[RESOLUT] PUB PUB PUB j'en peut plus !!!

Bonjour,

Plusieurs infections.

La procédure est longue et en partie en mode sans échec,
imprime ou mets dans un fichier texte les instructions.
Les manipulations sont à faire sans interruption et dans l'ordre.
Si tu ne comprends pas quelque chose, demande des explications avant de commencer.

Télécharge Brute Force Uninstaller (de Merjin).
Créé un nouveau dossier directement sur le C:\ et nomme-le BFU. Décompresse le fichier téléchargé dans ce nouveau dossier (C:\BFU)

FAIS UN CLIC-DROIT ICI et choisis "Enregistrer la cible sous..." afin de télécharger alcanshorty.bfu (de Metallica). Sauvegarde dans le dossier créé (C:\BFU). **Note : si tu utlises Internet Explorer; lors de la sauvegarde, assure-toi que le champs "Type :" affiche "Tous les fichiers". Tu dois maintenant avoir deux fichiers dans le dossier C:\BFU : alcanshorty.bfu et BFU.exe (très important).

AIDE : Comment installer et utiliser BFU ?

Redémarre en mode Sans Échec : au redémarrage, tapote immédiatement la touche F8; tu verras un écran avec choix de démarrages apparaître. Utilisant les flèches du clavier, choisis "Mode Sans Échec" et valide avec "Entrée". Choisis ton compte usuel, et non Administrateur.

Démarre le "Brute Force Uninstaller" en double-cliquant BFU.exe (du dossier C:\BFU)

- Clique sur le petit dossier jaune, à la droite de la boîte Scriptline to execute, et double-clique sur :

alcanshorty.bfu

- Dans la boîte "Scriptline to execute", tu devrais maintenant voir ceci : C:\BFU\alcanshorty.bfu

Clique sur Execute et laisse-le faire son travail.

Attendre que Complete script execution apparaîsse et clique sur OK.
Clique Exit pour fermer le programme BFU.

Redémarre normalement.

Télécharge combofix.exe (par sUBs) sur ton Bureau

Double clique combofix.exe.

Tape sur la touche Y (Yes) pour démarrer le scan.

Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse.

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

ok voici le résultat.
Je te préviens c'est super long...

Merci pour ton aide

David2 - 06-11-04 19:40:24,43 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\David2"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\teller2.chk
C:\dfndrff_e48.exe
C:\drsmartload.exe
C:\deskbar_e48.exe
C:\deskbar.exe
C:\kybrdff_e48.exe
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
C:\nwnmff_e48.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\318OP5OS\dfndrff_e_uit[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EX1T3MQL\drsmartload[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\AT9DN6P5\drsmartload44a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OD23S567\deskbar_e[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EX1T3MQL\kybrdff_e[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OD23S567\MTE3NDI6ODoxNg[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\318OP5OS\nwnmff_e[1].exe
C:\Program Files\Fichiers communs\Yazzle1125OinAdmin.exe
C:\Program Files\Fichiers communs\Yazzle1125OinUninstaller.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\system32\w0023a5f.dll
C:\Program Files\Deskbar

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1.NET\?ttrib.exe
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET\??crosoft.NET
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET\regsvr32.exe
C:\QooBox\Purity\WINDOWS\CURITY~1\n?lookup.exe
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1\?ystem32
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1\netdde.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-04 to 2006-11-04 ))))))))))))))))))))))))))))))))))


2006-11-04 19:37 131,072 --a------ C:\WINDOWS\system32\nxyqylm.dll
2006-11-04 19:35 40,973 ---hs---- C:\WINDOWS\system32\urqpmkl.dll
2006-11-04 19:35 28,672 --ahs---- C:\WINDOWS\system32\v8.exe
2006-11-04 19:35 28,672 --a------ C:\mc44a48.exe
2006-11-04 19:35 181,580 --a------ C:\WINDOWS\YazzleBundle-1125.exe
2006-11-04 19:35 110,592 --a------ C:\WINDOWS\v1201.exe
2006-11-04 19:02 40,973 ---hs---- C:\WINDOWS\system32\xxyxutu.dll
2006-11-04 17:54 598,197 ---hs---- C:\WINDOWS\system32\qrqss.bak2
2006-11-04 17:47 60,436 --a------ C:\WINDOWS\system32\abvymuou.dll
2006-11-04 17:47 598,067 ---hs---- C:\WINDOWS\system32\ihhkj.bak1
2006-11-04 17:47 110,612 --a------ C:\WINDOWS\system32\digrxkvf.exe
2006-11-04 17:46 692,276 ---hs---- C:\WINDOWS\system32\ssqrq.dll
2006-11-04 17:46 692,276 ---hs---- C:\WINDOWS\system32\jkhhi.dll
2006-11-04 17:31 2 --a------ C:\WINDOWS\system32\wcpcc.exe
2006-11-04 17:31 131,072 --a------ C:\WINDOWS\system32\msszztd.dll
2006-11-04 17:30 8,012 --a------ C:\WINDOWS\diretx.exe
2006-11-04 17:30 40,973 ---hs---- C:\WINDOWS\system32\awtqnkh.dll
2006-11-04 17:24 128,000 -r-hs---- C:\WINDOWS\loadll.exe
2006-11-04 15:09 115,712 --a------ C:\WINDOWS\system32\lol.exe
2006-11-04 15:02 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-11-04 15:01 434,176 --a------ C:\windows.exe
2006-11-04 15:00 6,568 --a------ C:\WINDOWS\pwr.exe
2006-11-04 14:59 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-04 14:59 61,952 --a------ C:\WINDOWS\system32\pofaed4f.dll
2006-11-04 14:59 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-11-04 14:59 266,240 --a------ C:\yz02.exe
2006-11-04 14:59 139,264 --a------ C:\MirarSetup_876087.exe
2006-11-04 14:59 1,259 --a------ C:\WINDOWS\system32\pofaed4f.sys
2006-11-04 14:58 6,568 --a------ C:\WINDOWS\pwrs.exe
2006-11-04 14:58 53,552 -r-hs---- C:\WINDOWS\system32\vcmon.exe
2006-11-04 14:58 28,672 --a------ C:\WINDOWS\volt7.exe
2006-11-04 14:58 28,672 --a------ C:\WINDOWS\docsys.exe
2006-11-04 14:45 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-11-04 14:45 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2006-11-04 14:45 8,064 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-11-04 14:45 50,688 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-11-04 14:45 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2006-11-04 14:45 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-11-04 14:45 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-11-04 14:45 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2006-11-04 14:45 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-11-04 14:45 16,384 --a------ C:\WINDOWS\system32\msyuv.dll
2006-11-04 14:45 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-11-04 14:45 14,592 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-11-04 14:45 131,712 --a------ C:\WINDOWS\system32\drivers\ks.sys
2006-11-04 14:45 10,752 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-11-04 14:42 57,344 -ra------ C:\WINDOWS\ctdrvins.exe
2006-11-04 14:42 49,152 -ra------ C:\WINDOWS\system32\webc3pin.dll
2006-11-04 14:42 45,056 -ra------ C:\WINDOWS\system32\webc3vfw.dll
2006-11-04 14:42 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-11-04 14:42 135,680 --a------ C:\WINDOWS\Webdelc.exe
2006-11-04 14:30 41,472 --a------ C:\WINDOWS\CTREGRUN.EXE
2006-11-04 13:31 0 --a------ C:\WINDOWS\system32\Isass.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-04 17:47 -------- d-------- C:\Program Files\VSAdd-in
2006-11-04 17:47 -------- d-------- C:\Documents and Settings\David2\Application Data\SearchToolbarCorp
2006-11-04 15:02 -------- d-------- C:\Program Files\MSN Messenger
2006-11-04 14:59 -------- d-a-s---- C:\Program Files\NewDotNet
2006-11-04 14:51 -------- d-------- C:\Program Files\Skype
2006-11-04 14:51 -------- d-------- C:\Documents and Settings\David2\Application Data\Skype
2006-11-04 14:42 -------- d-------- C:\Program Files\directx
2006-11-04 14:30 -------- d-------- C:\Program Files\Creative
2006-11-04 14:07 -------- d-------- C:\Documents and Settings\David2\Application Data\vlc
2006-11-04 14:02 -------- d-------- C:\Documents and Settings\David2\Application Data\Macromedia
2006-11-04 13:58 -------- d-------- C:\Program Files\Yahoo!
2006-11-04 13:42 -------- d-------- C:\Program Files\WinRAR
2006-11-04 10:34 -------- d-------- C:\Documents and Settings\David2\Application Data\Mozilla
2006-11-04 09:24 -------- d-------- C:\Documents and Settings\David2\Application Data\Identities


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Sudp"="\"C:\\DOCUME~1\\David2\\MESDOC~1\\YSTEM3~1\\netdde.exe\" -vt yazb"
"Wvvckjgd"="C:\\WINDOWS\\system32\\M?crosoft.NET\\?ttrib.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"CTRegRun"="C:\\WINDOWS\\CTRegRun.EXE"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"pofaed4f"="RUNDLL32.EXE w0023a5f.dll,n 006aed490000000a0023a5f"
"Winsock2 wqr1s"="EM32\\LOL.EXE"
"Winamp Agent"="C:\\WINDOWS\\System32\\winamp.exe"
"ACTX1"="C:\\WINDOWS\\v1201.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Internet Explorer\\zytety.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\woryroky.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sudp"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\regsvr32.exe\" -vt yazb"
"Acrlfmg"="C:\\WINDOWS\\??curity\\n?lookup.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Winsock2 wqr1s"="EM32\\LOL.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sudp"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\regsvr32.exe\" -vt yazb"
"Acrlfmg"="C:\\WINDOWS\\??curity\\n?lookup.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Winsock2 wqr1s"="EM32\\LOL.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9A36CEDC-2619-43F0-8108-50A321AD3057}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxutu

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-04 19:42:49.51
C:\ComboFix.txt ... 06-11-04 19:42

Reposte un rapport Hijackthis stp.

