Se connecter avec
S'enregistrer | Connectez-vous

pub intempestives !!!

Dernière réponse : dans Sécurité
Lassé par la pub ? Créez un compte

Logfile of HijackThis v1.99.1
Scan saved at 19:28:09, on 26/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe
C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrateur\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WinButler] C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe
O4 - HKCU\..\Run: [SfKg6wIPu] C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe
O4 - Global Startup: Démarrage rapide du logiciel HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986....
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld...
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://charon777.free.fr/plugins/hardwaredetection.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPACl...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)

Bonjour


Télécharge Navilog (par Il Mafioso) sur le Bureau
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe
Ensuite double clique sur navilog1.exe pour lancer l'installation.
Une fois l'installation terminée, le fix s'exécutera automatiquement.
(Si ce n'est pas le cas, double-clique sur le raccourci Navilog1 présent sur le bureau).

Laisse-toi guider. Au menu principal, choisis 1 et valide.
(ne fais pas le choix 2,3 ou 4 sans notre avis/accord)

Patiente jusqu'au message :
*** Analyse Termine le ..... ***
Appuie sur une touche comme demandé, le blocnote va s'ouvrir.
Copie-colle l'intégralité dans une réponse. Referme le blocnote.
Le rapport est en outre sauvegardé à la racine du disque (fixnavi.txt)

re,

Search Navipromo version 3.3.6 commencé le 01/12/2007 à 18:30:50,95

!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Postez ce rapport sur le forum pour le faire analyser !!!
!!! Ne lancez pas la partie désinfection sans l'avis d'un spécialiste !!!

Outil exécuté depuis C:\Program Files\navilog1
Mise à jour le 14.11.2007 à 18h00 par IL-MAFIOSO


Microsoft Windows XP [version 5.1.2600]
Internet Explorer : 6.0.2900.2180


*** Recherche Programmes installés ***




*** Recherche dossiers dans C:\WINDOWS ***



*** Recherche dossiers dans C:\Program Files ***



*** Recherche dossiers dans C:\Documents and Settings\All Users\Application Data ***




*** Recherche dossiers dans C:\Documents and Settings\Administrateur\Application Data ***


*** Recherche dossiers dans C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1 ***


*** Recherche avec Catchme-rootkit/stealth malware detector par gmer ***
pour + d'infos : http://www.gmer.net

Aucun fichier trouvé dans :

- C:\WINDOWS\system32
- C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1



*** Recherche avec GenericNaviSearch ***
!!! Tous ces résultats peuvent révéler des fichiers légitimes !!!
!!! A vérifier impérativement avant toute suppression manuelle !!!

* Recherche dans C:\WINDOWS\system32 *

* Recherche dans C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1 *



*** Recherche fichiers ***




*** Recherche clés spécifiques dans le Registre ***


*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche fichiers connus:

2)Recherche Heuristique :



3)Recherche Certificats :

Certificat Egroup absent !


*** Analyse terminée le 01/12/2007 à 18:31:26,90 ***

Merci encore ...

re,

ComboFix 07-11-19.4C - Administrateur 2007-12-01 22:01:38.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.133 [GMT 1:00]
Running from: C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\PAG27TH0\ComboFix[1].exe
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\WebMediaPlayer
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\WebMediaPlayer\Conditions générales.lnk
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\WebMediaPlayer\Confidentialité.lnk
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\WebMediaPlayer\Website.lnk
C:\WINDOWS\Installer\{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}\program files\VistaCodecPack\Tools\233.exe
C:\WINDOWS\Installer\{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}\program files\VistaCodecPack\Tools\238.exe

.
((((((((((((((((((((((((((((( Fichiers créés 2007-11-01 to 2007-12-01 ))))))))))))))))))))))))))))))))))))
.

