problème systemdoctor 2006

jbpa

20 Septembre 2006 09:34:44

je suis dérangé systématiquement par des fenêtres "systemdoctor 2006", pour l'instant je les ignore...peut on les supprimer?

Autres pages sur : probleme systemdoctor 2006

| Etre averti des réponses
| Alerter

Répondre à jbpa

chercheur_

20 Septembre 2006 09:51:44

Bonjour

Bonjour

1 Télécharge
CCleaner.
http://www.filehippo.com/download_ccleaner.html
Installe le dans un répertoire dédié.

Ewido
http://www.ewido.net/en/download/
Lance Ewido et clique sur le bouton Update (barre d'outils - au haut).
Sous Manual Update clique Start update. Patiente jusqu'à l'affichage "Update successful".

2 Redémarre en mode sans echec. Attention, tu n'as pas accès à internet dans ce mode, note bien ce que tu as à faire.
Démarre l'ordinateur.
Une fois le chargement du BIOS terminé, il y a un écran noir. Appuye sur la touche F8 jusqu'à l'affichage du menu des options avancées de Windows.
En utilisant les touches du curseur, sélectionne Mode sans échec et appuye sur Entrée.

3 Lance le nettoyage avec CCleaner.

4 Lance Ewido.
Clique sur le bouton Scanner (de la barre d'outils)
Puis sur l'onglets Settings, pour How to Act. Clique sur Recommanded Actions. Sélectionne Quarantine.
Reviens a l'onglet Scan. Clique Complete system Scan
A la fin du scan, choisis l'option " Apply All Actions " en bas.
Clique sur "Save Report", puis "Save Report As". Ceci génère un rapport en fichier texte. Assure-toi de le sauvegarder dans un endroit facile à retrouver.

5 Redémarre normalement et poste le rapport d'Ewido avec un log HijackThis v1.99.1
http://pchelpbordeaux.free.fr/logiciels.html
Tutorial
http://pchelpbordeaux.free.fr/tuto.html
Démo en image
http://pageperso.aol.fr/balltrap34/demohijack.htm

Poste aussi ce rapport.
Télécharge Blacklight (de F-Secure) et sauvegarde le sur ton Bureau.
https://europe.f-secure.com/blacklight/try.shtml
Clique sur "I ACCEPT" au bas de la page. Sauvegarde le sur ton Bureau.

Double-clique blbeta.exe et accepte la licence; clique Scan puis Next

Tu verras une liste de fichiers détectés apparaître. Tu verras également un rapport, sur ton Bureau, nommé fsbl.xxxxxxx.log (les xxxxxxx sont des chiffres).

Copie et colle le contenu de ce rapport dans ta prochaine réponse

| Alerter

Répondre à chercheur_

akred3

20 Septembre 2006 09:54:52

EDIT: bonjour, trop tard :lol:

| Alerter

Répondre à akred3

jbpa

20 Septembre 2006 17:48:46

ok pour la phase 1

je n'arrive pas à redémarrer en mode sans échec!!

| Alerter

Répondre à jbpa

Angeldark

20 Septembre 2006 18:37:53

Bonsoir,

Redémarrer en mode sans échec

| Alerter

Répondre à Angeldark

jbpa

20 Septembre 2006 18:54:19

je tente
merci

| Alerter

Répondre à jbpa

jbpa

20 Septembre 2006 20:03:18

rapport ewido

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:46:02 20/09/2006

+ Scan result:

