
Infection - antivirus blocked - IE blocked [Solved]


Posted on 29 Jul 2011 11:42

Hello,
I'm asking for your help because I'm infected with a nasty virus.
The symptoms are as follows:
- impossible to launch the antivirus
- Spybot impossible
- impossible to connect with Internet Explorer or Opera. Only Firefox works
- impossible to run an online scan via various sites, to which I think it blocks access:
- http://www.secuser.com/antivirus/
- http://www.zebulon.fr
- http://www.bitdefender.fr/scanner/online/free.html
- http://www.kaspersky.com/fr/virusscanner
- http://www.eset.com/onlinescan/
- http://www.pandasecurity.com/activescan/index/
- http://housecall.trendmicro.com/fr/

Here is the HijackThis v2.0.2 report
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:44, on 29/07/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\Applied Biosystems\StepOne Software v2.2\bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINNT\system32\PowerMAN.exe
C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wbem\wmiprvse.exe
C:\WINNT\system32\wbem\wmiprvse.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\VTTimer.exe
C:\WINNT\system32\S3trayp.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
v:\pcounter\WBALANCE3.EXE
C:\DOCUME~1\jvais\LOCALS~1\Temp\PPOPUP2.EXE
C:\WINNT\announcement_viewer\Announcement Viewer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\PowerMANUI.exe
C:\Documents and Settings\jvais\My Documents\Téléchargements\HiJackThis.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liv.ac.uk/staff
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.liv.ac.uk/staff/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ZoneAlarm Security Suite Toolbar - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe,
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: ZoneAlarm Security Suite - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Security Suite Toolbar - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AutoGPUpdate] C:\WINNT\system32\gpupdate.exe /force /wait:0
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [DomainLogin] C:\temp\stage2hook.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HkgMsqrf] C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-137024685-2204166116-4157399963-102676\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'bs0u60f9')
O4 - HKUS\S-1-5-21-137024685-2204166116-4157399963-154387\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'bs0u812c')
O4 - HKUS\S-1-5-21-137024685-2204166116-4157399963-176780\..\Run: [DomainLogin] C:\temp\stage2hook.bat (User 'bs0u913a')
O4 - HKUS\S-1-5-21-1644491937-1844237615-839522115-500\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.liv.ac.uk/
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/6c5b0a1ae398e3/player.virtools.com/downloads/player/Install2.5/Installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = livad.liv.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = livad.liv.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = livad.liv.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = liv.ac.uk,ac.uk,uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = livad.liv.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = liv.ac.uk,ac.uk,uk
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = livad.liv.ac.uk
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = liv.ac.uk,ac.uk,uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = liv.ac.uk,ac.uk,uk
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Invitrogen\Vector NTI Advance 11\Ncbi.dll
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Applied Biosystems\StepOne Software v2.2\bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Unknown owner - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe (file missing)
O23 - Service: PowerMAN Power Management Service (PowerMan) - Data Synergy UK Ltd - C:\WINNT\system32\PowerMAN.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Limited - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Limited - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Limited - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Limited - C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\ORL\VNC\WinVNC.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 12722 bytes


That's it, I've run out of ideas. My computer knowledge being limited, I hope an expert will be able to help me out.
stevegerrard (Confirmed Visitor, Posts: 23, Joined: 29 Jul 2011 11:39)


Re: Infection - antivirus blocked - IE blocked

Posted on 29 Jul 2011 11:52

Hello
In this order please :wink:

Relaunch HijackThis > then: Do a system scan only > tick these lines, then confirm with Fix checked

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe,
O4 - HKLM\..\Run: [AutoGPUpdate] C:\WINNT\system32\gpupdate.exe /force /wait:0
O4 - HKCU\..\Run: [DomainLogin] C:\temp\stage2hook.bat
O4 - HKCU\..\Run: [HkgMsqrf] C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe
O4 - HKUS\S-1-5-21-137024685-2204166116-4157399963-176780\..\Run: [DomainLogin] C:\temp\stage2hook.bat (User 'bs0u913a')
O14 - IERESET.INF: START_PAGE_URL=http://www.liv.ac.uk/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = livad.liv.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = livad.liv.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = livad.liv.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = liv.ac.uk,ac.uk,uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = livad.liv.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = liv.ac.uk,ac.uk,uk
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = livad.liv.ac.uk
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = liv.ac.uk,ac.uk,uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = liv.ac.uk,ac.uk,uk


Then this.

* Download RogueKiller (by tigzy) to the desktop
* Launch it, then confirm option 2.

* A report (RKreport.txt) should have been created next to the executable; paste its contents in your reply

Then:
Download >>OTM<< (by Old_Timer) to your Desktop.

>> For VISTA: right-click and choose "Run as administrator".

>> AVAST detects this program as an intruder, so disable it for the duration of the operations.

Double-click OTM to launch it. [image]

Copy the list quoted below:
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HkgMsqrf"=-
:Files
c:\documents and settings\jvais\local settings\application data\yeoainio
:Commands
[emptytemp]


and paste it into the left-hand pane of OTM under this:

[image]

Click on [image] to launch the removal.
Wait for the tool to finish its work, then close OTM

The result will appear in the Results pane.
Click Exit to close.
Post the report located in C:\_OTM\MovedFiles\06092009_130526.log (example name)

NB: You may be asked to restart the PC to complete the removal.
If so, accept with Oui/Yes.

Then this.

Install Malwarebytes' Anti-Malware,

http://malwarebytes.org/products/malwarebytes_free

Make sure to take the FREE version
*** Update it, then choose Perform full scan

*** If an infection is found, tick the box next to it and confirm with the Remove Selected button

Post the final report.


And as a check.

* Download >> OTL << to your desktop.

* Double-click the OTL icon to launch it
/!\ for Vista/Seven, right-click the OTL icon and choose "Run as administrator"

* Make sure you have closed all running applications.

* When the OTL window appears, make sure that in the "Output" section (top right) the "Minimal Output" box is ticked.

* Copy and paste the contents of this quote into the lower "Custom Scans/Fixes" box of OTL
NetSvcs
%systemroot%\system32\drivers\*.sys /lockedfiles
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
netsvcs
/md5start
dwm.exe
taskhost.exe
taskeng.exe
wscntfy.exe
ctfmon.exe
rdpclip.exe
volsnap.sys
sptd.sys
explorer.exe
userinit.exe
winlogon.exe
wininit.exe
tcpip.sys
Sfloppy.sys
Changer.sys
cdrom.sys
disk.sys
ndis.sys
usbscan.sys
usbprint.sys
tdtcp.sys
tdpipe.sys
swmidi.sys
splitter.sys
rdpwd.sys
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
RASACD.SYS
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

* Click the "Run Scan" icon (top left).
* Let the scan run to completion without using the PC
* At the end of the scan one or two reports will open, "OTL.Txt" and (or) "Extras.Txt" (in some cases).
* Copy and paste the report(s) in your reply please...
* Just in case, you can find them in the C:\OTL folder or on your desktop, depending on the case
Put the report here as it takes up a lot of space.

http://www.cijoint.fr/index.php
bernard53 (PC-Infopraticien, Posts: 12778, Joined: 08 Dec 2009 19:51)
 

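The triage bernard53 applies to the posted HijackThis log (a Userinit value carrying a second logon program, and Run keys that launch from per-user data or temp directories), as an added example that is neither code from the thread nor from HijackThis. The regexes and the directory list are this example's own heuristics; the sample lines are copied from the log posted above.

```python
import re

# Windows runs every comma-separated entry of the Userinit value at logon;
# a clean Windows 2000/XP install carries only userinit.exe (the system root
# may be WINNT or WINDOWS, as in the posted log).
EXPECTED_USERINIT = re.compile(r"^[a-z]:\\win(nt|dows)\\system32\\userinit\.exe$")

# Directories from which a legitimate autostart is rare (lower-case, with a
# trailing separator so "c:\temp\" does not match "c:\temporary_tools\").
SUSPICIOUS_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
    "c:\\temp\\",
)

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")


def userinit_extras(value):
    """Return every Userinit entry that is not the expected userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not EXPECTED_USERINIT.match(e.lower())]


def command_path(cmd):
    """Extract the program path from an O4 command line (quoted or bare)."""
    cmd = USER_SUFFIX_RE.sub("", cmd.strip())
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Bare path: cut at the first switch (" /force", " -hide").
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def in_suspicious_dir(path):
    """True when the path lives under one of the directories listed above."""
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage(log_lines):
    """Return (line, reason) pairs for entries a helper would ask the user to fix."""
    findings = []
    for line in log_lines:
        line = line.rstrip()
        m = F2_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append((line, "Userinit hijack: extra logon program " + extra))
            continue
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            if in_suspicious_dir(path):
                findings.append((line, "Run key launches from a user data/temp directory: " + path))
    return findings


# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe,
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AutoGPUpdate] C:\WINNT\system32\gpupdate.exe /force /wait:0
O4 - HKCU\..\Run: [DomainLogin] C:\temp\stage2hook.bat
O4 - HKCU\..\Run: [HkgMsqrf] C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-21-137024685-2204166116-4157399963-176780\..\Run: [DomainLogin] C:\temp\stage2hook.bat (User 'bs0u913a')
""".strip().splitlines()

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason)
        print("   ", line)
```

Run against the sample, it reports the F2 line once and the three Run entries that bernard53 lists (DomainLogin twice, HkgMsqrf once), while leaving the stock RTHDCPL, WinVNC, gpupdate and nLite entries alone.
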
Re: Infection - antivirus blocked - IE blocked

Posted on 29 Jul 2011 14:46

Thank you very much for your reply bernard53.
Thanks for the tutorial, really very practical.
Everything has been done as recommended in your post

RogueKiller report

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: jvais [Admin rights]
Mode: Remove -- Date : 07/29/2011 12:06:37

Bad processes: 3
[SVCHOST] svchost.exe -- c:\winnt\system32\svchost.exe -> KILLED
[SVCHOST] svchost.exe -- c:\winnt\system32\svchost.exe -> KILLED
[SUSP PATH] PPOPUP2.EXE -- c:\docume~1\jvais\locals~1\temp\ppopup2.exe -> KILLED

Registry Entries: 5
[SUSP PATH] HKCU\[...]\Run : HkgMsqrf (C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe) -> DELETED
[SUSP PATH] HKUS\S-1-5-21-137024685-2204166116-4157399963-154387[...]\Run : DomainLogin (C:\temp\stage2hook.bat) -> DELETED
[SUSP PATH] HKUS\S-1-5-21-137024685-2204166116-4157399963-165211[...]\Run : DomainLogin (C:\temp\stage2hook.bat) -> DELETED
[SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINNT\system32\userinit.exe,C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe,) -> REPLACED (C:\WINNT\system32\userinit.exe,)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:
127.0.0.1       localhost
127.0.0.1   www.007guard.com
127.0.0.1   007guard.com
127.0.0.1   008i.com
127.0.0.1   www.008k.com
127.0.0.1   008k.com
127.0.0.1   www.00hq.com
127.0.0.1   00hq.com
127.0.0.1   010402.com
127.0.0.1   www.032439.com
127.0.0.1   032439.com
127.0.0.1   www.0scan.com
127.0.0.1   0scan.com
127.0.0.1   1000gratisproben.com
127.0.0.1   www.1000gratisproben.com
127.0.0.1   1001namen.com
127.0.0.1   www.1001namen.com
127.0.0.1   100888290cs.com
127.0.0.1   www.100888290cs.com
127.0.0.1   www.100sexlinks.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt


OTM report

 
All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\HkgMsqrf not found.
========== FILES ==========
c:\documents and settings\jvais\local settings\application data\yeoainio folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 587193 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: All Users
 
User: bs0u60f9
->Temp folder emptied: 588603 bytes
->Temporary Internet Files folder emptied: 1028740 bytes
 
User: bs0u812c
->Temp folder emptied: 1192764 bytes
->Temporary Internet Files folder emptied: 32776898 bytes
 
User: bs0u913a
->Temp folder emptied: 1161069 bytes
->Temporary Internet Files folder emptied: 9282001 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: hariz
->Temp folder emptied: 1547475 bytes
->Temporary Internet Files folder emptied: 39384674 bytes
->Flash cache emptied: 1713 bytes
 
User: jvais
->Temp folder emptied: 132384737 bytes
->Temporary Internet Files folder emptied: 5455118 bytes
->FireFox cache emptied: 74235389 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 470 bytes
 
User: karen24
->Temp folder emptied: 22347500 bytes
->Temporary Internet Files folder emptied: 4475768 bytes
->Flash cache emptied: 12383 bytes
 
User: LocalService
->Temp folder emptied: 2088172 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: lofty
->Temp folder emptied: 7533840 bytes
->Temporary Internet Files folder emptied: 36156940 bytes
->Flash cache emptied: 69581 bytes
 
User: MWSInstall
->Temp folder emptied: 594221 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: ncobbe
->Temp folder emptied: 1158046 bytes
->Temporary Internet Files folder emptied: 4587259 bytes
->Flash cache emptied: 39043 bytes
 
User: NetworkService
->Temp folder emptied: 2133480 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: nkl
->Temp folder emptied: 1953522 bytes
->Temporary Internet Files folder emptied: 96247180 bytes
->Flash cache emptied: 1832 bytes
 
User: pevans
->Temp folder emptied: 1406852 bytes
->Temporary Internet Files folder emptied: 631123 bytes
 
User: register
->Temp folder emptied: 137135 bytes
->Temporary Internet Files folder emptied: 516249 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 783252 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 9783544 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1013 bytes
 
Total Files Cleaned = 470.00 mb
 
 
OTM by OldTimer - Version 3.1.18.0 log created on 07292011_120734

Files moved on Reboot...

Registry entries deleted on Reboot...



Malwarebytes' Anti-Malware report

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Version de la base de données: 7297

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

29/07/2011 14:09:59
mbam-log-2011-07-29 (14-09-59).txt

Type d'examen: Examen complet (C:\|D:\|)
Elément(s) analysé(s): 364722
Temps écoulé: 1 heure(s), 2 minute(s), 3 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)
 


Finally, here are the OTL reports
http://www.cijoint.fr/cjlink.php?file=cj201107/cijE94RrcF.txt

http://www.cijoint.fr/cjlink.php?file=cj201107/cijQbbvhNQ.txt

Unfortunately the evil still seems to be in my computer
stevegerrard (Confirmed Visitor, Posts: 23, Joined: 29 Jul 2011 11:39)

Re: Infection - antivirus blocked - IE blocked

Posted on 29 Jul 2011 16:27

OK do this please

* Double-click the OTL icon to launch it
/!\ for Vista/Seven, right-click the OTL icon and choose "Run as administrator"

* Make sure you have closed all running applications.

* When the OTL window appears, make sure that in the "Output" section (top right) the "Minimal Output" box is ticked.

* Copy and paste the contents of this quote into the lower "Custom Scans/Fixes" box of OTL
:OTL
PRC - C:\Documents and Settings\jvais\Local Settings\Temp\PPOPUP2.EXE (A.N.D. Technologies, Inc.)
SRV - (IswSvc) -- File not found
SRV - (HidServ) -- File not found
DRV - (KL1) -- C:\WINNT\system32\DRIVERS\kl1.sys (Kaspersky Lab ZAO)
DRV - (kl2) -- C:\WINNT\system32\drivers\kl2.sys (Kaspersky Lab ZAO)
DRV - (KLIF) -- C:\WINNT\system32\drivers\klif.sys (Kaspersky Lab)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Suite Toolbar) - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll (Conduit Ltd.)
O4 - HKCU\..\Run: [HkgMsqrf] C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe File not found
O4 - HKCU\..\Run: [DomainLogin] C:\temp\stage2hook.bat ()
[2011/07/29 13:05:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio
[2011/07/28 15:33:47 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/07/28 15:33:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jvais\Local Settings\Application Data\Conduit
:Commands
[emptytemp]
[emptyflash]
[createrestorepoint]
[reboot]

* Click the "Run Fix" icon (top left).
* Let the scan run to completion without using the PC
* At the end of the scan a report will open, "OTL.log"
* Copy and paste the report(s) in your reply please...
* Just in case, you can find them in the C:\OTL folder or on your desktop, depending on the case
Put the report here as it takes up a lot of space.
http://www.cijoint.fr/index.php
bernard53 (PC-Infopraticien, Posts: 12778, Joined: 08 Dec 2009 19:51)

Re: Infection - antivirus blocked - IE blocked

Posted on 29 Jul 2011 19:13

thanks again for the reply and your help, I'll try it on Monday.
Right now I'm leaving for the weekend.
Have a good weekend
stevegerrard (Confirmed Visitor, Posts: 23, Joined: 29 Jul 2011 11:39)

Re: Infection - antivirus blocked - IE blocked

Posted on 29 Jul 2011 19:33

OK have a good weekend :wink:
bernard53 (PC-Infopraticien, Posts: 12778, Joined: 08 Dec 2009 19:51)

Re: Infection - antivirus blocked - IE blocked

Posted on 01 Aug 2011 08:51

There, it's done
All processes killed
========== OTL ==========
No active process named PPOPUP2.EXE was found!
Service IswSvc stopped successfully!
Service IswSvc deleted successfully!
File  File not found not found.
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File  File not found not found.
Error: Unable to stop service KL1!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KL1 deleted successfully.
C:\WINNT\system32\drivers\kl1.sys moved successfully.
Error: Unable to stop service kl2!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl2 deleted successfully.
C:\WINNT\system32\drivers\kl2.sys moved successfully.
Error: Unable to stop service KLIF!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KLIF deleted successfully.
C:\WINNT\system32\drivers\klif.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@checkpoint.com/FFApi\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{3ce45c4f-bfff-4988-9a3c-a75c1f491319} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}\ deleted successfully.
C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll moved successfully.
Registry key HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Run not found.
File C:\temp\stage2hook.bat not found.
Folder move failed. C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio scheduled to be moved on reboot.
C:\Program Files\Conduit\Community Alerts folder moved successfully.
C:\Program Files\Conduit folder moved successfully.
C:\Documents and Settings\jvais\Local Settings\Application Data\Conduit\CT3015261 folder moved successfully.
C:\Documents and Settings\jvais\Local Settings\Application Data\Conduit\Community Alerts\Log folder moved successfully.
C:\Documents and Settings\jvais\Local Settings\Application Data\Conduit\Community Alerts folder moved successfully.
C:\Documents and Settings\jvais\Local Settings\Application Data\Conduit folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
 
User: bs0u60f9
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: bs0u812c
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: bs0u913a
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: hariz
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: jvais
->Temp folder emptied: 1206775 bytes
->Temporary Internet Files folder emptied: 63111 bytes
->FireFox cache emptied: 44969295 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 1101 bytes
 
User: karen24
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 226 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: lofty
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: MWSInstall
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: ncobbe
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: NetworkService
->Temp folder emptied: 1792 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: nkl
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: pevans
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: register
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18000 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 44.00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
 
User: All Users
 
User: bs0u60f9
 
User: bs0u812c
 
User: bs0u913a
 
User: Default User
 
User: hariz
->Flash cache emptied: 0 bytes
 
User: jvais
->Flash cache emptied: 0 bytes
 
User: karen24
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: lofty
->Flash cache emptied: 0 bytes
 
User: MWSInstall
 
User: ncobbe
->Flash cache emptied: 0 bytes
 
User: NetworkService
 
User: nkl
->Flash cache emptied: 0 bytes
 
User: pevans
 
User: register
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTL Restore Point (0)
 
OTL by OldTimer - Version 3.2.26.1 log created on 07292011_173405

Files\Folders moved on Reboot...
Folder move failed. C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio scheduled to be moved on reboot.

Registry entries deleted on Reboot...
stevegerrard
Confirmed Visitor
Posts: 23
Joined: 29 Jul 2011 11:39
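To turn an OTL fix log like the one above into a follow-up list for the next reply, here is an added Python example (not a tool from this forum or from OTL's author; it only knows the line formats shown on this page, and its sample input is copied from the log above):

```python
import re

# Constructed sample input: result lines copied from the OTL fix log posted above
# (raw string, so the backslashes are kept exactly as OTL printed them).
SAMPLE_LOG = r"""
Error: Unable to stop service KLIF!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KLIF deleted successfully.
C:\WINNT\system32\drivers\klif.sys moved successfully.
Registry key HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Run not found.
File C:\temp\stage2hook.bat not found.
Folder move failed. C:\Documents and Settings\jvais\Local Settings\Application Data\yeoainio scheduled to be moved on reboot.
C:\Program Files\Conduit folder moved successfully.
Process PowerMANUI.exe killed successfully!
========== COMMANDS ==========
"""

# Ordered (pattern, kind, status) table; the first pattern that matches a line wins,
# so the more specific "folder moved" form precedes the generic "moved" form.
PATTERNS = [
    (re.compile(r"^Error: Unable to stop service (?P<target>\S+)!$"), "service", "error"),
    (re.compile(r"^Folder move failed\. (?P<target>.+) scheduled to be moved on reboot\.$"),
     "folder", "deferred"),
    (re.compile(r"^Registry (?:key|value) (?P<target>.+) deleted successfully\.$"),
     "registry", "ok"),
    (re.compile(r"^Registry (?:key|value) (?P<target>.+) not found\.$"), "registry", "not_found"),
    (re.compile(r"^File (?P<target>.+) not found\.$"), "file", "not_found"),
    (re.compile(r"^(?P<target>.+) folder moved successfully\.$"), "folder", "ok"),
    (re.compile(r"^(?P<target>.+) moved successfully\.$"), "file", "ok"),
    (re.compile(r"^Process (?P<target>.+) killed successfully!$"), "process", "ok"),
]


def parse_otl_fix_log(text):
    """Return one record per result line: {'kind', 'status', 'target', 'line'}.

    Section banners ("========== ... ==========") and blank lines are skipped;
    any other line that matches no known form is kept with status 'unparsed'
    so nothing in the log is silently dropped.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=========="):
            continue
        for pattern, kind, status in PATTERNS:
            match = pattern.match(line)
            if match:
                records.append({"kind": kind, "status": status,
                                "target": match.group("target"), "line": line})
                break
        else:
            records.append({"kind": "unknown", "status": "unparsed",
                            "target": None, "line": line})
    return records


def summary(records):
    """Count records per status, e.g. {'ok': 4, 'deferred': 1, ...}."""
    counts = {}
    for record in records:
        counts[record["status"]] = counts.get(record["status"], 0) + 1
    return counts


def follow_ups(records):
    """Everything OTL could not finish, as (status, kind, target) tuples.

    deferred  - locked file/folder; verify it is really gone after the reboot.
    error     - a service that would not stop; its driver may still be loaded.
    not_found - absent when OTL ran; if a later scan lists it again, whatever
                recreates it is still active and the fix only removed a symptom.
    """
    wanted = {"deferred", "error", "not_found"}
    return [(r["status"], r["kind"], r["target"]) for r in records if r["status"] in wanted]


if __name__ == "__main__":
    recs = parse_otl_fix_log(SAMPLE_LOG)
    print("status counts:", summary(recs))
    for status, kind, target in follow_ups(recs):
        print(f"{status:<10} {kind:<9} {target}")
```

The deferred folder is the item to re-check first: the yeoainio folder above could not be moved while OTL was running. A "not found" target that a later scan lists again means whatever recreates it is still active.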
 

Re: Infection - antivirus blocked - IE blocked

Posted on 01 Aug 2011 09:16

OK, how is your PC doing this time?
Do you have any alert being reported?
bernard53
PC-Infopraticien
Posts: 12778
Joined: 08 Dec 2009 19:51
 

Re: Infection - antivirus blocked - IE blocked

Posted on 01 Aug 2011 09:33

Unfortunately still the same. :cry:
Same symptoms as at the start.
Adobe Reader, IE still blocked
Sophos unavailable, just like Spybot

I don't know if it's a lead, but a file PowerMan.xml was created this morning on C:
I wonder whether it's linked to PowerManui.exe, which is a running process tied to my user name in Windows Task Manager
stevegerrard
Confirmed Visitor
Posts: 23
Joined: 29 Jul 2011 11:39
 

Re: Infection - antivirus blocked - IE blocked

Posted on 01 Aug 2011 10:34

OK, do this.


* Double-click the OTL icon to launch it
/!\ on Vista/Seven, right-click the OTL icon and choose "Run as administrator"

* Make sure you have closed all running applications.

* When the OTL window appears, make sure that in the "Rapport" (Report) section (top right) the "Rapport minimal" (minimal report) box is checked.

* Copy and paste the contents of this quote into the lower "Personnalisation" (custom fix) box of OTL
:OTL
PRC - C:\WINNT\system32\PowerMANUI.exe (Data Synergy UK Ltd)
PRC - C:\WINNT\system32\PowerMAN.exe (Data Synergy UK Ltd)

* Click the Correction (Fix) icon (top left).
* Let the scan run to completion without using the PC
* At the end of the scan a report "OTL.log" will open
* Copy and paste the report(s) into your reply please...
* Just in case, you can find them in the C:\OTL folder or on your desktop, depending on the situation
Put the report here, since it takes up a lot of space.

http://www.cijoint.fr/index.php

Then check this.


- In Firefox, Tools / Options, then the Advanced tab.
- Click Network and Settings.
- Choose "No Proxy".

- In Internet Explorer, it's the Tools / Internet Options menu.
- Connections tab, then LAN settings --> disable the proxy.

Check that the "Automatically detect connection settings" box is checked.
Restart the computer.

and after that, this.


For Internet Explorer:
Start IE -->> Tools -->> Internet Options -->> Advanced tab -->> RESET

For Firefox:
Start Firefox --> Tools, Options --> General tab --> Restore default configuration

For Google Chrome:
Tools (wrench at top right) --> Options --> Advanced options --> Restore default values.
bernard53
PC-Infopraticien
Posts: 12778
Joined: 08 Dec 2009 19:51
 

Re: Infection - antivirus blocked - IE blocked

Posted on 01 Aug 2011 11:13

Thanks for your help.
But still no way out of the crisis in sight

========== OTL ==========
Process PowerMANUI.exe killed successfully!
Process PowerMAN.exe killed successfully!
 
OTL by OldTimer - Version 3.2.26.1 log created on 08012011_104133


After the procedure IE was still down (like everything else, for that matter)
stevegerrard
Confirmed Visitor
Posts: 23
Joined: 29 Jul 2011 11:39
 

Re: Infection - antivirus blocked - IE blocked

Posted on 01 Aug 2011 17:15

OK, this then.


Go here and download, to the Desktop, the latest version of CAT ("Crisis Aversion Tool" by teamrocketops).
Double-click its icon (Vista/W7: right-click it => "Run as administrator") to launch the program.

Click the Fixes menu and check the boxes in front of the following lines:
- Flush DNS Resolver Cache
- Repair Internet Explorer
- Reset Default Services Start States
- Reset Windows Update

Close all open windows and applications except CAT, then press the "Apply Checked Fixes" button. Close the program and restart the PC.
Note that the program creates a folder named "CAT-Logs" at the root of the system partition (usually C:\CAT-Logs). Remember to delete this folder at the end of the cleanup.
bernard53
PC-Infopraticien
Posts: 12778
Joined: 08 Dec 2009 19:51
 

Re: Infection - antivirus blocked - IE blocked

Posted on 02 Aug 2011 09:13

Thanks
There, it's done. But the nasty beast is still alive :cry:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~ CAT Summary Log - Date: 2011.08.02 @ 0905 hrs ~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- CAT Version: 1.1 ---

=============== DNS Cache Flush ===============
Flushing DNS Cache...   Done.
=========== DNS Cache Flush Complete ==========

=============== Resetting Default Services Start State ===============
Preparing backup file...
Backup directory does not exist. Creating...
Backup file prepared: C:\Documents and Settings\All Users\Application Data\CAT\Backups\DSR - 08.01.2011-17.50.45.ini

Setting service "wuauserv" start mode to: "Automatic"... Already set to correct state.
Setting service "Browser" start mode to: "Automatic"... Already set to correct state.
Setting service "CryptSvc" start mode to: "Automatic"... Already set to correct state.
Setting service "DcomLaunch" start mode to: "Automatic"... Already set to correct state.
Setting service "Dhcp" start mode to: "Automatic"... Already set to correct state.
Setting service "Dnscache" start mode to: "Automatic"... Already set to correct state.
Setting service "Eventlog" start mode to: "Automatic"... Already set to correct state.
Setting service "PlugPlay" start mode to: "Automatic"... Already set to correct state.
Setting service "Spooler" start mode to: "Automatic"... Already set to correct state.
Setting service "RpcSs" start mode to: "Automatic"... Already set to correct state.
Setting service "SamSs" start mode to: "Automatic"... Already set to correct state.
Setting service "lanmanserver" start mode to: "Automatic"... Successfully changed.
Setting service "ShellHWDetection" start mode to: "Automatic"... Already set to correct state.
Setting service "Schedule" start mode to: "Automatic"... Already set to correct state.
Setting service "AudioSrv" start mode to: "Automatic"... Already set to correct state.
Setting service "SharedAccess" start mode to: "Automatic"... Already set to correct state.
Setting service "winmgmt" start mode to: "Automatic"... Already set to correct state.
Setting service "lanmanworkstation" start mode to: "Automatic"... Successfully changed.
Setting service "Alerter" start mode to: "Disabled"... Already set to correct state.
Setting service "ClipSrv" start mode to: "Disabled"... Already set to correct state.
Setting service "HidServ" start mode to: "Disabled"... Service "HidServ" does not exist.
Setting service "Messenger" start mode to: "Disabled"... Already set to correct state.
Setting service "NetDDE" start mode to: "Disabled"... Already set to correct state.
Setting service "NetDDEdsdm" start mode to: "Disabled"... Already set to correct state.
Setting service "RemoteAccess" start mode to: "Disabled"... Already set to correct state.
Setting service "ERSvc" start mode to: "Automatic"... Already set to correct state.
Setting service "EapHost" start mode to: "Manual"... Service "EapHost" does not exist.
Setting service "FastUserSwitchingCompatibility" start mode to: "Manual"... Already set to correct state.
Setting service "hkmsvc" start mode to: "Manual"... Service "hkmsvc" does not exist.
Setting service "helpsvc" start mode to: "Automatic"... Already set to correct state.
Setting service "HTTPFilter" start mode to: "Manual"... Already set to correct state.
Setting service "cisvc" start mode to: "Automatic"... Successfully changed.
Setting service "PolicyAgent" start mode to: "Automatic"... Already set to correct state.
Setting service "ehRecvr" start mode to: "Automatic"... Service "ehRecvr" does not exist.
Setting service "ehSched" start mode to: "Automatic"... Service "ehSched" does not exist.
Setting service "MHN" start mode to: "Automatic"... Service "MHN" does not exist.
Setting service "SwPrv" start mode to: "Manual"... Already set to correct state.
Setting service "Netlogon" start mode to: "Manual"... Successfully changed.
Setting service "mnmsrvc" start mode to: "Manual"... Already set to correct state.
Setting service "xmlprov" start mode to: "Manual"... Already set to correct state.
Setting service "SysmonLog" start mode to: "Manual"... Already set to correct state.
Setting service "WmdmPmSN" start mode to: "Manual"... Already set to correct state.
Setting service "ProtectedStorage" start mode to: "Automatic"... Already set to correct state.
Setting service "RSVP" start mode to: "Manual"... Already set to correct state.
Setting service "RasAuto" start mode to: "Manual"... Already set to correct state.
Setting service "RasMan" start mode to: "Manual"... Already set to correct state.
Setting service "RDSessMgr" start mode to: "Manual"... Already set to correct state.
Setting service "RemoteRegistry" start mode to: "Automatic"... Already set to correct state.
Setting service "NtmsSvc" start mode to: "Manual"... Already set to correct state.
Setting service "seclogon" start mode to: "Automatic"... Already set to correct state.
Setting service "wscsvc" start mode to: "Automatic"... Already set to correct state.
Setting service "SCardSvr" start mode to: "Manual"... Already set to correct state.
Setting service "SSDPSRV" start mode to: "Manual"... Already set to correct state.
Setting service "SENS" start mode to: "Automatic"... Already set to correct state.
Setting service "srservice" start mode to: "Automatic"... Already set to correct state.
Setting service "LmHosts" start mode to: "Automatic"... Already set to correct state.
Setting service "TlntSvr" start mode to: "Disabled"... Already set to correct state.
Setting service "TermService" start mode to: "Manual"... Successfully changed.
Setting service "Themes" start mode to: "Automatic"... Already set to correct state.
Setting service "UPS" start mode to: "Manual"... Already set to correct state.
Setting service "upnphost" start mode to: "Manual"... Already set to correct state.
Setting service "VSS" start mode to: "Manual"... Already set to correct state.
Setting service "WebClient" start mode to: "Automatic"... Already set to correct state.
Setting service "stisvc" start mode to: "Manual"... Already set to correct state.
Setting service "W32Time" start mode to: "Automatic"... Already set to correct state.
Setting service "Dot3svc" start mode to: "Manual"... Service "Dot3svc" does not exist.
Setting service "WZCSVC" start mode to: "Automatic"... Already set to correct state.
Setting service "WmiApSrv" start mode to: "Manual"... Already set to correct state.
Setting service "ALG" start mode to: "Manual"... Already set to correct state.
Setting service "AppMgmt" start mode to: "Manual"... Already set to correct state.
Setting service "BITS" start mode to: "Manual"... Already set to correct state.
Setting service "EventSystem" start mode to: "Manual"... Already set to correct state.
Setting service "COMSysApp" start mode to: "Manual"... Already set to correct state.
Setting service "MSDTC" start mode to: "Manual"... Already set to correct state.
Setting service "ImapiService" start mode to: "Manual"... Already set to correct state.
Setting service "dmadmin" start mode to: "Manual"... Already set to correct state.
Setting service "napagent" start mode to: "Manual"... Service "napagent" does not exist.
Setting service "Netman" start mode to: "Manual"... Already set to correct state.
Setting service "Nla" start mode to: "Manual"... Already set to correct state.
Setting service "NtLmSsp" start mode to: "Manual"... Already set to correct state.
Setting service "RpcLocator" start mode to: "Manual"... Already set to correct state.
Setting service "TapiSrv" start mode to: "Manual"... Already set to correct state.
Setting service "MSIServer" start mode to: "Manual"... Already set to correct state.
Setting service "Wmi" start mode to: "Manual"... Already set to correct state.
Setting service "TrkWks" start mode to: "Automatic"... Already set to correct state.
Setting service "dmserver" start mode to: "Automatic"... Already set to correct state.
One or more services have been modified. The computer must be rebooted to finalize the repairs.
============= Default Services Start State Fix Complete ==============

=============== Repairing Windows Update services... ===============
Stopping service: "bits"... Successful.
Setting service "bits" start mode to: "Automatic"... Successfully changed.
Stopping service: "wuauserv"... Successful.
Setting service "wuauserv" start mode to: "Automatic"... Already set to correct state.
Stopping service: "cryptsvc"... Successful.
Setting service "cryptsvc" start mode to: "Automatic"... Already set to correct state.
Deleting: "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr*.dat"...   Successful.
Deleting: "C:\WINNT\system32\catroot2"...   Successful.
Deleting: "C:\WINNT\SoftwareDistribution\DataStore"...   Failed. Unable to lock access rights for deletion or directory is not empty.
Retrying with rd.exe...   Return code: 2
Deleting: "C:\WINNT\SoftwareDistribution\Download"...   Successful.
Deleting: "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader"...   Successful.
Windows XP Detected...
Registering wuweb.dll... Success.
Registering qmgr.dll... Success.
Registering qmgrprxy.dll... Success.
Registering wucltux.dll... Success.
Registering muweb.dll... Success.
Registering wuwebv.dll... Success.
Registering urlmon.dll... Success.
Registering mshtml.dll... Success.
Registering shdocvw.dll... Success.
Registering browseui.dll... Success.
Registering jscript.dll... Success.
Registering vbscript.dll... Success.
Registering scrrun.dll... Success.
Registering msxml.dll... Success.
Registering actxprxy.dll... Success.
Registering softpub.dll... Success.
Registering wintrust.dll... Success.
Registering dssenh.dll... Success.
Registering rsaenh.dll... Success.
Registering gpkcsp.dll... Success.
Registering sccbase.dll... Success.
Registering slbcsp.dll... Success.
Registering cryptdlg.dll... Success.
Registering oleaut.dll... Success.
Registering ole.dll... Success.
Registering initpki.dll (this one usually takes a while)... Success.
Registering wuapi.dll... Success.
Registering wups.dll... Success.
Registering wuaueng.dll... Success.
Registering wucltui.dll... Success.
Registering atl.dll... Success.
Registering msxml3.dll... Success.
Registering Wups2.dll... Success.
Registering msscript.ocx... Success.
Registering dispex.dll... Success.
Registering shell.dll... Success.
Resetting winsock catalog...   Done.
Resetting proxy server settings...   Done.
Deleting registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess"... Key/Value does not exist.
Deleting registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoWindowsUpdate"... Key/Value does not exist.
Deleting registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoWindowsUpdate"... Key/Value does not exist.
Deleting registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate"... Key/Value does not exist.
Deleting registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate"... Key/Value does not exist.
Deleting registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDevMgrUpdate"... Key/Value does not exist.
Deleting registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdateDisableWindowsUpdateAccess"... Key/Value does not exist.
Deleting registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoWindowsUpdate"... Key/Value does not exist.
Writing to registry: "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MainNoUpdateCheck"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AUNoAutoUpdate"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AUAUOptions"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AUScheduledInstallDay"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AUScheduledInstallTime"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AUNoAutoRebootWithLoggedOnUsers"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateNoAutoUpdate"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateAUOptions"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateScheduledInstallDay"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateScheduledInstallTime"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateNoAutoRebootWithLoggedOnUsers"... Successful.
Deleting registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateLastWaitTimeout"... Key/Value does not exist.
Deleting registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateDetectionStartTime"... Key/Value does not exist.
Deleting registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateNextDetectionTime"... Key deleted successfully.
Deleting registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto UpdateScheduledInstallDate"... Key deleted successfully.
Setting service "RpCss" start mode to: "Automatic"... Already set to correct state.
Starting service: "DcomLaunch"... Successful.
Starting service: "RpCss"... Successful.
Starting service: "bits"... Successful.
Starting service: "wuauserv"... Successful.
Starting service: "cryptsvc"... Successful.
============= Windows Update Services Repair Complete ==============

=============== Repairing Internet Explorer ===============
Detecting IE Version...  Version 7 detected.
Registering ACTIVEDS.dll... Success.
Registering adsldpc.dll... Success.
Registering ADVAPI32.dll... Success.
Registering appHelp.dll... Success.
Registering ATL.dll... Success.
Registering browselc.dll... Success.
Registering BROWSEUI.dll... Success.
Registering cdmyidd.dll... Success.
Registering CLBCATQ.dll... Success.
Registering comctl32.dll... Success.
Registering comdlg32.dll... Success.
Registering COMRes.dll... Success.
Registering CRYPT32.dll... Success.
Registering CRYPTUI.dll... Success.
Registering CSCDLL.dll... Success.
Registering cscui.dll... Success.
Registering DNSAPI.dll... Success.
Registering GDI32.dll... Success.
Registering hnetcfg.dll... Success.
Registering IMAGEHLP.dll... Success.
Registering IMM32.dll... Success.
Registering inetmib1.dll... Success.
Registering iphlpapi.dll... Success.
Registering jscript.dll... Success.
Registering kernel32.dll... Success.
Registering LMIRhook.000.dll... Success.
Registering mlang.dll... Success.
Registering MPRAPI.dll... Success.
Registering MSASN1.dll... Success.
Registering MSCTF.dll... Success.
Registering mshtml.dll... Success.
Registering msimg32.dll... Success.
Registering msimtf.dll... Success.
Registering msls31.dll... Success.
Registering msvcrt.dll... Success.
Registering mswsock.dll... Success.
Registering NETAPI32.dll... Success.
Registering ntdll.dll... Success.
Registering ole32.dll... Success.
Registering OLEAUT32.dll... Success.
Registering psapi.dll... Success.
Registering rahook.dll... Success.
Registering rasadhlp.dll... Success.
Registering RASAPI32.dll... Success.
Registering rasman.dll... Success.
Registering rassapi.dll... Success.
Registering RPCRT4.dll... Success.
Registering rtutils.dll... Success.
Registering SAMLIB.dll... Success.
Registering Secur32.dll... Success.
Registering sensapi.dll... Success.
Registering SETUPAPI.dll... Success.
Registering shdoclc.dll... Success.
Registering SHDOCVW.dll... Success.
Registering SHELL32.dll... Success.
Registering SHLWAPI.dll... Success.
Registering snmpapi.dll... Success.
Registering SXS.dll... Success.
Registering TAPI32.dll... Success.
Registering urlmon.dll... Success.
Registering USER32.dll... Success.
Registering userenv.dll... Success.
Registering uxtheme.dll... Success.
Registering VERSION.dll... Success.
Registering WININET.dll... Success.
Registering WINMM.dll... Success.
Registering WINSTA.dll... Success.
Registering WINTRUST.dll... Success.
Registering WLDAP32.dll... Success.
Registering WS2_32.dll... Success.
Registering WS2HELP.dll... Success.
Registering wshtcpip.dll... Success.
Registering wsock32.dll... Success.
Registering wtsapi32.dll... Success.
Registering xpsp2res.dll... Success.

============ Internet Explorer Repairs Complete ===========

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~ CAT Summary Log End - Date: 2011.08.02 @ 0905 hrs ~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



---------------------------------------------------------------------



stevegerrard
Confirmed Visitor
Posts: 23
Joined: 29 Jul 2011 11:39
 

Re: Infection - antivirus blocked - IE blocked

Posted on 02 Aug 2011 19:45

OK, let's look further.



Download ComboFix <HERE>>

For VISTA users: right-click and choose "Run as administrator".
For VISTA: no installation of the Recovery Console.

>> When run, ComboFix will check whether the Microsoft Windows Recovery Console is installed.

With today's infections, it is strongly advised to have it preinstalled on your PC before any removal of malware.
It will allow booting into a special recovery (repair) mode, which lets us help you more easily should your computer run into a problem after a cleanup attempt.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when asked, accept the End User License Agreement to install it.
>> Once it is on your desktop, double-click it to launch it.
Important note: if the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

When the scan is complete, a report will appear. Copy/paste this report into your next reply.
NOTE: the report is also located here: C:\Combofix.txt

>> Do not click in the ComboFix window during the scan; that would cause the program to freeze
bernard53
PC-Infopraticien
Posts: 12778
Joined: 08 Dec 2009 19:51
 

Re: Infection - antivirus blocked - IE blocked

Posted on 03 Aug 2011 08:53

There, it's done
ComboFix 11-07-29.01 - jvais 03/08/2011   8:43.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.44.1033.18.1918.1027 [GMT 1:00]
Running from: c:\documents and settings\jvais\My Documents\Téléchargements\ComboFix.exe
AV: Sophos Anti-Virus *Enabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
 * Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\winnt\system32\export.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-07-03 to 2011-08-03  )))))))))))))))))))))))))))))))
.
.
2011-08-01 16:51 . 2011-08-03 07:34   --------   d-----w-   c:\winnt\system32\CatRoot2
2011-08-01 16:50 . 2011-08-01 16:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\CAT
2011-07-30 07:25 . 2011-07-13 03:39   6881616   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{73C7C949-7876-4CF1-A534-352CB84C7616}\mpengine.dll
2011-07-29 16:28 . 2011-07-29 16:28   --------   d-----w-   C:\_OTL
2011-07-29 12:05 . 2011-07-29 12:05   --------   d-----w-   c:\documents and settings\jvais\Local Settings\Application Data\yeoainio
2011-07-29 11:07 . 2011-07-29 11:07   --------   d-----w-   C:\_OTM
2011-07-28 16:22 . 2011-07-28 16:22   --------   d-----w-   c:\documents and settings\jvais\Application Data\CheckPoint
2011-07-28 14:33 . 2011-07-28 14:33   --------   d-----w-   c:\documents and settings\jvais\Local Settings\Application Data\ZoneAlarm_Security_Suite
2011-07-28 14:33 . 2011-07-29 16:37   --------   d-----w-   c:\program files\ZoneAlarm_Security_Suite
2011-07-28 14:32 . 2011-07-28 14:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\CheckPoint
2011-07-28 14:27 . 2011-07-28 14:32   --------   d-----w-   C:\ca6058f574ea3eb5fade0b
2011-07-28 14:25 . 2011-07-29 08:15   --------   d-----w-   c:\program files\CheckPoint
2011-07-28 13:57 . 2011-07-28 14:33   --------   d-----w-   c:\documents and settings\jvais\Local Settings\Application Data\Temp
2011-07-28 08:17 . 2011-07-28 08:17   361984   ----a-w-   c:\winnt\system32\PowerMANUI.exe
2011-07-13 07:43 . 2011-07-13 07:43   404640   ----a-w-   c:\winnt\system32\FlashPlayerCPLApp.cpl
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 15:09 . 2009-05-13 11:54   978944   ----a-w-   c:\winnt\system32\PowerMAN.exe
2011-07-13 03:39 . 2009-05-13 13:51   6881616   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-06 18:52 . 2011-06-01 16:22   41272   ----a-w-   c:\winnt\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2011-06-01 16:22   22712   ----a-w-   c:\winnt\system32\drivers\mbam.sys
2011-06-08 09:16 . 2011-04-06 15:20   53248   ----a-w-   c:\winnt\system32\jdns_sd.dll
2011-06-03 09:10 . 2009-03-18 10:18   153728   ----a-w-   c:\winnt\system32\drivers\savonaccesscontrol.sys
2011-06-03 09:10 . 2009-03-18 10:18   24192   ----a-w-   c:\winnt\system32\drivers\savonaccessfilter.sys
2011-06-03 09:10 . 2011-06-03 09:11   30744   ----a-w-   c:\winnt\system32\SophosBootTasks.exe
2011-06-03 09:09 . 2011-06-03 09:09   14976   ----a-w-   c:\winnt\system32\drivers\SophosBootDriver.sys
2011-06-03 09:09 . 2011-06-03 09:09   24312   ----a-w-   c:\winnt\system32\drivers\sdcfilter.sys
2011-06-03 09:09 . 2011-06-03 09:09   31736   ----a-w-   c:\winnt\system32\drivers\skmscan.sys
2011-06-03 09:09 . 2011-06-03 09:09   131824   ----a-w-   c:\winnt\system32\sdccoinstaller.dll
2011-05-24 18:14 . 2009-12-07 17:21   222080   ------w-   c:\winnt\system32\MpSigStub.exe
2004-03-01 13:25 . 2004-03-01 13:25   201135   ------w-   c:\program files\internet explorer\plugins\ChimeShim.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"DomainLogin"="c:\temp\stage2hook.bat" [2011-08-03 73]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2001-03-22 295413]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 508307]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-10 300400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2011-03-14 494616]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2010-05-04 124928]
.
c:\documents and settings\lofty\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\hariz\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\jvais\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
"HideLogonScripts"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\winnt\system32\userinit.exe,,c:\documents and settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-102676\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-102676\Scripts\Logon\0\0]
"Script"=\\mwsapps01\st_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-154387\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-154387\Scripts\Logon\0\0]
"Script"=\\mwsapps04\ug_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-164621\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-164621\Scripts\Logon\0\0]
"Script"=\\mwsapps01\st_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-165211\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-165211\Scripts\Logon\0\0]
"Script"=\\mwsapps01\st_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-168146\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-168146\Scripts\Logon\0\0]
"Script"=\\mwsapps01\st_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-175004\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-175004\Scripts\Logon\0\0]
"Script"=\\mwsapps01\st_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-176780\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-176780\Scripts\Logon\0\0]
"Script"=\\mwsapps04\ug_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-188417\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-188417\Scripts\Logon\0\0]
"Script"=\\mwsapps01\st_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-210955\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-210955\Scripts\Logon\0\0]
"Script"=\\mwsapps01\st_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-86222\Scripts\Logoff\0\0]
"Script"=v:\batch\login\logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-137024685-2204166116-4157399963-86222\Scripts\Logon\0\0]
"Script"=\\mwsapps01\st_apps\batch\login\userstub.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\winnt\system32\drivers\ctxusbm.sys [05/10/2009 10:08 65584]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\winnt\system32\drivers\savonaccesscontrol.sys [18/03/2009 11:18 153728]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\winnt\system32\drivers\savonaccessfilter.sys [18/03/2009 11:18 24192]
R1 SKMScan;SKMScan;c:\winnt\system32\drivers\skmscan.sys [03/06/2011 10:09 31736]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [01/06/2011 17:22 366640]
R2 PowerMan;PowerMAN Power Management Service;c:\winnt\system32\PowerMAN.exe [13/05/2009 12:54 978944]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [03/06/2011 10:10 99864]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [03/06/2011 10:09 1543192]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [01/06/2011 17:22 22712]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;\??\c:\program files\CheckPoint\ZAForceField\ISWKL.sys --> c:\program files\CheckPoint\ZAForceField\ISWKL.sys [?]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [03/06/2011 10:09 167960]
S3 sdcfilter;sdcfilter;c:\winnt\system32\drivers\sdcfilter.sys [03/06/2011 10:09 24312]
S4 SophosBootDriver;SophosBootDriver;c:\winnt\system32\drivers\SophosBootDriver.sys [03/06/2011 10:09 14976]
S4 viasraid;viasraid;c:\winnt\system32\drivers\viasraid.sys [05/01/2009 12:20 77312]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorunner.exe "WPC Presentation 2008.pps"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{478fb500-97ff-11e0-9932-001d9209893e}]
\Shell\AutoRun\command - G:\autorunner.exe "WPC Presentation 2008.pps"
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-03 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.liv.ac.uk/staff
uInternet Connection Wizard,ShellNext = hxxp://www.liv.ac.uk/staff/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: liv.ac.uk\*
Trusted Zone: liv.ac.uk\archiveone
Trusted Zone: liv.ac.uk\vital
Trusted Zone: liverpool.ac.uk\*
TCP: DhcpNameServer = 138.253.110.104 138.253.110.103
Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 11\Ncbi.dll
FF - ProfilePath - c:\documents and settings\jvais\Application Data\Mozilla\Firefox\Profiles\06q59lvn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{3ce45c4f-bfff-4988-9a3c-a75c1f491319} - (no file)
BHO-{3ce45c4f-bfff-4988-9a3c-a75c1f491319} - (no file)
HKCU-Run-HkgMsqrf - c:\documents and settings\jvais\Local Settings\Application Data\yeoainio\hkgmsqrf.exe
AddRemove-HijackThis - c:\documents and settings\jvais\My Documents\Téléchargements\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-03 08:44
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
.
c:\documents and settings\jvais\Start Menu\Programs\Startup\hkgmsqrf.exe 79512 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(756)
c:\progra~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
d:\applied biosystems\StepOne Software v2.2\bonjour\mdnsNSP.dll
.
Completion time: 2011-08-03  08:48:19
ComboFix-quarantined-files.txt  2011-08-03 07:48
.
Pre-Run: 7,434,747,904 bytes free
Post-Run: 7,371,030,528 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6915EC9369745C5E37BEFAFC81F6C324

The computer no longer makes the weird noise (every 2 seconds). But everything else is still broken.
Should I run CAT again?
stevegerrard
Confirmed Visitor
Posts: 23
Joined: 29 Jul 2011 11:39
