O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [herjek] C:\WINDOWS\herjek.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'Default user')
To remove these infections, do this:
- Download and install MalwareBytes' Anti-Malware:
http://www.malekal.com/tutorial_MalwareBytes_AntiMalware.php
- Update it and run a scan
- Delete everything the software finds and post the report
You're running MAM too early... Send SDFix instead.
I had a look on Google. MAM will catch them, so why bring out SDFix?
A question of method. Already explained in several topics...
Stop butting in, EvilElf, you're getting on my nerves.
If I'm stepping in, it's so he picks up good reflexes... and to keep this from turning into a mess.
Anyway, I don't do this every day, no time.
Damn, the scan has already been running 22 min... maybe I shouldn't have picked the full one xd
It took me 53 minutes
But a full scan is better than fighting to remove the leftovers, right?
Totally, I'm at 45 min now ^^
I was kidding, didn't you get it, you little shit?
PS: I'm still kidding here, joking is all well and good but I don't want to get kicked or banned for insults, anyway, do as you see fit...
I'm not kidding, and I'm going to request your ban right now
Report:
Malwarebytes' Anti-Malware 1.12
Database version: 770
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 278896
Time elapsed: 1 hour(s), 23 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 13
Files Infected: 29
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\basekbrlh32.dll (Trojan.Agent) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\libor (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\herjek (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\totacon (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Firewall auto setup (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\BrowserObjects (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\Packages (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\les filles\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\N0VHFI5M\2872tjentucw[1].exe (Spyware.BZub) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP49\A0012705.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmonb.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt64.tmp (Rogue.WinIFixer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\crypted.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsy185.tmp\DcryptDll.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsy185.tmp\nsExec.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\totacon.config (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\libor.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\herjek.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\totacon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\basekbrlh32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lost.exe.exe (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\found.exe.exe (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dylan\Bureau\AntiSpywareShield.lnk (Rogue.AntiSpywareShield) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dylan.NOM-EB85C523610\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Menu Démarrer\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Bureau\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dylan\Application Data\Install.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Favoris\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Menu Démarrer\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.
I'll come back to see your reply tomorrow afternoon, wiwi.
And once again a huge thank you
- Download Deckard's System Scanner (DSS) to your desktop:
http://www.techsupportforum.com/sectools/Deckard/dss.exe
- Close all running applications, antivirus included
- Double-click dss.exe to launch the tool
- If it doesn't find HijackThis, click Yes
- Click OK each time you are asked
- When the scan is finished, a text file will be displayed. Save it, upload it to mediafire and post the link so we can download the DSS report:
http://www.mediafire.com/
- The report is located here: C:\Deckard\System Scanner\main.txt
Finally, an original virus....
http://www.mediafire.com/?yjhyztg51mt
Well then, you can see that MAM doesn't do the job
You chain tool after tool for a small thing... Prefer dedicated tools to magic solutions like MAM... Already explained several times, rofl...
Deriak, do this:
http://www.xplodconcept.com/viewtopic.php?f=14&t=62
Post the report + a new DSS report.
See you
[b]SDFix: Version 1.184 [/b]
Run by Administrateur on 21/05/2008 at 13:56
Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\smp.bat - Deleted
C:\tempdel.bat - Deleted
C:\WINDOWS\gogora.config - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 14:10:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL France"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"="C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe:*:Enabled:Zoo Tycoon 2 Executable"
"C:\\WINDOWS\\libor.exe"="C:\\WINDOWS\\libor.exe:*:enabled:enable"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\totacon.exe"="C:\\WINDOWS\\totacon.exe:*:Enabled:enable"
"C:\\WINDOWS\\herjek.exe"="C:\\WINDOWS\\herjek.exe:*:Enabled:enable"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[b]Remaining Files [/b]:
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Sat 5 Apr 2008 218 A.SHR --- "C:\BOOT.BAK"
Sat 29 Mar 2008 48 ..SH. --- "C:\WINDOWS\SE2A63CE5.tmp"
Thu 8 May 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 2 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Mon 12 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 5 Apr 2008 14,771,744 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cc102203f99c8c6ebf1523556f8411b6\BITA.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\1948530hp85300.exe"
Thu 8 May 2008 4,348 ...H. --- "C:\Documents and Settings\les filles\Mes documents\Mes fichiers reçus\Ma musique\Sauvegarde de la licence\drmv1key.bak"
Fri 9 May 2008 20 A..H. --- "C:\Documents and Settings\les filles\Mes documents\Mes fichiers reçus\Ma musique\Sauvegarde de la licence\drmv1lic.bak"
Thu 8 May 2008 400 A.SH. --- "C:\Documents and Settings\les filles\Mes documents\Mes fichiers reçus\Ma musique\Sauvegarde de la licence\drmv2key.bak"
[b]Finished![/b]
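The MBAM report earlier in the thread quarantined C:\WINDOWS\libor.exe, totacon.exe and herjek.exe and could only schedule basekbrlh32.dll for deletion on reboot, yet the SDFix "Authorized Application Key Export" above still lists all three binaries as enabled Windows Firewall exceptions, each with the placeholder description "enable". Removing the file does not remove the exception. The Python below is an added example written for this page, not output or code from MBAM, SDFix or anyone in the thread: it parses constructed excerpts of the two reports and reports (a) firewall exceptions whose program MBAM already removed, (b) exceptions that look suspicious on their own, and (c) items still pending a delete-on-reboot. The mapping of %windir% to C:\WINDOWS and the "suspicious exception" heuristics are my assumptions, not rules from either tool.

```python
"""Cross-check an MBAM report against an SDFix firewall-policy export.

Added example for this thread, not output of either tool.  The two text
blocks below are constructed excerpts of the reports posted in the thread;
the heuristics (which folders count as suspicious, which descriptions look
like placeholders) are assumptions, not rules from MBAM or SDFix.
"""
import ntpath

# Constructed excerpt of the MBAM "Files Infected" section (same line format as the real report).
MBAM_FILES = r"""
C:\WINDOWS\libor.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\herjek.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\totacon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\basekbrlh32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed excerpt of SDFix's "Authorized Application Key Export" (reg-export syntax, backslashes doubled).
SDFIX_FIREWALL = r"""
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL France"
"C:\\WINDOWS\\libor.exe"="C:\\WINDOWS\\libor.exe:*:enabled:enable"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\totacon.exe"="C:\\WINDOWS\\totacon.exe:*:Enabled:enable"
"C:\\WINDOWS\\herjek.exe"="C:\\WINDOWS\\herjek.exe:*:Enabled:enable"
"""

WINDIR = r"C:\WINDOWS"  # assumption: %windir% on this XP box


def norm(path):
    """Canonical form for comparison: un-double backslashes, expand %windir%, lower-case."""
    expanded = path.replace("\\\\", "\\").replace("%windir%", WINDIR)
    return ntpath.normpath(expanded).lower()


def parse_mbam_files(text):
    """Map each path in 'path (Class) -> Action.' lines to (classification, action)."""
    items = {}
    for line in text.strip().splitlines():
        if " -> " not in line:
            continue
        left, _, action = line.rpartition(" -> ")
        path, _, cls = left.rpartition(" (")
        items[path] = (cls.rstrip(")"), action.rstrip("."))
    return items


def parse_firewall_export(text):
    """Parse '"app"="app:scope:state:name"' lines; the value is split from the right so 'C:' survives."""
    entries = []
    for line in text.strip().splitlines():
        if not line.startswith('"') or '"="' not in line:
            continue
        _, _, value = line.partition('"="')
        value = value.strip().rstrip('"').replace("\\\\", "\\")
        path, scope, state, name = value.rsplit(":", 3)
        entries.append({"path": path, "scope": scope, "state": state.lower(), "name": name})
    return entries


def stale_firewall_exceptions(mbam_items, fw_entries):
    """Exceptions whose program MBAM already quarantined: the binary is gone, the hole in the firewall is not."""
    removed = {norm(p) for p in mbam_items}
    return sorted(e["path"] for e in fw_entries if norm(e["path"]) in removed)


def suspicious_firewall_entries(fw_entries):
    """Heuristic (assumption): flag enabled exceptions whose program sits directly in %windir%
    or in any Temp folder, or whose description is a placeholder such as 'enable'."""
    hits = []
    for e in fw_entries:
        p = norm(e["path"])
        in_windir_root = ntpath.dirname(p) == WINDIR.lower()
        in_temp = "\\temp\\" in p
        placeholder = e["name"].strip().lower() in {"enable", "enabled", ""}
        if e["state"] == "enabled" and (in_windir_root or in_temp or placeholder):
            hits.append(e["path"])
    return sorted(hits)


def pending_reboot_deletions(mbam_items):
    """Items MBAM could only schedule for removal; confirm they are gone after the reboot."""
    return sorted(p for p, (_, action) in mbam_items.items() if "reboot" in action.lower())


if __name__ == "__main__":
    mbam = parse_mbam_files(MBAM_FILES)
    fw = parse_firewall_export(SDFIX_FIREWALL)
    for title, rows in (("stale firewall exceptions", stale_firewall_exceptions(mbam, fw)),
                        ("suspicious firewall exceptions", suspicious_firewall_entries(fw)),
                        ("pending delete-on-reboot", pending_reboot_deletions(mbam))):
        print(f"{title}: {len(rows)}")
        for r in rows:
            print("   ", r)
```

On the live machine the same list is read from the key SDFix exported, HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list; the three stale values there should be deleted by hand (or with a .reg file) once the binaries are confirmed gone, and the Delete-on-reboot item re-checked with a fresh scan after restarting.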
Off-topic, but e-normous
Use a roach spray