2007-11-25 17:47 <REP> d----c--- C:\Documents and Settings\Administrateur\Application Data\WinButler
2007-11-05 19:45 <REP> d----c--- C:\Documents and Settings\Administrateur\Application Data\ATI
2007-11-05 19:42 520,192 -----c--- C:\WINDOWS\system32\ati2sgag.exe
2007-11-05 19:41 <REP> d----c--- C:\Program Files\ATI Technologies
2007-11-05 19:35 <REP> d----c--- C:\Program Files\Lavalys
2007-11-03 17:56 <REP> d----c--- C:\Program Files\VistaCodecPack
2007-11-03 17:56 <REP> d----c--- C:\Documents and Settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 18:54 --------- dc----w C:\Program Files\eMule
2007-12-01 17:31 --------- dc----w C:\Program Files\Navilog1
2007-11-26 18:53 --------- dc----w C:\Program Files\Java
2007-11-25 16:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 13:02 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\Image Zone Express
2007-11-03 17:02 --------- dc----w C:\Program Files\SopCast
2007-11-03 17:02 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\SopCast
2007-10-28 18:03 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-10-28 18:03 --------- dc----w C:\Program Files\KONAMI
2007-10-28 17:54 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-28 17:54 --------- dc-h--r C:\Documents and Settings\Administrateur\Application Data\SecuROM
2007-10-28 13:27 --------- dc----w C:\Program Files\QuickTime
2007-10-28 08:31 --------- dc----w C:\Program Files\Winamp
2007-10-27 10:00 --------- dc----w C:\Program Files\Fichiers communs\Sonic Shared
2007-10-27 10:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-10-27 09:59 --------- dc----w C:\Program Files\Fichiers communs\HP
2007-10-27 09:28 --------- dc----w C:\Program Files\HP
2007-10-18 21:16 --------- dc----w C:\Program Files\Soulseek-Test
2007-10-17 17:28 --------- dc----w C:\Program Files\K-Lite Codec Pack(2)
2007-10-17 17:28 --------- dc----w C:\Program Files\K-Lite Codec Pack
2007-10-17 17:27 --------- dc----w C:\Program Files\Windows Media Connect 2
2007-10-17 17:27 --------- dc----w C:\Program Files\MSXML 4.0
2007-10-17 17:27 --------- dc----w C:\Program Files\DivX
2007-10-16 19:54 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\DivX
2007-10-07 20:23 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\AdobeUM
2007-09-26 22:07 7,680 -c--a-w C:\WINDOWS\system32\ff_vfw.dll
2007-09-06 10:09 801,144 -c--a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-15 15:23 1,967,207 -c--a-w C:\Program Files\SopCast.zip
2006-12-15 17:46 284 -c--a-w C:\Documents and Settings\Administrateur\Application Data\ViewerApp.dat
2005-05-11 21:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-31 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" [2005-12-16 11:57]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55]
"WinButler"="C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe" [2007-10-25 15:55]
"SfKg6wIPu"="C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe" [2007-10-25 16:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 14:00 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-14 14:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-28 14:27]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-10-31 13:00]

C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
D‚marrage rapide du logiciel HP Image Zone.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-08 18:30:37]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
C:\Program Files\Messenger Plus! 3\MsgPlus.exe /WinStart

R0 viadsk;viadsk;C:\WINDOWS\system32\DRIVERS\viadsk.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
S3 DSDrv4;DSDrv4;\??\C:\PROGRA~1\K!TV\Plugins\S_Bt8x8\DSDrv4.sys
S3 s3chipid;s3chipid;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s3chipid.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1971d085-bf74-11db-ac5d-00142a8bb0c4}]
\Shell\AutoRun\command - F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27d73709-1feb-11db-af2b-00142a8bb0c4}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5869a49-1103-11dc-ad39-00142a8bb0c4}]
\Shell\AutoRun\command - F:\autorun_PES2008.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 22:03:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-01 22:03:47
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 22:06:04, on 01/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe
C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SopCast\SopCast.exe
C:\Documents and Settings\Administrateur\Application Data\SopCast\adv\SopAdver.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrateur\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WinButler] C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe
O4 - HKCU\..\Run: [SfKg6wIPu] C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe
O4 - Global Startup: Démarrage rapide du logiciel HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986....
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld...
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://charon777.free.fr/plugins/hardwaredetection.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPACl...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)


Re


Télécharge Flash Disinfector sur ton Bureau
http://www.techsupportforum.com/sectools/sUBs/Flash_Dis...
Connecte tous les périphériques externes ( DD , USB , ..... )
Double clique sur Flash Disinfector et laisse toi guider


