Infection majeure!!!

Gwinoo -  
balltrap34 Messages postés 16241 Statut Contributeur sécurité -
Bonjour,
Quelqu'un peut analyser ce ACTIVESCAN? merci...

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\WINDOWS\FT*_GEPFAH.EXE
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\newmsrdk
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/SBSoft No disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\inst
Virus:Eicar.Mod No disinfected C:\data1.cab[eicar.html]
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Julie Rivard\Application Data\eumn.exe
Spyware:Spyware/AdClicker No disinfected C:\Documents and Settings\Julie Rivard\Application Data\taskmon.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[aOaamon.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[bkowsewm.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[d8j02i1mg8.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[dLdpmesh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[dn0401dqe.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[donlobby.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[fp4603hse.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[gp4ml3h11.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[gp4ol3h31.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[gppol3731.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[jtru0799e.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[k2pm0c71ef.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[kddgae.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[kidsf.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[ksdusr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[ljpsd11n.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[lmtga11n.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[m046lahs1d46.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mgxml3.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mjls31.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mpcshext.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mrc42u.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mrjint35.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[nbtapi32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[nplanui2.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[o8660ijse8o60.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[o8lu0i39e8.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[p8n8li5u18.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[ptdgen.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[qrv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[rppwsx.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[rtnd.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[rUsrad.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[sclogcfg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[scrio800.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[serrun.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[skeio.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[suardssp.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[tlappcmp.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[wcnsrv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[wjpui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[wmnsrv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[wqsdmod.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[guard.tmp]
Adware:Adware/IGuard No disinfected C:\Hijackthis\backups\backup-20050427-104532-814.dll
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
Adware:Adware/SBSoft No disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\FT2_0_0_629_GEPFAH.EXE
Adware:Adware/nCase No disinfected C:\WINDOWS\icont.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\iconu.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\MIEXEC~1.EXE
Virus:W32/Sdbot.DEL.worm Disinfected C:\WINDOWS\system32\scvvhost.exe
Virus:Trj/Multidropper.AAR No disinfected C:\winhelp.chm[d_tony1.exe]

18 réponses

  1. BmV Messages postés 43656 Date d'inscription   Statut Modérateur Dernière intervention   4 962
     
    Salut.

    Beaucoup de troyens/adwares/etc.
    Pas excessivement grave, mais faut nettoyer ça avec un anti-spy genre "spybotS&D" ou Pestpatrol ....

    Voir ici => http://assiste.free.fr/index.html , rubrique "trojans"

    Et tout de suite après le nettoyage => http://sebsauvage.net/safehex.html

    A+
    0
  2. Gwinoo
     
    Spybot et Adaware..ne voient rien?!?
    Voici un RavAntivirus..

    Scan started at 2005-05-18 09:14:13

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\crt32_v2.dll - TrojanClicker:Win32/Small.AU -> Infected

    Scanned
    ============================
    Objects: 34117
    Directories: 2464
    Archives: 6728
    Size(Kb): 1935149
    Infected files: 1

    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 292
    0
  3. Gwinoo
     
    Voici mon Hijack:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:46:21, on 2005-05-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe
    O16 - DPF: {2FB97B3F-B903-5CB6-4D03-482F29F81485} - http://69.50.182.94/1/rdgCA1735.exe
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

    ----------------------------------------------------

    O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe
    O16 - DPF: {2FB97B3F-B903-5CB6-4D03-482F29F81485} - http://69.50.182.94/1/rdgCA1735.exe


    Ces 2 là m'inquiètent...vous connaissez?
    0
  4. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  5. balltrap34 Messages postés 16241 Statut Contributeur sécurité 332
     
    c est bien de donner un lien mais
    si tu ne dit pas quoi prendre ou faire cela sert pas a grand chose lol
    0
  6. Gwinoo Messages postés 21 Statut Membre
     
    Pestpatrol est pas capable de rien effacer et trouve pas grand chose....
    cleanup,lui, efface pas bob.exe...

    Logfile of HijackThis v1.99.1
    Scan saved at 11:11:31, on 2005-05-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [TkBellExe]
    0
  7. Utilisateur anonyme
     
    ou sont passer les 023 ?
    0
  8. Gwinoo Messages postés 21 Statut Membre
     
    Logfile of HijackThis v1.99.1
    Scan saved at 11:15:00, on 2005-05-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    0
  9. Gwinoo Messages postés 21 Statut Membre
     
    Et alors????

    Qqu'un peut m'aider?
    0
  10. balltrap34 Messages postés 16241 Statut Contributeur sécurité 332
     
    t impatiente pas lol
    demarre en mode sans echec
    relance hijack coche et fix cette ligne
    O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe

    ensuite recherche et suppr ceci
    bob.exe
    0
  11. Gwinoo Messages postés 21 Statut Membre
     
    Ça semble aller pour Bob.exe...

    Mais mon ordi est lent et certains sites dans mes favoris ne s'affichent plus!?!