C:\WINDOWS\cdgjefap.exe.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\dcj.exe.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\fgpkt.exe.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\vqjwf.exe.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\xapaz.exe.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\yjkpsbal.exe.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\180SAInstaller.180SAInstaller -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\180SAInstaller.180SAInstaller.1 -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\180SAInstaller.180SAInstaller\CLSID -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\180SAInstaller.180SAInstaller\CurVer -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\NIX Solutions\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\NIX Solutions -> Adware.DailyToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\NIX Solutions\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\NIX Solutions\DailyToolbar\Search -> Adware.DailyToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\NIX Solutions\DailyToolbar\Search\MRU -> Adware.DailyToolbar : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\AppInfo -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\CMEII -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\GInternet -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\GInternet\Proxy -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HBInstIE.HbInstObj -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HBInstIE.HbInstObj.1 -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HBInstIE.HbInstObj\CLSID -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\HBInstIE.HbInstObj\CurVer -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Hotbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Hotbar\Hotbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Hotbar\Hotbar\Install -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Hotbar\Hotbar\Install\cmpmap -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Hotbar\Hotbar\MachineInfo -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Hotbar\Hotbar\PI -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Hotbar\Hotbar\PI\3.2 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Common -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Common\Time -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar\Install -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar\InstallDate -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar\PI -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar\PI\3.2 -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar\UEUI -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar\UserInfo -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar\options -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Hotbar\Hotbar\updates -> Adware.HotBar : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer\optimize.exe -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer\update -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer\update\optimize313.exe -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer\update\optimize314.exe -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer\update\rogue.exe -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE\cf1 -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE\cf2 -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE\cf4 -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\anything -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\anything\cf1 -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\ISTsvc -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\ISTsvc -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\ISTsvc\history -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc -> Adware.ISTBar : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-2757958871-1309467409-2704692236-1005\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj.1 -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CLSID -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CurVer -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Adware.MoneyTree : Cleaned with backup (quarantined).
C:\WINDOWS\system32\9o46v86i.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\system32\um52t3ui.dll -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\system32\upm5mn2c.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\tbej92qs.exe -> Adware.Sahat : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SearchRelevancy -> Adware.SearchRelevancy : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SearchRelevancy\CLSID -> Adware.SearchRelevancy : Cleaned with backup (quarantined).
C:\Program Files\Media Pass\MediaPassC.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\WINDOWS\Messenger2.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\WINDOWS\ck21.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\Program Files\Fichiers communs\WinSoftware\CrXML.dll -> Adware.Winfixer : Cleaned with backup (quarantined).
C:\Program Files\Fichiers communs\WinSoftware\PCheck.dll -> Adware.Winfixer : Cleaned with backup (quarantined).
C:\Program Files\AdStatus Service -> Adware.WinTaskAd : Cleaned with backup (quarantined).
C:\Program Files\AdStatus Service\AdStatComm.dll -> Adware.WinTaskAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SysWebTelecom.SysWebTelecom -> Dialer.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SysWebTelecom.SysWebTelecom\CurVer -> Dialer.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system\BHOmod.dll -> Downloader.Agent.li : Cleaned with backup (quarantined).
C:\WINDOWS\system\bhomod00.dll -> Downloader.Agent.mk : Cleaned with backup (quarantined).
C:\WINDOWS\nem220.dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
C:\WINDOWS\wsem303.dll -> Downloader.Dyfuca.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FE32DDCA-30FF-4C2F-A021-39EAE75462BD}\RP373\A0061673.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\WINDOWS\test.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FE32DDCA-30FF-4C2F-A021-39EAE75462BD}\RP385\A0065440.exe -> Downloader.IstBar.ij : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FE32DDCA-30FF-4C2F-A021-39EAE75462BD}\RP385\A0065430.EXE -> Downloader.IstBar.pd : Cleaned with backup (quarantined).
C:\WINDOWS\yrnfyp.exe -> Downloader.IstBar.pj : Cleaned with backup (quarantined).
C:\temp\SAHPackage.exe -> Dropper.Agent.lh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5V_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5V_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5V_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5V_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5V_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWFX5V_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UERSV_0001_LPNetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWFX5VNetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.e : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UERSV_0001_N68M0602NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6V_0001_D08M1005NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FE32DDCA-30FF-4C2F-A021-39EAE75462BD}\RP378\A0064178.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FE32DDCA-30FF-4C2F-A021-39EAE75462BD}\RP378\A0064179.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\df_kmd.sys -> Rootkit.Agent.af : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@www.shopathomeselect[2].txt -> TrackingCookie.Shopathomeselect : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@xxxtoolbar[1].txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\rdgFR283.exe -> Trojan.Dialer.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FE32DDCA-30FF-4C2F-A021-39EAE75462BD}\RP385\A0065441.exe -> Trojan.Small.cy : Cleaned with backup (quarantined).