Copie (Ctrl+C) le texte ci-dessous :

File::
C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe

Folder::
C:\Documents and Settings\Administrateur\Application Data\WinButler

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinButler"=-
"SfKg6wIPu"=-

Ouvre le Bloc-Notes puis colle (Ctrl+V) le texte précedemment copié.
Sauvegarde ce fichier sous le nom de CFScript.txt



Comme l'image le montre, fait glisser CFScript.txt sur Combofix.exe
Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.
Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!
Ne touche à rien tant que le scan n'est pas terminé.
Une fois le scan achevé, un rapport va s'afficher: poste son contenu.
Si le fichier ne s'ouvre pas, il se trouve ici > C:\ComboFix.txt

Bonjour

Combofix montre une infection (RavMon.exe) qui se transmet essentiellement par les périphériques externes (disque dur amovible, clé USB, etc )

Quand tu lances Flash Disinfector, est ce que tu peux lancer la désinfection sans brancher un périphérique ?

pour ceux qui parle anglais j'ai une solution qui m'a sauve la vie pour ce probleme
What are Powered by Zedo and URL.CPVFEED.COM Popups?
I consider myself a pretty good spyware removal expert, but I ALMOST was stumped the other day when a customer's computer was infected with these strange "Powered by Zedo" ad popups. They would popup in the middle of the screen without warning usually when I was trying to search Google or another search engine. Then they would take my search term and put it in the popup ad showing Ebay or a few other sites.

The javascript that was producing the popups had several ad networks that it was using including

xads.zedo.com
upspiral.com
searchlocal.ws
aavalue.com
url.cpvfeed.com
The popups were appearing in Internet Explorer as well as Firefox and popup blockers including Google Toolbar were not stopping the invasion.


Removal Procedures I Tried

Everytime I thought I had these "Powered by Zedo" ads removed, they would return soon after a boot up, The Hijackthis log didn't reveal any major problems.

Logfile of HijackThis v1.99.1
Scan saved at 2:49:00 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\HP_Administrator\Desktop\comboscan.exe
C:\DOCUME~1\HP_ADM~1\Desktop\HP_Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.c [...] x_homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr? [...] seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr? [...] seconduser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 5723153484
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

The customer's computer had a current version of Norton Internet Security 2006 and he had also used Spyware Doctor by PCTools to remove the problems. I used all the basic tools at first to try to remove them including SmitRem, CWShredder, SmitFraudFix, Lop Uninstaller, Look2Me Uninstallers, VundoFix, etc. but nothing seemed to touch this infection.

On to the Online Scanners...First I tried Housecall, then Panda ActiveScan, nothing was found...Finally I tried Kaspersky Online Scanner and it found a Rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory.

Upon further investigation, I also found a second file called core.cache.dsk that was related in the same directory. The core.sys file had registered itself as a service and was starting automatically each time Windows booted. Because of such a generic name, it didnt appear suspicious when I was examining the running services early on in the investigation.

How to Remove Core.sys

Follow the instructions below to remove core.sys and core.cache.dsk and rid your computer of the "Powered by Zedo" and other ads.

1) Boot into Safe Mode
2) Click on Start, Search, and choose All Files and Folders
3) In the all or part of file name box, type the following

core.sys

4) In the Look In box, choose local hard drives and click Search
5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
6) Repeat steps 2-5 for the file core.cache.dsk
7) Close the Search box
8) Click on Start, Run and type REGEDIT and press Enter
9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
10) Click the plus next to SYSTEM
11) Click the plus next to CurrentControlSet
12) Click the plus next to Services
13) Find the folder called CORE and right-click on it and choose Delete

*** WARNING *** If the folder CORE does not exist, dont do anything

14) Close the Registry Editor by clicking on the X in the right-hand corner of the window

15) Reboot your computer in Normal mode
16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.

http://www.kaspersky.com/virusscanner

17) Scan your computer and delete any other files flagged as problems.