Voilou

Logfile of HijackThis v1.99.1
Scan saved at 19:56:04, on 4/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\vcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\loadll.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\winamp.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
c:\windows\pwr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\dfndrff_e48.exe
c:\kybrdff_e48.exe
C:\WINDOWS\System32\SSTEM3~1\dvdplay.exe
c:\nwnmff_e48.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\dGVzdA\command.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
c:\windows\pwrs.exe
C:\WINDOWS\system32\cmd.exe
c:\windows\pwr.exe
C:\Documents and Settings\David2\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {AC9B0D98-9756-93DE-7801-BA89182C60C9} - C:\WINDOWS\System32\iatzqtdv.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [pofaed4f] RUNDLL32.EXE w0023a5f.dll,n 006aed490000000a0023a5f
O4 - HKLM\..\Run: [Winsock2 wqr1s] EM32\LOL.EXE
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e48.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e48.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e48.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sudp] "C:\WINDOWS\System32\SSTEM3~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Wvvckjgd] C:\WINDOWS\system32\M?crosoft.NET\?ttrib.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dGVzdA\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Process Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe
O23 - Service: ¾2:¡/
wù:GŸ·siÖ (€?
) - Unknown owner - C:\WINDOWS\loadll.exe

Tu as raté l'étape avec BFU...

FAIS UN CLIQUE-DROIT ICI et choisis "Enregistrer la cible sous..." afin de télécharger DelDomains

Ferme toutes les fenêtres puis déconnecte toi

Clique Droit sur DelDomains puis choisis Installer

Télécharge delcmdservice (par Marckie), et sauvegardez-le sur ton Bureau.

Décompresse le contenu sur votre Bureau (un dossier nommé delcmdservice)

Double-clique sur le dossier delcmdservice

Double-clique sur delreg.bat afin de lancer l'outil

----------
-> Démarrer
-> Exécuter...
Tape Services.msc puis valide
Double clique sur " Network Monitor "
Type de démarrage : " Désactiver "
Clique en bas sur " Arrêter "
Valide les changements.
Fais pareil avec :
Command Service
Remote Process Manager
¾2:¡/
wù:GŸ·siÖ
-----
Ouvre Hijackthis puis:
-> Open the Misc Tools Section
-> Delete an NT Service
Tape " Network Monitor " puis valide.
Fais pareil avec :
cmdService
Remote Process Manager
€?
----------

- Assure toi d'avoir accès aux dossiers/fichiers cachés
-> Démarrer
-> Panneau de configuration
-> Options des Dossiers, onglet Affichage :
. Clique sur Afficher les dossiers cachés
. Décoche Masquer les extensions des fichiers dont le type est connu
. Décoche Masquer les fichiers protégés du système d'exploitation

Supprime :
C:\Program Files\Network Monitor\
C:\WINDOWS\dGVzdA\command.exe
C:\WINDOWS\system32\vcmon.exe
C:\WINDOWS\loadll.exe

Repasse un coup de Combofix + rapport.

Je dois refaire BFU avant tout le reste ?
Dois je déconnecter internet pendant tous les processus ?

Non


Renon  

Salut,

Je n'ai pas réussit a supprimer:
C:\Program Files\Network Monitor\
C:\WINDOWS\dGVzdA\command.exe
C:\WINDOWS\system32\vcmon.exe
C:\WINDOWS\loadll.exe

Dans Services.msc il n'y a pas wù:GŸ·siÖ

Et Hijackthis n'a pas trouvé €?

Pour l'instant j'ai l'impression de ne plus recevoir de pub.
Je t'envoi quand même mes logs pour si des fois tu vois encore quelques soucis.

Pourrais tu m'expilquer d'ou viennent les problèmes? (ça m'interesse a fond)

Quel antivirus gratos dois je utiliser pour évité cela dans le futur ?

Merci de ton aide

---------------------------------------------------------------------
Le log de Combofix:

David2 - 06-11-04 21:46:53,15 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\David2\Bureau"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndrff_e48.exe
C:\drsmartload.exe
C:\deskbar_e48.exe
C:\deskbar.exe
C:\kybrdff_e48.exe
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
C:\nwnmff_e48.exe
C:\Documents and Settings\David2\Local Settings\Temporary Internet Files\Content.IE5\1O2HLIC0\drsmartload[1].exe
C:\Documents and Settings\David2\Local Settings\Temporary Internet Files\Content.IE5\1O2HLIC0\drsmartload[2].exe
C:\Documents and Settings\David2\Local Settings\Temporary Internet Files\Content.IE5\MNJHQWFZ\kybrdff_e[1].exe
C:\Program Files\Fichiers communs\Yazzle1125OinAdmin.exe
C:\Program Files\Fichiers communs\Yazzle1125OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\WINDOWS\dGVzdA

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\system32\SSTEM3~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1.NET\?ttrib.exe
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET\??crosoft.NET
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET\regsvr32.exe
C:\QooBox\Purity\WINDOWS\system32\SSTEM3~1\s?stem32
C:\QooBox\Purity\WINDOWS\system32\SSTEM3~1\dvdplay.exe
C:\QooBox\Purity\WINDOWS\CURITY~1\n?lookup.exe
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\DOBE~1
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1\?ystem32
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1\netdde.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-04 to 2006-11-04 ))))))))))))))))))))))))))))))))))


