\applic~1" *

* Searching in "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" *

* Searching in "C:\DOCUME~1\INVIT~1\locals~1\applic~1" *



*** Searching files ***



*** Searching specific Registry keys ***


*** Additional search module ***
(Searching specific files)

1)Searching new Instant Access files :


2)Heuristic search :

* In "C:\WINDOWS\system32" :


* In "C:\Documents and Settings\David\locals~1\applic~1" :


* In "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" :


* In "C:\DOCUME~1\INVIT~1\locals~1\applic~1" :


3)Searching certificates :

Egroup certificate absent !
Electronic-Group certificate absent !
Montorgueil certificate absent !
OOO-Favorit certificate absent !
Sunny-Day-Design-Ltd certificate absent !

4)Searching known files :



*** Analysis finished on 19/11/2008 at 10:32:35,14 ***
**********************************************************************************************************

Thank you for your help, because I'm floundering.
DAFT
 
Posts: 3
Joined: 16 Nov 2008, 20:48
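As an added example (not part of DAFT's post, nor code from Avira, Kaspersky or Malwarebytes), here is a small Python triage script for reports like the ones above. It parses the three scanners' detection lines and separates copies that sit in System Restore points or in another product's quarantine folder from files in live locations, which is where remediation effort actually goes. The sample lines are copied from the reports in this thread; the location classes, their priority order and the parsing rules are this example's own heuristics.

```python
"""Triage of the detection lines from several scanner reports.

Added example: the sample lines are copied from the Avira, Kaspersky and
Malwarebytes reports posted in the thread; the location classes, the
priority order and the parsing rules are this example's own heuristics,
not any vendor's logic.
"""
import re
from collections import Counter

# --- constructed samples (copied from the reports above) -------------------
AVIRA_SAMPLE = r"""
C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165848.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP1449\A0165848.exe
[DETECTION] Is the TR/StartPage.BN Trojan
[NOTE] The file was moved to '4952f281.qua'!
C:\WINDOWS\system32\mjhalrjd.ylo
[DETECTION] Is the TR/Agent.MD.2 Trojan
[NOTE] The file was moved to '4989fb56.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KX0DMPKP\WebInstall[1].dll
[DETECTION] Is the TR/Dldr.WebInstall Trojan
[NOTE] The file was moved to '4983fbf9.qua'!
"""
KAV_SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B155AFA.exe Infected: Backdoor.Win32.Agent.rw 1
C:\Documents and Settings\David\Bureau\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\Installer\4605f.msi Infected: Email-Worm.Win32.Sowsat.j 1
"""
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uninst.bat (Trojan.Agent) -> No action taken.
C:\WINDOWS\Downloaded Program Files\uninst.bat (Trojan.Agent) -> No action taken.
"""

KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
AVIRA_DETECTION_RE = re.compile(r"^\[DETECTION\] (?P<text>.+)$")
AVIRA_NOTE_RE = re.compile(r"^\[NOTE\] (?P<text>.+)$")


def parse_avira(text):
    """Avira prints a bare path, then [DETECTION]/[NOTE] lines for that path.
    '[0] Archive type' and '--> FIL' lines repeat the same object and are skipped."""
    found, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("[", "-->")):
            det = AVIRA_DETECTION_RE.match(line)
            note = AVIRA_NOTE_RE.match(line)
            if det and current:
                found.append({"scanner": "avira", "path": current,
                              "threat": det["text"], "action": None})
            elif note and found and found[-1]["path"] == current:
                found[-1]["action"] = note["text"]   # keep the last note (the move)
            continue
        current = line                               # a bare path starts a new object
    return found


def parse_kav(text):
    return [{"scanner": "kaspersky", "path": m["path"], "threat": m["threat"], "action": None}
            for m in (KAV_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_mbam(text):
    return [{"scanner": "mbam", "path": m["path"], "threat": m["threat"], "action": m["action"]}
            for m in (MBAM_RE.match(l.strip()) for l in text.splitlines()) if m]


# Location classes, most urgent first (this example's own ordering).
PRIORITY = {"live": 0, "registry": 0, "browser-cache": 1, "restore-point": 2, "av-quarantine": 3}


def classify(path):
    p = path.lower()
    if p.startswith("hkey_"):
        return "registry"
    if "\\system volume information\\_restore" in p:
        return "restore-point"      # only comes back if that restore point is reinstated
    if "\\quarantine\\" in p:
        return "av-quarantine"      # already neutralised by another product
    if "temporary internet files" in p:
        return "browser-cache"      # downloaded payload, not an installed component
    return "live"


def is_riskware(threat):
    """Kaspersky prefixes legitimate-but-abusable tools with 'not-a-virus:'."""
    return threat.startswith("not-a-virus:")


def triage(avira_text, kav_text, mbam_text):
    items = parse_avira(avira_text) + parse_kav(kav_text) + parse_mbam(mbam_text)
    for it in items:
        it["where"] = classify(it["path"])
        it["riskware"] = is_riskware(it["threat"])
    return sorted(items, key=lambda it: (PRIORITY[it["where"]], it["path"].lower()))


def summary(items):
    return Counter(it["where"] for it in items)


if __name__ == "__main__":
    rows = triage(AVIRA_SAMPLE, KAV_SAMPLE, MBAM_SAMPLE)
    for it in rows:
        flag = " (riskware)" if it["riskware"] else ""
        print(f"{it['where']:14} {it['scanner']:9} {it['threat']}{flag}\n    {it['path']}")
    print(dict(summary(rows)))
```

Run on the sample, the list puts the system32 file, the uninst.bat file with its registry references and the Installer MSI first, and pushes the Norton-quarantine copy and the restore-point copy to the bottom; the `not-a-virus:` flag marks Reboot.exe (shipped with SmitfraudFix) as a tool detection to be judged by context rather than an infection. Paste the full reports in place of the samples to get the same ordering for a real thread.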

Post by DAFT » 22 Nov 2008, 19:04

Thanks.
DAFT
 