Your computer should now be free of these vicious popups.

voila un autre rapport fait avec kasperky j'ai 2 trojans

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 04, 2007 10:14:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/12/2007
Kaspersky Anti-Virus database records: 442507
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 71551
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:09:24

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe Object is locked skipped
C:\Documents and Settings\Administrateur\Application Data\WinButler\WinBuninstaller.exe Infected: Trojan-Downloader.Win32.Agent.dwe skipped
C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe Infected: Trojan-Downloader.Win32.Agent.fct skipped
C:\Documents and Settings\Administrateur\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Messenger\lafouine7834@hotmail.fr\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Messenger\lafouine7834@hotmail.fr\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Messenger\lafouine7834@hotmail.fr\SharingMetadata\Working\database_1AB4_D994_B4D9_732D\dfsr.db Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Messenger\lafouine7834@hotmail.fr\SharingMetadata\Working\database_1AB4_D994_B4D9_732D\fsr.log Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Messenger\lafouine7834@hotmail.fr\SharingMetadata\Working\database_1AB4_D994_B4D9_732D\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Messenger\lafouine7834@hotmail.fr\SharingMetadata\Working\database_1AB4_D994_B4D9_732D\tmp.edb Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Windows Live Contacts\lafouine7834@hotmail.fr\real\members.stg Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Windows Live Contacts\lafouine7834@hotmail.fr\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Historique\History.IE5\MSHist012007120420071205\index.dat Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\Perflib_Perfdata_8f4.dat Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\Perflib_Perfdata_f6c.dat Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\Perflib_Perfdata_f74.dat Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\~DF35E4.tmp Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\~DF35F4.tmp Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\~DF4B29.tmp Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\~DF4B37.tmp Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temp\~DF858B.tmp Object is locked skipped
C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrateur\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrateur\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Protection résidente.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{20B29C87-4FAD-44B1-8844-36937796A621}\RP565\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6a8.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

C:\Documents and Settings\Administrateur\Application Data\WinButler\WinBuninstaller.exe Infected: Trojan-Downloader.Win32.Agent.dwe skipped
C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe Infected: Trojan-Downloader.Win32.Agent.fct skipped

C'est normal, tu n'as pas mis Combofix sur le Bureau, mais dans un fichier temporaire.

On change.

Télécharge OTMoveIt (de Old_Timer) sur ton Bureau.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt....
Double-clique sur OTMoveIt.exe pour le lancer.
Copie la liste qui se trouve ci-dessous, et colle-la dans le cadre de gauche de OTMoveIt :p aste List of Files/Folders to be moved.

C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe
C:\Documents and Settings\Administrateur\Application Data\WinButler
C:\WINDOWS\System32\RavMon.exe

Clique sur MoveIt! pour lancer la suppression.
Le résultat apparaitra dans le cadre Results.
Clique sur Exit pour fermer.

Il te sera peut-être demander de redémarrer le PC pour achever la suppression. Si c'est le cas accepte par Yes.


Poste le rapport situé dans C:\_OTMoveIt\MovedFiles.

si vous avez besoin de traduction il n'y a qu'a demander je me ferais un plaisir de traduire. sinon pour l'etape de desinfection il faut;
demarrer en mode sans echec
aller dans demarrer-rechercher-tous les fichiers et dossiers- ET la vous taper ''core.sys'' quand ce fichier est trouve vous faites clic droit et vous l'effacer
faites de meme avec ''core.cache.dsk''...

ensuite vous allez dans l'editeur de commande vous taper ''REGIDIT'' clic ok
aller dans
HKEY_LOCAL_MACHINE ----SYSTEM-----CurrentControlSet -----Services

trouver et effacer le dossier CORE . attention s'il ny a pas de fichier CORE dans le registre ne rien modifier.

redemarrer normalement et faites un scan avec kaspersky a jour.

nb: cela n'est pas mentionne mais moi je n'est pas trouve le fichier core.sys ni ''core.cache.dsk'' j'avais par contre le dossier core dans mon registre je l'ai donc efface et quand j'ai redemarre j'ai fait un scan avec spybot and destroy et il me les a trouve chose qui ne faisait pas avant je les ai supprime et j'ai fait un scan avec mon mcafee au lieu de kaspersky........voila

re,

File move failed. C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe scheduled to be moved on reboot.
Folder cleanup failed. C:\Documents and Settings\Administrateur\Application Data\WinButler scheduled to be deleted on reboot.
File/Folder C:\WINDOWS\System32\RavMon.exe not found.
File/Folder not found.