2006-11-04 21:30 131,072 --a------ C:\WINDOWS\system32\kpxlo.dll
2006-11-04 21:29 40,973 ---hs---- C:\WINDOWS\system32\pmnnkjk.dll
2006-11-04 21:15 40,973 ---hs---- C:\WINDOWS\system32\qommnnm.dll
2006-11-04 21:05 298,496 --a------ C:\WINDOWS\unin040c.exe
2006-11-04 19:43 40,973 ---hs---- C:\WINDOWS\system32\efcdccb.dll
2006-11-04 19:35 40,973 ---hs---- C:\WINDOWS\system32\urqpmkl.dll
2006-11-04 19:35 28,672 --ahs---- C:\WINDOWS\system32\v8.exe
2006-11-04 19:35 28,672 --a------ C:\mc44a48.exe
2006-11-04 19:35 181,580 --a------ C:\WINDOWS\YazzleBundle-1125.exe
2006-11-04 19:35 110,592 --a------ C:\WINDOWS\v1201.exe
2006-11-04 19:02 40,973 ---hs---- C:\WINDOWS\system32\xxyxutu.dll
2006-11-04 17:54 598,197 ---hs---- C:\WINDOWS\system32\qrqss.bak2
2006-11-04 17:47 60,436 --a------ C:\WINDOWS\system32\abvymuou.dll
2006-11-04 17:47 598,067 ---hs---- C:\WINDOWS\system32\ihhkj.bak1
2006-11-04 17:47 110,612 --a------ C:\WINDOWS\system32\digrxkvf.exe
2006-11-04 17:46 692,276 ---hs---- C:\WINDOWS\system32\ssqrq.dll
2006-11-04 17:46 692,276 ---hs---- C:\WINDOWS\system32\jkhhi.dll
2006-11-04 17:31 2 --a------ C:\WINDOWS\system32\wcpcc.exe
2006-11-04 17:31 131,072 --a------ C:\WINDOWS\system32\msszztd.dll
2006-11-04 17:30 8,012 --a------ C:\WINDOWS\diretx.exe
2006-11-04 17:30 40,973 ---hs---- C:\WINDOWS\system32\awtqnkh.dll
2006-11-04 17:24 128,000 ---h----- C:\WINDOWS\loadll.exe
2006-11-04 15:09 115,712 --a------ C:\WINDOWS\system32\lol.exe
2006-11-04 15:02 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-11-04 15:01 434,176 --a------ C:\windows.exe
2006-11-04 15:00 6,568 --a------ C:\WINDOWS\pwr.exe
2006-11-04 14:59 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-04 14:59 61,952 --a------ C:\WINDOWS\system32\pofaed4f.dll
2006-11-04 14:59 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-11-04 14:59 266,240 --a------ C:\yz02.exe
2006-11-04 14:59 139,264 --a------ C:\MirarSetup_876087.exe
2006-11-04 14:59 1,259 --a------ C:\WINDOWS\system32\pofaed4f.sys
2006-11-04 14:58 6,568 --a------ C:\WINDOWS\pwrs.exe
2006-11-04 14:58 53,552 ---h----- C:\WINDOWS\system32\vcmon.exe
2006-11-04 14:58 28,672 --a------ C:\WINDOWS\volt7.exe
2006-11-04 14:58 28,672 --a------ C:\WINDOWS\docsys.exe
2006-11-04 14:45 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-11-04 14:45 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2006-11-04 14:45 8,064 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-11-04 14:45 50,688 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-11-04 14:45 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2006-11-04 14:45 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-11-04 14:45 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-11-04 14:45 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2006-11-04 14:45 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-11-04 14:45 16,384 --a------ C:\WINDOWS\system32\msyuv.dll
2006-11-04 14:45 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-11-04 14:45 14,592 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-11-04 14:45 131,712 --a------ C:\WINDOWS\system32\drivers\ks.sys
2006-11-04 14:45 10,752 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-11-04 14:42 57,344 -ra------ C:\WINDOWS\ctdrvins.exe
2006-11-04 14:42 49,152 -ra------ C:\WINDOWS\system32\webc3pin.dll
2006-11-04 14:42 45,056 -ra------ C:\WINDOWS\system32\webc3vfw.dll
2006-11-04 14:42 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-11-04 14:42 135,680 --a------ C:\WINDOWS\Webdelc.exe
2006-11-04 14:30 41,472 --a------ C:\WINDOWS\CTREGRUN.EXE
2006-11-04 13:31 0 --a------ C:\WINDOWS\system32\Isass.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-04 19:44 -------- d-------- C:\Documents and Settings\David2\Application Data\àdobe
2006-11-04 17:47 -------- d-------- C:\Program Files\VSAdd-in
2006-11-04 17:47 -------- d-------- C:\Documents and Settings\David2\Application Data\SearchToolbarCorp
2006-11-04 15:02 -------- d-------- C:\Program Files\MSN Messenger
2006-11-04 14:59 -------- d-a-s---- C:\Program Files\NewDotNet
2006-11-04 14:51 -------- d-------- C:\Program Files\Skype
2006-11-04 14:51 -------- d-------- C:\Documents and Settings\David2\Application Data\Skype
2006-11-04 14:42 -------- d-------- C:\Program Files\directx
2006-11-04 14:30 -------- d-------- C:\Program Files\Creative
2006-11-04 14:07 -------- d-------- C:\Documents and Settings\David2\Application Data\vlc
2006-11-04 14:02 -------- d-------- C:\Documents and Settings\David2\Application Data\Macromedia
2006-11-04 13:58 -------- d-------- C:\Program Files\Yahoo!
2006-11-04 13:42 -------- d-------- C:\Program Files\WinRAR
2006-11-04 10:34 -------- d-------- C:\Documents and Settings\David2\Application Data\Mozilla
2006-11-04 09:24 -------- d-------- C:\Documents and Settings\David2\Application Data\Identities


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Sudp"="\"C:\\WINDOWS\\System32\\SSTEM3~1\\dvdplay.exe\" -vt yazb"
"Wvvckjgd"="C:\\WINDOWS\\system32\\M?crosoft.NET\\?ttrib.exe"
@=".exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"CTRegRun"="C:\\WINDOWS\\CTRegRun.EXE"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"pofaed4f"="RUNDLL32.EXE w0023a5f.dll,n 006aed490000000a0023a5f"
"Winsock2 wqr1s"="EM32\\LOL.EXE"
"Winamp Agent"="C:\\WINDOWS\\System32\\winamp.exe"
"ACTX1"="C:\\WINDOWS\\v1201.exe"
@=".exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
@=".exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Internet Explorer\\zytety.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\woryroky.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sudp"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\regsvr32.exe\" -vt yazb"
"Acrlfmg"="C:\\WINDOWS\\??curity\\n?lookup.exe"
@=".exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Winsock2 wqr1s"="EM32\\LOL.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sudp"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\regsvr32.exe\" -vt yazb"
"Acrlfmg"="C:\\WINDOWS\\??curity\\n?lookup.exe"
@=".exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Winsock2 wqr1s"="EM32\\LOL.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9A36CEDC-2619-43F0-8108-50A321AD3057}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxutu

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-04 21:50:04.37
C:\ComboFix2.txt ... 06-11-04 19:42
C:\ComboFix.txt ... 06-11-04 21:50
--------------------------------------------------------------------

Le log de Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 21:56:12, on 4/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\winamp.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\System32\.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\lrsys.exe
C:\Documents and Settings\David2\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {72BE7BCD-BF03-B5D9-2C54-CFCE6CCBBEC5} - C:\WINDOWS\System32\kpxlo.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [pofaed4f] RUNDLL32.EXE w0023a5f.dll,n 006aed490000000a0023a5f
O4 - HKLM\..\Run: [Winsock2 wqr1s] EM32\LOL.EXE
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [] .exe
O4 - HKLM\..\RunServices: [] .exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sudp] "C:\WINDOWS\System32\SSTEM3~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Wvvckjgd] C:\WINDOWS\system32\M?crosoft.NET\?ttrib.exe
O4 - HKCU\..\Run: [] .exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Debug Config System - Unknown owner - C:\WINDOWS\system32\lrsys.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Supprime ce service stp :
Debug Config System

Supprime :
C:\WINDOWS\system32\lrsys.exe

Installe un antivirus comme Antivir, fais un scan complet puis poste le rapport :
http://www.malekal.com/tutorial_antivir.php

J'ai toujour les satanées pub.

Le fichier lrsys.exe n'existe pas sur mon pc.

J'ai désactivé le service Debug Config System.

J'installe antivir et te poste le rapport

-> tu te fais réinfecter puisque tu n'es pas protégé.

j'ai effectué le scan avec l'antivirus. Il a solutionné pas mal d'erreurs (apriori).
Il n'a pas réussit a suprimé un fichier nomé xxyxutu.dll. Il me donne souvent une alerte sur cette dll.

Que puis je faire a présent ?

Si dessous le report du scan:
AntiVir PersonalEdition Classic
Report file date: samedi 4 novembre 2006 22:59

Scanning for 495093 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Username: David2
Computer name: TEST

Version information:
AVSCAN.EXE : 7.0.0.47 196648 21/08/2006 11:06:50
AVSCAN.DLL : 7.0.0.45 41000 7/09/2006 11:51:52
LUKE.DLL : 7.0.0.47 110632 7/09/2006 11:32:30
LUKERES.DLL : 7.0.0.47 9256 7/09/2006 11:51:52
ANTIVIR0.VDF : 6.35.0.1 7371264 31/05/2006 11:35:12
ANTIVIR1.VDF : 6.36.0.9 1424384 6/09/2006 08:12:24
ANTIVIR2.VDF : 6.36.0.10 2048 6/09/2006 08:12:26
ANTIVIR3.VDF : 6.36.0.11 2048 6/09/2006 08:12:28
AVEWIN32.DLL : 7.2.0.14 1827328 4/09/2006 15:23:26
AVPREF.DLL : 7.0.0.2 17960 24/07/2006 13:35:38
AVREP.DLL : 6.36.0.3 544808 6/09/2006 09:04:18
AVRPBASE.DLL : 7.0.0.0 1544232 30/03/2006 09:42:44
AVPACK32.DLL : 7.2.0.0 360488 21/07/2006 07:00:30
AVREG.DLL : 6.31.0.90 25128 28/07/2005 11:06:12
NETNT.DLL : 6.32.0.0 6696 27/09/2005 08:56:46
NETNW.DLL : 7.0.0.0 9768 24/07/2006 13:35:40
RCIMAGE.DLL : 7.0.0.74 1642536 1/08/2006 12:22:52
RCTEXT.DLL : 7.0.0.107 77864 7/09/2006 11:51:50

Configuration settings for the scan:
Jobname.......................: Local Hard Disks
Configuration file............: C:\Program Files\AntiVir PersonalEdition Classic\alldiscs.avp
Boot sectors..................: C
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 2
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0

Start of the scan: samedi 4 novembre 2006 22:59


The scan of running processes will be started
4 Processes were scanned

Start scanning boot sectors:

Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\v1201.exe
[DETECTION] Is the Trojan horse TR/Click.VB.IS.7
[INFO] The file was deleted!
C:\WINDOWS\v1201.exe
[DETECTION] Is the Trojan horse TR/Click.VB.IS.7

The registry was scanned ( 20 files ).