::Report end

| Alerter

Répondre à jbpa

jbpa

20 Septembre 2006 20:04:05

rapport hijack this

Logfile of HijackThis v1.99.1
Scan saved at 21:54:46, on 20/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis Version Française\hijackthis vf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.numericable.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = NUMERICABLE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\bhomod00.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Gazxpexf] C:\Program Files\Zgtazs\Wkijg.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.advnt01.com/dialer/fra_allgl.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
O16 - DPF: {00000000-0000-0000-0000-000020050660} - http://207.234.185.217/ABoxInst_int15.exe
O16 - DPF: {2472DCCC-68CE-49DA-AA81-E7E6D83C1DFA} (PackageHTML) - http://acces.blonde.com/package/op/PackageHtmlCab.CAB
O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} - http://sp.ask.com/docs/teoma/toolbar/download/teomab-in...
O16 - DPF: {5CE7A7AF-8C5E-48CF-AE30-8FC6F01C27E3} (Yahoo! Photos - Outil de publication Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/y...
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.playqames.com/default.cab?uid=9&id=60953&1s&...
O17 - HKLM\System\CCS\Services\Tcpip\..\{74F126E8-2B97-4C2E-A047-3737FB3AD875}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)

| Alerter

Répondre à jbpa

jbpa

20 Septembre 2006 20:12:47

09/20/06 22:04:07 [Info]: BlackLight Engine 1.0.46 initialized
09/20/06 22:04:07 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/20/06 22:04:07 [Note]: 7019 4
09/20/06 22:04:07 [Note]: 7005 0
09/20/06 22:04:14 [Note]: 7006 0
09/20/06 22:04:14 [Note]: 7011 1456
09/20/06 22:04:15 [Note]: 7026 0
09/20/06 22:04:15 [Note]: 7026 0
09/20/06 22:04:16 [Note]: 7024 3
09/20/06 22:04:16 [Info]: Hidden process: C:\windows\system32\gcmjhu.exe
09/20/06 22:04:16 [Note]: FSRAW library version 1.7.1019
09/20/06 22:04:19 [Info]: Hidden file: C:\windows\system32\gcmjhu.exe
09/20/06 22:04:20 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\GCMJHU.DAT
09/20/06 22:04:22 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\GCMJHU~2.DAT
09/20/06 22:04:22 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\GCMJHU~1.DAT
09/20/06 22:04:48 [Info]: Hidden file: c:\WINDOWS\Prefetch\GCMJHU~1.PF
09/20/06 22:09:33 [Note]: 7007 0

| Alerter

Répondre à jbpa

chercheur_

20 Septembre 2006 20:23:27

Re

Beaucoup d'infections différentes. On commence.

Une partie de la procédure se déroulera sans avoir accès à internet, prière d'imprimer ces instructions, ou de les coller dans un fichier texte, pour lecture durant cette désinfection.
Les manipulations sont à faire sans interruption et dans l'ordre.
Si tu ne comprends pas quelque chose, demande des explications avant de commencer.

Télécharge Brute Force Uninstaller (de Merijn)
http://www.merijn.org/files/bfu.zip
Créé un nouveau dossier directement sur le C:\ et nomme-le BFU. Décompresse le fichier téléchargé dans ce nouveau dossier (C:\BFU)

FAIS UN CLIC-DROIT ICI et choisis "Enregistrer la cible sous..." afin de télécharger EGDACCESS.bfu (de Metallica). Sauvegarde dans le dossier créé (C:\BFU). **Note : si tu utlises Internet Explorer; lors de la sauvegarde, assure-toi que le champs "Type :" affiche "Tous les fichiers". Tu dois maintenant avoir deux fichiers dans le dossier C:\BFU : EGDACCESS.bfu et BFU.exe (très important).