Created on 12-05-2007 21:01:16

RE, voila le rapport chercheur :

Search Navipromo version 3.3.6 commencé le 2007-12-07 à 19:14:23.10

!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Postez ce rapport sur le forum pour le faire analyser !!!
!!! Ne lancez pas la partie désinfection sans l'avis d'un spécialiste !!!

Outil exécuté depuis C:\Program Files\navilog1
Mise à jour le 14.11.2007 à 18h00 par IL-MAFIOSO


Microsoft Windows XP [version 5.1.2600]
Internet Explorer : 6.0.2900.2180


*** Recherche Programmes installés ***




*** Recherche dossiers dans C:\WINDOWS ***



*** Recherche dossiers dans C:\Program Files ***



*** Recherche dossiers dans C:\Documents and Settings\All Users\Application Data ***




*** Recherche dossiers dans C:\Documents and Settings\Administrateur\Application Data ***


*** Recherche dossiers dans C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1 ***


*** Recherche avec Catchme-rootkit/stealth malware detector par gmer ***
pour + d'infos : http://www.gmer.net

Aucun fichier trouvé dans :

- C:\WINDOWS\system32
- C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1



*** Recherche avec GenericNaviSearch ***
!!! Tous ces résultats peuvent révéler des fichiers légitimes !!!
!!! A vérifier impérativement avant toute suppression manuelle !!!

* Recherche dans C:\WINDOWS\system32 *

* Recherche dans C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1 *



*** Recherche fichiers ***




*** Recherche clés spécifiques dans le Registre ***


*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche fichiers connus:

2)Recherche Heuristique :



3)Recherche Certificats :

Certificat Egroup absent !


*** Analyse terminée le 2007-12-07 à 19:14:55.34 ***

ok ,

ComboFix 07-12-02.6 - Administrateur 2007-12-08 20:20:15.3 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.231 [GMT 1:00]
Running from: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe
.

((((((((((((((((((((((((((((( Fichiers créés 2007-11-08 to 2007-12-08 ))))))))))))))))))))))))))))))))))))
.

2007-12-04 19:34 . 2007-12-04 19:34 <REP> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-02 08:20 . 2007-12-02 08:20 <REP> d----c--- C:\WINDOWS\system32\xircom
2007-12-02 08:20 . 2007-12-02 08:20 <REP> d----c--- C:\Program Files\microsoft frontpage
2007-11-25 17:47 . 2007-12-08 13:08 <REP> d----c--- C:\Documents and Settings\Administrateur\Application Data\WinButler

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 12:30 --------- dc----w C:\Program Files\eMule
2007-12-07 18:15 --------- dc----w C:\Program Files\Navilog1
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 -c--a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-26 18:53 --------- dc----w C:\Program Files\Java
2007-11-25 16:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 18:45 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\ATI
2007-11-05 18:42 --------- dc----w C:\Program Files\ATI Technologies
2007-11-05 18:35 --------- dc----w C:\Program Files\Lavalys
2007-11-04 13:02 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\Image Zone Express
2007-11-03 17:02 --------- dc----w C:\Program Files\SopCast
2007-11-03 17:02 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\SopCast
2007-11-03 16:56 --------- dc----w C:\Program Files\VistaCodecPack
2007-11-03 16:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-28 18:03 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-10-28 18:03 --------- dc----w C:\Program Files\KONAMI
2007-10-28 17:54 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-28 17:54 --------- dc-h--r C:\Documents and Settings\Administrateur\Application Data\SecuROM
2007-10-28 13:27 --------- dc----w C:\Program Files\QuickTime
2007-10-28 08:31 --------- dc----w C:\Program Files\Winamp
2007-10-27 10:00 --------- dc----w C:\Program Files\Fichiers communs\Sonic Shared
2007-10-27 10:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-10-27 09:59 --------- dc----w C:\Program Files\Fichiers communs\HP
2007-10-27 09:28 --------- dc----w C:\Program Files\HP
2007-10-18 21:16 --------- dc----w C:\Program Files\Soulseek-Test
2007-10-17 17:28 --------- dc----w C:\Program Files\K-Lite Codec Pack(2)
2007-10-17 17:28 --------- dc----w C:\Program Files\K-Lite Codec Pack
2007-10-17 17:27 --------- dc----w C:\Program Files\Windows Media Connect 2
2007-10-17 17:27 --------- dc----w C:\Program Files\MSXML 4.0
2007-10-17 17:27 --------- dc----w C:\Program Files\DivX
2007-10-16 19:54 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\DivX
2007-09-26 22:07 7,680 -c--a-w C:\WINDOWS\system32\ff_vfw.dll
2007-08-15 15:23 1,967,207 -c--a-w C:\Program Files\SopCast.zip
2006-12-15 17:46 284 -c--a-w C:\Documents and Settings\Administrateur\Application Data\ViewerApp.dat
2005-05-11 21:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot_2007-12-04_23.01.29,39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-08 15:40:39 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_6c4.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-31 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" [2005-12-16 11:57]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55]
"WinButler"="C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe" [2007-10-25 15:55]
"SfKg6wIPu"="C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 14:00 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-14 14:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-28 14:27]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-10-31 13:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
C:\Program Files\Messenger Plus! 3\MsgPlus.exe /WinStart