Starting the file scan:

C:\PAGEFILE.SYS
[WARNING] The file could not be opened!
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.buy.1
[INFO] The file was deleted!
C:\WINDOWS\loadll.exe
[DETECTION] Contains signature of the worm WORM/Sdbot.128000.22
[INFO] The file was deleted!
C:\WINDOWS\system32\xxyxutu.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\efcdccb.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\urqpmkl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\qommnnm.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\pmnnkjk.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\yaywvus.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\ddcddab.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\awtqnkh.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\digrxkvf.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SYSTEM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SOFTWARE
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\DEFAULT
[WARNING] The file could not be opened!
C:\WINDOWS\dGVzdA\command.exe
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[INFO] The file was deleted!
C:\Documents and Settings\David2\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\David2\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\David2\Local Settings\Temporary Internet Files\Content.IE5\85EJCPQB\wallpap[1].exe
[DETECTION] Is the Trojan horse TR/Click.Small.JF.6
[INFO] The file was deleted!
C:\Documents and Settings\David2\Local Settings\Temporary Internet Files\Content.IE5\45I789AN\popup[1].php
[0] Archive type: GZ
--> popup[1]
[DETECTION] Contains signature of the exploits EXP/Agent.B
[INFO] The file was deleted!
C:\Documents and Settings\David2\Local Settings\Temporary Internet Files\Content.IE5\45I789AN\MTE3NDI6ODoxNg[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.buy.1
[INFO] The file was deleted!
C:\Documents and Settings\David2\Local Settings\Temporary Internet Files\Content.IE5\45I789AN\popup[2].php
[0] Archive type: GZ
--> popup[2]
[DETECTION] Contains signature of the exploits EXP/Agent.B
[INFO] The file was deleted!
C:\Documents and Settings\David2\Local Settings\Temporary Internet Files\Content.IE5\MUBNU5E7\popup[2].htm
[DETECTION] Contains signature of the exploits EXP/Agent.B
[INFO] The file was deleted!
C:\Documents and Settings\David2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\David2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Program Files\Internet Explorer\zytety.html
[DETECTION] Is the Trojan horse TR/Click.Small.JF.8
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP1\A0000829.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.ajc.2
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000912.exe
[DETECTION] Is the Trojan horse TR/Click.VB.IS.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000917.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.buy.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000920.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.BCB.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000945.exe
[DETECTION] Is the Trojan horse TR/Click.Small.JF.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000977.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.buy.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000983.DLL
[DETECTION] Is the Trojan horse TR/Dldr.YM
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001052.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.buy.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001068.exe
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001077.exe
[DETECTION] Is the Trojan horse TR/Click.Small.JF.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001086.exe
[DETECTION] Is the Trojan horse TR/Click.VB.IS.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002068.exe
[DETECTION] Is the Trojan horse TR/Click.Small.JF.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002088.DLL
[DETECTION] Is the Trojan horse TR/Dldr.Small.ctp
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002093.exe
[DETECTION] Is the Trojan horse TR/Click.VB.IS.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002094.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.buy.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002095.exe
[DETECTION] Contains signature of the worm WORM/Sdbot.128000.22
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002096.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002097.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002098.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002099.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002100.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002101.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002102.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002103.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002104.exe
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002105.exe
[DETECTION] Is the Trojan horse TR/Click.Small.JF.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002106.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.buy.1
[INFO] The file was deleted!
C:\bintheredunthat\RDFX4.exe
[DETECTION] Contains signature of the dropper DR/Dldr.Small.ctp
[INFO] The file was deleted!
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET\regsvr32.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.DB
[INFO] The file was deleted!
C:\QooBox\Purity\WINDOWS\system32\SSTEM3~1\dvdplay.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.DB
[INFO] The file was deleted!
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1\netdde.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.DB
[INFO] The file was deleted!


End of the scan: samedi 4 novembre 2006 23:41
Used time: 41:23 min

The scan has been done completely.

1007 Scanning directories
33073 Files were scanned
50 viruses and/or unwanted programs were found
49 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
330 Archives were scanned
16 Warnings
0 Notes

Bonsoir,

Télécharge VundoFix.exe (par Atribune) sur ton Bureau.

Double-clique VundoFix.exe afin de le lancer

Lorsque l'outil se lance à nouveau, clique sur le bouton Scan for Vundo

Clique sur le bouton Scan for Vundo

Lorsque le scan est complété, clique sur le bouton Remove Vundo

Une invite te demandera si tu veux supprimer les fichiers, clique YES

Après avoir cliqué "Yes", le Bureau disparaîtra un moment lors de la suppression des fichiers

Tu verras une invite qui t'annonce que ton PC va redémarrer; clique OK

Copie/colle le contenu du rapport situé dans C:\vundofix.txt ainsi qu'un nouveau rapport HijackThis! dans ta prochaine réponse

Note: Il est possible que VundoFix soit confronté à un fichier qu'il ne peut supprimer. Si tel est le cas, l'outil se lancera au prochain redémarrage; il faut simplement suivre les instructions ci-haut, à partir de "clique sur le bouton Scan for Vundo".

Bonjour,
J'ai fait se que tu m'a dis.
Pour info Antivir trouve toujours des erreurs avec: C:\WINDOWS\System32\xxyxutu.dll
Et il n'arrive pas a le traiter car il est utilisé par je ne sais quel programme. Y a t'il un moyen de le fixer ?

Que dois je faire maintenant ?

Merci


Voila le résultat de VundoFix

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:17:04 5/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.bak2
C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.bak2
C:\WINDOWS\System32\qrqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.tmp
C:\WINDOWS\System32\qrqss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:32:47 5/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\qrqss.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:36:55 5/11/2006

Listing files found while scanning....

No infected files were found.

--------------------------------------------------------------------
Report de Hitjackthis

Logfile of HijackThis v1.99.1
Scan saved at 11:53:22, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\winamp.exe
C:\dfndrff_e48.exe
C:\kybrdff_e48.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\SKS~1\javaw.exe
C:\WINDOWS\System32\.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David2\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {70E92DC5-EE52-B5DD-2C54-CFCE6CCBBEC6} - C:\WINDOWS\System32\womfvutl.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3C617842-532E-40E8-9DF0-2AFB94057D00} - C:\WINDOWS\System32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {70E92DC5-EE52-B5DD-2C54-CFCE6CCBBEC6} - C:\WINDOWS\System32\womfvutl.dll
O2 - BHO: (no name) - {9A36CEDC-2619-43F0-8108-50A321AD3057} - C:\WINDOWS\System32\xxyxutu.dll
O2 - BHO: (no name) - {9DA29368-D385-4860-A1D3-76F1C355CCCB} - C:\Program Files\microsoft frontpage\womehety.dll (file missing)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\abvymuou.dll
O2 - BHO: (no name) - {FA9E5FCC-CD56-958E-7801-BA89182C60CF} - C:\WINDOWS\System32\msszztd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [pofaed4f] RUNDLL32.EXE w0023a5f.dll,n 006aed490000000a0023a5f
O4 - HKLM\..\Run: [Winsock2 wqr1s] EM32\LOL.EXE
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [] .exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e48.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e48.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [] .exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sudp] "C:\PROGRA~1\SKS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Wvvckjgd] C:\WINDOWS\system32\M?crosoft.NET\?ttrib.exe
O4 - HKCU\..\Run: [] .exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: xxyxutu - C:\WINDOWS\SYSTEM32\xxyxutu.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dGVzdA\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

On passe aux choses sérieuses.

Installe puis configure le firewall Kerio :
http://www.malekal.com/kerio_firewall.php

Les manipulations sont à faire sans interruption et dans l'ordre
Si tu ne comprends pas quelque chose, demande des explications avant de commencer.

Enregistre cette page pour avoir accès à la procédure en mode sans échec :
- Fichier
- Enregistrer Sous...
- Nom du fichier : Procédure
- Type : Page Web, complète
- Pour l'emplacement, chosis ton Bureau
- Clique maintenant sur Enregistrer

Télécharge:

Ccleaner
Installe le dans un répertoire dédié.
Lors de l'installation décoche: "Ajouter la Barre d'Outils Yahoo! Ccleaner"
AIDE : Tuto de Malekal

Clean.zip (de Malekal),
décompresse-le sur ton bureau (clic droit / extraire tout), tu dois obtenir un dossier clean.

LSPfix

Redémarre en mode sans échec

Désinstalle si possible :
VSAdd-In
NewDotNet

Ferme TOUS les fenêtres ouvertes (sauf Hijackthis)
et les logiciels de protection en temps réel (antivirus...)

Lance LSPFix
Coche la case "I know what I'm doing"
Sélectionne la ou les dll suivantes
UNIQUEMENT celle(s) qui est(sont) INDIQUÉE(S) CI-DESSOUS, NE TOUCHE PAS aux autres !

newdotnet7_22.dll

Glisse la du panneau de gauche "Keep" au panneau "Remove".
Clique sur "Finish".
(Si elles sont déjà dans le panneau "Remove" alors clique directement sur le bouton "Finish".)