    Seraient-ils toujours infectés???
    0
  12. Gwinoo
     
    L2Mfix 1.03

    Running From:
    C:\Documents and Settings\Julie Rivard\Bureau\l2mfix

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access AUTORITE NT\SYSTEM
    (IO) ALLOW Full access AUTORITE NT\SYSTEM
    (NI) ALLOW Full access AUTORITE NT\SYSTEM
    (IO) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Utilisateurs
    (ID-IO) ALLOW Read BUILTIN\Utilisateurs
    (ID-NI) ALLOW Full access BUILTIN\Administrateurs
    (ID-IO) ALLOW Full access BUILTIN\Administrateurs
    (ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

    Setting registry permissions:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Denying C(CI) access for predefined group "Administrators"
    - adding new ACCESS DENY entry

    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- BUILTIN\Administrateurs
    (NI) ALLOW Full access AUTORITE NT\SYSTEM
    (IO) ALLOW Full access AUTORITE NT\SYSTEM
    (NI) ALLOW Full access AUTORITE NT\SYSTEM
    (IO) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Utilisateurs
    (ID-IO) ALLOW Read BUILTIN\Utilisateurs
    (ID-NI) ALLOW Full access BUILTIN\Administrateurs
    (ID-IO) ALLOW Full access BUILTIN\Administrateurs
    (ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

    Setting up for Reboot

    Starting Reboot!

    C:\Documents and Settings\Julie Rivard\Bureau\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\Julie Rivard\Bureau\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1248 'explorer.exe'
    Killing PID 1248 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Error, Cannot find a process with an image name of rundll32.exe

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!

    Zipping up files for submission:
    adding: clear.reg (104 bytes security) (deflated 2%)
    adding: echo.reg (104 bytes security) (deflated 10%)
    adding: direct.txt (104 bytes security) (stored 0%)
    adding: lo2.txt (104 bytes security) (deflated 73%)
    adding: log.txt (104 bytes security) (deflated 79%)
    adding: readme.txt (104 bytes security) (deflated 49%)
    adding: report.txt (104 bytes security) (deflated 62%)
    adding: test.txt (104 bytes security) (stored 0%)
    adding: test2.txt (104 bytes security) (stored 0%)
    adding: test3.txt (104 bytes security) (stored 0%)
    adding: test5.txt (104 bytes security) (stored 0%)
    adding: backregs/65A6D3A1-301A-4136-9765-7E12B444C89A.reg (104 bytes security) (deflated 70%)
    adding: backregs/D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573.reg (104 bytes security) (deflated 71%)
    adding: backregs/shell.reg (104 bytes security) (deflated 74%)

    Restoring Registry Permissions:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Revoking access for predefined group "Administrators"
    Inherited ACE can not be revoked here!
    Inherited ACE can not be revoked here!

    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access AUTORITE NT\SYSTEM
    (IO) ALLOW Full access AUTORITE NT\SYSTEM
    (NI) ALLOW Full access AUTORITE NT\SYSTEM
    (IO) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Utilisateurs
    (ID-IO) ALLOW Read BUILTIN\Utilisateurs
    (ID-NI) ALLOW Full access BUILTIN\Administrateurs
    (ID-IO) ALLOW Full access BUILTIN\Administrateurs
    (ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
    (ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    The following are the files found:
    ****************************************************************************

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    ****************************************************************************
    0
  13. balltrap34 Messages postés 16241 Statut Contributeur sécurité 332
     
    je t ai pas demander un l2mfix
    il faut pas faire n importe quoi sinon ont vas pas s en sortir
    met moi un hijack

    --la chasse et le balltrap ma vrai passion
    voir site perso dans profil
    0
  14. Gwinoo
     
    Désolé Balltrap...

    Logfile of HijackThis v1.99.1
    Scan saved at 18:36:25, on 2005-05-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    0
  15. balltrap34 Messages postés 16241 Statut Contributeur sécurité 332
     
    relance hijack coche et fix seulement
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

    il ni a rien de mechant dans ton log
    je t ai fait virer ces lignes j uste pour que les prog ne se lance pas au demarrage

    ensuite fait un scan rav pour verif
    Faite scan en ligne et coller le rapport ici sur le post
    utiliser l'antivirus en ligne suivant :
    http://www.ravantivirus.com/scan/
    Cliquer sur "To continue without subscribing click here" et attendre quelques minutes.

    Lorsque "Ready" est affiché dans "status", cocher la case "Autoclean" puis cliquer sur "Scan my PC"
    A la fin de l'analyse, copier/coller le rapport ici.
    0
  16. gwinoo
     
    J'ai oublié de faire un rapport balltrap?!?!

    Désolé, mais il n'a rien trouvé...alors je crois que c'est résolu!

    Mon ordinateur semble avoir retrouvé sa vigueur!

    Merci à tous!
    0
  17. balltrap34 Messages postés 16241 Statut Contributeur sécurité 332
     
    content pour toi
    a++
    0