Windows XP SP2 problem

Assiste PC forum -> Virus disinfection & HijackThis log analysis
Mina (Regular; joined 27 Mar 2007; 61 posts)
Posted: 01 Apr 2007 21:42

Hi Sév,

I can't find Network helper Service (MSDisk) in the list of services?

Could this service appear in the list under a different name?
APC (Guest)
Posted: 01 Apr 2007 22:25

Hi again Mina,

If you can't find the service, it doesn't matter, move on to the next step.

Actually it is in your HijackThis log:

"HJT" wrote:
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

But the service's file was taken out by SDFix, and most likely the service along with it. Since you generated the HJT log before running SDFix, it may indeed belong to the past.

++
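APC reads the O23 line above as a service whose image file is already gone. As an added example (this is editor's code, not code from the thread or from HijackThis), here is a small Python triage parser for HijackThis O23 service lines: it splits out display name, service name, owner and image path, copes with the stray quote left in the quoted line's image path, and flags what a log helper looks for first: a missing file, an "Unknown owner", and an image path that is not absolute. The first sample line is the one quoted in APC's reply; the other two are constructed here to exercise the remaining branches.

```python
import re

# Sample HijackThis O23 lines. The first is the line quoted in APC's reply;
# the other two are constructed for this example to exercise the other branches.
SAMPLE_O23_LINES = [
    r'O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)',
    r'O23 - Service: Example AV Service (ExampleAV) - Example Vendor - C:\Program Files\ExampleAV\avsvc.exe',
    r'O23 - Service: Odd Updater (OddUpd) - Unknown owner - svchelper.exe',
]

# O23 layout: "O23 - Service: <display name> (<service name>) - <owner> - <image> [ (file missing)]"
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - '
    r'(?P<owner>.+?) - (?P<image>.+?)(?P<missing> \(file missing\))?$'
)

# Splits the image string into the executable path and its arguments.
# An optional quote may precede the path and a stray one may follow it
# (the quoted line has exactly that: '...irdvxc.exe" /service').
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|sys|com))"?\s*(?P<args>.*)$', re.IGNORECASE)

# Drive-letter-rooted Windows path
ABSOLUTE_RE = re.compile(r'^[A-Za-z]:\\')


def parse_o23(line):
    """Parse one O23 line into a dict, or return None for any other HJT line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    e = EXE_RE.match(image)
    exe = e.group("exe") if e else image
    args = e.group("args").strip() if e else ""
    return {
        "display": m.group("display"),
        "name": m.group("name"),
        "owner": m.group("owner"),
        "image": image,
        "exe": exe,
        "args": args,
        "file_missing": m.group("missing") is not None,
    }


def flags_for(entry):
    """Triage heuristics a log helper applies first; the order is fixed for readability."""
    flags = []
    if entry["file_missing"]:
        flags.append("file missing")
    if entry["owner"].lower() == "unknown owner":
        flags.append("unknown owner")
    if not ABSOLUTE_RE.match(entry["exe"]):
        flags.append("image path not absolute")
    if entry["image"].count('"') % 2 == 1:
        flags.append("unbalanced quote in image path")
    return flags


def triage(lines):
    """Parse every O23 line and attach its flags; non-O23 lines are skipped."""
    report = []
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        entry["flags"] = flags_for(entry)
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_O23_LINES):
        status = ", ".join(entry["flags"]) or "nothing unusual"
        print(f'{entry["name"]:10} {entry["exe"]:40} {status}')
```

The flags are hints for a human reader, not a verdict: a "file missing" entry is usually a leftover of a removal (as APC explains here), and a non-absolute image path only says the binary is resolved through the search path, which is worth a look rather than proof of anything.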
Mina (Regular; joined 27 Mar 2007; 61 posts)
Posted: 01 Apr 2007 22:38

ok
Mina (Regular; joined 27 Mar 2007; 61 posts)
Posted: 02 Apr 2007 14:12

Hi Sév,

Here I am again...

1. OTMoveIt report

Quote:
C:\Program Files\Fichiers communs\FreeProd2\mc-46-533-0000027.exe moved successfully.
C:\Temp\bb_auto_wider.swf moved successfully.
C:\Temp\bb_click_wider.swf moved successfully.
C:\Temp\bb_welcome.html moved successfully.
c:\program files\fichiers communs\WinSoftware moved successfully.
C:\Documents and Settings\Utilisateur\Local Settings\Temp\BVR\auraupg1.exe moved successfully.
C:\Documents and Settings\Utilisateur\Local Settings\Temp\NHB\auraupg1.exe moved successfully.
c:\program files\MyWay\myBar\Settings moved successfully.
Folder move failed. c:\program files\MyWay\myBar\History\search scheduled to be moved on reboot.
c:\program files\MyWay\myBar\History moved successfully.
c:\program files\MyWay\myBar moved successfully.
c:\program files\MyWay moved successfully.
c:\windows\smdat32m.sys moved successfully.
c:\windows\smdat32a.sys moved successfully.
c:\windows\rdt.ini moved successfully.
c:\windows\help\SPAlert.chm moved successfully.
LoadLibrary failed for c:\windows\system32\thun.dll
c:\windows\system32\thun.dll NOT unregistered.
c:\windows\system32\thun.dll moved successfully.
c:\windows\system32\loadctr32.exe moved successfully.
c:\windows\system32\exclean.exe moved successfully.
c:\windows\system32\drivers\zpmodemnt.sys moved successfully.
C:\Program Files\wamp\www\cnam moved successfully.
C:\Program Files\wamp\www moved successfully.
Folder move failed. C:\Program Files\wamp\tmp\sess_9329560c3c4129f1b4ac511667173a33 scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\tmp\sess_08dcfdde9af3d9f45edf6e99bb95a15a scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\tmp\session_dir scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\tmp\eaccelerator\eaccelerator_dir scheduled to be moved on reboot.
C:\Program Files\wamp\tmp\eaccelerator moved successfully.
C:\Program Files\wamp\tmp moved successfully.
Folder move failed. C:\Program Files\wamp\sqlitemanager\TODO scheduled to be moved on reboot.
C:\Program Files\wamp\sqlitemanager\theme\PMA moved successfully.
C:\Program Files\wamp\sqlitemanager\theme\jall moved successfully.
C:\Program Files\wamp\sqlitemanager\theme\green\pics moved successfully.
C:\Program Files\wamp\sqlitemanager\theme\green\menu moved successfully.
C:\Program Files\wamp\sqlitemanager\theme\green moved successfully.
C:\Program Files\wamp\sqlitemanager\theme\default\pics moved successfully.
C:\Program Files\wamp\sqlitemanager\theme\default\menu moved successfully.
C:\Program Files\wamp\sqlitemanager\theme\default moved successfully.
C:\Program Files\wamp\sqlitemanager\theme moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\toolbars\sqlitemanager moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\toolbars\sidetable moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\toolbars\mini moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\toolbars\intlink moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\toolbars\full moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\toolbars\default moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\toolbars moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes\default\js moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes\default\img moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes\default\css moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes\default moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes\classic\js moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes\classic\img moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes\classic\css moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes\classic moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\themes moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\zh-gb2312 moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\zh-big5 moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\vn moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\uk moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\tr moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\th moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\sk moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\si moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\se moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\ru moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\pt moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\pl moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\no moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\nl moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\lt moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\ko moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\ja-utf8 moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\ja-sjis moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\ja-jis moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\ja-euc moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\it moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\hu moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\hr moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\he moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\gz moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\gr moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\fr moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\fi moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\et moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\es moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\en moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\dk moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\de moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\cz moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\ca moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\br moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang\bg moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib\lang moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\lib moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\dialogs moved successfully.
Folder move failed. C:\Program Files\wamp\sqlitemanager\spaw\config\.cvsignore scheduled to be moved on reboot.
C:\Program Files\wamp\sqlitemanager\spaw\config moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw\class moved successfully.
C:\Program Files\wamp\sqlitemanager\spaw moved successfully.
C:\Program Files\wamp\sqlitemanager\plugins\Pear_Tools\pics moved successfully.
C:\Program Files\wamp\sqlitemanager\plugins\Pear_Tools moved successfully.
C:\Program Files\wamp\sqlitemanager\plugins\MySQL_Import\pics moved successfully.
C:\Program Files\wamp\sqlitemanager\plugins\MySQL_Import moved successfully.
C:\Program Files\wamp\sqlitemanager\plugins moved successfully.
Folder move failed. C:\Program Files\wamp\sqlitemanager\LICENCE scheduled to be moved on reboot.
C:\Program Files\wamp\sqlitemanager\lang moved successfully.
C:\Program Files\wamp\sqlitemanager\jscalendar\skins\aqua moved successfully.
C:\Program Files\wamp\sqlitemanager\jscalendar\skins moved successfully.
Folder move failed. C:\Program Files\wamp\sqlitemanager\jscalendar\README scheduled to be moved on reboot.
C:\Program Files\wamp\sqlitemanager\jscalendar\lang moved successfully.
C:\Program Files\wamp\sqlitemanager\jscalendar\doc\html moved successfully.
C:\Program Files\wamp\sqlitemanager\jscalendar\doc moved successfully.
Folder move failed. C:\Program Files\wamp\sqlitemanager\jscalendar\ChangeLog scheduled to be moved on reboot.
C:\Program Files\wamp\sqlitemanager\jscalendar moved successfully.
Folder move failed. C:\Program Files\wamp\sqlitemanager\INSTALL scheduled to be moved on reboot.
C:\Program Files\wamp\sqlitemanager\include moved successfully.
Folder move failed. C:\Program Files\wamp\sqlitemanager\CHANGES scheduled to be moved on reboot.
C:\Program Files\wamp\sqlitemanager moved successfully.
C:\Program Files\wamp\scripts moved successfully.
Folder move failed. C:\Program Files\wamp\phpmyadmin\TODO scheduled to be moved on reboot.
C:\Program Files\wamp\phpmyadmin\themes\original\img moved successfully.
C:\Program Files\wamp\phpmyadmin\themes\original\css moved successfully.
C:\Program Files\wamp\phpmyadmin\themes\original moved successfully.
C:\Program Files\wamp\phpmyadmin\themes\darkblue_orange\img moved successfully.
C:\Program Files\wamp\phpmyadmin\themes\darkblue_orange\css moved successfully.
C:\Program Files\wamp\phpmyadmin\themes\darkblue_orange moved successfully.
C:\Program Files\wamp\phpmyadmin\themes moved successfully.
C:\Program Files\wamp\phpmyadmin\test moved successfully.
C:\Program Files\wamp\phpmyadmin\scripts moved successfully.
Folder move failed. C:\Program Files\wamp\phpmyadmin\README scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\phpmyadmin\LICENSE scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\phpmyadmin\libraries\transformations\TEMPLATE_MIMETYPE scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\phpmyadmin\libraries\transformations\TEMPLATE scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\phpmyadmin\libraries\transformations\README scheduled to be moved on reboot.
C:\Program Files\wamp\phpmyadmin\libraries\transformations moved successfully.
Folder move failed. C:\Program Files\wamp\phpmyadmin\libraries\import\README scheduled to be moved on reboot.
C:\Program Files\wamp\phpmyadmin\libraries\import moved successfully.
Folder move failed. C:\Program Files\wamp\phpmyadmin\libraries\.htaccess scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\phpmyadmin\libraries\fpdf\README scheduled to be moved on reboot.
C:\Program Files\wamp\phpmyadmin\libraries\fpdf\font moved successfully.
C:\Program Files\wamp\phpmyadmin\libraries\fpdf moved successfully.
C:\Program Files\wamp\phpmyadmin\libraries\export moved successfully.
C:\Program Files\wamp\phpmyadmin\libraries\engines moved successfully.
C:\Program Files\wamp\phpmyadmin\libraries\dbi moved successfully.
C:\Program Files\wamp\phpmyadmin\libraries\dbg moved successfully.
C:\Program Files\wamp\phpmyadmin\libraries\auth moved successfully.
C:\Program Files\wamp\phpmyadmin\libraries moved successfully.
C:\Program Files\wamp\phpmyadmin\lang moved successfully.
C:\Program Files\wamp\phpmyadmin\js moved successfully.
Folder move failed. C:\Program Files\wamp\phpmyadmin\INSTALL scheduled to be moved on reboot.
C:\Program Files\wamp\phpmyadmin\css moved successfully.
Folder move failed. C:\Program Files\wamp\phpmyadmin\CREDITS scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\phpmyadmin\contrib\README scheduled to be moved on reboot.
C:\Program Files\wamp\phpmyadmin\contrib\packaging\Fedora moved successfully.
C:\Program Files\wamp\phpmyadmin\contrib\packaging moved successfully.
C:\Program Files\wamp\phpmyadmin\contrib moved successfully.
Folder move failed. C:\Program Files\wamp\phpmyadmin\ChangeLog scheduled to be moved on reboot.
C:\Program Files\wamp\phpmyadmin moved successfully.
C:\Program Files\wamp\php\PEAR moved successfully.
C:\Program Files\wamp\php\extras\pdf-related moved successfully.
C:\Program Files\wamp\php\extras\openssl moved successfully.
Folder move failed. C:\Program Files\wamp\php\extras\mibs\.index scheduled to be moved on reboot.
C:\Program Files\wamp\php\extras\mibs moved successfully.
C:\Program Files\wamp\php\extras moved successfully.
C:\Program Files\wamp\php\ext moved successfully.
C:\Program Files\wamp\php\dev moved successfully.
C:\Program Files\wamp\php moved successfully.
C:\Program Files\wamp\mysql\share\ukrainian moved successfully.
C:\Program Files\wamp\mysql\share\swedish moved successfully.
C:\Program Files\wamp\mysql\share\spanish moved successfully.
C:\Program Files\wamp\mysql\share\slovak moved successfully.
C:\Program Files\wamp\mysql\share\serbian moved successfully.
C:\Program Files\wamp\mysql\share\russian moved successfully.
C:\Program Files\wamp\mysql\share\romanian moved successfully.
C:\Program Files\wamp\mysql\share\portuguese moved successfully.
C:\Program Files\wamp\mysql\share\polish moved successfully.
C:\Program Files\wamp\mysql\share\norwegian-ny moved successfully.
C:\Program Files\wamp\mysql\share\norwegian moved successfully.
C:\Program Files\wamp\mysql\share\korean moved successfully.
C:\Program Files\wamp\mysql\share\japanese-sjis moved successfully.
C:\Program Files\wamp\mysql\share\japanese moved successfully.
C:\Program Files\wamp\mysql\share\italian moved successfully.
C:\Program Files\wamp\mysql\share\hungarian moved successfully.
C:\Program Files\wamp\mysql\share\greek moved successfully.
C:\Program Files\wamp\mysql\share\german moved successfully.
C:\Program Files\wamp\mysql\share\french moved successfully.
C:\Program Files\wamp\mysql\share\estonian moved successfully.
C:\Program Files\wamp\mysql\share\english moved successfully.
C:\Program Files\wamp\mysql\share\dutch moved successfully.
C:\Program Files\wamp\mysql\share\danish moved successfully.
C:\Program Files\wamp\mysql\share\czech moved successfully.
Folder move failed. C:\Program Files\wamp\mysql\share\charsets\README scheduled to be moved on reboot.
C:\Program Files\wamp\mysql\share\charsets moved successfully.
C:\Program Files\wamp\mysql\share moved successfully.
C:\Program Files\wamp\mysql\scripts moved successfully.
Folder move failed. C:\Program Files\wamp\mysql\EXCEPTIONS-CLIENT scheduled to be moved on reboot.
C:\Program Files\wamp\mysql\data\test moved successfully.
C:\Program Files\wamp\mysql\data\phpmyadmin moved successfully.
C:\Program Files\wamp\mysql\data\mysql moved successfully.
Folder move failed. C:\Program Files\wamp\mysql\data\ib_logfile1 scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\mysql\data\ib_logfile0 scheduled to be moved on reboot.
Folder move failed. C:\Program Files\wamp\mysql\data\ibdata1 scheduled to be moved on reboot.
C:\Program Files\wamp\mysql\data moved successfully.
Folder move failed. C:\Program Files\wamp\mysql\COPYING scheduled to be moved on reboot.
C:\Program Files\wamp\mysql\bin moved successfully.
C:\Program Files\wamp\mysql moved successfully.
Folder move failed. C:\Program Files\wamp\logs\log_dir scheduled to be moved on reboot.
C:\Program Files\wamp\logs moved successfully.
Folder move failed. C:\Program Files\wamp\lang\modules\lang_dir scheduled to be moved on reboot.
C:\Program Files\wamp\lang\modules moved successfully.
C:\Program Files\wamp\lang moved successfully.
C:\Program Files\wamp\Apache2\modules moved successfully.
C:\Program Files\wamp\Apache2\logs moved successfully.
C:\Program Files\wamp\Apache2\lib moved successfully.
C:\Program Files\wamp\Apache2\icons\small moved successfully.
C:\Program Files\wamp\Apache2\icons moved successfully.
C:\Program Files\wamp\Apache2\error\include moved successfully.
C:\Program Files\wamp\Apache2\error moved successfully.
Folder move failed. C:\Program Files\wamp\Apache2\conf\magic scheduled to be moved on reboot.
C:\Program Files\wamp\Apache2\conf\extra moved successfully.
Folder move failed. C:\Program Files\wamp\Apache2\conf\default\magic scheduled to be moved on reboot.
C:\Program Files\wamp\Apache2\conf\default moved successfully.
C:\Program Files\wamp\Apache2\conf\alias moved successfully.
C:\Program Files\wamp\Apache2\conf moved successfully.
C:\Program Files\wamp\Apache2\cgi-bin moved successfully.
C:\Program Files\wamp\Apache2\bin\iconv moved successfully.
C:\Program Files\wamp\Apache2\bin moved successfully.
C:\Program Files\wamp\Apache2 moved successfully.
C:\Program Files\wamp moved successfully.

Created on 04/01/2007 23:05:03


2. FixWareout report

Quote:

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csiao.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "pgtshlld" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "nidnsdr" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "djkse" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23rtcdaol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "6" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23rtcdool" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "8" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "9" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "10" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "11" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "12" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "13" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "14" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "15" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "16" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "17" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "18" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23naelch" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "20" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "21" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "22" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "24" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "25" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "26" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "27" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "28" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "1dedoc" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "llams_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "repiwh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "domdnb" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "orcimlh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23tsniow" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "35" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "36" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "37" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "38" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "39" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "40" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "41" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "42" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "43" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "44" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "45" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "46" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "47" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "48" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "49" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "50" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "51" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "52" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "53" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "54" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "55" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "56" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "57" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "58" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "59" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "60" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "61" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "62" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "63" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "64" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "65" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "66" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "67" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "68" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "69" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "70" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "71" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "72" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "73" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "74" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "75" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "76" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "77" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "78" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "79" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "80" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "81" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "82" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "83" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "84" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "85" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "86" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "87" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "88" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "89" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "90" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "91" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "92" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "93" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "94" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "95" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "96" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "97" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "98" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "99" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "100" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "101" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "102" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "103" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "104" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "105" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "106" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "107" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "108" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "109" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "110" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "111" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "120" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "121" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "122" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "123" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "124" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "125" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "126" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "127" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "128" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "129" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "130" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "131" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "132" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "133" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "134" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "135" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "136" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "rjhmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "137" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "138" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "139" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "140" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "141" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "142" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "143" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "144" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "145" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "pgtshlld" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "nidnsdr" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ytpme" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23lserspg" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ifpnxesm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23rtcdaol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ibpnxesm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23rtcdool" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23naelch" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "lserspg" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1dedoc" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llams_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "domdnb" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "orcimlh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23tsniow" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
....
»»»»» Misc files.
C:\Documents and Settings\mina\Application Data\uns.tmp Deleted
C:\WINDOWS\BALLOON.WAV Deleted
C:\WINDOWS\System32\close.bmp Deleted
C:\WINDOWS\System32\dating.bmp Deleted
C:\WINDOWS\System32\gambling.bmp Deleted
C:\WINDOWS\System32\idesk.conf Deleted
C:\WINDOWS\System32\insurance.bmp Deleted
C:\WINDOWS\System32\pharmacy.bmp Deleted
C:\WINDOWS\System32\spyware.bmp Deleted
C:\WINDOWS\System32\WOINST32.EXE Deleted
C:\WINDOWS\System32\xxx.bmp Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\NUMERI~1\\MONASS~1\\SMARTB~1\\MotiveSB.exe"
"EPSON Stylus C64 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C64 Series\" /O6 \"USB002\" /M \"Stylus C64\""
"StatusCheck"="AppMasterCenter.exe"
"powerdll"="10010.exe"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus Titanium\\APVXDWIN.EXE\" /s"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
02/04/2007 00h04


Reports 3 and 4 => message 2
Mina
Regular member
Joined: 27 Mar 2007
Posts: 61

Posted: 02 Apr 2007 14:35

3. FixWareout report

Quote:

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csiao.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "pgtshlld" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "nidnsdr" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "djkse" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23rtcdaol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "6" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23rtcdool" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "8" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "9" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "10" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "11" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "12" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "13" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "14" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "15" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "16" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "17" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "18" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23naelch" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "20" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "21" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "22" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "24" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "25" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "26" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "27" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "28" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "1dedoc" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "llams_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "repiwh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "domdnb" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "orcimlh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23tsniow" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "35" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "36" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "37" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "38" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "39" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "40" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "41" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "42" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "43" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "44" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "45" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "46" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "47" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "48" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "49" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "50" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "51" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "52" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "53" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "54" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "55" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "56" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "57" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "58" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "59" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "60" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "61" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "62" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "63" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "64" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "65" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "66" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "67" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "68" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "69" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "70" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "71" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "72" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "73" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "74" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "75" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "76" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "77" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "78" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "79" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "80" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "81" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "82" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "83" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "84" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "85" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "86" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "87" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "88" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "89" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "90" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "91" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "92" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "93" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "94" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "95" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "96" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "97" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "98" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "99" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "100" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "101" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "102" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "103" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "104" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "105" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "106" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "107" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "108" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "109" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "110" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "111" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "120" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "121" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "122" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "123" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "124" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "125" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "126" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "127" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "128" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "129" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "130" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "131" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "132" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "133" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "134" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "135" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "136" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "rjhmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "137" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "138" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "139" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "140" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "141" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "142" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "143" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "144" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "145" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "pgtshlld" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "nidnsdr" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ytpme" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23lserspg" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ifpnxesm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23rtcdaol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ibpnxesm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23rtcdool" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23naelch" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "lserspg" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1dedoc" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llams_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "domdnb" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "orcimlh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23tsniow" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
....
»»»»» Misc files.
C:\Documents and Settings\mina\Application Data\uns.tmp Deleted
C:\WINDOWS\BALLOON.WAV Deleted
C:\WINDOWS\System32\close.bmp Deleted
C:\WINDOWS\System32\dating.bmp Deleted
C:\WINDOWS\System32\gambling.bmp Deleted
C:\WINDOWS\System32\idesk.conf Deleted
C:\WINDOWS\System32\insurance.bmp Deleted
C:\WINDOWS\System32\pharmacy.bmp Deleted
C:\WINDOWS\System32\spyware.bmp Deleted
C:\WINDOWS\System32\WOINST32.EXE Deleted
C:\WINDOWS\System32\xxx.bmp Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\NUMERI~1\\MONASS~1\\SMARTB~1\\MotiveSB.exe"
"EPSON Stylus C64 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C64 Series\" /O6 \"USB002\" /M \"Stylus C64\""
"StatusCheck"="AppMasterCenter.exe"
"powerdll"="10010.exe"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus Titanium\\APVXDWIN.EXE\" /s"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
APC
Guest

Posted: 02 Apr 2007 14:55

Hi Mina

You made a mistake when posting your reports: you sent me the FixWareout report twice.

I'm still missing a new HijackThis log and the KAV report.

Did everything go well otherwise? How is your PC doing?

++
Mina
Regular member
Joined: 27 Mar 2007
Posts: 61

Posted: 02 Apr 2007 15:55

Hi again Sév,

I can't copy/paste the Kaspersky report (HTML format) at all, my machine won't handle it!?!
I open the file, click "Select all" and it stops there…
I'll try again…
Last night I installed the Kerio firewall and I admit it's starting to annoy me a lot!!!

I don't understand Kerio's alert messages, for example:

« [02/04/2007 15:03:49]

Direction: sortant
Point local: 82.67.105.200, port 19187
Materiel: Connexion au reseau local
Point distant: venoix-1-82-67-105-254.fbx.proxad.net [82.67.105.254], port 1900
Protocole: UDP

Fichier: c:\Program Files\Messenger\msmsgs.exe
Description: Messenger
Version: 4.7.0041
Cree le: 2007/3/28, 11:08:12
Modifie le: 2002/8/20, 14:08:38
Accede le: 2007/4/2, 13:03:50

RuleId = 67108885 »

I don't know which entries to accept and which to refuse???

The computer is getting slower and slower…
I don't know what to do any more?

3. HijackThis report
Quote:
Logfile of HijackThis v1.99.1
Scan saved at 10:40:39, on 02/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par NC NUMERICABLE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NUMERI~1\MONASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB002" /M "Stylus C64"
O4 - HKLM\..\Run: [StatusCheck] AppMasterCenter.exe
O4 - HKLM\..\Run: [powerdll] 10010.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168006756905
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



a+
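Reading a firewall alert like the one pasted above is easier once its fields are pulled apart. The following Python script is an example added here by the editor, not code from the thread or from Kerio; it parses the alert text exactly as pasted (Kerio's French field labels are assumed to be the ones shown above), checks whether the remote endpoint sits on the same /24 as the local address, and names the well-known service behind the destination port. The port table is this example's own and deliberately short.

```python
"""Parse a Kerio Personal Firewall alert and annotate it (editor-added example)."""
import ipaddress
import re

# The alert as pasted in the thread (constructed copy; Kerio's French labels kept).
ALERT = r"""[02/04/2007 15:03:49]

Direction: sortant
Point local: 82.67.105.200, port 19187
Materiel: Connexion au reseau local
Point distant: venoix-1-82-67-105-254.fbx.proxad.net [82.67.105.254], port 1900
Protocole: UDP

Fichier: c:\Program Files\Messenger\msmsgs.exe
Description: Messenger
Version: 4.7.0041
Cree le: 2007/3/28, 11:08:12
Modifie le: 2002/8/20, 14:08:38
Accede le: 2007/4/2, 13:03:50

RuleId = 67108885"""

# Kerio's French labels -> neutral keys (assumption: labels as shown in the alert above).
LABELS = {
    "Direction": "direction",
    "Point local": "local",
    "Point distant": "remote",
    "Protocole": "protocol",
    "Fichier": "file",
    "Description": "description",
}
DIRECTIONS = {"sortant": "outbound", "entrant": "inbound"}

# Small, example-only table of ports worth recognising in home-firewall alerts.
KNOWN_PORTS = {
    (1900, "UDP"): "SSDP (UPnP device discovery)",
    (53, "UDP"): "DNS",
    (80, "TCP"): "HTTP",
    (443, "TCP"): "HTTPS",
}

# Matches "host [1.2.3.4], port 1900" as well as "1.2.3.4, port 19187".
ENDPOINT_RE = re.compile(r"(?:\[(?P<bracketed>[\d.]+)\]|(?P<bare>[\d.]+)),\s*port\s*(?P<port>\d+)")


def parse_endpoint(text):
    """Return (ip, port) from a Kerio endpoint field, with or without a hostname."""
    m = ENDPOINT_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return (m.group("bracketed") or m.group("bare"), int(m.group("port")))


def parse_alert(text):
    """Map the labelled lines of one alert to a dict with parsed endpoints."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = LABELS.get(label.strip()) if sep else None
        if key:
            fields[key] = value.strip()
    fields["local"] = parse_endpoint(fields["local"])
    fields["remote"] = parse_endpoint(fields["remote"])
    fields["direction"] = DIRECTIONS.get(fields["direction"].lower(), fields["direction"])
    fields["protocol"] = fields["protocol"].upper()
    return fields


def same_subnet(local_ip, remote_ip, prefix=24):
    """True when both addresses fall inside the same /prefix network."""
    net = ipaddress.ip_network(f"{local_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(remote_ip) in net


def describe(fields):
    """Plain-language observations a helper would check before deciding on the rule."""
    local_ip, _ = fields["local"]
    remote_ip, remote_port = fields["remote"]
    service = KNOWN_PORTS.get((remote_port, fields["protocol"]), "no well-known service")
    return [
        f"{fields['direction']} {fields['protocol']} from {fields['file']}",
        f"remote {remote_ip}:{remote_port} is "
        + ("on" if same_subnet(local_ip, remote_ip) else "NOT on")
        + f" the local /24 of {local_ip}",
        f"destination port {remote_port}/{fields['protocol']}: {service}",
    ]


if __name__ == "__main__":
    for note in describe(parse_alert(ALERT)):
        print(note)
```

For this alert the script reports an outbound UDP datagram from msmsgs.exe to a host on the same /24 as the local address, on the SSDP port; those three facts are what make the entry look like local UPnP discovery rather than something to worry about, and they are the ones worth checking before answering any such prompt.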
APC
Guest

Posted: 02 Apr 2007 20:21

"Mina" wrote:
I can't copy/paste the Kaspersky report (HTML format) at all, my machine won't handle it!?!
I open the file, click "Select all" and it stops there…
I'll try again…


Upload the file to C-Joint and paste the link on the forum, it should work that way ► How to.


Quote:
Last night I installed the Kerio firewall and I admit it's starting to annoy me a lot!!!


I know it's a pain, but it's necessary for now. We'll see about letting you do without it once you've been able to update the system.

Quote:
I don't know which entries to accept and which to refuse???


For the alert you gave as an example, you can let it through, it's MSN.

Your HJT log still shows signs of infection, in particular Wareout, which is hanging on.

We'll see about what comes next once I've seen your KAV report.

@+
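The helper's later instruction to fix the `[powerdll] 10010.exe` line rests on something that can be checked mechanically: a Run entry that names a bare executable with no directory, or whose file name is nothing but digits, deserves a look before anything else. The Python below is an example added here by the editor, not HijackThis code or the helper's method; it applies that heuristic to the O4 lines from the log above (copied into the script as a constructed sample). A flagged entry is a lead to research, not a verdict: `AppMasterCenter.exe` trips the same rule and was not called out in the thread.

```python
"""Heuristic triage of HijackThis O4 (Run key) lines (editor-added example)."""
import re

# O4 lines copied from the HijackThis log above (constructed sample for the example).
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [StatusCheck] AppMasterCenter.exe
O4 - HKLM\..\Run: [powerdll] 10010.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Shape of an O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def executable_of(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def heuristics(exe):
    """Reasons (possibly none) to look more closely at an autostart executable."""
    reasons = []
    if "\\" not in exe and "/" not in exe:
        # With no directory the file is located through the normal search order,
        # so the log alone does not tell you where on disk it lives.
        reasons.append("bare file name, no directory")
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.isdigit():
        reasons.append("file name is digits only")
    return reasons


def triage(log_text):
    """Return {value name: (executable, reasons)} for every O4 line that trips a heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        reasons = heuristics(exe)
        if reasons:
            flagged[m.group("name")] = (exe, reasons)
    return flagged


if __name__ == "__main__":
    for name, (exe, reasons) in triage(HJT_O4_LINES).items():
        print(f"[{name}] {exe}: {'; '.join(reasons)}")
```

Run against the sample it flags exactly two entries, `StatusCheck` and `powerdll`, the latter on both counts; every entry that carries a full path to a known vendor directory passes untouched, which is what keeps a heuristic like this usable on a real log of fifty lines.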
Mina
Regular member
Joined: 27 Mar 2007
Posts: 61

Posted: 03 Apr 2007 0:32

Hi Sév,

Thanks for your reply!

I'm sending you the link to the KAV report, I hope it works this time

http://cjoint.com/data/edanYZgyBh.htm

A+
APC
Guest

Posted: 03 Apr 2007 22:32

Good evening Mina,

OK for the KAV report

Two questions to start with:

  • Are you quite sure you used CCleaner? Because if the scan report is that long, it's because there are a lot of temporary files.

  • What is the "Utilisateur" session on your machine?


Let's carry on with the spring cleaning

  1. Via Add/Remove Programs, uninstall HBTools (or Hotbar, or ShopperReports, as the case may be)

  2. Give yourself access to hidden files and delete these folders:

    • C:\Documents and Settings\mina\Bureau\SDFix\backups\backups.zip
    • C:\Documents and Settings\Utilisateur\Local Settings\Temp\Temporary Internet Files\Content.IE5 --> All of its contents


  3. Empty the Recycle Bin,

  4. Turn System Restore off and straight back on again,

  5. Download Clean.zip by Malekal_morte,

    • Unzip it to your desktop (right-click / Extract All); you should get a folder called Clean.
    • Open the clean folder and double-click clean.cmd (or clean; the .cmd may not be shown)
    • Choose option 1 then wait,
    • Then post the contents of the report


  6. Run FixWareout again, as you did before (if you don't remember, look at point 5 of the procedure)

  7. After the restart, tick and fix this line with HijackThis:

    Quote:
    O4 - HKLM\..\Run: [powerdll] 10010.exe


  8. Run CCleaner and restart your PC again,

    We'll also check that there are no other, tougher guests

  9. Download Gmer

    • Disconnect from the Internet and close all running programs,

    • Unzip the zip file and double-click gmer.exe,

      Note: If your antivirus raises an alert on the file gmer.sys or gmer.exe, let it run.

    • Click the "rootkit" tab

    • Then on scan

      Note: If a rootkit is detected, Gmer will show it by putting the offending entries in red on screen. (see screenshot)

    • When the scan is finished, click "copy"

    • Open Notepad and click Edit / Paste; the report should then appear

    • Save the file to your desktop and post the report in your next reply.


  10. New HijackThis log, and do a scan with Panda this time, so we can see what junk is left to remove.

    If there's nothing to report from Gmer we'll do the Windows updates; it should go through this time.



Have a good evening,
Bye
Mina
Regular member
Joined: 27 Mar 2007
Posts: 61

Posted: 04 Apr 2007 16:22

Hi Sév,

First of all, thanks for your advice!

I was also very surprised to see the KAV report full of temporary files and I have no idea why
I ran the system clean with CCleaner twice, following the instructions given on the forum (http://www.assistepc.com/eliminer_virus/ccleaner.htm), and I'll do it again, of course.

The Panda and KAV reports differ a lot in their results and I find that odd???
(Panda had found 9 viruses, KAV 24)

In the end I'm well aware I made a huge blunder by removing SP2 from my computer, and I'm really sorry…
The "utilisateur" account belongs to a nine-and-a-half-year-old boy who plays on children's sites:
"kinder surprise", etc., and who doesn't have administrator rights.

Well, I'll carry on with the spring cleaning…
I'll keep you posted, and thank you!!!
APC
Guest

Posted: 04 Apr 2007 20:36

Good evening Mina,

Odd that CCleaner didn't clear everything out… You'll set it aside for now, we'll replace it

  • Download ATF Cleaner by Atribune,
  • Double-click ATF-Cleaner.exe
  • In the Main menu, tick the All box,
  • Then click Empty Selected



  • Run it a second time, and this time go to the Firefox menu, tick the All box, then Empty Selected.


"Mina" wrote:
The Panda and KAV reports differ a lot in their results and I find that odd???
(Panda had found 9 viruses, KAV 24)


Panda doesn't scan the System Restore points, KAV does, which explains that big difference.

"Mina" wrote:
The "utilisateur" account belongs to a nine-and-a-half-year-old boy who plays on children's sites:
"kinder surprise", etc., and who doesn't have administrator rights.


Yes, Kinder Surprise, you can say that again

In fact the risky sites are crack sites, game sites, adult sites… and children's sites. Malware authors have a field day on those sites, because they are dealing precisely with a young audience that isn't aware of the dangers of the net, and the traps are very common.

And it's lucky it's a session with only user rights; that limits the damage.

Have him browse with Firefox; that will already be the lesser evil.

Good luck

++
Mina
Regular member
Joined: 27 Mar 2007
Posts: 61

Posted: 04 Apr 2007 22:57

Good evening Sév, and thanks for your message!!!

I'm at the very start of my spring cleaning, but I'd like to tell you what has just happened:

At first I started with:

"Via Add/Remove Programs, uninstall HBTools (or Hotbar, or ShopperReports, as the case may be)".

Unfortunately with no result, because I didn't find HBTools, Hotbar or ShopperReports… in C:\Program Files… odd, isn't it?!

Then I deleted "SDFix\backups\backups.zip" without any problem,

which was not the case with:

"C:\Documents and Settings\Utilisateur\Local Settings\Temp\Temporary Internet Files\Content.IE5".

In there were 4 files with long, strange names like "U2LHT.net%2%2…" and also "FFFFF&color_text=4a2coo&…", which I didn't manage to delete.

So I decided to delete the "Utilisateur" account completely.

I don't know whether it was the most sensible choice, but it's already done…

Was I wrong?

When I went into the user account options to delete the "Utilisateur" account, I was very surprised to see there was another user account that I didn't know about before, neither me nor anyone else around me

This limited-rights account was named "ASP.NET MachineA…?", and I hurried to delete it too.

I don't know whether that was the right choice either?

I also did "Turn System Restore off and straight back on again", but I had forgotten to empty the Recycle Bin first…
Do we need to do it again?

Thanks in advance for your advice and a+
APC
Guest

Posted: 04 Apr 2007 23:20

"Mina" wrote:
"Via Add/Remove Programs, uninstall HBTools (or Hotbar, or ShopperReports, as the case may be)".

Unfortunately with no result, because I didn't find HBTools, Hotbar or ShopperReports… in C:\Program Files… odd, isn't it?!

No, that's rather good news.

"Mina" wrote:
"C:\Documents and Settings\Utilisateur\Local Settings\Temp\Temporary Internet Files\Content.IE5".

In there were 4 files with long, strange names like "U2LHT.net%2%2…" and also "FFFFF&color_text=4a2coo&…", which I didn't manage to delete.

So I decided to delete the "Utilisateur" account completely.


Well, that's radical at least


"Mina" wrote:
When I went into the user account options to delete the "Utilisateur" account, I was very surprised to see there was another user account that I didn't know about before, neither me nor anyone else around me

This limited-rights account was named "ASP.NET MachineA…?", and I hurried to delete it too.

I don't know whether that was the right choice either?


That one, on the other hand, is a big blunder.

Now we'll have to recreate the account, because it's needed for the system to work properly.

Do Start / Run and copy/paste this command line: %WINDIR%\Microsoft.NET\Framework

From there, two ways to go depending on the case:

If you have several versions of the Framework, you'll find several folders there with the exact version name.

Give me the most recent version number.

If you don't have several folders, look for a file named mscorlib.dll -> right-click it / Properties / Version and tell me what it says.

We need it to recreate the ASP.NET Machine Account.


"Mina" wrote:
I also did "Turn System Restore off and straight back on again", but I had forgotten to empty the Recycle Bin first…
Do we need to do it again?


No, no need, we'll deal with that at the end of the disinfection.

I'd rather you ask me when you have a doubt about something than take somewhat gung-ho initiatives. There were other solutions than the ones you chose; it would be more effective to focus on the cleaning rather than on repairing the system.


++
Mina
Regular member
Joined: 27 Mar 2007
Posts: 61

Posted: 04 Apr 2007 23:57

Hi,

I have two versions of the Framework: v1.0.3705 and v1.1.4322

I've just sent you an email

a+
All times are GMT + 2 Hours