Intrusive advertising

Intrusive advertising - Security - Windows & Software

Marsh Posted on 01-12-2005 at 14:10:24

Hello,
 
Here is my problem: when I'm on the internet, for example I type google.fr, I get to the site, but 2 seconds later the site changes and an advertising site is displayed. Otherwise it's random: I stay 2 min on a site and when I click a link, hop, I end up on another site. So I think it's malware or something of that kind... I also noticed that I had programs on my desktop that I didn't know existed :( they show up large...
 
I ran Norton 2005, Ad-Aware, Spybot, CCleaner and HijackThis.
Here is the HijackThis log:
 

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 14:02:41, on 01/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Fichiers communs\Aol\aoltpspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GUILLA~1\LOCALS~1\Temp\Rar$EX00.547\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - Global Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6D5ED5D-B4B7-4107-943B-5B7EE84F0B9F}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\lv2s09f7e.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
 


 
Thanks
(I use Firefox, not IE or AOL, despite its built-in browser)


Message edited by PoWaG on 01-12-2005 at 14:15:18


Marsh Posted on 01-12-2005 at 14:20:17

I don't know this one: HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033. Is it normal for it to be launched at startup?


Marsh Posted on 01-12-2005 at 14:21:35

Yes, that's normal.
http://img329.imageshack.us/img329/7509/bug8ve.jpg (this is a screenshot of my desktop)


Message edited by PoWaG on 01-12-2005 at 14:22:01

Marsh Posted on 01-12-2005 at 14:25:23

This one looks suspicious to me: C:\WINDOWS\System32\UAService7.exe, I don't have it on my machine...


Marsh Posted on 01-12-2005 at 14:26:44

You should kill it in the task list, then run a test. If it's better, delete the file (or rename it if you're not sure).


Marsh Posted on 01-12-2005 at 14:28:43

I can't end it in the task list, it says "Access denied". So I'm going to try to delete it.
 
EDIT: impossible to delete this file (write-protected, currently in use)


Message edited by PoWaG on 01-12-2005 at 14:31:09

Marsh Posted on 01-12-2005 at 14:31:14

Reboot into safe mode and rename it (you won't be able to do it in Windows while it's in use). It's less risky; you can put it back if it messes up your machine.


Marsh Posted on 01-12-2005 at 14:31:57

OK, I'll test it.


Marsh Posted on 01-12-2005 at 14:43:28

OK, so I renamed it while in safe mode, and after 10 minutes the problem came back. Should I delete it?


Marsh Posted on 01-12-2005 at 14:55:41

It's maybe not useful; if the problem doesn't come from there, your file may be needed by some software I don't know.
 
Check anyway that it hasn't been recreated; it happens that viruses recreate their executables on their own...



Marsh Posted on 01-12-2005 at 14:59:40

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 14:58:38, on 01/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Fichiers communs\Aol\aoltpspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GUILLA~1\LOCALS~1\Temp\Rar$EX00.047\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - Global Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6D5ED5D-B4B7-4107-943B-5B7EE84F0B9F}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\hr4m05h1e.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)


 
No, I don't think it was recreated
 

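Comparing the two HijackThis logs in this thread line by line shows only one change that matters: the O20 "Winlogon Notify" entry went from Syncmgr / lv2s09f7e.dll to Extensions / hr4m05h1e.dll between the two scans, while the file the user renamed (UAService7.exe) is simply reported as missing. Winlogon Notify packages are DLLs loaded by winlogon.exe itself, which runs as SYSTEM before any user session, so a package like this survives reboots, safe-mode renames of other files and user-level cleanup tools. The script below is an added example, not something from the thread or from HijackThis: it diffs two logs and flags O20 entries whose DLL is a random-looking name in system32. The two log excerpts are constructed from the logs posted above (trimmed to the relevant lines), and the "random-looking" rule is a heuristic of my own (letter/digit alternation), not an official indicator.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread
# (same line format as the real logs, trimmed to the lines that matter).
HJT_1402 = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\lv2s09f7e.dll
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
"""

HJT_1458 = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\hr4m05h1e.dll
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
"""

# "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>[^ ]+) - (?P<path>.+?)\s*$")


def parse_entries(log_text):
    """Keep only the lines that are HijackThis entries (R0/R1, F0/F1, O1..O23)."""
    return [ln.rstrip() for ln in log_text.splitlines()
            if re.match(r"^(R\d|F\d|O\d+) - ", ln)]


def diff_logs(before, after):
    """Return (removed, added): entries present only in the first / only in the second log."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


def looks_random(basename):
    """Heuristic of my own (assumption, not an official rule): a file stem that keeps
    alternating between letters and digits, like lv2s09f7e or hr4m05h1e, is treated as
    machine-generated. Counts letter<->digit transitions; 4 or more is flagged.
    Ati2evxx.dll (2 transitions) and UAService7.exe (1) pass."""
    stem = basename.rsplit(".", 1)[0].lower()
    classes = ["d" if c.isdigit() else "l" for c in stem if c.isalnum()]
    transitions = sum(1 for x, y in zip(classes, classes[1:]) if x != y)
    return transitions >= 4


def winlogon_notify_dlls(log_text):
    """Map each O20 Notify subkey name to the DLL path it loads."""
    out = {}
    for ln in parse_entries(log_text):
        m = O20_RE.match(ln)
        if m:
            out[m.group("subkey")] = m.group("path")
    return out


def suspicious_o20(log_text):
    """O20 entries whose DLL lives in system32 under a random-looking name."""
    hits = []
    for subkey, path in winlogon_notify_dlls(log_text).items():
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if "\\system32\\" in path.lower() and looks_random(basename):
            hits.append((subkey, basename))
    return hits


if __name__ == "__main__":
    removed, added = diff_logs(HJT_1402, HJT_1458)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("suspicious O20 in later log:", suspicious_o20(HJT_1458))
```

Run it on the full logs saved as two text files by replacing the two constants with `open(path).read()`. The takeaway is the pair of O20 lines: the subkey name and the DLL name both changed without the user touching them, which is why removing or renaming a single file never fixed anything.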

Marsh Posted on 01-12-2005 at 18:03:50

Still the same problem; I re-ran the antivirus, Ad-Aware and everything: same result... :sweat:  
Here is an example of a site that gets swapped in for the one I wanted: http://popunder.paypopup.com/defau [...] ubid=23782


Message edited by PoWaG on 01-12-2005 at 18:05:22

Marsh Posted on 01-12-2005 at 18:37:30

Good evening,
 
Download L2MRemover.zip
Unzip it (here is a free unzipper if you don't have one: QuickZip)
Install the executable in C:\Program Files\Look2meRemover\
 
Disable System Restore
 
1. Click L2MRemover.exe to launch the program.
2. Click "About" > "Check for updates..." in the program's menu to update it.
3. Click "Scan" and wait for the full scan to finish.
http://img300.imageshack.us/img300/4079/scanner7dv.gif
 
4. Click the "Delete Keys" button to clean the registry.
 
(If you're not sure, you can tick "Save before delete"
to keep a backup of the deleted keys; this will create a .reg file)
 

Quote:

Note:
If you get an error message saying you need the Msinet.ocx or Comctl32.ocx file:
 
Download DLLs.zip and extract them (following the instructions in the ReadMe.txt file), or you can simply download the Look2Me Remover Setup Kit
More information on Look2Me Remover V.1.0.0


 
Re-enable System Restore


Marsh Posted on 01-12-2005 at 18:53:15

:sweat:  
As soon as I launch it: http://img220.imageshack.us/img220/5387/bug26al.jpg


Message edited by PoWaG on 01-12-2005 at 18:55:18

Marsh Posted on 01-12-2005 at 19:10:03


Marsh Posted on 01-12-2005 at 19:19:04

Yes, I had already tried that; I tried again and it still doesn't work.


Message edited by PoWaG on 01-12-2005 at 19:19:35

Marsh Posted on 01-12-2005 at 19:25:44

Right...
 
Download L2mfix (by Shadowwar) from one of these links:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
 
Save it to your Desktop and double-click l2mfix.exe. Click the Install button to extract its contents and follow the prompts, then open the new "l2mfix" folder on the Desktop. Double-click l2mfix.bat and choose option #1, Run Find Log, by typing 1 and then Enter. The scan will start without showing anything, then, after a minute or two, a text file will appear. Copy/paste the contents of that report ("report.txt") into your next reply.
 
IMPORTANT: DO NOT run option #2 OR any other files located in the "l2mfix" folder.


Marsh Posted on 01-12-2005 at 19:36:28

The text showed up not even 5 seconds later:
 

Quote:

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f00olad31d0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr4m05h1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW  Full access  BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access  BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  CREATEUR PROPRIETAIRE
 
 
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{93808BEF-5F19-EDCF-E686-5855F31FF3D8}"=""
 
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propri‚t‚s du fichier multim‚dia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de s‚curit‚ NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propri‚t‚s de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage cran du Panneau de configuration"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de s‚curit‚ DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Page de compatibilit‚"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de donn‚es endommag‚es de l'environnement"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'environnement pour les objets r‚seau de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'‚cran ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'environnement de compression de fichiers"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension de l'environnement d'imprimante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extension ic“ne HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de s‚curit‚ des imprimantes"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions r‚seau"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Connexions r‚seau"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Scanneurs et appareils photo"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Scanneurs et appareils photo"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Scanneurs et appareils photo"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Scanneurs et appareils photo"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Scanneurs et appareils photo"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Extension de la page de propri‚t‚s de mise … jour automatique"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensions de l'interpr‚teur de commandes pour l'environnement d'ex‚cution de scripts Windows"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Liaison de donn‚es Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tƒches planifi‚es"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barre des tƒches et menu D‚marrer"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Rechercher"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ex‚cuter..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Courrier ‚lectronique"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Polices"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Outils d'administration"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="tat du t‚l‚chargement"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau ‚tendu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augment‚"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{8889DCAC-9DA4-4B1B-AA27-39B97D8DAC62}"=""
 
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
 
[HKEY_CLASSES_ROOT\CLSID\{8889DCAC-9DA4-4B1B-AA27-39B97D8DAC62}]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{8889DCAC-9DA4-4B1B-AA27-39B97D8DAC62}\Implemented Categories]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{8889DCAC-9DA4-4B1B-AA27-39B97D8DAC62}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{8889DCAC-9DA4-4B1B-AA27-39B97D8DAC62}\InprocServer32]
@="C:\\WINDOWS\\system32\\McPMSP.dll"
"ThreadingModel"="Apartment"
 
**********************************************************************************
Files Found are not all bad files:
 
C:\WINDOWS\SYSTEM32\
   cmdlin~1.dll   Sun 13 Nov 2005  22:20:00   A....         90 112    88,00 K
   f00ola~1.dll   Thu  1 Dec 2005  18:44:18   ..S.R        233 898   228,41 K
   mcpmsp.dll     Thu  1 Dec 2005  19:05:14   ..S.R        233 898   228,41 K
   o6840g~1.dll   Thu  1 Dec 2005  19:04:18   ..S.R        236 720   231,17 K
   sirenacm.dll   Thu 13 Oct 2005   8:11:06   A....        118 784   116,00 K
   vsdata.dll     Tue 15 Nov 2005   0:50:30   A....         83 720    81,76 K
   vsinit.dll     Tue 15 Nov 2005   0:50:42   A....        141 064   137,76 K
   vsmonapi.dll   Tue 15 Nov 2005   0:50:52   A....        104 208   101,77 K
   vspubapi.dll   Tue 15 Nov 2005   0:50:56   A....        227 088   221,77 K
   vsregexp.dll   Tue 15 Nov 2005   0:51:00   A....         71 440    69,77 K
   vsutil.dll     Tue 15 Nov 2005   0:51:12   A....        382 728   373,76 K
   vsutil~1.dll   Tue 15 Nov 2005   0:37:08   A....         54 960    53,67 K
   vsxml.dll      Tue 15 Nov 2005   0:51:20   A....        100 104    97,76 K
   zlcomm.dll     Tue 15 Nov 2005   0:51:40   A....         79 624    77,76 K
   zlcommdb.dll   Tue 15 Nov 2005   0:51:44   A....         71 440    69,77 K
 
15 items found:  15 files (3 H/S), 0 directories.
   Total of file sizes:  2 229 788 bytes      2,13 M
Locate .tmp files:
 
No matches found.
**********************************************************************************
Directory Listing of system files:
 Le volume dans le lecteur C n'a pas de nom.
 Le num‚ro de s‚rie du volume est 90AA-6E17
 
 R‚pertoire de C:\WINDOWS\System32
 
01/12/2005  19:05           233ÿ898 McPMSP.dll
01/12/2005  19:04           236ÿ720 o6840glqe6qe0.dll
01/12/2005  18:44           233ÿ898 f00olad31d0.dll
26/09/2005  15:39    <REP>          dllcache
30/08/2005  12:56    <REP>          Microsoft
               3 fichier(s)          704ÿ516 octets
               2 R‚p(s)  14ÿ750ÿ822ÿ400 octets libres

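Added example, not code from the thread or from the L2MFix tool: a small Python triage script that re-parses the three report sections quoted above (CLSID name list, .reg export, file listing) and flags the pattern the helpers act on, a CLSID with no friendly name whose InprocServer32 is a hidden/system DLL written to system32 shortly before the report. The sample input is a constructed excerpt of that report; the meaning of the attribute letters (A/S/H/R) is an assumption.

```python
"""Triage of an L2MFix-style report: empty-named CLSID -> hidden DLL in system32.

Added example, not code from the forum thread or from the L2MFix tool. It
re-parses the report sections quoted above and flags the pattern the helpers
act on. Assumption: the attribute column uses DOS letters A/S/H/R with '.' for
unset flags. The sample below is a constructed excerpt of the quoted report.
"""
import re
from datetime import datetime, timedelta

SAMPLE_REPORT = r'''
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{8889DCAC-9DA4-4B1B-AA27-39B97D8DAC62}"=""
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{8889DCAC-9DA4-4B1B-AA27-39B97D8DAC62}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8889DCAC-9DA4-4B1B-AA27-39B97D8DAC62}\InprocServer32]
@="C:\\WINDOWS\\system32\\McPMSP.dll"
"ThreadingModel"="Apartment"
C:\WINDOWS\SYSTEM32\
   cmdlin~1.dll   Sun 13 Nov 2005  22:20:00   A....         90 112    88,00 K
   f00ola~1.dll   Thu  1 Dec 2005  18:44:18   ..S.R        233 898   228,41 K
   mcpmsp.dll     Thu  1 Dec 2005  19:05:14   ..S.R        233 898   228,41 K
   o6840g~1.dll   Thu  1 Dec 2005  19:04:18   ..S.R        236 720   231,17 K
   vsdata.dll     Tue 15 Nov 2005   0:50:30   A....         83 720    81,76 K
'''

CLSID_NAME_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"="(.*)"$')
INPROC_KEY_RE = re.compile(
    r'^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$')
DEFAULT_VAL_RE = re.compile(r'^@="(.*)"$')


def parse_report(text):
    """Return ({guid: friendly name}, {guid: InprocServer32 path}, [file rows])."""
    names, inproc, files = {}, {}, []
    guid = None                      # set while inside a [...\InprocServer32] key
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := CLSID_NAME_RE.match(line):
            names[m.group(1).upper()] = m.group(2)
        elif m := INPROC_KEY_RE.match(line):
            guid = m.group(1).upper()
        elif line.startswith('['):   # any other key closes the InprocServer32 block
            guid = None
        elif guid and (m := DEFAULT_VAL_RE.match(line)):
            inproc[guid] = m.group(1).replace('\\\\', '\\')   # .reg doubles backslashes
        elif raw.startswith('   ') and line.endswith(' K'):
            # Listing row: name Day DD Mon YYYY HH:MM:SS attrs size "x,xx K"
            t = line.split()
            files.append({'name': t[0].lower(), 'attrs': t[6],
                          'mtime': datetime.strptime(' '.join(t[2:6]), '%d %b %Y %H:%M:%S'),
                          'size': int(''.join(t[7:-2]))})
    return names, inproc, files


def hidden_or_system(attrs):
    return 'S' in attrs or 'H' in attrs


def triage(text, window=timedelta(days=7)):
    """Return (flagged, recent_hidden).

    flagged: [(guid, dll path, reasons)] for CLSIDs that score at least two of:
    no friendly name, DLL hidden/system, DLL written within `window` of the
    newest file in the listing.  recent_hidden: all hidden/system DLL names in
    that window, whether or not a CLSID in the report points at them.
    """
    names, inproc, files = parse_report(text)
    by_name = {f['name']: f for f in files}
    newest = max(f['mtime'] for f in files)
    recent_hidden = sorted(f['name'] for f in files
                           if hidden_or_system(f['attrs']) and newest - f['mtime'] <= window)
    flagged = []
    for guid, path in inproc.items():
        entry = by_name.get(path.rsplit('\\', 1)[-1].lower())
        reasons = []
        if not names.get(guid):
            reasons.append('CLSID has no friendly name in the CLSID list')
        if entry and hidden_or_system(entry['attrs']):
            reasons.append('InprocServer32 DLL carries hidden/system attributes')
        if entry and entry['name'] in recent_hidden:
            reasons.append('InprocServer32 DLL written within the recent window')
        if len(reasons) >= 2:
            flagged.append((guid, path, reasons))
    return flagged, recent_hidden


if __name__ == '__main__':
    flagged, recent = triage(SAMPLE_REPORT)
    for guid, path, reasons in flagged:
        print(guid, '->', path, '|', '; '.join(reasons))
    print('recent hidden/system DLLs:', ', '.join(recent))
```

The two 8.3 names in recent_hidden that no CLSID points at are exactly the files the later Spy Sweeper log also quarantines, which is why the helpers ask for a file listing and not just the registry.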

Marsh Posted on 01-12-2005 at 19:51:34

Close all running applications, as this step requires a restart.

From the l2mfix folder on your Desktop, double-click l2mfix.bat and choose option #2, Run Fix, by typing 2 and then Enter. The Desktop icons will disappear (perfectly normal). L2mfix will carry on with the scan and, once finished, will be ready to restart the PC. Press any key to restart. After the restart, a text file should appear. Copy/paste the contents of that report into your next reply, and post a new HijackThis log as well.

IMPORTANT: DO NOT run any other files located in the "l2mfix" folder unless told to! Do not run this tool in Safe Mode!!
**If the text file (report) does not appear at restart, double-click the text file ("log.txt") located in the "l2mfix" folder.

Please do not put the reports in quote tags (easier to read...)


Message edited by stonangel on 01-12-2005 at 19:52:37

Marsh Posted on 01-12-2005 at 21:08:30

I did exactly as you said, but while it was scanning it displayed a message: "erreur pour importer shell.reg" (error importing shell.reg), so I clicked OK, then it asked to restart. Then at startup I have no text file, and the log.txt file says: Checking for L2mfix account (0=no 1=yes)  0
 


Marsh Posted on 01-12-2005 at 22:39:29

Persistent, this one...

Download SpySweeper (from Webroot) HERE (trial version - 14 days):

  • Click the Free Trial link under the "SpySweeper" heading.
  • Install the program. Once installed, it will launch.
  • The option to update it will appear; click Yes.
  • Once the updates are installed, click Options on the left.
  • Click the Sweep Options tab.
  • Under What to Sweep, tick the following options:

      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • UNTICK Do not Sweep System Restore Folder.

  • Click Sweep Now on the left.
  • Click Start.
  • When the scan is finished, click Next.
  • Make sure all items are ticked, then click Next.
  • All ticked items will be removed.
  • If Spy Sweeper wants to restart to finish the cleanup: ACCEPT.
  • Click Session Log at the top right, and copy everything in the window.
  • Click the Summary tab, then click Finish.
  • Paste the contents of the "Session Log" into your next reply.


Marsh Posted on 02-12-2005 at 11:32:57

********
11:01: |       Start of Session, vendredi 2 décembre 2005       |
11:01: Spy Sweeper started
11:01: Sweep initiated using definitions version 576
11:01: Starting Memory Sweep
11:02:   Found Adware: icannnews
11:02:   Detected running threat: C:\WINDOWS\system32\jtpm0771e.dll (ID = 83)
11:02:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:02:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:02:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:02:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:03:   Detected running threat: C:\WINDOWS\system32\mdrmsg.dll (ID = 83)
11:03: Memory Sweep Complete, Elapsed Time: 00:01:50
11:03: Starting Registry Sweep
11:03: Registry Sweep Complete, Elapsed Time:00:00:09
11:03: Starting Cookie Sweep
11:03:   Found Spy Cookie: falkag cookie
11:03:   guillaume@as1.falkag[1].txt (ID = 2650)
11:03:   Found Spy Cookie: bluestreak cookie
11:03:   guillaume@bluestreak[1].txt (ID = 2314)
11:03:   Found Spy Cookie: weborama cookie
11:03:   guillaume@weborama[2].txt (ID = 3658)
11:03: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:03: Starting File Sweep
11:05:   Found Trojan Horse: trojan-backdoor-us15info
11:05:   tool4.exe (ID = 183857)
11:05:   tool5.exe (ID = 183857)
11:06:   Found Adware: targetsaver
11:06:   tsuninst.exe (ID = 193501)
11:07:   Found Adware: look2me
11:07:   icont.exe (ID = 65722)
11:10:   class-barrel (ID = 78229)
11:10:   zqfmc.dll (ID = 195129)
11:10:   vocabulary (ID = 78283)
11:10:   n2p4lc7q1f.dll (ID = 159)
11:10:   o6840glqe6qe0.dll (ID = 159)
11:11:   nnobjapi.dll (ID = 159)
11:12:   mcpmsp.dll (ID = 159)
11:12:   aaferror.dll (ID = 159)
11:12:   jtpm0771e.dll (ID = 159)
11:12:   o6660gjse6o60.dll (ID = 159)
11:12:   mdrmsg.dll (ID = 159)
11:22:   Found Adware: spysheriff
11:22:   secure32.html (ID = 184319)
11:22:   Found System Monitor: potentially rootkit-masked files
11:22:   nude shannon elizabeth  +americanpie03  naked celebrities actresses models porn sex topless real hentai lolita startrek disney britney spears(1).jpg (ID = 0)
11:22:   nude shannon elizabeth  +americanpie03  naked celebrities actresses models porn sex topless real hentai lolita startrek disney britney spears.jpg (ID = 0)
11:24: File Sweep Complete, Elapsed Time: 00:20:53
11:24: Full Sweep has completed.  Elapsed time 00:23:00
11:24: Traces Found: 23
11:25: Removal process initiated
11:25:   Quarantining All Traces: icannnews
11:25:   icannnews is in use.  It will be removed on reboot.
11:25:     C:\WINDOWS\system32\jtpm0771e.dll is in use.  It will be removed on reboot.
11:25:     C:\WINDOWS\system32\mdrmsg.dll is in use.  It will be removed on reboot.
11:25:   Quarantining All Traces: look2me
11:25:   look2me is in use.  It will be removed on reboot.
11:25:     jtpm0771e.dll is in use.  It will be removed on reboot.
11:25:     o6660gjse6o60.dll is in use.  It will be removed on reboot.
11:25:     mdrmsg.dll is in use.  It will be removed on reboot.
11:25:   Quarantining All Traces: potentially rootkit-masked files
11:25:   potentially rootkit-masked files is in use.  It will be removed on reboot.
11:25:     nude shannon elizabeth  +americanpie03  naked celebrities actresses models porn sex topless real hentai lolita startrek disney britney spears(1).jpg is in use.  It will be removed on reboot.
11:25:     nude shannon elizabeth  +americanpie03  naked celebrities actresses models porn sex topless real hentai lolita startrek disney britney spears.jpg is in use.  It will be removed on reboot.
11:25:   Quarantining All Traces: spysheriff
11:25:   Quarantining All Traces: trojan-backdoor-us15info
11:25:   Quarantining All Traces: targetsaver
11:26:   Quarantining All Traces: bluestreak cookie
11:26:   Quarantining All Traces: falkag cookie
11:26:   Quarantining All Traces: weborama cookie
11:26:   Warning: Launched explorer.exe
11:26:   Warning: Quarantine process could not restart Explorer.
11:26:   Preparing to restart your computer. Please wait...
11:26: Removal process completed.  Elapsed time 00:01:10
********
10:59: |       Start of Session, vendredi 2 décembre 2005       |
10:59: Spy Sweeper started
11:00: Your spyware definitions have been updated.
11:01: |       End of Session, vendredi 2 décembre 2005       |
 
 
(Thanks)


Message edited by PoWaG on 02-12-2005 at 11:33:40

Marsh Posted on 02-12-2005 at 16:27:43

I think it should be fine now, nothing shows up any more; on the other hand, sometimes I get ads for winfixer 2005.


Marsh Posted on 27-09-2006 at 04:52:58

Hello everyone!!
My problem is the same as some of yours: as soon as I go on the internet, advertising pages appear (casino, cdiscount...) and there is no way to stop it, and even reading your answers I can't manage it, I don't understand any of it. So please help me...  :??:


---------------
MG

Marsh Posted on 27-09-2006 at 07:34:01

I don't really get it!
If you enable the pop-up blocker you shouldn't be getting those infamous windows!

Reply

Marsh Posted on 27-09-2006 at 21:10:59

Well, my pop-up blocker is enabled and it doesn't change anything.


---------------
MG
Reply

Marsh Posted on 27-09-2006 at 21:39:06

Hello

In case of an infection, ad blockers are useless.

Download the HijackThis v1.99.1 software
http://pchelpbordeaux.free.fr/logiciels.html
Tutorial
http://pchelpbordeaux.free.fr/tuto.html
Picture demo
http://pageperso.aol.fr/balltrap34/demohijack.htm

Run a scan and post the analysis.

Also post this report.
Download Blacklight (from F-Secure) and save it to your Desktop.
https://europe.f-secure.com/blacklight/try.shtml
Click "I ACCEPT" at the bottom of the page. Save it to your Desktop.
Double-click blbeta.exe and accept the licence; click Scan then Next
You will see a list of detected files appear. You will also see a report on your Desktop named fsbl.xxxxxxx.log (the xxxxxxx are digits).
Copy and paste the contents of that report into your next reply.

Reply

Marsh Posted on 28-09-2006 at 01:25:09

An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=win.ini, sSection=windows, sValue=load)
Error #5 - Invalid procedure call or argument
 
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
 
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1
 
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


---------------
MG
Reply

Marsh Posted on 28-09-2006 at 01:25:54

Sorry, I made a mistake.


---------------
MG
Reply

Marsh Posted on 28-09-2006 at 01:26:06

Logfile of HijackThis v1.99.1
Scan saved at 01:19:42, on 28/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\VM_STI.EXE
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis Version Française\hijackthis vf.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi- [...] key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.fr/8SEFRFR020100/FRWCompleteAddIns
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} - C:\WINDOWS\system32\pbfrv2.dll
O2 - BHO: Barre d'outils MSN Search Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fr-fr\msntb.dll
O3 - Toolbar: PBFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} - C:\WINDOWS\system32\pbfrv2.dll
O3 - Toolbar: Barre d'outils MSN Search - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fr-fr\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 200NC PC Camera
O4 - HKLM\..\Run: [NsUpdate] C:\WINDOWS\NsUpdate.exe UPDATE
O4 - HKLM\..\Run: [CanalPlayer] C:\Program Files\Lecteur CANALPLAY\CanalPlayer.exe /iconic
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [antebookjugsmeta] C:\Documents and Settings\All Users\Application Data\Live Itch Ante Book\RectFace.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: TrayMin300.exe.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fr-fr\bin\WindowsSearch.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/n [...] 0.0.15.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn. [...] tPkMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: MysqlInventime - Unknown owner - C:\Apps\INVENT~1\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe


---------------
MG
Reply

Marsh Posted on 28-09-2006 at 01:46:18

09/28/06 01:22:25 [Info]: BlackLight Engine 1.0.46 initialized
09/28/06 01:22:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/28/06 01:22:25 [Note]: 7019 4
09/28/06 01:22:25 [Note]: 7005 0
09/28/06 01:22:29 [Note]: 7006 0
09/28/06 01:22:29 [Note]: 7011 1616
09/28/06 01:22:29 [Note]: 7026 0
09/28/06 01:22:29 [Note]: 7026 0
09/28/06 01:22:29 [Note]: 7015 344
09/28/06 01:22:29 [Note]: 7015 5
09/28/06 01:22:29 [Note]: 7015 912
09/28/06 01:22:29 [Note]: 7015 5
09/28/06 01:22:29 [Note]: 7024 3
09/28/06 01:22:29 [Info]: Hidden process: C:\windows\system32\mnteuxaoh.exe
09/28/06 01:22:29 [Note]: 7015 1520
09/28/06 01:22:29 [Note]: 7015 5
09/28/06 01:22:29 [Note]: FSRAW library version 1.7.1019
09/28/06 01:22:33 [Error]: 6019 0
09/28/06 01:22:33 [Error]: 6017 0
09/28/06 01:23:33 [Note]: 7007 0


---------------
MG
Reply

Marsh Posted on 28-09-2006 at 17:24:02

Hello

Several infected files.
Let's begin.

Part of the procedure will take place without internet access, so please print these instructions, or paste them into a text file, to read during this disinfection.
The steps must be carried out without interruption and in order.
If you don't understand something, ask for explanations before starting.


1 Download
CCleaner.

http://www.filehippo.com/download_ccleaner.html
Install it in a dedicated directory.

Ewido
http://www.ewido.net/en/download/
Install it.
Launch Ewido and click the Update button (toolbar, at the top).
Under Manual Update click Start update. Wait until "Update successful" is displayed.

2 Restart in Safe Mode. Careful, you have no internet access in this mode, so note carefully what you have to do.
Start the computer.
Once the BIOS has finished loading, there is a black screen. Press the F8 key until the Windows Advanced Options menu appears.
Using the cursor keys, select Safe Mode and press Enter.

3 Run a new HijackThis scan and tick the lines below:
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm  
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell  
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx  
O2 - BHO: PBFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} - C:\WINDOWS\system32\pbfrv2.dll  
O3 - Toolbar: PBFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} - C:\WINDOWS\system32\pbfrv2.dll  
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot  
O4 - HKLM\..\Run: [NsUpdate] C:\WINDOWS\NsUpdate.exe UPDATE  
O4 - HKLM\..\Run: [antebookjugsmeta] C:\Documents and Settings\All Users\Application Data\Live Itch Ante Book\RectFace.exe  
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe  
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000  
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL  
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm  
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/n [...] 0.0.15.cab  
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB  
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab  
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn. [...] tPkMSN.cab  
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab  
 
Close all Windows, Internet Explorer and Outlook windows, except the HijackThis program, and click "Fix checked"

4 Make sure you have access to all files.
Start, My Computer or any other folder, Tools menu, Folder Options, View tab:
Enable the box: Show hidden files and folders
Disable the box: Hide extensions for known file types
Disable the box: Hide protected operating system files
Then Apply

5 Delete the offending files/folders (if they still exist):
 
C:\WINDOWS\system32\pbfrv2.dll
C:\windows\system32\mnteuxaoh.exe
C:\WINDOWS\NsUpdate.exe
C:\Documents and Settings\All Users\Application Data\Live Itch Ante Book
 
Hide the system files again, to avoid mistakes in the future, by selecting Do not show hidden files or system files.

6 Run the cleanup with CCleaner.

7 Launch Ewido.
Click the Scanner button (on the toolbar)
Then the Settings tab, under How to Act. Click Recommended Actions. Select Quarantine.
Go back to the Scan tab. Click Complete System Scan
At the end of the scan, choose the "Apply All Actions" option at the bottom.
Click "Save Report", then "Save Report As". This generates a report as a text file. Make sure to save it somewhere easy to find.

8 Restart normally and post a new HijackThis log along with the Ewido report.

What is your firewall?

Reply
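The helper above picked the lines to fix by hand, cross-checking the HijackThis log against the BlackLight report. As an added example (mine, not a tool from this thread), the script below automates three of those checks: an O4 autorun whose binary BlackLight lists as a hidden process, an O4 autorun living in a user-writable data directory, and an O16 ActiveX download from a host outside an allow-list. The sample lines are copied from the logs posted in this thread; the directory markers and the trusted-domain list are assumptions for the example.

```python
"""Triage a HijackThis log against a BlackLight report (added example, not a
tool from this thread).  Three heuristics: an autorun (O4) binary that
BlackLight reports as a hidden process, an autorun binary living in a
user-writable data directory, and an ActiveX download (O16 DPF) from a host
outside an allow-list."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample input: a few lines copied from the HijackThis logs posted
# in this thread (the "[...]" in the first O16 URL is the forum's own truncation).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [antebookjugsmeta] C:\Documents and Settings\All Users\Application Data\Live Itch Ante Book\RectFace.exe
O4 - HKLM\..\Run: [mnteuxaoh] c:\windows\system32\mnteuxaoh.exe mnteuxaoh
O4 - HKLM\..\Run: [NsUpdate] C:\WINDOWS\NsUpdate.exe UPDATE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/n [...] 0.0.15.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
"""

# Constructed sample input: the relevant lines of the BlackLight report above.
BLACKLIGHT_SAMPLE = r"""
09/28/06 01:22:29 [Note]: 7024 3
09/28/06 01:22:29 [Info]: Hidden process: C:\windows\system32\mnteuxaoh.exe
09/28/06 01:22:29 [Note]: 7015 1520
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Path fragments under which legitimate autoruns rarely live (a hypothetical
# list chosen for this example, not an exhaustive one).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\recycler\\",
    "\\temp\\",
)

# Hosts from which an ActiveX download (O16 DPF) is expected on this machine;
# an assumption for the example, to be adapted per environment.
TRUSTED_DPF_DOMAINS = ("msn.com", "microsoft.com", "windowsupdate.com")


@dataclass
class Finding:
    line: str       # the HijackThis line that triggered the rule
    reason: str     # why it was flagged
    severity: str   # "high" or "review"


def parse_blacklight_hidden(log: str) -> set[str]:
    """Return the lower-cased file names BlackLight reported as hidden processes."""
    hidden: set[str] = set()
    for line in log.splitlines():
        m = re.search(r"\[Info\]: Hidden process: (.+)$", line)
        if m:
            hidden.add(m.group(1).strip().lower().rsplit("\\", 1)[-1])
    return hidden


def exe_path_from_run_entry(body: str) -> str | None:
    """Extract the executable path from an "O4 - ...\\Run: [name] <command>" body.

    The command is either a quoted path followed by arguments, or an unquoted
    path (possibly containing spaces) that ends at the first ".exe".
    """
    m = re.match(r'.*?\[[^\]]*\]\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))', body, re.IGNORECASE)
    if not m:
        return None
    return m.group("q") or m.group("u")


def triage(hjt_log: str, hidden_names: set[str]) -> list[Finding]:
    """Apply the three heuristics to every O4 / O16 line; hits are returned in log order."""
    findings: list[Finding] = []
    for raw in hjt_log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            path = exe_path_from_run_entry(body)
            if path is None:
                continue  # e.g. "Global Startup: x.lnk = ?" entries carry no [name]
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            if name in hidden_names:
                findings.append(Finding(raw, f"autorun binary {name} is hidden from the process list (rootkit indicator)", "high"))
            elif any(marker in low for marker in USER_WRITABLE_MARKERS):
                findings.append(Finding(raw, "autorun binary lives in a user-writable data directory", "review"))
        elif kind == "O16":
            url = re.search(r"https?://\S+", body)
            host = (urlsplit(url.group(0)).hostname or "") if url else ""
            if host and not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
                findings.append(Finding(raw, f"ActiveX control downloaded from untrusted host {host}", "review"))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, parse_blacklight_hidden(BLACKLIGHT_SAMPLE)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The NsUpdate entry passes all three rules, which is the point of such a script: it narrows the list for a human to review rather than replacing the scanner (the ewido report later in the thread is what identifies that file).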

Marsh Posted on 28-09-2006 at 18:25:33

Can you tell me what a dedicated directory is please, or is it fine if I install CCleaner on the desktop?


---------------
MG
Reply

Marsh Posted on 28-09-2006 at 18:53:19

Reply

Marsh Posted on 29-09-2006 at 04:27:06

Well, I don't know exactly what a firewall is, but my antivirus is Kaspersky Anti-Virus Personal Pro; I don't know if there is a connection, please answer me. And here are the reports...


---------------
MG
Reply

Marsh Posted on 29-09-2006 at 04:29:19

Logfile of HijackThis v1.99.1
Scan saved at 04:27:40, on 29/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\VM_STI.EXE
C:\apps\ABoard\AOSD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis Version Française\hijackthis vf.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi- [...] key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.fr/8SEFRFR020100/FRWCompleteAddIns
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Barre d'outils MSN Search Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fr-fr\msntb.dll
O3 - Toolbar: Barre d'outils MSN Search - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fr-fr\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 200NC PC Camera
O4 - HKLM\..\Run: [CanalPlayer] C:\Program Files\Lecteur CANALPLAY\CanalPlayer.exe /iconic
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [mnteuxaoh] c:\windows\system32\mnteuxaoh.exe mnteuxaoh
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NsUpdate] C:\WINDOWS\NsUpdate.exe UPDATE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: TrayMin300.exe.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fr-fr\bin\WindowsSearch.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: MysqlInventime - Unknown owner - C:\Apps\INVENT~1\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
 
 
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
 
 + Created at: 04:04:10 29/09/2006
 
 + Scan result:  
 
 
 
HKLM\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} -> Adware.2020Search : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} -> Adware.2020Search : Cleaned with backup (quarantined).
HKU\S-1-5-21-2041892279-848296084-3185487583-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} -> Adware.2020Search : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EMediaCodec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EMediaCodec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msplock32.dll -> Adware.NaviPromo : Cleaned with backup (quarantined).
C:\Program Files\License_Manager\license_manager.exe -> Adware.WeirWeb : Cleaned with backup (quarantined).
C:\WINDOWS\iaccess32.exe -> Dialer.EgroupDial.w : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2041892279-848296084-3185487583-1011\Dc35\NsUpdate.exe -> Dialer.Generic : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2041892279-848296084-3185487583-1011\Dc36.exe -> Dialer.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-2041892279-848296084-3185487583-1011\Software\GlobalCS -> Dialer.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@msnuk.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@microsoftwlmessengermkt.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@sfr.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@msnaccountservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@opodo.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@sfr.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@adserver.71i[1].txt -> TrackingCookie.71i : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@ad.adnet[1].txt -> TrackingCookie.Adnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@iv2.bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@casinodelrio[1].txt -> TrackingCookie.Casinodelrio : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@www.casinodelrio[1].txt -> TrackingCookie.Casinodelrio : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@crbanner.casinopays[1].txt -> TrackingCookie.Casinopays : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@casinopays[1].txt -> TrackingCookie.Casinopays : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@crbanner.casinopays[2].txt -> TrackingCookie.Casinopays : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@casinotropez[2].txt -> TrackingCookie.Casinotropez : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@www.casinotropez[2].txt -> TrackingCookie.Casinotropez : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@cz3.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@banner.clubdicecasino[2].txt -> TrackingCookie.Clubdicecasino : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@clubdicecasino[1].txt -> TrackingCookie.Clubdicecasino : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@fl01.ct2.comclick[1].txt -> TrackingCookie.Comclick : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@fl01.ct2.comclick[1].txt -> TrackingCookie.Comclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@fl01.ct2.comclick[1].txt -> TrackingCookie.Comclick : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@dbbsrv[1].txt -> TrackingCookie.Dbbsrv : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@www.88.com.29965.fb.dbbsrv[2].txt -> TrackingCookie.Dbbsrv : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@estat[1].txt -> TrackingCookie.Estat : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@estat[1].txt -> TrackingCookie.Estat : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@estat[1].txt -> TrackingCookie.Estat : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@www.etracker[2].txt -> TrackingCookie.Etracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@www.etracker[1].txt -> TrackingCookie.Etracker : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@cityclub.gamingpromo[2].txt -> TrackingCookie.Gamingpromo : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@gamingpromo[2].txt -> TrackingCookie.Gamingpromo : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@ehg-playboy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@ehg-ads.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@ehg-neuftelecom.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@ehg-sonyesolutions.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@ehg-ads.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@ehg-nokiafin.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@ehg-telecomitalia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@lop[1].txt -> TrackingCookie.Lop : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@lop[1].txt -> TrackingCookie.Lop : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@stat.onestat[1].txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@counter1.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@counter10.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@counter12.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@counter12.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@counter2.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@counter6.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@counter8.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@spylog[2].txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@www.tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@weborama[1].txt -> TrackingCookie.Weborama : Cleaned with backup (quarantined).
C:\Documents and Settings\Invité\Cookies\invité@wreport.weborama[2].txt -> TrackingCookie.Weborama : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@weborama[1].txt -> TrackingCookie.Weborama : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@weborama[2].txt -> TrackingCookie.Weborama : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@xxxcounter[2].txt -> TrackingCookie.Xxxcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\MOHAMMED\Cookies\mohammed@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\Moh@mmed\Cookies\moh@mmed@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Program Files\MailSkinner\MailSkinner.exe -> Trojan.Mailskinner.A : Cleaned with backup (quarantined).
C:\Program Files\eMedia Codec -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\eMedia Codec\uninst.exe -> Trojan.Small : Cleaned with backup (quarantined).
 
 
::Report end
 
 


---------------
MG

Marsh Posted on 29-09-2006 at 22:41:57

Good evening

Big job by Ewido.
The reports show 3 things:
- An Instant Access infection.
- A resistant random-name file (c:\windows\system32\mnteuxaoh.exe).
- A resistant file (C:\WINDOWS\NsUpdate.exe).

Let's continue.

Part of the procedure will take place without internet access; please print these instructions, or paste them into a text file, so you can read them during this disinfection.
The steps must be done without interruption and in order.
If you don't understand something, ask for an explanation before starting.

$$ Download Brute Force Uninstaller (by Merijn).
Create a new folder directly on C:\ and name it BFU. Unzip the downloaded file into this new folder (C:\BFU).

$$ RIGHT-CLICK HERE and choose "Save Target As..." to download EGDACCESS.bfu (by Metallica). Save it in the folder you created (C:\BFU). **Note: if you use Internet Explorer, when saving make sure the "Type:" field shows "All Files". You should now have two files in the C:\BFU folder: EGDACCESS.bfu and BFU.exe (very important).

$$ Click this link
http://www.sendspace.com/file/4bwwd4
RIGHT-CLICK the file Gentlemen.bfu and choose "Save Target As..." to download Gentlemen.bfu. Save it in the folder you created (C:\BFU). **Note: if you use Internet Explorer, when saving make sure the "Type:" field shows "All Files".

$$ Reboot into Safe Mode: as the machine restarts, immediately tap the F8 or F5 key; you will see a screen with boot options. Using the arrow keys, choose "Safe Mode" and confirm with "Enter". Choose your usual account, not Administrator.

$$ Start the "Brute Force Uninstaller" by double-clicking BFU.exe (in the C:\BFU folder)

---- Click the small yellow folder to the right of the Scriptline to execute box, and double-click:

EGDACCESS.bfu

In the "Scriptline to execute" box you should now see this: C:\BFU\EGDACCESS.bfu
Click Execute and let it do its work.
Wait for Complete script execution to appear and click OK.

---- Click the small yellow folder to the right of the Scriptline to execute box, and double-click:

Gentlemen.bfu

In the "Scriptline to execute" box you should now see this: C:\BFU\Gentlemen.bfu
Click Execute and let it do its work.

When BFU disappears, reboot normally and post a new HijackThis log along with the report located at C:\egd.txt

Message edited by chercheurbis on 29-09-2006 at 22:48:35

Marsh Posted on 30-09-2006 at 16:48:33

I think I made a few mistakes but here is the report...
 
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"PCMService"="\"c:\\Apps\\Powercinema\\PCMService.exe\""
"ACTIVBOARD"="c:\\apps\\ABoard\\ABoard.exe"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE Philips SPC 200NC PC Camera"
"CanalPlayer"="C:\\Program Files\\Lecteur CANALPLAY\\CanalPlayer.exe /iconic"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal Pro\\kav.exe\" /minimize"
"mnteuxaoh"="c:\\windows\\system32\\mnteuxaoh.exe mnteuxaoh"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"NsUpdate"="C:\\WINDOWS\\NsUpdate.exe UPDATE"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
 


---------------
MG

Marsh Posted on 30-09-2006 at 22:44:01

Good evening

I think the step with EGDACCESS worked fine, but not the one with Gentlemen.bfu.

Do this again.


chercheurbis wrote:

Part of the procedure will take place without internet access; please print these instructions, or paste them into a text file, so you can read them during this disinfection.
The steps must be done without interruption and in order.
If you don't understand something, ask for an explanation before starting.

$$ Click this link
http://www.sendspace.com/file/4bwwd4
RIGHT-CLICK the file Gentlemen.bfu and choose "Save Target As..." to download Gentlemen.bfu. Save it in the folder you created (C:\BFU). **Note: if you use Internet Explorer, when saving make sure the "Type:" field shows "All Files".

$$ Reboot into Safe Mode: as the machine restarts, immediately tap the F8 or F5 key; you will see a screen with boot options. Using the arrow keys, choose "Safe Mode" and confirm with "Enter". Choose your usual account, not Administrator.

$$ Start the "Brute Force Uninstaller" by double-clicking BFU.exe (in the C:\BFU folder)

---- Click the small yellow folder to the right of the Scriptline to execute box, and double-click:

Gentlemen.bfu

In the "Scriptline to execute" box you should now see this: C:\BFU\Gentlemen.bfu
Click Execute and let it do its work.

When BFU disappears, reboot normally and post a new HijackThis log along with the report located at C:\egd.txt


Marsh Posted on 30-09-2006 at 23:04:13

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"PCMService"="\"c:\\Apps\\Powercinema\\PCMService.exe\""
"ACTIVBOARD"="c:\\apps\\ABoard\\ABoard.exe"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE Philips SPC 200NC PC Camera"
"CanalPlayer"="C:\\Program Files\\Lecteur CANALPLAY\\CanalPlayer.exe /iconic"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal Pro\\kav.exe\" /minimize"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
 


---------------
MG
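As an added example (not code from the thread, from ewido or from BFU), here is a small Python script that does by hand what the helper did by eye on the two Run-key exports above: parse the .reg text, flag the entries that have the shape of the two resistant files (a generated-looking lower-case name that launches its own executable, and an executable dropped straight into C:\WINDOWS), then diff the first and second exports to confirm that exactly those entries disappeared and nothing new appeared. The two embedded exports are trimmed copies of the ones posted in the thread; the triage heuristics are my own assumptions, not ewido's or BFU's detection logic.

```python
import re
from typing import Dict, List, Tuple

# Key the poster was asked to export (exact match, so the
# Run\OptionalComponents subkeys in the same file are ignored).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Trimmed copies of the two Run-key exports posted in the thread:
# BEFORE is the first export (Gentlemen.bfu had not run), AFTER the second.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE Philips SPC 200NC PC Camera"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal Pro\\kav.exe\" /minimize"
"mnteuxaoh"="c:\\windows\\system32\\mnteuxaoh.exe mnteuxaoh"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"NsUpdate"="C:\\WINDOWS\\NsUpdate.exe UPDATE"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
'''

AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE Philips SPC 200NC PC Camera"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal Pro\\kav.exe\" /minimize"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
'''

# One "name"="data" line of a .reg file; inside the quotes a backslash
# escapes the next character (so \\ is a backslash and \" is a quote).
REG_STRING = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    # Drop the escaping backslash, keep the character it protected.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_key(reg_text: str, key: str = RUN_KEY) -> Dict[str, str]:
    """Return {value name: command line} for the string values under `key`."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = REG_STRING.match(line) if in_key else None
        if m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values


def image_path(command: str) -> str:
    """Extract the launched file from a Run value: quoted path, or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # An unquoted path containing spaces is cut here; that ambiguity is
    # itself a reason to look at unquoted entries by hand.
    return command.split(" ", 1)[0]


WINDOWS_ROOT = r"c:\windows"  # assumption: XP installed in the default folder


def triage(values: Dict[str, str]) -> Dict[str, str]:
    """Heuristics (my assumption, not ewido's logic) for Run entries to inspect."""
    suspects: Dict[str, str] = {}
    for name, command in values.items():
        path = image_path(command)
        folder, _, filename = path.lower().rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if folder == WINDOWS_ROOT:
            # Legitimate autoruns rarely live directly in %SystemRoot%; droppers often do.
            suspects[name] = f"executable directly in the Windows root: {path}"
        elif re.fullmatch(r"[a-z]{8,}", name) and stem == name:
            # Lower-case letter soup whose value name is also its file name,
            # the shape of the random-name file the helper pointed at.
            suspects[name] = f"generated-looking name launching itself: {path}"
    return suspects


def diff_run_keys(before: Dict[str, str], after: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Names removed by the cleanup, names that appeared, names whose command changed."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(n for n in set(before) & set(after) if before[n] != after[n])
    return removed, added, changed


if __name__ == "__main__":
    first, second = parse_run_key(BEFORE), parse_run_key(AFTER)
    for name, reason in triage(first).items():
        print(f"SUSPECT {name}: {reason}")
    removed, added, changed = diff_run_keys(first, second)
    print("removed:", removed, "added:", added, "changed:", changed)
```

The heuristic also flags BigDogPath (the Philips webcam's VM_STI.EXE sitting in the Windows root), which the helper did not treat as malicious: the script produces triage candidates, and each one still needs a manual look at the file's vendor, date and digital signature. The diff is the part worth keeping after any cleanup: two entries removed, none added, none rewritten, which is exactly what the second export in the thread shows.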