R0 viadsk;viadsk;C:\WINDOWS\system32\DRIVERS\viadsk.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
S3 DSDrv4;DSDrv4;\??\C:\PROGRA~1\K!TV\Plugins\S_Bt8x8\DSDrv4.sys
S3 s3chipid;s3chipid;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s3chipid.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1971d085-bf74-11db-ac5d-00142a8bb0c4}]
\Shell\AutoRun\command - F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27d73709-1feb-11db-af2b-00142a8bb0c4}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5869a49-1103-11dc-ad39-00142a8bb0c4}]
\Shell\AutoRun\command - F:\autorun_PES2008.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 20:21:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 20:22:28
C:\ComboFix2.txt ... 2007-12-04 23:02
C:\ComboFix3.txt ... 2007-12-01 22:03
.
--- E O F ---

Re

Copie (Ctrl+C) le texte ci-dessous :

File::
C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe
C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe
C:\RavMon.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinButler"=-
"SfKg6wIPu"=-

Ouvre le Bloc-Notes puis colle (Ctrl+V) le texte précedemment copié.
Sauvegarde ce fichier sous le nom de CFScript.txt



Comme l'image le montre, fait glisser CFScript.txt sur Combofix.exe
Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.
Patiente le temps du scan.Le bureau va disparaître à plusieurs reprises: c'est normal!
Ne touche à rien tant que le scan n'est pas terminé.
Une fois le scan achevé, un rapport va s'afficher: poste son contenu.
Si le fichier ne s'ouvre pas, il se trouve ici > C:\ComboFix.txt

re,

ComboFix 07-12-02.6 - Administrateur 2007-12-08 22:43:17.4 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.203 [GMT 1:00]
Running from: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrateur\Bureau\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe
C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe
C:\RavMon.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe

.
((((((((((((((((((((((((((((( Fichiers créés 2007-11-08 to 2007-12-08 ))))))))))))))))))))))))))))))))))))
.

2007-12-04 19:34 . 2007-12-04 19:34 <REP> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-02 08:20 . 2007-12-02 08:20 <REP> d----c--- C:\WINDOWS\system32\xircom
2007-12-02 08:20 . 2007-12-02 08:20 <REP> d----c--- C:\Program Files\microsoft frontpage
2007-11-25 17:47 . 2007-12-08 22:44 <REP> d----c--- C:\Documents and Settings\Administrateur\Application Data\WinButler