- Lance Hijackthis ->Do a system scan only
->Coche les lignes ci-dessous :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {3C617842-532E-40E8-9DF0-2AFB94057D00} - C:\WINDOWS\System32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [pofaed4f] RUNDLL32.EXE w0023a5f.dll,n 006aed490000000a0023a5f
O4 - HKLM\..\Run: [Winsock2 wqr1s] EM32\LOL.EXE
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [] .exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e48.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e48.exe
O4 - HKLM\..\RunServices: [] .exe
O4 - HKCU\..\Run: [Sudp] "C:\PROGRA~1\SKS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Wvvckjgd] C:\WINDOWS\system32\M?crosoft.NET\?ttrib.exe
O4 - HKCU\..\Run: [] .exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dGVzdA\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Clique sur Fix checked (en bas à gauche)

----------
-> Démarrer
-> Exécuter...
Tape Services.msc puis valide
Double clique sur " Command Service "
Type de démarrage : " Désactiver "
Clique en bas sur " Arrêter "
Valide les changements.
Fais pareil avec :
Network Monitor
-----
Ouvre Hijackthis puis:
-> Open the Misc Tools Section
-> Delete an NT Service
Tape " cmdService " puis valide.
Fais pareil avec :
Network Monitor
----------

- Assure toi d'avoir accès aux dossiers/fichiers cachés
-> Démarrer
-> Panneau de configuration
-> Options des Dossiers, onglet Affichage :
. Clique sur Afficher les dossiers cachés
. Décoche Masquer les extensions des fichiers dont le type est connu
. Décoche Masquer les fichiers protégés du système d'exploitation

- Suppime ces fichiers et/ou dossiers s'ils existent encore :

C:\WINDOWS\System32\winamp.exe
C:\WINDOWS\System32\pofaed4f.sys
C:\WINDOWS\web\related.htm
C:\WINDOWS\dGVzdA\
C:\Program Files\Network Monitor\
C:\Program Files\VSAdd-in\
C:\Program Files\NewDotNet\

- Lance un nettoyage Ccleaner :
Clique sur le bouton "Analyse" puis "Lancer le Néttoyage"

- Ouvre le dossier clean qui se trouve sur ton bureau, et double-clique sur clean.cmd, une fenêtre noire va apparaître pendant un instant, laisse la ouverte.

Redémarre normalement.

- Le rapport clean : Poste de travail / double clic sur disque C / double-clic sur rapport_clean.txt et copier/coller le contenu ici C:\rapport_clean.txt

- Supprime ta version de Combofix puis refais un scan et poste le rapport

- -- Clique Droit sur Hijackthis :
-> Choisis " Renommer "
-> Tape Scanner.exe puis valide

- Lance l'application
- Choisis l'option Do a system scan and save a logfile
-- Le Bloc-Notes s'ouvre :
-> Edition / Sélectionner Tout
-> Edition / Copier
- Colle le rapport ici.

Aide sur Hijackthis

Voila
C'est mieux ???

Merci


Cleaner:

Script clean par Malekal_morte - http://www.malekal.com

Microsoft Windows XP [version 5.1.2600]
Script execute en mode sans echec

*** Suppression de fichiers sur C:
C:\dfndr*.exe FOUND
C:\kybr*.exe FOUND
C:\nwnm*.exe FOUND

*** Suppression des fichiers dans C:\WINDOWS\
C:\WINDOWS\keyboard*.dat FOUND
C:\WINDOWS\NDNuninstall?_??.exe FOUND
C:\WINDOWS\newname.dat FOUND
C:\WINDOWS\YazzleBundle-*.exe FOUND
C:\WINDOWS\pwr.exe FOUND
C:\WINDOWS\pwrs.exe FOUND

*** Suppression des fichiers dans C:\WINDOWS\system32
C:\WINDOWS\system32\atmtd.dll._ FOUND
C:\WINDOWS\system32\eraseme_?????.exe FOUND
C:\WINDOWS\system32\i FOUND
C:\WINDOWS\system32\install.exe FOUND
C:\WINDOWS\system32\mcrh.tmp FOUND
C:\WINDOWS\system32\msiuins.exe FOUND
C:\WINDOWS\system32\o FOUND
C:\WINDOWS\system32\vcmon.exe FOUND
C:\WINDOWS\system32\wupdmgr.exe FOUND
C:\WINDOWS\system32\atmtd.dll FOUND

"C:\Program Files\Fichiers communs\Yazzle????OinAdmin.exe" FOUND
"C:\Program Files\Deskbar\" FOUND
----------------------------------------------------------------

Combofix

David2 - 06-11-05 15:34:49,23 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\David2\Bureau"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Fichiers communs\Yazzle1125OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\STEM~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\system32\SSTEM3~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1.NET\?ttrib.exe
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET\??crosoft.NET
C:\QooBox\Purity\WINDOWS\system32\SSTEM3~1\s?stem32
C:\QooBox\Purity\WINDOWS\CURITY~1\n?lookup.exe
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\DOBE~1
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1\?ystem32
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\SKS~1
C:\QooBox\Purity\Program Files\SKS~1\ç?sks
C:\QooBox\Purity\Program Files\SKS~1\javaw.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


2006-11-05 14:17 126,976 --a------ C:\WINDOWS\system32\jsnnfugw.dll
2006-11-05 13:58 598,067 ---hs---- C:\WINDOWS\system32\gfhkj.bak1
2006-11-05 13:46 692,276 ---hs---- C:\WINDOWS\system32\jkhfg.dll
2006-11-04 22:55 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-11-04 22:55 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-11-04 22:54 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-11-04 22:13 6,540 --a------ C:\WINDOWS\cent.exe
2006-11-04 21:05 298,496 --a------ C:\WINDOWS\unin040c.exe
2006-11-04 19:35 28,672 --ahs---- C:\WINDOWS\system32\v8.exe
2006-11-04 19:02 40,973 --------- C:\WINDOWS\system32\xxyxutu.dll
2006-11-04 17:47 60,436 --a------ C:\WINDOWS\system32\abvymuou.dll
2006-11-04 17:47 598,067 ---hs---- C:\WINDOWS\system32\ihhkj.bak1
2006-11-04 17:46 692,276 ---hs---- C:\WINDOWS\system32\jkhhi.dll
2006-11-04 17:31 2 --a------ C:\WINDOWS\system32\wcpcc.exe
2006-11-04 17:31 131,072 --a------ C:\WINDOWS\system32\msszztd.dll
2006-11-04 17:30 8,012 --a------ C:\WINDOWS\diretx.exe
2006-11-04 15:09 115,712 --a------ C:\WINDOWS\system32\lol.exe
2006-11-04 15:01 434,176 --a------ C:\windows.exe
2006-11-04 14:59 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-04 14:59 266,240 --a------ C:\yz02.exe
2006-11-04 14:59 139,264 --a------ C:\MirarSetup_876087.exe
2006-11-04 14:58 28,672 --a------ C:\WINDOWS\volt7.exe
2006-11-04 14:58 28,672 --a------ C:\WINDOWS\docsys.exe
2006-11-04 14:45 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-11-04 14:45 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2006-11-04 14:45 8,064 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-11-04 14:45 50,688 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-11-04 14:45 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2006-11-04 14:45 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-11-04 14:45 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-11-04 14:45 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2006-11-04 14:45 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-11-04 14:45 16,384 --a------ C:\WINDOWS\system32\msyuv.dll
2006-11-04 14:45 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-11-04 14:45 14,592 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-11-04 14:45 131,712 --a------ C:\WINDOWS\system32\drivers\ks.sys
2006-11-04 14:45 10,752 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-11-04 14:42 57,344 -ra------ C:\WINDOWS\ctdrvins.exe
2006-11-04 14:42 49,152 -ra------ C:\WINDOWS\system32\webc3pin.dll
2006-11-04 14:42 45,056 -ra------ C:\WINDOWS\system32\webc3vfw.dll
2006-11-04 14:42 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-11-04 14:42 135,680 --a------ C:\WINDOWS\Webdelc.exe
2006-11-04 14:30 41,472 --a------ C:\WINDOWS\CTREGRUN.EXE
2006-11-04 13:31 0 --a------ C:\WINDOWS\system32\Isass.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-05 14:53 -------- d-------- C:\Program Files\CCleaner
2006-11-05 14:42 -------- d-------- C:\Program Files\Sunbelt Software
2006-11-04 22:54 -------- d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-11-04 19:44 -------- d-------- C:\Documents and Settings\David2\Application Data\àdobe
2006-11-04 17:47 -------- d-------- C:\Documents and Settings\David2\Application Data\SearchToolbarCorp
2006-11-04 15:02 -------- d-------- C:\Program Files\MSN Messenger
2006-11-04 14:51 -------- d-------- C:\Program Files\Skype
2006-11-04 14:51 -------- d-------- C:\Documents and Settings\David2\Application Data\Skype
2006-11-04 14:42 -------- d-------- C:\Program Files\directx
2006-11-04 14:30 -------- d-------- C:\Program Files\Creative
2006-11-04 14:07 -------- d-------- C:\Documents and Settings\David2\Application Data\vlc
2006-11-04 14:02 -------- d-------- C:\Documents and Settings\David2\Application Data\Macromedia
2006-11-04 13:58 -------- d-------- C:\Program Files\Yahoo!
2006-11-04 13:42 -------- d-------- C:\Program Files\WinRAR
2006-11-04 10:34 -------- d-------- C:\Documents and Settings\David2\Application Data\Mozilla
2006-11-04 09:24 -------- d-------- C:\Documents and Settings\David2\Application Data\Identities


