Problem with cmdservice, unsolicited ads
Security Forum - Viruses: Problem with cmdservice, unsolicited ads
Hello everyone,
I have a problem with cmdservice that I can't manage to get rid of despite ad-aware, spybot, a² and SpywareBlaster.
I ran HijackThis and here is the result:
Logfile of HijackThis v1.99.1
Scan saved at 00:05:37, on 24/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sebastien\Bureau\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINDOWS\System32\gebcb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\Run: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\RunServices: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activ [...] asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: gebcb - C:\WINDOWS\System32\gebcb.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\h4l20e3oeh.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
I went to hijackthis.de, I fixed all the nasties like they say, but cmdservice is still active and I'm still getting wild pop-ups of unsolicited ads that are seriously starting to beeeeep me off
I'll just add that the items I fixed are back again, and that cmdservice no longer shows up in the HijackThis file but is still there when I run Spybot and, of course, impossible to remove.
Thanks to everyone willing to help me.
Gildas
Good evening
Several infections.
Let's begin.
Download VundoFix.exe (by Atribune) to your Desktop.
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to launch it.
* Check Run VundoFix as a task.
* A message will warn you that the tool is going to close and reopen: click Ok
* Click the Scan for Vundo button.
* When the scan is complete, click the Remove Vundo button.
* A prompt will ask whether you want to delete the files; click YES
* After clicking "Yes", the Desktop will disappear for a moment while the files are deleted.
* You will see a prompt telling you that your PC is going to shut down ("shutdown"); click OK
* Start your PC again.
* Copy/paste the contents of the report located in C:\vundofix.txt together with a new HijackThis! report in your next reply.
vundofix.txt report
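To make the "several infections" diagnosis reproducible, here is a heuristic triage of the O4/O20/O23 lines from the log posted above. This is an added example, not HijackThis code and not the helper's method: the sample lines are copied from the thread's first log, and the allowlist, the severity levels and the heuristics are assumptions made for this demo, so every hit is something to look at, not a verdict.

```python
"""Heuristic triage of HijackThis v1.99 autostart entries (O4, O20, O23).

A review aid, not a verdict: every hit is something a human should look at.
The allowlist and the heuristics are assumptions made for this demo.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of O4/O20/O23 lines copied from the thread's first log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\RunServices: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O20 - Winlogon Notify: gebcb - C:\WINDOWS\System32\gebcb.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\h4l20e3oeh.dll
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Processes the boot chain starts itself; a Run key or a user-registered service
# pointing at one of these names is never legitimate.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
# Winlogon notification packages shipped with Windows XP (partial list, assumed for the demo).
XP_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}
LAUNCHERS = {"rundll32.exe", "rundll32"}  # bare by convention, so not a "bare filename" hit

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review"
    artifact: str   # the executable or DLL the entry points at
    reason: str


def command_executable(cmd: str) -> str:
    """First token of an autostart command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0].strip('"')   # tolerates the stray quote seen in the O23 line


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(stem: str) -> bool:
    """Two or more separate digit runs in a short name, e.g. h4l20e3oeh or enl0l13m1."""
    return len(re.findall(r"\d+", stem)) >= 2


def triage_o4(hive: str, cmd: str) -> list[Finding]:
    exe = command_executable(cmd)
    base = basename(exe)
    out = []
    if hive.lower().endswith("runservices"):
        out.append(Finding("high", exe, "RunServices is a Windows 9x/Me key; nothing legitimate "
                                        "registers there on XP, but malware writes every key it knows"))
    if base in CORE_BINARIES:
        out.append(Finding("high", exe, f"{base} is started by the boot chain, never from a Run key"))
    elif "\\" not in exe and base not in LAUNCHERS:
        out.append(Finding("review", exe, "bare filename resolved through the search path; "
                                          "check which file on disk actually runs"))
    return out


def triage_o20(key: str, path: str) -> list[Finding]:
    if key.lower() in XP_NOTIFY_PACKAGES:
        return []
    stem = basename(path).rsplit(".", 1)[0]
    severity = "high" if looks_random(stem) else "review"
    return [Finding(severity, path, f"Winlogon Notify package '{key}' is not an XP default; "
                                    "the DLL is loaded into winlogon.exe at every logon")]


def triage_o23(owner: str, path: str) -> list[Finding]:
    exe = command_executable(path)
    out = []
    if basename(exe) in CORE_BINARIES and "\\system32\\" not in exe.lower():
        out.append(Finding("high", exe, "service binary borrows a core Windows name but lives outside System32"))
    if owner == "Unknown owner" and "(file missing)" in path:
        out.append(Finding("high", exe, "no vendor information and the binary is gone: orphaned registration"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run the per-section checks over every line of a HijackThis log."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            findings += triage_o4(m["hive"], m["cmd"])
        elif m := O20_RE.match(line):
            findings += triage_o20(m["key"], m["path"])
        elif m := O23_RE.match(line):
            findings += triage_o23(m["owner"], m["path"])
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.artifact}: {f.reason}")
```

The "review" hits include legitimate entries such as nwiz.exe, which is the point: a bare filename only tells you to check which file on disk actually runs.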
VundoFix V4.2.27
Scan started at 23:23:15 24/02/2006
Listing files found while scanning....
C:\WINDOWS\System32\awvvw.dll
C:\WINDOWS\System32\gebcb.dll
C:\WINDOWS\System32\bcbeg.ini
C:\WINDOWS\System32\bcbeg.bak1
C:\WINDOWS\System32\bcbeg.bak2
C:\WINDOWS\System32\bcbeg.ini2
C:\WINDOWS\System32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\gebcb.dll
VundoFix V4.2.27
Scan started at 23:24:22 24/02/2006
Listing files found while scanning....
C:\WINDOWS\System32\awvvw.dll
C:\WINDOWS\System32\gebcb.dll
C:\WINDOWS\System32\bcbeg.ini
C:\WINDOWS\System32\bcbeg.bak1
C:\WINDOWS\System32\bcbeg.bak2
C:\WINDOWS\System32\bcbeg.ini2
C:\WINDOWS\System32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\gebcb.dll
Attempting to delete C:\WINDOWS\System32\awvvw.dll
C:\WINDOWS\System32\awvvw.dll Could not be deleted.
Attempting to delete C:\WINDOWS\System32\gebcb.dll
C:\WINDOWS\System32\gebcb.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\bcbeg.ini
C:\WINDOWS\System32\bcbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\bcbeg.bak1
C:\WINDOWS\System32\bcbeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\bcbeg.bak2
C:\WINDOWS\System32\bcbeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\bcbeg.ini2
C:\WINDOWS\System32\bcbeg.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\bcbeg.tmp
C:\WINDOWS\System32\bcbeg.tmp Has been deleted!
Performing Repairs to the registry.
Done!
HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 23:28:51, on 24/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sebastien\Bureau\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\Run: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\RunServices: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activ [...] asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\enl0l13m1.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
There you go!
Good, let's continue.
Please print these instructions, or paste them into a text file, so you can read them during this fix. Read the three short notes at the bottom carefully before starting.
Download Look2Me-Destroyer.exe to your Desktop.
http://www.atribune.org/ccount/click.php?id=7
* Close all active windows before moving to the next step.
* Double-click Look2Me-Destroyer.exe to launch the tool.
* Check Run this program as a task
* A message will appear saying: "Look2Me-Destroyer will close and re-open in approximately 10 seconds". Click OK
* It will relaunch after the 10 seconds; then click the Scan for L2M button; your Desktop icons will disappear: that is normal.
* When the scan finishes, click the Remove L2M button
* A Done Scanning message will appear; click OK.
* A new message will appear: Done removing infected files! Look2Me-Destroyer will now shutdown your computer; click OK.
* Your PC will now shut down.
* Start your PC normally.
* Paste the generated report, located here: C:\Look2Me-Destroyer.txt , together with a new HijackThis! report in your next reply.
#If Look2Me-Destroyer does not relaunch automatically after the 10 seconds, reboot and try again.
##If you get a message from your firewall that the tool is trying to access the internet: allow it.
###If a runtime error '339' message appears: download MSWINSCK.OCX from the link below and place it in the C:\Windows\System32 folder.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Look2Me-Destroyer.txt report:
Look2Me-Destroyer V1.0.6
Scanning for infected files.....
Scan started at 24/02/2006 23:58:09
Infected! C:\WINDOWS\system32\enl0l13m1.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0015528.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0015529.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015539.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015550.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015551.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015653.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015665.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015704.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015714.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015725.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015737.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015744.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015764.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0015779.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0015786.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0016784.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017813.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017814.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017825.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017837.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017838.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017847.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017848.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017889.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017901.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017918.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0018918.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0019918.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0019931.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019938.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019950.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019951.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019959.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019960.dll
Infected! C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019970.dll
Infected! C:\WINDOWS\system32\cnmodem.dll
Infected! C:\WINDOWS\system32\dnro0193e.dll
Infected! C:\WINDOWS\system32\enl0l13m1.dll
Infected! C:\WINDOWS\system32\f42m0ef1eh2.dll
Infected! C:\WINDOWS\system32\f42mlef11h2.dll
Infected! C:\WINDOWS\system32\fpjo0313e.dll
Infected! C:\WINDOWS\system32\ir62l5jo1.dll
Infected! C:\WINDOWS\system32\kgdtuf.dll
Infected! C:\WINDOWS\system32\l60ulgd9160.dll
Infected! C:\WINDOWS\system32\nkdeapi.dll
Infected! C:\WINDOWS\system32\nntapi32.dll
Infected! C:\WINDOWS\system32\p0p60a7sed.dll
Infected! C:\WINDOWS\system32\u8ru0i99e8.dll
Infected! C:\WINDOWS\System32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\enl0l13m1.dll
C:\WINDOWS\system32\enl0l13m1.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0015528.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0015528.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0015529.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0015529.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015539.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015539.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015550.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015550.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015551.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015551.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015653.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015653.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015665.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015665.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015704.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015704.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015714.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015714.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015725.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015725.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015737.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015737.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015744.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015744.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015764.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015764.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0015779.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0015779.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0015786.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0015786.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0016784.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0016784.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017813.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017813.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017814.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017814.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017825.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017825.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017837.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017837.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017838.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017838.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017847.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017847.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017848.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017848.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017889.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017889.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017901.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017901.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017918.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017918.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0018918.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0018918.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0019918.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0019918.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0019931.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0019931.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019938.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019938.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019950.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019950.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019951.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019951.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019959.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019959.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019960.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019960.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019970.dll
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP124\A0019970.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\cnmodem.dll
C:\WINDOWS\system32\cnmodem.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dnro0193e.dll
C:\WINDOWS\system32\dnro0193e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\enl0l13m1.dll
C:\WINDOWS\system32\enl0l13m1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\f42m0ef1eh2.dll
C:\WINDOWS\system32\f42m0ef1eh2.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\f42mlef11h2.dll
C:\WINDOWS\system32\f42mlef11h2.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\fpjo0313e.dll
C:\WINDOWS\system32\fpjo0313e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\ir62l5jo1.dll
C:\WINDOWS\system32\ir62l5jo1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\kgdtuf.dll
C:\WINDOWS\system32\kgdtuf.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\l60ulgd9160.dll
C:\WINDOWS\system32\l60ulgd9160.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\nkdeapi.dll
C:\WINDOWS\system32\nkdeapi.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\nntapi32.dll
C:\WINDOWS\system32\nntapi32.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\p0p60a7sed.dll
C:\WINDOWS\system32\p0p60a7sed.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\u8ru0i99e8.dll
C:\WINDOWS\system32\u8ru0i99e8.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrateurs - Succeeded
HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 00:05:07, on 25/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sebastien\Bureau\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\Run: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\RunServices: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activ [...] asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Good thing this doesn't happen every day :-D
Re
The bulk of it is done, but some remains.
1 Download
CCleaner.
http://www.filehippo.com/download_ccleaner.html
Install it in a dedicated folder.
Ewido
http://www.ewido.net/fr/download/
Install it and update it.
2 Restart in Safe Mode. Careful: you have no internet access in this mode, so note down what you have to do.
Start the computer.
Once the BIOS has finished loading, there is a black screen. Press the F8 key until the Windows Advanced Options menu appears.
Using the arrow keys, select Safe Mode and press Enter.
3 Run a new HijackThis scan and tick the lines below:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\Run: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\RunServices: [AdobeReaderPro] svxhost.exe
O4 - HKLM\..\RunServices: [MICROSFT NT SUPPORT] vocyeordhm.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
Close all Windows windows, Internet Explorer, Outlook, except HijackThis, and click "Fix checked".
4 Make sure you have access to all files.
Start, My Computer or any other folder, Tools menu, Folder Options, View tab:
Tick: Show hidden files and folders
Untick: Hide extensions for known file types
Untick: Hide protected operating system files
Then Apply
5 Click Start, then Run, type services.msc and click OK.
In the list of services, find and select "Windows Logon Process Service" / double-click the line / check under "Path to executable" that it is indeed "C:\WINDOWS\winlogon.exe" / under Startup type, select Disabled / confirm the change.
6 Delete the offending files/folders (if they still exist):
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00009.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\winlogon.exe
svxhost.exe
vocyeordhm.EXE
For the last two, probably in C:\WINDOWS\system32 or C:\WINDOWS
7 Run the clean-up with CCleaner.
Re-hide the system files, to avoid mistakes later, by selecting "Do not show hidden files or system files".
8 Run Ewido.
Do a full scan.
Save the report.
9 Restart normally and post a new HijackThis log together with the Ewido report.
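The checks the helper applies by hand in the steps above (a core system binary such as smss.exe or winlogon.exe referenced from C:\WINDOWS instead of System32, autostart entries that are only a bare file name, svxhost.exe as a one-character look-alike of svchost.exe, a service with an unknown owner whose file is missing) can be scripted as a triage aid over HijackThis O4 and O23 lines. The script below is an added example, not part of this thread or of HijackThis; the sample lines are copied from the log posted above, and the severity labels, the list of System32-resident binaries and the edit-distance threshold are the example's own assumptions.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread; it is not part of HijackThis or of the
forum's advice. It encodes the checks the helper applied by hand above.
"""
import re

# Windows XP core processes that always live in %SystemRoot%\System32
# (assumed list for this example).
SYSTEM32_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

O4_RE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<subkey>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def levenshtein(a, b):
    """Edit distance by dynamic programming; used to spot look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_image(cmd):
    """Return the program (full path or bare name) a HijackThis command launches.

    O23 lines print paths with spaces unquoted and sometimes with a stray
    quote, so quotes are dropped and the path is cut at its extension.
    """
    cmd = cmd.replace('"', "").strip()
    head = cmd.split(" ", 1)[0]
    if "\\" not in head:
        return head  # bare name such as svxhost.exe or RunDll32
    m = re.match(r"(.*?\.(?:exe|dll|sys|cpl|com|scr))(?:[\s,]|$)", cmd, re.I)
    return m.group(1) if m else head


def check_image(image):
    """Yield (severity, reason) pairs for one launched image."""
    directory, _, name = image.rpartition("\\")
    lname = name.lower()
    if lname in SYSTEM32_BINARIES:
        if not directory.lower().endswith("\\system32"):
            yield "high", (f"{name} is a core system binary but runs from "
                           f"{directory or 'the search path'}, not System32")
    else:
        for real in SYSTEM32_BINARIES:
            if levenshtein(lname, real) == 1:
                yield "high", f"{name} is one character away from {real}"
                break
    if not directory:
        yield "medium", f"bare file name {name}: located via the search path"


def triage(lines):
    """Apply the checks to log lines; returns (severity, entry, reason) tuples."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            for sev, why in check_image(first_image(m["cmd"])):
                findings.append((sev, m["name"], why))
            if m["subkey"].lower().startswith("runservices"):
                findings.append(("medium", m["name"],
                                 "RunServices key: a Windows 9x/ME key, rarely "
                                 "written by legitimate software on XP"))
            continue
        m = O23_RE.match(line)
        if m:
            path = m["path"].replace("(file missing)", "")
            for sev, why in check_image(first_image(path)):
                findings.append((sev, m["desc"], why))
            if m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
                findings.append(("high", m["desc"],
                                 "service with unknown owner and missing binary"))
    return findings


# Sample lines copied from the HijackThis log posted above in this thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"',
    r'O4 - HKLM\..\Run: [AdobeReaderPro] svxhost.exe',
    r'O4 - HKLM\..\Run: [MICROSFT NT SUPPORT] vocyeordhm.EXE',
    r'O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe',
    r'O4 - HKLM\..\RunServices: [AdobeReaderPro] svxhost.exe',
    r'O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe',
    r'O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)',
]

if __name__ == "__main__":
    for sev, entry, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {entry}: {why}")
```

The "medium" findings are deliberately noisy: a bare file name is also how legitimate entries such as nwiz.exe are registered, so they are a prompt to locate the file, not a verdict. The two "high" checks (system binary outside System32, look-alike name) are the ones that single out the entries the helper told the poster to fix.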
HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 01:07:02, on 25/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sebastien\Bureau\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activ [...] asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Ewido report:
---------------------------------------------------------
ewido anti-malware - Rapport de scan
---------------------------------------------------------
+ Créé le: 01:01:48, 25/02/2006
+ Somme de contrôle: AB7A5D80
+ Résultats du scan:
HKU\.DEFAULT\Software\DNS -> Adware.Shorty : Nettoyer et sauvegarder
HKU\S-1-5-18\Software\DNS -> Adware.Shorty : Nettoyer et sauvegarder
C:\WINDOWS\system32\awvvw.dll -> Adware.Virtumonde : Nettoyer et sauvegarder
::Fin du rapport
Re
HijackThis is clean.
Ewido completed the clean-up.
We finish with an online antivirus scan at Kaspersky
http://www.kaspersky.com/downloads/kws/kavwebscan.html
Paste its report here.
That's going to be rather long, isn't it?
I'll do it tomorrow when I get up.
Can you tell me which software is good to have and not to have?
It's my flatmate's computer; he has XP SP1, Antivir and Kerio.
On my computer I have XP Pro SP2, BitDefender 9, no firewall other than the XP one, and I run Ad-Aware and Spybot regularly.
I'll post the online scan result tomorrow.
Thanks
:-)
Kaspersky report from last night:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, February 25, 2006 01:32:27
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/02/2006
Kaspersky Anti-Virus database records: 167594
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 13763
Number of viruses found: 7
Number of infected objects: 16
Number of suspicious objects: 6
Duration of the scan process: 644 sec
Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip/drsmartload1.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0001 Infected: Trojan-Downloader.Win32.Small.ckj
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0002 Infected: Trojan-Downloader.Win32.Adload.s
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0004/data0001 Infected: Trojan-Downloader.NSIS.Agent.p
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0004 Infected: Trojan-Downloader.NSIS.Agent.p
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream Infected: Trojan-Downloader.NSIS.Agent.p
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe Infected: Trojan-Downloader.NSIS.Agent.p
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KCX3BTBV\tool2[1].txt Infected: Packed.Win32.Tibs
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S3C9A9W3\drsmartload[1].exe Infected: Trojan-Downloader.Win32.VB.xg
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S3C9A9W3\harvest[1].exe Infected: Trojan-PSW.Win32.VB.hu
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012022.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Small.ckj
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Adload.s
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream/data0004/data0001 Infected: Trojan-Downloader.NSIS.Agent.p
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream/data0004 Infected: Trojan-Downloader.NSIS.Agent.p
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream Infected: Trojan-Downloader.NSIS.Agent.p
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe Infected: Trojan-Downloader.NSIS.Agent.p
Scan was interrupted by user!
And resumed this morning:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, February 25, 2006 09:53:29
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/02/2006
Kaspersky Anti-Virus database records: 167662
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 33932
Number of viruses found: 12
Number of infected objects: 33
Number of suspicious objects: 6
Duration of the scan process: 1164 sec
Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip/drsmartload1.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0001 Infected: Trojan-Downloader.Win32.Small.ckj
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0002 Infected: Trojan-Downloader.Win32.Adload.s
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0004/data0001 Infected: Trojan-Downloader.NSIS.Agent.p
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0004 Infected: Trojan-Downloader.NSIS.Agent.p
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream Infected: Trojan-Downloader.NSIS.Agent.p
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe Infected: Trojan-Downloader.NSIS.Agent.p
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KCX3BTBV\tool2[1].txt Infected: Packed.Win32.Tibs
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S3C9A9W3\drsmartload[1].exe Infected: Trojan-Downloader.Win32.VB.xg
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S3C9A9W3\harvest[1].exe Infected: Trojan-PSW.Win32.VB.hu
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012022.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Small.ckj
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Adload.s
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream/data0004/data0001 Infected: Trojan-Downloader.NSIS.Agent.p
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream/data0004 Infected: Trojan-Downloader.NSIS.Agent.p
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe/stream Infected: Trojan-Downloader.NSIS.Agent.p
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012026.exe Infected: Trojan-Downloader.NSIS.Agent.p
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0013096.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0013352.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0013373.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0013401.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0013471.exe Infected: Trojan.Win32.Agent.pj
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0014398.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0014422.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0014425.exe Infected: Packed.Win32.Tibs
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0014426.exe Infected: Packed.Win32.Tibs
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0015426.exe Infected: Packed.Win32.Tibs
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0015530.exe Infected: SpamTool.Win32.Mailbot.an
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP122\A0015568.sys Infected: SpamTool.Win32.Mailbot.an
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017821.sys Infected: SpamTool.Win32.Mailbot.ap
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017873.exe Infected: Trojan-Spy.Win32.Sters.j
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0019927.exe Infected: Packed.Win32.Tibs
C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0019928.exe Infected: Trojan-Downloader.Win32.VB.xg
C:\WINDOWS\system32\drivers\etc\hosts.20060222-143417.backup Infected: Trojan.Win32.Qhost.fs
Scan process completed.
I find the number of infected objects and viruses found is quite high after all these operations.
:-?
I also ran a scan of the "fragile" areas:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, February 25, 2006 10:11:36
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/02/2006
Kaspersky Anti-Virus database records: 167662
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\SEBAST~1\LOCALS~1\Temp\
Scan Statistics:
Total number of scanned objects: 10049
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 296 sec
Infected Object Name - Virus Name
C:\WINDOWS\system32\drivers\etc\hosts.20060222-143417.backup Infected: Trojan.Win32.Qhost.fs
Scan process completed.
On the other hand, I have a problem: it looks like these operations caused the Mozilla executable to be uninstalled, so I only have Internet Explorer for now.
Can I reinstall Mozilla safely?
Hello
What is in Spybot is not infectious. Others are in the System Restore store. Others are in the temporary files.
Click Start - right-click My Computer - Properties - System Restore - tick the box "Turn off System Restore" and click Apply.
Then restart the computer.
Click Start - right-click My Computer - Properties - System Restore - untick the box "Turn off System Restore" and click Apply.
Run the clean-up with CCleaner.
Yes, you can reinstall Mozilla.
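The helper's reading of the Kaspersky report (Spybot's Recovery folder holds its own backups, System Volume Information holds restore-point copies, Temporary Internet Files holds cached downloads, and hosts.*.backup is a copy of the hosts file that was replaced earlier; only an object outside those locations is a live infection) can be written as a classifier over the report's "Infected Object Name - Virus Name" lines. This is an added example, not part of the thread or of the Kaspersky scanner; the report lines are copied from the scans posted above, the bucket names and notes are the example's own, and the one line marked CONSTRUCTED is made up so that the "live" bucket is exercised.

```python
"""Bucket Kaspersky on-line scanner detections by where the object sits.

Added example for this thread; not part of the Kaspersky scanner or of the
forum's advice. It encodes the helper's reading of the report above: only
objects outside quarantine, restore points, browser cache and the hosts
backup count as live infections.
"""
import re
from collections import defaultdict

# "<path> Infected: <name>" or "<path> Suspicious: <name>" lines of the report.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<name>\S+)$")

# What each bucket means for the clean-up, following the helper's advice above.
BUCKET_NOTES = {
    "quarantine": "Spybot's own Recovery backups; not active",
    "restore_point": "restore-point copies; inert unless restored, purged by "
                     "turning System Restore off and back on",
    "browser_cache": "cached downloads; inert unless run, cleared by CCleaner",
    "hosts_backup": "backup of the replaced hosts file; check the live hosts "
                    "file is the default",
    "live": "outside any inert location: treat as an active infection",
}


def container_of(path):
    """Kaspersky appends archive members after '/', which a Windows path never contains."""
    return path.split("/", 1)[0]


def classify(container):
    """Map an on-disk path to one of the buckets in BUCKET_NOTES."""
    p = container.lower()
    if "\\spybot - search & destroy\\recovery\\" in p:
        return "quarantine"
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"
    if "\\temporary internet files\\" in p:
        return "browser_cache"
    if "\\drivers\\etc\\hosts." in p:
        return "hosts_backup"
    return "live"


def triage_report(lines):
    """Return {bucket: {on-disk file: [detection names]}}; other lines are skipped."""
    buckets = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, separator or statistics line
        container = container_of(m["path"])
        buckets[classify(container)][container].append(m["name"])
    return {bucket: dict(files) for bucket, files in buckets.items()}


def summary(lines):
    """Number of distinct on-disk files per bucket."""
    return {bucket: len(files) for bucket, files in triage_report(lines).items()}


# Lines copied from the Kaspersky reports posted above, plus one CONSTRUCTED
# line (not from the thread) so that the 'live' bucket is exercised.
SAMPLE_REPORT = [
    "Infected Object Name - Virus Name",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip Suspicious: Password-protected-EXE",
    r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe/stream/data0001 Infected: Trojan-Downloader.Win32.Small.ckj",
    r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IYWHQKIM\ad7[1].exe Infected: Trojan-Downloader.NSIS.Agent.p",
    r"C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP121\A0012022.exe Infected: Trojan-Downloader.Win32.VB.xg",
    r"C:\System Volume Information\_restore{BE3D847C-9219-40D9-AAC5-88039F7B9C44}\RP123\A0017821.sys Infected: SpamTool.Win32.Mailbot.ap",
    r"C:\WINDOWS\system32\drivers\etc\hosts.20060222-143417.backup Infected: Trojan.Win32.Qhost.fs",
    r"C:\WINDOWS\system32\CONSTRUCTED-example.dll Infected: Constructed.Sample",
    "Scan process completed.",
]

if __name__ == "__main__":
    for bucket, files in triage_report(SAMPLE_REPORT).items():
        print(f"{bucket} ({len(files)} file(s)): {BUCKET_NOTES[bucket]}")
        for path, names in files.items():
            print(f"  {path}: {', '.join(names)}")
```

Counting distinct on-disk files rather than report lines is what makes the numbers comparable: the ad7[1].exe installer alone produces six "infected objects" in the report above because each embedded stream is reported separately, which is why the raw totals looked alarming to the poster.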