Ouvre le Bloc-note et copie-colle les lignes en rouge ci-dessous

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gcmjhu
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|gcmjhu
FileDelete %SYSDIR%\gcmjhu_navps.dat
FileDelete %SYSDIR%\gcmjhu_nav.dat
FileDelete %SYSDIR%\gcmjhu.dat
FileDelete %SYSDIR%\gcmjhu.exe

Sauvegarde dans le dossier créé (C:\BFU) (Nom du fichier : "Fixme.bfu " -sans inclure les guillemets- ; Type : Tous les fichiers).

Redémarre en mode Sans Échec : au redémarrage, tapote immédiatement la touche F8; tu verras un écran avec choix de démarrages apparaître. Utilisant les flèches du clavier, choisis "Mode Sans Échec" et valide avec "Entrée". Choisis ton compte usuel, et non Administrateur.

Démarre le "Brute Force Uninstaller" en double-cliquant BFU.exe (du dossier C:\BFU)

--- Clique sur le petit dossier jaune, à la droite de la boîte Scriptline to execute, et double-clique sur :

EGDACCESS.bfu

- Dans la boîte "Scriptline to execute", tu devrais maintenant voir ceci : C:\BFU\EGDACCESS.bfu
Clique sur Execute et laisse-le faire son travail.
Attendre que Complete script execution apparaîsse et clique sur OK.

--- Clique sur le petit dossier jaune, à la droite de la boîte Scriptline to execute, et double-clique sur :

Fixme.bfu

- Dans la boîte "Scriptline to execute", tu devrais maintenant voir ceci : C:\BFU\Fixme.bfu
Clique sur Execute et laisse-le faire son travail.
Attendre que Complete script execution apparaîsse et clique sur OK.

Clique Exit pour fermer le programme BFU.

Redémarre normalement.

Poste un nouveau hijackThis et un nouveau BlackLight.

| Alerter

Répondre à chercheur_

jbpa

20 Septembre 2006 21:04:40

Logfile of HijackThis v1.99.1
Scan saved at 22:58:13, on 20/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis Version Française\hijackthis vf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.numericable.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = NUMERICABLE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\bhomod00.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Gazxpexf] C:\Program Files\Zgtazs\Wkijg.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.advnt01.com/dialer/fra_allgl.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
O16 - DPF: {00000000-0000-0000-0000-000020050660} - http://207.234.185.217/ABoxInst_int15.exe
O16 - DPF: {2472DCCC-68CE-49DA-AA81-E7E6D83C1DFA} (PackageHTML) - http://acces.blonde.com/package/op/PackageHtmlCab.CAB
O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} - http://sp.ask.com/docs/teoma/toolbar/download/teomab-in...
O16 - DPF: {5CE7A7AF-8C5E-48CF-AE30-8FC6F01C27E3} (Yahoo! Photos - Outil de publication Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/y...
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.playqames.com/default.cab?uid=9&id=60953&1s&...
O17 - HKLM\System\CCS\Services\Tcpip\..\{74F126E8-2B97-4C2E-A047-3737FB3AD875}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)

blacklight

09/20/06 23:00:03 [Info]: BlackLight Engine 1.0.46 initialized
09/20/06 23:00:03 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/20/06 23:00:03 [Note]: 7019 4
09/20/06 23:00:03 [Note]: 7005 0
09/20/06 23:00:09 [Note]: 7006 0
09/20/06 23:00:09 [Note]: 7011 1492
09/20/06 23:00:09 [Note]: 7026 0
09/20/06 23:00:10 [Note]: 7026 0
09/20/06 23:00:17 [Note]: FSRAW library version 1.7.1019
09/20/06 23:00:37 [Note]: 2000 1006
09/20/06 23:00:37 [Note]: 2000 1006
09/20/06 23:01:33 [Note]: 7007 0

| Alerter

Répondre à jbpa

chercheur_

20 Septembre 2006 21:43:31

Re

Prière d'imprimer ces instructions, ou de les coller dans un fichier texte pour lecture en mode Sans Échec.)