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"CTRegRun"="C:\\WINDOWS\\CTRegRun.EXE"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Internet Explorer\\zytety.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\woryroky.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sudp"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\regsvr32.exe\" -vt yazb"
"Acrlfmg"="C:\\WINDOWS\\??curity\\n?lookup.exe"
@=".exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Winsock2 wqr1s"="EM32\\LOL.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sudp"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\regsvr32.exe\" -vt yazb"
"Acrlfmg"="C:\\WINDOWS\\??curity\\n?lookup.exe"
@=".exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Winsock2 wqr1s"="EM32\\LOL.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-05 15:36:23.20
C:\ComboFix3.txt ... 06-11-04 19:42
C:\ComboFix2.txt ... 06-11-04 21:50
C:\ComboFix.txt ... 06-11-05 15:36

-------------------------------------------------------------

Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 15:38:45, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\assist.exe
C:\Documents and Settings\David2\Bureau\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
R3 - URLSearchHook: (no name) - {A333456C-89FF-847D-DEAB-A028E203329C} - C:\WINDOWS\System32\jsnnfugw.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3C617842-532E-40E8-9DF0-2AFB94057D00} - C:\WINDOWS\System32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {6552998B-9367-46A7-8371-544B31C690CC} - C:\WINDOWS\System32\jkhfg.dll
O2 - BHO: (no name) - {9DA29368-D385-4860-A1D3-76F1C355CCCB} - C:\Program Files\microsoft frontpage\womehety.dll (file missing)
O2 - BHO: (no name) - {A333456C-89FF-847D-DEAB-A028E203329C} - C:\WINDOWS\System32\jsnnfugw.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\abvymuou.dll
O2 - BHO: (no name) - {FA9E5FCC-CD56-958E-7801-BA89182C60CF} - C:\WINDOWS\System32\msszztd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\System32\jkhfg.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Beaucoup mieux !

On supprime le Vundo récalcitrant :

Clique sur le menu Démarrer puis executer et copie/colle ceci :
"%userprofile%\Bureau\combofix.exe" /v jkhfg
puis clic sur OK.

Suis les invites.

Ne touche a rien et attends que combofix ait terminé, un rapport sera créé. Poste le rapport.

Va sur le site de VirusTotal
Clique sur Parcourir... puis ouvre:

C:\WINDOWS\System32\jsnnfugw.dll
C:\WINDOWS\System32\abvymuou.dll
C:\WINDOWS\System32\msszztd.dll
PS : Ouvre une fenêtre VirusTotal par fichier

Clique ensuite sur Send
Poste le rapport en fin d'analyse.

Si tu vois ce message:
" Your file " ***.*** " is queued in position: ***. Estimated start time is between *** and *** minutes. "
Il te faudra patienter.

Ok j'ai tout fait:

Combofix

David2 - 06-11-05 17:25:35,21 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\David2\Bureau"
Command switches used :: /v jkhfg

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\gfhkj.bak1


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\STEM~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\system32\SSTEM3~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1.NET\?ttrib.exe
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET\??crosoft.NET
C:\QooBox\Purity\WINDOWS\system32\SSTEM3~1\s?stem32
C:\QooBox\Purity\WINDOWS\CURITY~1\n?lookup.exe
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\DOBE~1
C:\QooBox\Purity\Documents and Settings\David2\Mes documents\YSTEM3~1\?ystem32
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\SKS~1
C:\QooBox\Purity\Program Files\SKS~1\ç?sks
C:\QooBox\Purity\Program Files\SKS~1\javaw.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


2006-11-05 14:17 126,976 --a------ C:\WINDOWS\system32\jsnnfugw.dll
2006-11-04 22:55 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-11-04 22:55 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-11-04 22:54 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-11-04 22:13 6,540 --a------ C:\WINDOWS\cent.exe
2006-11-04 21:05 298,496 --a------ C:\WINDOWS\unin040c.exe
2006-11-04 19:35 28,672 --ahs---- C:\WINDOWS\system32\v8.exe
2006-11-04 19:02 40,973 --------- C:\WINDOWS\system32\xxyxutu.dll
2006-11-04 17:47 60,436 --a------ C:\WINDOWS\system32\abvymuou.dll
2006-11-04 17:47 598,067 ---hs---- C:\WINDOWS\system32\ihhkj.bak1
2006-11-04 17:46 692,276 ---hs---- C:\WINDOWS\system32\jkhhi.dll
2006-11-04 17:31 2 --a------ C:\WINDOWS\system32\wcpcc.exe
2006-11-04 17:31 131,072 --a------ C:\WINDOWS\system32\msszztd.dll
2006-11-04 17:30 8,012 --a------ C:\WINDOWS\diretx.exe
2006-11-04 15:09 115,712 --a------ C:\WINDOWS\system32\lol.exe
2006-11-04 15:01 434,176 --a------ C:\windows.exe
2006-11-04 14:59 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-04 14:59 266,240 --a------ C:\yz02.exe
2006-11-04 14:59 139,264 --a------ C:\MirarSetup_876087.exe
2006-11-04 14:58 28,672 --a------ C:\WINDOWS\volt7.exe
2006-11-04 14:58 28,672 --a------ C:\WINDOWS\docsys.exe
2006-11-04 14:45 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-11-04 14:45 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2006-11-04 14:45 8,064 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-11-04 14:45 50,688 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-11-04 14:45 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2006-11-04 14:45 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-11-04 14:45 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-11-04 14:45 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2006-11-04 14:45 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-11-04 14:45 16,384 --a------ C:\WINDOWS\system32\msyuv.dll
2006-11-04 14:45 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-11-04 14:45 14,592 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-11-04 14:45 131,712 --a------ C:\WINDOWS\system32\drivers\ks.sys
2006-11-04 14:45 10,752 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-11-04 14:42 57,344 -ra------ C:\WINDOWS\ctdrvins.exe
2006-11-04 14:42 49,152 -ra------ C:\WINDOWS\system32\webc3pin.dll
2006-11-04 14:42 45,056 -ra------ C:\WINDOWS\system32\webc3vfw.dll
2006-11-04 14:42 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-11-04 14:42 135,680 --a------ C:\WINDOWS\Webdelc.exe
2006-11-04 14:30 41,472 --a------ C:\WINDOWS\CTREGRUN.EXE
2006-11-04 13:31 0 --a------ C:\WINDOWS\system32\Isass.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-05 14:53 -------- d-------- C:\Program Files\CCleaner
2006-11-05 14:42 -------- d-------- C:\Program Files\Sunbelt Software
2006-11-04 22:54 -------- d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-11-04 19:44 -------- d-------- C:\Documents and Settings\David2\Application Data\àdobe
2006-11-04 17:47 -------- d-------- C:\Documents and Settings\David2\Application Data\SearchToolbarCorp
2006-11-04 15:02 -------- d-------- C:\Program Files\MSN Messenger
2006-11-04 14:51 -------- d-------- C:\Program Files\Skype
2006-11-04 14:51 -------- d-------- C:\Documents and Settings\David2\Application Data\Skype
2006-11-04 14:42 -------- d-------- C:\Program Files\directx
2006-11-04 14:30 -------- d-------- C:\Program Files\Creative
2006-11-04 14:07 -------- d-------- C:\Documents and Settings\David2\Application Data\vlc
2006-11-04 14:02 -------- d-------- C:\Documents and Settings\David2\Application Data\Macromedia
2006-11-04 13:58 -------- d-------- C:\Program Files\Yahoo!
2006-11-04 13:42 -------- d-------- C:\Program Files\WinRAR
2006-11-04 10:34 -------- d-------- C:\Documents and Settings\David2\Application Data\Mozilla
2006-11-04 09:24 -------- d-------- C:\Documents and Settings\David2\Application Data\Identities


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"CTRegRun"="C:\\WINDOWS\\CTRegRun.EXE"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Internet Explorer\\zytety.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\woryroky.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,10,03,00,00,1f,00,00,00,e0,00,00,00,d6,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sudp"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\regsvr32.exe\" -vt yazb"
"Acrlfmg"="C:\\WINDOWS\\??curity\\n?lookup.exe"
@=".exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Winsock2 wqr1s"="EM32\\LOL.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sudp"="\"C:\\WINDOWS\\System32\\CROSOF~1.NET\\regsvr32.exe\" -vt yazb"
"Acrlfmg"="C:\\WINDOWS\\??curity\\n?lookup.exe"
@=".exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Winsock2 wqr1s"="EM32\\LOL.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-05 17:28:10.95
C:\ComboFix3.txt ... 06-11-04 21:50
C:\ComboFix2.txt ... 06-11-05 15:36
C:\ComboFix.txt ... 06-11-05 17:28