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 12:30 --------- dc----w C:\Program Files\eMule
2007-12-07 18:15 --------- dc----w C:\Program Files\Navilog1
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 -c--a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-26 18:53 --------- dc----w C:\Program Files\Java
2007-11-25 16:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 18:45 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\ATI
2007-11-05 18:42 --------- dc----w C:\Program Files\ATI Technologies
2007-11-05 18:35 --------- dc----w C:\Program Files\Lavalys
2007-11-04 13:02 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\Image Zone Express
2007-11-03 17:02 --------- dc----w C:\Program Files\SopCast
2007-11-03 17:02 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\SopCast
2007-11-03 16:56 --------- dc----w C:\Program Files\VistaCodecPack
2007-11-03 16:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-28 18:03 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-10-28 18:03 --------- dc----w C:\Program Files\KONAMI
2007-10-28 17:54 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-28 17:54 --------- dc-h--r C:\Documents and Settings\Administrateur\Application Data\SecuROM
2007-10-28 13:27 --------- dc----w C:\Program Files\QuickTime
2007-10-28 08:31 --------- dc----w C:\Program Files\Winamp
2007-10-27 10:00 --------- dc----w C:\Program Files\Fichiers communs\Sonic Shared
2007-10-27 10:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-10-27 09:59 --------- dc----w C:\Program Files\Fichiers communs\HP
2007-10-27 09:28 --------- dc----w C:\Program Files\HP
2007-10-18 21:16 --------- dc----w C:\Program Files\Soulseek-Test
2007-10-17 17:28 --------- dc----w C:\Program Files\K-Lite Codec Pack(2)
2007-10-17 17:28 --------- dc----w C:\Program Files\K-Lite Codec Pack
2007-10-17 17:27 --------- dc----w C:\Program Files\Windows Media Connect 2
2007-10-17 17:27 --------- dc----w C:\Program Files\MSXML 4.0
2007-10-17 17:27 --------- dc----w C:\Program Files\DivX
2007-10-16 19:54 --------- dc----w C:\Documents and Settings\Administrateur\Application Data\DivX
2007-09-26 22:07 7,680 -c--a-w C:\WINDOWS\system32\ff_vfw.dll
2007-08-15 15:23 1,967,207 -c--a-w C:\Program Files\SopCast.zip
2006-12-15 17:46 284 -c--a-w C:\Documents and Settings\Administrateur\Application Data\ViewerApp.dat
2005-05-11 21:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot_2007-12-04_23.01.29,39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-08 19:25:55 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_6a4.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-31 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" [2005-12-16 11:57]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55]
"WinButler"="C:\Documents and Settings\Administrateur\Application Data\WinButler\WinButler.exe" []
"SfKg6wIPu"="C:\Documents and Settings\Administrateur\Application Data\Microsoft\Windows\rayio.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 14:00 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-14 14:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-28 14:27]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-10-31 13:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
C:\Program Files\Messenger Plus! 3\MsgPlus.exe /WinStart

R0 viadsk;viadsk;C:\WINDOWS\system32\DRIVERS\viadsk.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
S3 DSDrv4;DSDrv4;\??\C:\PROGRA~1\K!TV\Plugins\S_Bt8x8\DSDrv4.sys
S3 s3chipid;s3chipid;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s3chipid.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1971d085-bf74-11db-ac5d-00142a8bb0c4}]
\Shell\AutoRun\command - F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27d73709-1feb-11db-af2b-00142a8bb0c4}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5869a49-1103-11dc-ad39-00142a8bb0c4}]
\Shell\AutoRun\command - F:\autorun_PES2008.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 22:44:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 22:45:05
C:\ComboFix2.txt ... 2007-12-08 20:22
C:\ComboFix3.txt ... 2007-12-04 23:02
.
--- E O F ---

Re


Télécharge OTMoveIt (de Old_Timer) sur ton Bureau.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt....
Double-clique sur OTMoveIt.exe pour le lancer.
Copie la liste qui se trouve ci-dessous, et colle-la dans le cadre de gauche de OTMoveIt :p aste List of Files/Folders to be moved.

C:\Documents and Settings\Administrateur\Application Data\WinButler

Clique sur MoveIt! pour lancer la suppression.
Le résultat apparaitra dans le cadre Results.
Clique sur Exit pour fermer.

Il te sera peut-être demander de redémarrer le PC pour achever la suppression. Si c'est le cas accepte par Yes.


Poste le rapport situé dans C:\_OTMoveIt\MovedFiles.
Lassé par la pub ? Créez un compte

Créer un nouveau sujet

Tom's guide dans le monde