Ouvre le Bloc-note et copie-colle les lignes en rouge ci-dessous

ProcessKill %WINDIR%\logon.exe|1
ProcessKill %PROGRAMFILES%\ISTsvc\istsvc.exe|1
ProcessKill %PROGRAMFILES%\Zgtazs\Wkijg.exe|1
ProcessKill %WINDIR%\winasp.exe |1

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\logon
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|WinLogon
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winasp.exe
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|NvCplScan

RegDeleteKey HKCR\CLSID\{00000000-0000-0000-0000-000020030000}
RegDeleteKey HKCR\CLSID\{00000000-0000-0000-0000-000020040000}
RegDeleteKey HKCR\CLSID\{00000000-0000-0000-0000-000020050660}
RegDeleteKey HKCR\CLSID\{2472DCCC-68CE-49DA-AA81-E7E6D83C1DFA}
RegDeleteKey HKCR\CLSID\{470A6E01-15A3-49B3-B8B9-8EDF4AC1A480}

RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000000-0000-0000-0000-000020030000}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000000-0000-0000-0000-000020040000}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000000-0000-0000-0000-000020050660}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2472DCCC-68CE-49DA-AA81-E7E6D83C1DFA}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{470A6E01-15A3-49B3-B8B9-8EDF4AC1A480}

RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000020030000}|Compatibility Flags|1024
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000020040000}|Compatibility Flags|1024
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000020050660}|Compatibility Flags|1024
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2472DCCC-68CE-49DA-AA81-E7E6D83C1DFA}|Compatibility Flags|1024
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{470A6E01-15A3-49B3-B8B9-8EDF4AC1A480}|Compatibility Flags|1024

FileDelete %WINDIR%\logon.exe
FileDelete %WINDIR%\winasp.exe

FolderDelete %PROGRAMFILES%\ISTsvc
FolderDelete %PROGRAMFILES%\Zgtazs

SystemEmptyTempFolder
SystemEmptyRecycleBin

Sauvegarde dans le dossier créé (C:\BFU) (Nom du fichier : "Fixme.bfu " -sans inclure les guillemets- ; Type : Tous les fichiers).

Redémarre en mode Sans Échec : au redémarrage, tapote immédiatement la touche F8; tu verras un écran avec choix de démarrages apparaître. Utilisant les flèches du clavier, choisis "Mode Sans Échec" et valide avec "Entrée". Choisis ton compte usuel, et non Administrateur.

Démarre le "Brute Force Uninstaller" en double-cliquant BFU.exe (du dossier C:\BFU)

- Clique sur le petit dossier jaune, à la droite de la boîte Scriptline to execute, et double-clique sur :

Fixme.bfu

- Dans la boîte "Scriptline to execute", tu devrais maintenant voir ceci : C:\BFU\Fixme.bfu

Clique sur Execute et laisse-le faire son travail.

Attendre que Complete script execution apparaîsse et clique sur OK.
Clique Exit pour fermer le programme BFU.

Redémarre normalement.

Nouveau HijackThis.

| Alerter

Répondre à chercheur_

jbpa

21 Septembre 2006 08:52:38

Logfile of HijackThis v1.99.1
Scan saved at 10:49:13, on 21/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis Version Française\hijackthis vf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.numericable.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = NUMERICABLE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\bhomod00.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Gazxpexf] C:\Program Files\Zgtazs\Wkijg.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5CE7A7AF-8C5E-48CF-AE30-8FC6F01C27E3} (Yahoo! Photos - Outil de publication Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/y...
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.playqames.com/default.cab?uid=9&id=60953&1s&...
O17 - HKLM\System\CCS\Services\Tcpip\..\{74F126E8-2B97-4C2E-A047-3737FB3AD875}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)

| Alerter

Répondre à jbpa

Angeldark

21 Septembre 2006 11:35:22

Encore du boulot.