--------------------------------------------------------------

Complete scanning result of "jsnnfugw.dll", received in VirusTotal at 11.05.2006, 17:49:56 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.37 11.05.2006 ADSPY/PurityScan.AK.126
Authentium 4.93.8 11.05.2006 no virus found
Avast 4.7.892.0 11.03.2006 Win32:Agent-RY
AVG 386 11.04.2006 Adware Generic.RSC
BitDefender 7.2 11.05.2006 no virus found
CAT-QuickHeal 8.00 11.04.2006 no virus found
ClamAV devel-20060426 11.05.2006 Trojan.PurityScan.AK
DrWeb 4.33 11.05.2006 no virus found
eTrust-InoculateIT 23.73.45 11.03.2006 no virus found
eTrust-Vet 30.3.3176 11.03.2006 no virus found
Ewido 4.0 11.05.2006 no virus found
Fortinet 2.82.0.0 11.05.2006 Adware/ClickSpring
F-Prot 3.16f 11.04.2006 no virus found
F-Prot4 4.2.1.29 11.04.2006 no virus found
Ikarus 0.2.65.0 11.03.2006 no virus found
Kaspersky 4.0.2.24 11.05.2006 not-a-virus:AdWare.Win32.PurityScan.ak
McAfee 4888 11.03.2006 potentially unwanted program Adware-ClickSpring
Microsoft 1.1609 11.04.2006 no virus found
NOD32v2 1.1853 11.03.2006 a variant of Win32/Adware.PurityScan
Norman 5.80.02 11.03.2006 W32/PurityScan.AFW
Panda 9.0.0.4 11.04.2006 Adware/PurityScan
Sophos 4.10.0 10.26.2006 ClickSpring
TheHacker 6.0.1.112 11.03.2006 Adware/PurityScan.ak
UNA 1.83 11.03.2006 Adware.PurityScan.F667
VBA32 3.11.1 11.05.2006 AdWare.Win32.PurityScan.ak
VirusBuster 4.3.15:9 11.05.2006 no virus found

Aditional Information
File size: 126976 bytes
MD5: 059ec51b3e1f521bff58e1118fa39563
SHA1: d8cff5e35a2068ffc6f9c937280f8785464259d3

--------------------------------------------------------------
Complete scanning result of "abvymuou.dll_", received in VirusTotal at 11.05.2006, 18:16:13 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.37 11.05.2006 no virus found
Authentium 4.93.8 11.05.2006 no virus found
Avast 4.7.892.0 11.03.2006 no virus found
AVG 386 11.04.2006 no virus found
BitDefender 7.2 11.05.2006 no virus found
CAT-QuickHeal 8.00 11.04.2006 no virus found
ClamAV devel-20060426 11.05.2006 no virus found
DrWeb 4.33 11.05.2006 Trojan.Juan
eTrust-InoculateIT 23.73.45 11.03.2006 no virus found
eTrust-Vet 30.3.3176 11.03.2006 no virus found
Ewido 4.0 11.05.2006 no virus found
Fortinet 2.82.0.0 11.05.2006 suspicious
F-Prot 3.16f 11.04.2006 no virus found
F-Prot4 4.2.1.29 11.04.2006 no virus found
Ikarus 0.2.65.0 11.03.2006 no virus found
Kaspersky 4.0.2.24 11.05.2006 no virus found
McAfee 4888 11.03.2006 no virus found
Microsoft 1.1609 11.04.2006 no virus found
NOD32v2 1.1853 11.03.2006 no virus found
Norman 5.80.02 11.03.2006 no virus found
Panda 9.0.0.4 11.04.2006 Suspicious file
Sophos 4.10.0 10.26.2006 no virus found
TheHacker 6.0.1.112 11.03.2006 no virus found
UNA 1.83 11.03.2006 no virus found
VBA32 3.11.1 11.05.2006 no virus found
VirusBuster 4.3.15:9 11.05.2006 no virus found

Aditional Information
File size: 60436 bytes
MD5: f544a84ce01289b56326c7e600c7caab
SHA1: 7d294f2f62f0d8c53b8eb7ea4f3364aea6601633

--------------------------------------------------------------

Complete scanning result of "msszztd.dll", received in VirusTotal at 11.05.2006, 18:22:50 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.37 11.05.2006 ADSPY/PurityScan.AK.129
Authentium 4.93.8 11.05.2006 no virus found
Avast 4.7.892.0 11.03.2006 Win32:Agent-RY
AVG 386 11.04.2006 Adware Generic.RSN
BitDefender 7.2 11.05.2006 no virus found
CAT-QuickHeal 8.00 11.04.2006 no virus found
ClamAV devel-20060426 11.05.2006 Trojan.PurityScan.AK
DrWeb 4.33 11.05.2006 no virus found
eTrust-InoculateIT 23.73.45 11.03.2006 no virus found
eTrust-Vet 30.3.3176 11.03.2006 no virus found
Ewido 4.0 11.05.2006 Adware.PurityScan
Fortinet 2.82.0.0 11.05.2006 Adware/ClickSpring
F-Prot 3.16f 11.04.2006 no virus found
F-Prot4 4.2.1.29 11.04.2006 no virus found
Ikarus 0.2.65.0 11.03.2006 not-a-virus:AdWare.Win32.PurityScan.ak
Kaspersky 4.0.2.24 11.05.2006 not-a-virus:AdWare.Win32.PurityScan.ak
McAfee 4888 11.03.2006 potentially unwanted program Adware-ClickSpring
Microsoft 1.1609 11.04.2006 no virus found
NOD32v2 1.1853 11.03.2006 a variant of Win32/Adware.PurityScan
Norman 5.80.02 11.03.2006 no virus found
Panda 9.0.0.4 11.04.2006 Suspicious file
Sophos 4.10.0 10.26.2006 ClickSpring
TheHacker 6.0.1.112 11.03.2006 Adware/PurityScan.ak
UNA 1.83 11.03.2006 Adware.PurityScan.39F8
VBA32 3.11.1 11.05.2006 AdWare.Win32.PurityScan.ak
VirusBuster 4.3.15:9 11.05.2006 Adware.ClickSpring.Gen

Et je viens de remarqué que quand mon active desktop est désactivé je ne reçois plus les satanées pbus !!!!!

Comment je peux faire pour le désactiver ??

On verra ca à la fin  

Double-clique VundoFix.exe afin de le lancer

NE clique PAS sur le bouton Scan for Vundo

Clique Droit dans la fenêtre blanche, choisis Add more files ?

Rajoute dans la première ligne :
C:\WINDOWS\System32\jsnnfugw.dll
Dans la deuxième :
C:\WINDOWS\System32\msszztd.dll

Clique successivement sur :
- Add Files
- Close Windows
- Remove Vundo

Si l'outil te demande de redémarrer, accepte.

Copie/Colle ensuite le rapport C:\vundofix.txt

Voila,


VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:17:04 5/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.bak2
C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.bak2
C:\WINDOWS\System32\qrqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.tmp
C:\WINDOWS\System32\qrqss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:32:47 5/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\qrqss.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:36:55 5/11/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\System32\jsnnfugw.dll
C:\WINDOWS\System32\jsnnfugw.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\msszztd.dll
C:\WINDOWS\System32\msszztd.dll Has been deleted!

Performing Repairs to the registry.
Done!

Reposte un rapport Hijackthis.

Voila

Logfile of HijackThis v1.99.1
Scan saved at 20:30:31, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\David2\Bureau\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
R3 - URLSearchHook: (no name) - {A333456C-89FF-847D-DEAB-A028E203329C} - C:\WINDOWS\System32\jsnnfugw.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3C617842-532E-40E8-9DF0-2AFB94057D00} - C:\WINDOWS\System32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {9DA29368-D385-4860-A1D3-76F1C355CCCB} - C:\Program Files\microsoft frontpage\womehety.dll (file missing)
O2 - BHO: (no name) - {A333456C-89FF-847D-DEAB-A028E203329C} - C:\WINDOWS\System32\jsnnfugw.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\abvymuou.dll
O2 - BHO: (no name) - {FA9E5FCC-CD56-958E-7801-BA89182C60CF} - C:\WINDOWS\System32\msszztd.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Fixe ces lignes :
R3 - URLSearchHook: (no name) - {A333456C-89FF-847D-DEAB-A028E203329C} - C:\WINDOWS\System32\jsnnfugw.dll (file missing)
O2 - BHO: (no name) - {A333456C-89FF-847D-DEAB-A028E203329C} - C:\WINDOWS\System32\jsnnfugw.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\abvymuou.dll
O2 - BHO: (no name) - {FA9E5FCC-CD56-958E-7801-BA89182C60CF} - C:\WINDOWS\System32\msszztd.dll (file missing)

D'autres problèmes ?

Toujours les pubs, grrrr

Logfile of HijackThis v1.99.1
Scan saved at 20:59:48, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David2\Bureau\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3C617842-532E-40E8-9DF0-2AFB94057D00} - C:\WINDOWS\System32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {9DA29368-D385-4860-A1D3-76F1C355CCCB} - C:\Program Files\microsoft frontpage\womehety.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Re,

Double-clique VundoFix.exe afin de le lancer

NE clique PAS sur le bouton Scan for Vundo

Clique Droit dans la fenêtre blanche, choisis Add more files ?

Rajoute dans la première ligne :
C:\WINDOWS\System32\abvymuou.dll
Dans la deuxième :
C:\WINDOWS\system32\xxyxutu.dll

Clique successivement sur :
- Add Files
- Close Windows
- Remove Vundo

Si l'outil te demande de redémarrer, accepte.

Copie/Colle ensuite le rapport C:\vundofix.txt

Télécharge puis installe AVG Anti-Spyware (AVG AS)
Une fois AVG AS lancé, clique sur "Mise à jour"
Ferme le programme.
AIDE : Tuto de Malekal

Redémarre en mode sans échec

Relance AVG AS puis choisis l'onglet "Analyse"
Puis l'onglet "Paramètres"
Sous la question "Comment réagir ?", clique sur "Actions recommandées" et choisis "Quarantaine"
Re-clique sur l'onglet "Analyse" puis réalise une "Analyse complète du système"

/!\ Si un fichier est infecté en fin d'analyse /!\
Clique sur "Appliquer toutes les actions "

Clique sur "Enregistrer le rapport" puis sur "Enregistrer le rapport sous"
Enregistre ce fichier texte sur ton bureau.

Redémarre normalement
Copie/Colle le rapport ici.

Voila

---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

+ Créé à: 22:38:09 5/11/2006

+ Résultat de l'analyse:



C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006274.dll -> Adware.Agent : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001067.dll -> Adware.CommAd : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006272.dll -> Adware.CommAd : Aucune action entreprise.
C:\Documents and Settings\David2\Bureau\backups\backup-20061105-150820-410.dll -> Adware.Mirar : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000873.dll -> Adware.Mirar : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000878.dll -> Adware.Mirar : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006257.dll -> Adware.Mirar : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000839.dll -> Adware.NewDotNet : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006251.exe -> Adware.NewDotNet : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006252.exe -> Adware.NewDotNet : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006254.dll -> Adware.NewDotNet : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006304.exe -> Adware.NewDotNet : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006305.exe -> Adware.NewDotNet : Aucune action entreprise.
C:\yz02.exe -> Adware.NewDotNet : Aucune action entreprise.
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Aucune action entreprise.
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001015.dll -> Adware.PurityScan : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001042.dll -> Adware.PurityScan : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001061.dll -> Adware.PurityScan : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002134.DLL -> Adware.PurityScan : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP3\A0005220.dll -> Adware.PurityScan : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0007364.dll -> Adware.PurityScan : Aucune action entreprise.
C:\VundoFix Backups\msszztd.dll.bad -> Adware.PurityScan : Aucune action entreprise.
C:\MirarSetup_876087.exe -> Adware.SaveNow : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000844.dll -> Adware.Softomate : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000919.exe -> Adware.Softomate : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000984.dll -> Adware.Softomate : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001050.exe -> Adware.Softomate : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001066.dll -> Adware.Softomate : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002122.exe -> Adware.Softomate : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0004193.exe -> Adware.Softomate : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006318.dll -> Adware.Softomate : Aucune action entreprise.
C:\WINDOWS\system32\xxyxutu.dll -> Adware.Virtumonde : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006270.exe -> Backdoor.IRCBot.xn : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0004194.EXE -> Backdoor.SdBot.aad : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006309.exe -> Backdoor.SdBot.aad : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006313.exe -> Backdoor.SdBot.aad : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000960.exe -> Downloader.Adload.fu : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0004191.exe -> Downloader.Adload.fu : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000850.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000863.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000885.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000899.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000913.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001022.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001034.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001036.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001054.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001080.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002086.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002121.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0003122.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0003128.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0003135.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0003145.exe -> Downloader.Adload.ht : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0004182.dll -> Downloader.Agent.awb : Aucune action entreprise.
C:\QooBox\Purity\Program Files\SKS~1\javaw.exe -> Downloader.PurityScan.db : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000905.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000966.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001012.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001031.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001111.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002074.EXE -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002084.EXE -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002125.EXE -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0003141.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0003157.EXE -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0003165.EXE -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0004187.EXE -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0005201.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP3\A0005216.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006236.EXE -> Downloader.Small.duf : Aucune action entreprise.
C:\WINDOWS\diretx.exe -> Downloader.Small.duf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000888.exe -> Hijacker.Small : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000903.exe -> Hijacker.Small : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000927.exe -> Hijacker.Small : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0002083.exe -> Hijacker.Small : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0003127.exe -> Hijacker.Small : Aucune action entreprise.
C:\Program Files\WindowsUpdate\woryroky.html -> Hijacker.Small.jf : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0000958.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP2\A0001090.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Aucune action entreprise.
C:\System Volume Information\_restore{2AF2E902-1AB3-4282-9566-FB4B62E1553C}\RP4\A0006275.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@adbrite[2].txt -> TrackingCookie.Adbrite : Aucune action entreprise.
C:\Documents and Settings\LocalService\Cookies\system@adbrite[2].txt -> TrackingCookie.Adbrite : Aucune action entreprise.
C:\Documents and Settings\LocalService\Cookies\system@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@atdmt[2].txt -> TrackingCookie.Atdmt : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@bluestreak[1].txt -> TrackingCookie.Bluestreak : Aucune action entreprise.
C:\Documents and Settings\LocalService\Cookies\system@a.as-us.falkag[1].txt -> TrackingCookie.Falkag : Aucune action entreprise.
C:\Documents and Settings\LocalService\Cookies\system@as-us.falkag[2].txt -> TrackingCookie.Falkag : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@fastclick[2].txt -> TrackingCookie.Fastclick : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@media.fastclick[2].txt -> TrackingCookie.Fastclick : Aucune action entreprise.
C:\Documents and Settings\LocalService\Cookies\system@mediaplex[1].txt -> TrackingCookie.Mediaplex : Aucune action entreprise.
:mozilla.23:C:\Documents and Settings\David2\Application Data\Mozilla\Firefox\Profiles\r87h8r7z.default\cookies.txt -> TrackingCookie.Revenue : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@revenue[1].txt -> TrackingCookie.Revenue : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@revenue[2].txt -> TrackingCookie.Revenue : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Aucune action entreprise.
C:\Documents and Settings\LocalService\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@media.top-banners[1].txt -> TrackingCookie.Top-banners : Aucune action entreprise.
C:\Documents and Settings\LocalService\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@weborama[2].txt -> TrackingCookie.Weborama : Aucune action entreprise.
C:\Documents and Settings\David2\Cookies\david2@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Aucune action entreprise.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Aucune action entreprise.


Fin du rapport

--------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:46:06, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David2\Bureau\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3C617842-532E-40E8-9DF0-2AFB94057D00} - C:\WINDOWS\System32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {9DA29368-D385-4860-A1D3-76F1C355CCCB} - C:\Program Files\microsoft frontpage\womehety.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Re,

Fixe ces deux lignes :
O2 - BHO: (no name) - {3C617842-532E-40E8-9DF0-2AFB94057D00} - C:\WINDOWS\System32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {9DA29368-D385-4860-A1D3-76F1C355CCCB} - C:\Program Files\microsoft frontpage\womehety.dll (file missing)

Le rapport Vundofix ?

Salut,

J'ai la bonne surprise de ne plus avoir de pubs yeahhhhhh!!!
J'ai toutefois fixé les 2 lignes que tu m'as demandé.

Tout est ok tu penses ?? Si oui je pourrais faire une image de mon disque afin de ne pas refaire toutes ses étapes a mon prochain crach.

Merci de ton aide
--------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18:27:53, on 6/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\David2\Bureau\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--------------------------------------------------------------------

Je pense que c'est le dernier rapport Vundofix.


VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:17:04 5/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.bak2
C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.bak2
C:\WINDOWS\System32\qrqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.tmp
C:\WINDOWS\System32\qrqss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini2
C:\WINDOWS\System32\qrqss.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:32:47 5/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\qrqss.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ssqrq.dll
C:\WINDOWS\System32\ssqrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\qrqss.ini
C:\WINDOWS\System32\qrqss.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 11:36:55 5/11/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\System32\jsnnfugw.dll
C:\WINDOWS\System32\jsnnfugw.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\msszztd.dll
C:\WINDOWS\System32\msszztd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 21:11:46 5/11/2006

Listing files found while scanning....

No infected files were found.

C'est Ok.

Dénonce ton infection (VUNDO) pour faire condamner les auteurs, ça serait sympa.
Crée un message pour faire avancer les choses sur Malware-Complaints, nous devons être le plus nombreux possibles, alors rends compte de ton infection.
AIDE : Comment rapporter son infection sur Malware-Complaints ?

Consulte cette page pour éviter que ces problèmes ne réapparaissent pas.

L'infection s'appelle Vundo alors ?

Je vais de se pas laisser un mesage sur malwarecomplaints.

Merci pour ton aide , si j'était directeur d'une boite d'antivirus je t'enbocherai direct...lol

a+

Oui  


Mais tu n'es pas un directeur de boîte d'antivirus