La procédure est longue et en partie en mode sans échec,
imprime ou mets dans un fichier texte les instructions.
Les manipulations sont à faire sans interruption et dans l'ordre.
Si tu ne comprends pas quelque chose, demande des explications avant de commencer.

Télécharge:

Clean.zip (de Malekal),
décompresse-le sur ton bureau (clic droit / extraire tout), tu dois obtenir un dossier clean.

Redémarre en mode sans échec

Désinstalle si possible :
ISTBar

Ferme TOUS les fenêtres ouvertes (sauf Hijackthis)
et les logiciels de protection en temps réel (antivirus...)

- Lance Hijackthis ->Do a system scan only
->Coche les lignes ci-dessous :

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\bhomod00.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Gazxpexf] C:\Program Files\Zgtazs\Wkijg.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe

Clique sur Fix checked (en bas à gauche)

- Assure toi d'avoir accès aux dossiers/fichiers cachés
-> Démarrer
-> Panneau de configuration
-> Options des Dossiers, onglet Affichage :
. Clique sur Afficher les dossiers cachés
. Décoche Masquer les extensions des fichiers dont le type est connu
. Décoche Masquer les fichiers protégés du système d'exploitation

- Suppime ces fichiers et/ou dossiers s'ils existent encore :

C:\Program Files\ISTsvc\<- le dossier
C:\Program Files\Zgtazs\<- le dossier
C:\Program Files\ISTsvc\istsvc.exe
Surement dans C:\Windows\System32
winasp.exe

- Lance un nettoyage Ccleaner :
Clique sur le bouton "Analyse" puis "Lancer le Néttoyage"

- Ouvre le dossier clean qui se trouve sur ton bureau, et double-clic sur clean.cmd, une fenêtre noire va apparaître pendant un instant, laisse la ouverte.

Redémarre normalement.

- Poste un nouveau rapport Hijackthis.

- Le rapport clean : Poste de travail / double clic sur disque C / double-clic sur rapport_clean.txt et copier/coller le contenu ici C:\rapport_clean.txt

| Alerter

Répondre à Angeldark

jbpa

21 Septembre 2006 12:29:19

je n'ai pas trouvé les fichiers suivant;
C:\Program Files\ISTsvc\<- le dossier
C:\Program Files\Zgtazs\<- le dossier
C:\Program Files\ISTsvc\istsvc.exe
Surement dans C:\Windows\System32
winasp.exe

Logfile of HijackThis v1.99.1
Scan saved at 14:20:50, on 21/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Hijackthis Version Française\hijackthis vf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.numericable.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = NUMERICABLE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5CE7A7AF-8C5E-48CF-AE30-8FC6F01C27E3} (Yahoo! Photos - Outil de publication Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/y...
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.playqames.com/default.cab?uid=9&id=60953&1s&...
O17 - HKLM\System\CCS\Services\Tcpip\..\{74F126E8-2B97-4C2E-A047-3737FB3AD875}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)

je n'arrive pas à faire la dernière manip... pas de fichier rapport_clean.txt sous C/!!

| Alerter

Répondre à jbpa

Angeldark

21 Septembre 2006 12:40:15

Ca me semble bon :

- Fais un scan en ligne Kaspersky :
. Scan la zone critique
. Sauvegarde puis colle le rapport en fin d'analyse
Aide pour le scan en ligne.

NOTES :

- Si ce message apparaît :
"La licence de Kaspersky On-line Scanner est périmée"
Vas dans Ajout/Suppression de programmes pour désinstaller l'Online Scanner
Retente ensuite le scan.

- Si tu n'arrive toujours pas à utiliser le scan en ligne, fait un scan en ligne Panda
. /!\ Lorsqu'il te faudra entrée ton adresse e-mail, clique sur I don't accept (en bas)
. Poste le rapport en fin d'analyse
. Si tu as Avast! désactive-le.