HCLEAN32.EXE problem - Help! - HijackThis log decoding

Yohan -
balltrap34 (16241 posts, security contributor) -
Hello everyone,

I'm asking for your help because for a few days now I've been fighting a recurring anomaly.
I've read the various discussions on this subject in the forum and applied the remedies; nothing works.

Anomaly:
Norton detects a trojan in the file c:\windows\system32\hclean32.exe. On checking, this file does not exist!
Moreover, AntiVir detects a trojan in the file rdsndin.exe.

I have run SPYBOT, AD-AWARE, TAUSCAN, NORTON AV, ANTIVIR.
Nothing works.

So I'm sending you the HijackThis log, hoping that someone can help me.

Waiting to hear from you. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 09:48:13, on 25/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\looknstop\_looknstop.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\MulMouse.exe
C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\OSD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm66.exe
C:\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C7DBAF37-8D7C-D325-6FC4-EED2460373FB} - _ctcp.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\YOHAN&~1\LOCALS~1\Temp\bundle_cdt1006.exe run
O4 - HKLM\..\Run: [MSTCPDLL] SYSTRAV.exe
O4 - HKLM\..\Run: [Brong32] SYSTRAV.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Dest068] MON76234.exe
O4 - HKCU\..\Run: [systemdll] xxtoolbar.exe
O4 - HKCU\..\Run: [NsCplTray] nmdllw.exe
O4 - Global Startup: Activer l'ensemble clavier et souris sans fil Labtec.lnk = C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114460605218
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFBDDBD5-77CA-414F-B77B-7AA99DDEC6B7}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
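Before the replies, an added example that is not part of the thread and not HijackThis's own code: a small triage script for the HijackThis v1.99 log format posted above. It flags the entry types in this log that a fix list should not leave behind: O17 NameServer values pointing at resolvers the user never configured (both logs in this thread carry 69.50.176.158 and 85.255.112.8, and neither fix list in the thread includes those O17 lines), O4 Run values that name a bare executable with no path, Run values started from a Temp directory, O16 ActiveX downloads from hosts other than Windows Update, and hooks whose file is already gone. The two allowlists are assumptions for illustration; the sample input is a subset of the log above.

```python
"""Triage a HijackThis v1.99 log for the indicators that appear in this thread.

Added example, not part of the original thread or of HijackThis itself.
The sample lines are copied from the log above; the two allowlists are
assumptions that a real run would replace with the ISP's resolvers and the
ActiveX download hosts that are actually trusted.
"""
import ipaddress
import re

# ASSUMED allowlist: resolvers the PC is expected to use. A home PC behind a
# DSL modem normally points at the modem's private address or the ISP's
# resolvers; any other address in an O17 NameServer entry is a DNS redirection.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# ASSUMED allowlist: hosts from which an O16 ActiveX download (DPF) is expected.
TRUSTED_DPF_HOSTS = {"v5.windowsupdate.microsoft.com"}

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def _is_trusted_resolver(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # not an address at all: report it
    return any(ip in net for net in TRUSTED_RESOLVER_NETS)


def triage(log_text):
    """Return (severity, line, reason) findings for the hook types this thread shows."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # R3/O2/O3 entries whose file is gone: an orphaned hook, harmless but worth fixing.
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            findings.append(("medium", line, "registered component whose file no longer exists"))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if "\\" not in cmd:
                # A bare filename in a Run value is resolved through the search path
                # (system32 included), which is how SYSTRAV.exe and MON76234.exe run here.
                findings.append(("high", line, "Run entry with no path: " + cmd))
            elif "\\temp\\" in cmd.lower():
                findings.append(("high", line, "Run entry executes from a Temp directory"))
            continue
        m = O16_RE.match(line)
        if m:
            host = m.group("url").split("/")[2].lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("medium", line, "ActiveX download from untrusted host " + host))
            continue
        m = O17_RE.match(line)
        if m:
            bad = [s.strip() for s in m.group("servers").split(",") if not _is_trusted_resolver(s)]
            if bad:
                findings.append(("critical", line, "unexpected DNS resolvers: " + ", ".join(bad)))
            continue
    return findings


# Constructed sample: a subset of the first log posted in this thread.
SAMPLE = r"""
R3 - URLSearchHook: (no name) - {C7DBAF37-8D7C-D325-6FC4-EED2460373FB} - _ctcp.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\YOHAN&~1\LOCALS~1\Temp\bundle_cdt1006.exe run
O4 - HKLM\..\Run: [MSTCPDLL] SYSTRAV.exe
O4 - HKCU\..\Run: [Dest068] MON76234.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114460605218
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
"""


def triage_sample():
    return triage(SAMPLE)


def count_by_severity(findings):
    counts = {}
    for severity, _line, _reason in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, line, reason in triage_sample():
        print(f"[{severity:8}] {reason}\n           {line}")
```

The O17 check is the one that matters most on this log: a Run entry can be deleted and an ActiveX control fixed, but as long as the adapter's NameServer values point at a resolver the attacker controls, every hostname the PC looks up, including the antivirus vendor's update servers, resolves to whatever that resolver answers.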

45 replies

Anonymous user
 
Hello,

Method to follow, in this order...

****
You're faced with several programs running in the background, which causes slowdowns, sluggishness and crashes:

You have 2 antivirus programs on your PC:
Norton
AntiVir
Uninstall one of them, preferably Norton!

You have 2 firewalls on your PC:
Look 'n' Stop
ZoneAlarm
Uninstall one of them, preferably Look 'n' Stop.

But of course you're free to keep the one you're most comfortable with; I'm at ease with the antivirus and firewall I have, after that it's up to you and your preferences.
----------------------------------------------------------------------------
¤ Download these programs, but don't use them right away:

1/ Spybot S&D 1.4 << new version
http://www.safer-networking.org/fr/index.html

Usage demo (thanks to Balltrap34 for making it)
http://pageperso.aol.fr/Balltrap34/demo%20spybot.htm

2/ Ad-Aware SE 1.06 << new version
http://www.lavasoftusa.com/software/adaware/
- A guide:
http://www.tutopat.com/viewtopic.php?t=1191
- Install the French language patch, which you can find here:
http://download.lavasoft.de.edgesuite.net/public/pllangs.exe
and a short usage video here (thanks to Moe31 for making it):
http://pageperso.aol.fr/balltrap34/adawrevid.asf

3/ Clean Up 40:
http://pageperso.aol.fr/balltrap34/CleanUp40.exe
- Illustrated help (thanks to Balltrap34):
http://pageperso.aol.fr/balltrap34/democleanup.htm
----------------------------------------------------------------------------
¤ Start in Safe Mode:
To do this, keep tapping the F8 key from the moment the PC powers on, without stopping.
A window will open; use the keyboard arrows to move to "Safe Mode", then press Enter.
Once on the desktop, if not all the colours and so on are there, that's normal!
(If F8 doesn't work, use the F5 key.)
----------------------------------------------------------------------------
¤ Show all files and folders:
Click Start / Control Panel / Tools / Folder Options / View

Check "Show hidden files and folders"

Uncheck "Hide protected operating system files (recommended)"

Uncheck "Hide extensions for known file types"
Then click OK to confirm the changes.

And Apply!
----------------------------------------------------------------------------
¤ Empty your temp files and Temporary Internet Files:
use this to do it (you downloaded it earlier)
http://pageperso.aol.fr/balltrap34/CleanUp40.exe
----------------------------------------------------------------------------
¤ Relaunch HijackThis, tick the boxes in front of these lines, then click "Fix checked":

R3 - URLSearchHook: (no name) - {C7DBAF37-8D7C-D325-6FC4-EED2460373FB} - _ctcp.dll (file missing)

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

If you have uninstalled Look 'n' Stop, fix this one:
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\looknstop\looknstop.exe" -auto

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe

O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\YOHAN&~1\LOCALS~1\Temp\bundle_cdt1006.exe run

O4 - HKLM\..\Run: [MSTCPDLL] SYSTRAV.exe

O4 - HKLM\..\Run: [Brong32] SYSTRAV.exe

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

O4 - HKCU\..\Run: [Dest068] MON76234.exe

O4 - HKCU\..\Run: [systemdll] xxtoolbar.exe

O4 - HKCU\..\Run: [NsCplTray] nmdllw.exe

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

----------------------------------------------------------------------------
¤ Search for and delete these:
careful, only the files (if present)

C:\Program Files\looknstop <-- only if you have uninstalled it
C:\Program Files\Media Access
c:\program files\180searchassistant
SYSTRAV.exe
C:\Program Files\WareOut
MON76234.exe
xxtoolbar.exe
nmdllw.exe

----------------------------------------------------------------------------
¤ Run Ad-Aware and remove everything it finds
----------------------------------------------------------------------------
¤ Run Spybot and remove everything it finds
----------------------------------------------------------------------------
> Empty your Recycle Bin, restart in normal mode and run HijackThis again

Let me know what problems remain, if any...

Keep me posted

See you
Yohan
 
Regis, thanks for your reply.

I followed your instructions to the letter, which took some time.
Summary:
- I uninstalled Norton and Look 'n' Stop.
- I booted into Safe Mode and ran, one after the other, Clean Up 40, which wiped all the temp files, Ad-Aware, which detected nothing suspicious, and finally Spybot, which removed 18 items.
- I rebooted in normal mode and, right from Windows start-up, AntiVir detected the same problem that Norton did before, namely a trojan in the file C:\windows\system32\hclean32.exe. This trojan is TR/QHOST.QR.
A similar detection window opens as soon as I launch Internet Explorer.
At the same time, Windows opens a window reporting a problem, with the buttons "Send error report" and "Don't send". If I click either one, all my Internet windows are closed automatically.

As for HijackThis, I removed the lines you indicated, although some of them didn't exist.
I've made a new log, which I'm sending you below.

If you have any idea what the problem is.

In any case, thanks in advance... YOHAN

Logfile of HijackThis v1.99.1
Scan saved at 22:11:32, on 25/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\MulMouse.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\OSD.EXE
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\AVPersonal\GUARDGUI.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Activer l'ensemble clavier et souris sans fil Labtec.lnk = C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114460605218
O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFBDDBD5-77CA-414F-B77B-7AA99DDEC6B7}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Anonymous user
 
re
¤ Show all files and folders:
Click Start / Control Panel / Tools / Folder Options / View

Check "Show hidden files and folders"

Uncheck "Hide protected operating system files (recommended)"

Uncheck "Hide extensions for known file types"
Then click OK to confirm the changes.

And Apply!
----------------------------------------------------------------------------
Delete
C:\windows\system32\hclean32.exe

See you
Yohan
 
Regis,

I did show all the system folders and all hidden files and folders... nothing doing. The file HCLEAN32.EXE cannot be found on my machine.
I haven't rebooted since last night and the AntiVir windows are still active.

Cheers, thanks
Yohan
Yohan
 
Hi Regis,

I'm following up with you on my problem with HCLEAN32.exe.
As I said in my previous message, there is something more than strange: the file Hclean32.Exe does not exist in system32. Yet I have displayed all hidden files and all system folders. Explorer's search function doesn't find it either.
Thanks for your help.
If you need a HijackThis log, let me know.

See you soon
Yohan
Anonymous user
 
Hi,
Try this to find it:
http://www.01net.com/telecharger/windows/Utilitaire/cryptage_et_securite/fiches/23822.html

Usage demo here (thanks to Balltrap34 for making it)
http://pageperso.aol.fr/balltrap34/demochaos.swf

See you
Yohan
 
Regis,

Thanks for your reply, but none of the telecharger.com links is valid (not even the official site).
Do you have another address to get it from?
Do you know of a similar program?

See you
Yohan
Anonymous user
 
How so?
It works for me
Yohan
 
False alarm!
After several attempts, I got hold of the program.
I ran it... no files found!
I think I'm in a real mess.

Anonymous user
 
Check, lol, with Chaos Shredder:
C:\windows\system32\hclean32.exe

Have you already tried KillBox?
Yohan
 
1- Regarding Chaos Shredder: nothing to report, no file found

2- Regarding KillBox: in direct deletion, it says the file cannot be deleted. In reboot mode, it won't restart the machine. It says "PendingFileRenameOperations registry data has been removed by external process!"
balltrap34 (16241 posts, security contributor) 332
 
Hi Quentin
How's it going
balltrap34 (16241 posts, security contributor) 332
 
Hi, try KillBox in Safe Mode
Yohan
 
I'm rebooting and will keep you informed
Back in a moment
Anonymous user
 
Hi balltrap
So-so
I have a PC problem; I posted in Hardware, if you have time to go and look

I'm looking for solutions; I posted in Miscellaneous by mistake, but it's addressed to you, if you have time to give me a hand!
(To remove what Spybot detects, I haven't tried Silent Runners; do you think there's a way?)
balltrap34 (16241 posts, security contributor) 332
 
I'll take a look
Yohan
 
Balltrap, or Regis,

I did manage to delete this file in Safe Mode.
BUT... as soon as I go back to normal mode and connect, AntiVir detects a trojan (Qhost.TR) on this file again.
I don't understand it at all

Thanks in advance
balltrap34 (16241 posts, security contributor) 332
 
For Regis: I replied on your post
For Yohan: at exactly which location does it detect it?
Yohan
 
C:\WINDOWS\SYSTEM32\HCLEAN32.EXE
But it's invisible

PS: nice trap-shooting site! Great photos
Anonymous user
 
What does AntiVir itself say? Because apparently you have 2 AVs
Yohan
 
Indeed, I had 2 AVs. I removed NORTON following your earlier advice (my machine does actually run a little better since... logically).
AntiVir detects it, and it's AntiVir that gave me the name of this trojan.
Here is a copy of the AntiVir window:

C:\WINDOWS\SYSTEM32\HCLEAN32.EXE

Is the Trojan horse TR/Qhost.QR


When I click "delete file", it displays this:

C:\WINDOWS\SYSTEM32\RDSNDIN.EXE

Is the Trojan horse TR/Click.526


Or it brings back the first window.
If I delete RDSNDIN.EXE, an iexplore window appears:

"iexplore.exe has encountered a problem and needs to close. We are sorry for the inconvenience."
whichever button, "Send" or "Don't send", I click... all my Internet windows are closed immediately.
balltrap34 (16241 posts, security contributor) 332
 
Do this:
download this
http://www.downloads.subratam.org/l2mfix.exe
unzip it, double-click l2mfix.bat, press any key, and then choose option 2

Search for and delete the two files, but make sure of the following so that you can see them:
Show all files and folders:
click Start / Control Panel / Folder Options / View
Check "Show hidden folders"

Uncheck "Hide protected operating system files (recommended)"

Uncheck "Hide extensions for known file types"
Then click OK to confirm the changes.

And Apply

If you can't see them, use KillBox with the Notepad method (see demo)
with these:
C:\WINDOWS\SYSTEM32\HCLEAN32.EXE
C:\WINDOWS\SYSTEM32\RDSNDIN.EXE

KillBox:

(here) http://www.florensac-chasse-trap.com/ virus section

demo http://pageperso.aol.fr/balltrap34/killbox.htm

Run a scan here:
BitDefender scan
http://www.bitdefender.fr
click "scan online" on the left and follow the procedure
----------------
Yohan
 
So I downloaded your program and ran it.
It rebooted the machine after I confirmed option 2, and it produced a report after the restart. Let me know if that report interests you.
I then ran KillBox with the Notepad method (thanks for the demo)
and it rebooted after I copied and pasted the files and clicked the red cross.
I'm currently running a BitDefender scan and it still has about 2h30 to go (estimated time).
I'll get back to you once it's finished.

Enjoy your meal and see you later,
Yohan
balltrap34 (16241 posts, security contributor) 332
 
Give me the fix report, and also the BitDefender report when you have it
Yohan
 
Here is the fix report:

L2Mfix 1.04

Running From:
C:\Program Files\l2mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



Setting up for Reboot


Starting Reboot!

C:\Program Files\l2mfix\l2mfix
System Rebooted!

Running From:
C:\Program Files\l2mfix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 196 'explorer.exe'
Killing PID 196 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (212 bytes security) (deflated 2%)
adding: echo.reg (212 bytes security) (deflated 11%)
adding: direct.txt (212 bytes security) (deflated 13%)
adding: lo2.txt (212 bytes security) (deflated 72%)
adding: readme.txt (212 bytes security) (deflated 52%)
adding: test.txt (212 bytes security) (stored 0%)
adding: test2.txt (212 bytes security) (stored 0%)
adding: test3.txt (212 bytes security) (stored 0%)
adding: test5.txt (212 bytes security) (stored 0%)
adding: backregs/notibac.reg (212 bytes security) (deflated 87%)
adding: backregs/shell.reg (212 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


As for Defender, here is the report:

BitDefender Online Scanner



Rapport d'analyse généré à: Sat, Aug 27, 2005 - 20:16:30





Voie d'analyse: A:\;C:\;D:\;E:\;F:\;







Statistiques

Temps
00:45:26

Fichiers
112591

Directoires
5029

Secteurs de boot
4

Archives
1373

Paquets programmes
12542




Résultats

Virus identifiés
5

Fichiers infectés
7

Fichiers suspects
0

Avertissements
0

Désinfectés
0

Fichiers effacés
7




Info sur les moteurs

Définition virus
202863

Version des moteurs
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Analyse des plugins
13

Archive des plugins
39

Unpack des plugins
4

E-mail plugins
6

Système plugins
1




Paramètres d'analyse

Première action
Désinfecté

Seconde Action
Supprimé

Heuristique
Oui

Acceptez les avertissements
Oui

Extensions analysées
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

Excludez les extensions


Analyse d'emails
Oui

Analyse des Archives
Oui

Analyser paquets programmes
Oui

Analyse des fichiers
Oui

Analyse de boot
Oui




Fichier analysé
Statut

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015118.exe
Infecté par: Joke.Winshoot.A

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015118.exe
Echec de la désinfection

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015118.exe
Supprimé

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015135.exe
Infecté par: Win16.Joke.Delayprank.A

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015135.exe
Echec de la désinfection

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015135.exe
Supprimé

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP149\A0015184.exe
Infecté par: Joke.Funny.A

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP149\A0015184.exe
Echec de la désinfection

F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP149\A0015184.exe
Supprimé

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll
Détecté avec: Adware.Navexcel.A

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll
Echec de la désinfection

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll
Supprimé

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab
Echec de la mise à jour

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe
Détecté avec: Adware.Navexcel.A

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe
Echec de la désinfection

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe
Supprimé

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab
Echec de la mise à jour

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe
Détecté avec: Adware.Navexcel.A

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe
Echec de la désinfection

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe
Supprimé

F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab
Echec de la mise à jour

F:\Utilitaires à graver\Internet et communication\Telechargement\Imesh V4\iMeshV3.exe=>wise0030
Détecté avec: Application.Adware.Gator

F:\Utilitaires à graver\Internet et communication\Telechargement\Imesh V4\iMeshV3.exe=>wise0030
Echec de la désinfection

F:\Utilitaires à graver\Internet et communication\Telechargement\Imesh V4\iMeshV3.exe=>wise0030
Supprimé

F:\Utilitaires à graver\Internet et communication\Telechargement\Imesh V4\iMeshV3.exe
Echec de la mise à jour
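The l2mfix log above exports the Winlogon\Notify key in regedit's text format, where REG_EXPAND_SZ values such as DllName appear as `hex(2):` UTF-16LE byte lists, and later in this thread the same format turns up twice more: balltrap34's `[-HKEY_LOCAL_MACHINE\...\Policies\Explorer\Run]` line (the leading minus deletes the whole key) and the hclsrch export of a `...\CurrentVersion\ruins` key whose value names, read backwards, spell the file names flagged earlier (23naelch → hclean32, nidnsdr → rdsndin). The following Python script is an added example, not part of the thread or of the l2mfix/hclsrch tools: it parses the export format, decodes the hex values so the registered notify DLLs can be read at a glance, records key deletions, and reverses value names. The sample input is constructed from fragments posted in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, assembled from exports posted in this thread (the l2mfix
# Winlogon\Notify export, balltrap34's [-...Policies\Explorer\Run] line and the
# hclsrch "ruins" export), trimmed to a few entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"nidnsdr"=hex:fa,60,00,00,f9,c3,c8,c5,eb,de,ad,e5,8a,af,ba,13,00,00,00
"23naelch"=hex:d6,72,00,00,ab,a4,e7,96,82,f9,cc,c5,d1,e6,ab,d6,14,00,00,00
'''


def _join_continuations(text: str) -> List[str]:
    """Join lines that regedit wrapped with a trailing backslash."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(raw: str):
    """Decode one regedit value: "string", dword:hex, hex:bytes or hex(N):bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or "3")  # plain hex: is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        # Types 1, 2 and 7 (SZ, EXPAND_SZ, MULTI_SZ) are stored as UTF-16LE
        if kind in (1, 2, 7) and len(data) % 2 == 0:
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text: str) -> Tuple[Dict[str, Dict[str, object]], List[str]]:
    """Return ({key: {value name: decoded value}}, [keys marked for deletion])."""
    keys: Dict[str, Dict[str, object]] = {}
    deleted: List[str] = []
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):  # [-KEY] removes the key and everything below it
                deleted.append(path[1:])
                current = None
            else:
                current = path
                keys[current] = {}
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = "" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(value)
    return keys, deleted


def notify_dlls(keys: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey to its DLL; the value name's case varies."""
    out: Dict[str, str] = {}
    for key, values in keys.items():
        if "\\Winlogon\\Notify\\" not in key:
            continue
        for name, val in values.items():
            if name.lower() == "dllname":
                out[key.rsplit("\\", 1)[1]] = str(val)
    return out


def reversed_value_names(keys: Dict[str, Dict[str, object]], key_suffix: str) -> Dict[str, str]:
    """Value names of the key ending in key_suffix, each paired with its reversal."""
    for key, values in keys.items():
        if key.lower().endswith(key_suffix.lower()):
            return {name: name[::-1] for name in values}
    return {}


if __name__ == "__main__":
    parsed, removed = parse_reg(SAMPLE_REG)
    print("Notify DLLs:", notify_dlls(parsed))
    print("Deleted keys:", removed)
    print("ruins value names reversed:", reversed_value_names(parsed, "\\ruins"))
```

On the full export posted above, every DllName decodes to a Windows system DLL (crypt32.dll, cryptnet.dll, cscdll.dll, wlnotify.dll, wzcdlg.dll), which is consistent with the fix finding no files to remove under that key; the reversed names from the ruins key, by contrast, are exactly the two executables that Norton and AntiVir reported at the start of the thread, so that key is where the persistence data worth examining lives.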
balltrap34 (16241 posts, status: security contributor)
 
You see, P2P is not the best.
Where do your problems stand now?
Yohan
 
Hi Balltrap,

As you can see, I'm starting early this morning... flea market coming up.
Back to the subject, nothing new since yesterday.
I'm back at square one. According to BitDefender my computer is still infected (note left at the top of the report window).

You point out that P2P is cr... Indeed, I quickly stopped. But as you could see, it leaves traces. How can I clean all this up without formatting?

I no longer really know what to do.
Did you see anything abnormal in the FIX and DEFENDER reports?
Do I need to reboot?
Keep me posted. I'll be back early in the afternoon. Thanks in advance and have a nice Sunday.

Bye - Yohan
balltrap34 (16241 posts, status: security contributor)
 
Hi
Defender did some cleaning up.
What does Norton say now?
Yohan
 
Hi again,

Defender did indeed do some cleaning up. I'm rebooting right away and running ANTIVIR. I no longer have Norton (uninstalled because it duplicated Antivir).
I'll let you know the scan results as soon as it's finished.

Do I need to run something else, like HijackThis??

Yohan
balltrap34 (16241 posts, status: security contributor)
 
Not for now, we'll see what your AV says.
Yohan
 
I ran ANTIVIR. Apparently nothing to report... I'm passing along the report below. However, two more detection windows popped up... still about this HCLEAN32.EXE file.

What should I do?

ANTIVIR report:

Creation date of the report file: dimanche 28 août 2005 16:30

AntiVir®/XP (2000 + NT) PersonalEdition Classic
Build 1047 vom 07.06.2005
Mainprogram 6.31.00.03 of 10.05.2005
VDF file 6.31.1.143 (0) of 18.08.2005


This program is for PERSONAL USE only.
Any other use is PROHIBITED.
Informations regarding commercial versions of AntiVir may be obtained from:
www.hbedv.com.


Scanning for 204539 virus strains and unwanted programs.

Licensed for: AntiVir Personal Edition
Serial number: 0000149996-WURGE-0001

Please enter the workstation and
contact name with phone number in this form:

Name ___________________________________________

Street ___________________________________________

Town ___________________________________________

Phone/Fax ___________________________________________

Email ___________________________________________

Platform: Windows NT Workstation
Windows version: 5.1 Build 2600 (Service Pack 1)
Username: Yohan & Steph
Computername: PERRAT
Processor: Pentium
Working memory: 523760 KB free

Version information:
AVWIN.DLL : 6.31.00.03 561192 10.05.2005 16:50:16
AVEWIN32.DLL : 6.31.1.0 823808 19.07.2005 17:54:12
AVGNT.EXE : 6.31.00.01 168039 10.05.2005 16:50:16
AVGUARD.EXE : 6.31.00.01 238120 29.04.2005 08:07:12
GUARDMSG.DLL : 6.30.00.02 94248 01.02.2005 11:24:10
AVGCMSG.DLL : 6.31.00.00 295029 29.04.2005 08:07:16
AVGNTDW.SYS : 6.31.00.01 32896 29.04.2005 08:07:16
AVPACK32.DLL : 6.31.00.03 323664 25.05.2005 10:43:02
AVGETVER.DLL : 6.30.00.00 24576 28.01.2005 18:10:20
AVWIN.DLL : 6.31.00.03 561192 10.05.2005 16:50:16
AVSHLEXT.DLL : 6.30.00.01 40960 28.01.2005 18:10:22
AVSched32.EXE : 6.30.00.00 110632 01.02.2005 11:24:10
AVSched32.DLL : 6.30.00.00 122880 01.02.2005 11:24:10
AVREG.DLL : 6.30.00.03 41000 10.02.2005 18:47:48
AVRep.DLL : 6.31.01.140 1290280 18.08.2005 12:52:40
INETUPD.EXE : 6.31.00.02 249915 29.04.2005 08:07:14
INETUPD.DLL : 6.31.00.02 143360 29.04.2005 08:07:14
CTL3D32.DLL : 2.31.000 27136 28.08.2001 14:00:00
MFC42.DLL : 6.00.8665.0 995383 28.08.2001 14:00:00
MSVCRT.DLL : 7.0.2600.1106 (xpsp1.020828-1920
MSVCRT.DLL : 7.0.2600.1106 323072 29.08.2002 11:44:52
CTL3DV2.DLL : No information

Configuration file:

Name of configuration file: C:\Program Files\AVPersonal\AVWIN.INI
Name of report file: C:\Program Files\AVPersonal\LOGFILES\AVWIN.LOG
Start path: C:\Program Files\AVPersonal
Command line:
Start mode: unknown

Mode of report file:
[ ] Do not create report
[X] Overwrite report
[ ] Append new report

Data in report file:
[X] Infected files
[ ] Infected files with paths
[ ] All scanned files
[ ] Full information

Abridge report file:
[ ] Abridge report file

Warnings in report:
[X] Access denied/file locked
[X] Wrong file size in directory
[X] Wrong creation time in directory
[ ] COM file is too large
[X] Invalid start address
[X] Invalid EXE header
[X] Possibly damaged

Summary report:
[X] Create summary report
Output file: AVWIN.ACT
Maximum number of entries: 100

Where to search:
[X] Memory
[X] Boot record of selected drives
[ ] Report unknown boot sectors
[ ] All files
[X] Program files
Extensions: .386 .?HT* .ACM .ADE .ADP .ANI .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CRT .CSH .DLL .DLO .DO? .DRV .EMF .EML .EXE* .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .ZIP

Response in case of a detection:
[X] Repair with prompt
[ ] Repair without prompt
[ ] Delete with prompt
[ ] Delete without prompt
[ ] Write in report file only
[X] Acoustic alarm

Response in case of destroyed files:
[X] Delete with prompt
[ ] Delete without prompt
[ ] Ignore

Response in case of destroyed files:
[X] No change
[ ] Current system time
[ ] Correct date

Drag&drop settings:
[X] Scan subdirectories

Profile settings:
[X] Scan subdirectories

Archive options
[X] Search archive
[X] All archive types

Miscellaneous options:
Temporary path: %TEMP% -> C:\Program Files\AVPersonal\BUILD.DAT
[X] Overwrite infected files
[ ] Detect idle time
[X] Allow interruptions of scan
[X] Load AVWin®/NT Guard on System start

General settings:
[X] Save options on exiting AntiVir
Priority: medium

Drives:
A: Floppy drive
C: Hard disk
D: CD-ROM
E: CD-ROM
F: Hard disk

Start of scan: dimanche 28 août 2005 16:30

Memory test OK
Master boot record of hard disk HD0 OK
Master boot record of hard disk HD1 OK
Boot record of drive C: OK
Boot record of drive F: OK


C:\
hiberfil.sys
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
pagefile.sys
Access denied! Error during file opening!
This is a Windows swap file. This file is locked by Windows.
Error code: 0x000D
WARNING! Access error/file locked!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
AlexaRelated.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
CoolWWWSearch.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
DSOExploit.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
DSOExploit1.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
DSOExploit2.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
DyFuCA.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
FindSpyA.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
FindSpyA1.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechISTbar.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechISTbar1.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechISTbar2.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechISTsvc.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechISTsvc1.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechPowerScan.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechYSB.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechYSB1.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechYSB2.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
ISearchTechYSB3.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
Wareout.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
C:\Program Files\GrabIt\Download\alt.binaries.dvd.french
dvdfr18296.part004.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part005.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part006.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part007.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part008.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part009.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part010.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part011.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part012.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part013.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part014.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part015.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part016.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part017.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part018.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part019.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part020.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part021.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part022.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part023.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part024.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part025.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part026.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part027.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part028.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part029.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part030.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part031.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part032.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part033.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part034.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part035.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part036.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part037.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part038.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part039.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part040.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part041.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part042.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part043.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part044.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part045.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part046.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part047.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part048.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part049.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part050.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part051.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part052.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part053.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part054.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part055.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part056.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part057.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part058.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part059.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part060.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part061.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part062.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part063.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part064.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part065.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part066.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part067.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part068.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part069.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part070.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part071.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part072.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part073.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part074.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part075.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part076.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part077.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part078.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part079.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part080.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part081.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part082.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part083.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part084.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part085.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part086.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part087.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part088.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part089.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part094.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part096.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part097.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part098.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part099.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part100.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part101.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part102.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part103.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part104.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part105.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part106.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part107.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part108.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part109.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part110.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part111.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part112.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part113.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part114.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part115.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part116.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part117.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part118.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part119.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part120.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part121.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part122.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part123.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part124.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part125.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part126.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part127.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part128.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part129.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part130.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part131.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part132.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part133.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part134.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part135.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part136.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part137.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part138.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
dvdfr18296.part139.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
C:\Program Files\GrabIt\Download\alt.binaries.dvd.french\Danny the dog
dtd-mt.rar
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
C:\Program Files\l2mfix\l2mfix
Process.exe
The file contains signature of the SPR/Processor.20 program and was suppressed by the user.
C:\Program Files\WinRAR
rarnew.dat
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
Error! Could not change directory: System Volume Information
C:\WINDOWS\SoftwareDistribution\EventCache
{E963AD3A-A243-4C4D-94F3-58D1AD697BFF}.bin
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
C:\WINDOWS\system32\config
default
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SAM
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SECURITY
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
software
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
system
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
C:\WINDOWS\Temp
ZLT04f4c.TMP
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!


Error! Could not change directory: System Volume Information
F:\Utilitaires à graver\Antivirus\LM2 Fix
l2mfix.exe
ArchiveType: ZIP SFX (self extracting)
--> l2mfix\Process.exe
The file contains signature of the SPR/Processor.20 program and was suppressed by the user.
F:\Utilitaires à graver\Images, son et vidéos\Codec & Rip\utilitaire divx Martial\codecs
MUSKCodec3vf.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
F:\Utilitaires à graver\Images, son et vidéos\Codec & Rip\utilitaire divx Martial\lecteurs\zoomplayer pro
ZPro.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
F:\Utilitaires à graver\Images, son et vidéos\MP3\mp3 cd converter
MP3 CD Converter.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
F:\Utilitaires à graver\logiciel de compression\winrar 311
Patch_WR3fr.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected



End of scan: dimanche 28 août 2005 17:03
Time taken: 33:22 min


4995 directories were scanned
59896 files were scanned
9 warning messages were issued
0 files were deleted
0 files were repaired
0 detections
balltrap34 (16241 posts, status: security contributor)
 
 two more detection windows popped up... still about this HCLEAN32.EXE file


Give the path.
Yohan
 
The two windows are identical. One appeared during the AV scan (I think when a program tried to connect to the net), the other appeared as soon as I launched Internet Explorer.
Path:

C:\WINDOWS\SYSTEM32\HCLEAN32.EXE

Is the Trojan horse TR/Qhost.QR
Anonymous user
 
Try this too:

Download FindT here
http://bilder.informationsarchiv.net/Nikitas_Tools/FindT.zip
unzip it and run runme.bat
post the report

Download hclsrch.zip here
http://get.yourfile.net/jh73381.zip
unzip it and run hs.bat
post the report

Post another HijackThis log taken while connected.
balltrap34 (16241 posts, status: security contributor)
 
Just for information, moe, about the .reg: this removes the whole Run key
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
????????
Yohan
 
Balltrap,

NOTE: in order to run findT correctly, I had to copy the autoexec.nt file that was in c:\windows\repair into the c:\windows\system32 directory. Then I ran it, and here is the result.

First, the findT report:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

C:\WINDOWS\RDT.INI
C:\WINDOWS\BALLOON.WAV

Then the hclsrch report:

Report made at 17:39:12,06 on 28/08/2005
Run from C:\Program Files\hclsrch
OS: Microsoft Windows XP [version 5.1.2600]

Registry search ...


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SiSUSBRG REG_SZ C:\WINDOWS\SiSUSBrg.exe
Zone Labs Client REG_SZ "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
Easy-PrintToolBox REG_SZ C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
NeroFilterCheck REG_SZ C:\WINDOWS\system32\NeroCheck.exe
AnyDVD REG_SZ "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
AVGCtrl REG_SZ "C:\Program Files\AVPersonal\AVGNT.EXE" /min
Tau Monitor REG_SZ C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
system REG_SZ

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:58,03,00,00,29,59,61,6d,7e,71,7a,05,53,60,35,50,14,00,00,00
"nidnsdr"=hex:fa,60,00,00,f9,c3,c8,c5,eb,de,ad,e5,8a,af,ba,13,00,00,00
"23naelch"=hex:d6,72,00,00,ab,a4,e7,96,82,f9,cc,c5,d1,e6,ab,d6,14,00,00,00
"aplnsftn"=hex:92,62,00,00,95,9b,5d,a8,b5,43,c7,3e,15,2a,ef,1a,14,00,00,00
"23rtcdaol"=hex:60,5d,00,00,59,52,64,69,76,69,17,5e,47,53,20,35,30,15,00,00,00
"8"=hex:3c,3d,00,00,31,02,0d,0c,28,17,aa,a3,bf,7c,51,4c,14,00,00,00
"9"=hex:3c,3d,00,00,3b,3d,0a,07,15,18,6f,a7,74,69,44,13,00,00,00
"10"=hex:3c,3d,00,00,3f,2d,07,02,1f,15,69,50,bf,7c,51,4c,14,00,00,00
"11"=hex:4f,4a,00,00,22,2f,1e,19,05,00,47,4c,a8,69,22,59,14,00,00,00
"12"=hex:4f,4a,00,00,54,2e,67,10,06,05,78,b0,61,1a,51,13,00,00,00
"13"=hex:4f,4a,00,00,28,5e,10,6f,08,06,7a,7d,a8,69,22,59,14,00,00,00
"14"=hex:73,0b,00,00,4e,4b,7a,75,61,5c,63,68,74,05,0e,35,14,00,00,00
"15"=hex:a8,0b,00,00,8f,91,be,bb,b9,ac,d3,1b,d8,fd,e8,13,00,00,00
"16"=hex:a8,0b,00,00,83,81,ab,b6,a3,a9,dd,c4,03,d0,c5,e0,14,00,00,00
"17"=hex:06,20,00,00,fb,f4,d7,c6,d2,c9,fc,f5,e1,b6,9b,86,14,00,00,00
"18"=hex:06,20,00,00,ed,f7,dc,d9,df,d2,b1,f9,be,a3,8e,13,00,00,00
"19"=hex:06,20,00,00,e1,e7,c9,d4,c1,cf,b3,aa,e1,b6,9b,86,14,00,00,00
"20"=hex:93,29,00,00,6e,6b,5a,55,41,bc,03,08,14,25,ee,15,14,00,00,00
"21"=hex:c7,29,00,00,ac,b6,9f,98,9e,8d,f0,38,f9,e2,c9,13,00,00,00
"22"=hex:c7,29,00,00,a0,a6,88,97,80,8e,f2,e5,20,f1,da,c1,14,00,00,00
"23"=hex:1a,79,00,00,17,e0,23,d2,ce,35,88,81,9d,a2,77,92,14,00,00,00
"24"=hex:1a,79,00,00,19,e3,28,25,cb,3e,4d,85,aa,4f,9a,13,00,00,00
"25"=hex:1a,79,00,00,1d,13,25,20,3d,3b,4f,b6,9d,a2,77,92,14,00,00,00
"26"=hex:e9,42,00,00,c4,d1,f0,e3,ff,ea,d9,d6,c2,93,84,a3,14,00,00,00
"27"=hex:1a,43,00,00,19,e3,28,25,cb,3e,4d,85,aa,4f,9a,13,00,00,00
"28"=hex:1a,43,00,00,1d,13,25,20,3d,3b,4f,b6,9d,a2,77,92,14,00,00,00
"29"=hex:80,26,00,00,7d,7e,49,48,54,53,76,7f,7b,38,1d,08,14,00,00,00
"30"=hex:b5,26,00,00,b2,84,8d,8e,ac,a3,e6,2e,cf,f0,ff,13,00,00,00
"31"=hex:b5,26,00,00,b6,b4,be,85,96,9c,e0,db,36,c7,c8,f7,14,00,00,00
"32"=hex:2c,56,00,00,01,12,3d,3c,38,27,9a,93,8f,4c,41,7c,14,00,00,00
"33"=hex:95,56,00,00,92,64,ad,ae,4c,43,c6,0e,2f,d0,1f,13,00,00,00
"34"=hex:c6,56,00,00,a1,a7,89,94,81,8f,f3,ea,21,f6,db,c6,14,00,00,00
"35"=hex:1c,3b,00,00,11,e2,2d,2c,c8,37,8a,83,9f,5c,71,6c,14,00,00,00
"36"=hex:50,3b,00,00,57,29,66,13,01,04,7b,b3,60,15,50,13,00,00,00
"37"=hex:81,3b,00,00,7a,68,42,59,5a,50,34,2f,7a,3b,1c,0b,14,00,00,00
"38"=hex:c4,1c,00,00,b9,ba,95,84,90,8f,32,3b,27,f4,d9,c4,14,00,00,00
"39"=hex:f8,1c,00,00,ff,c1,ce,cb,e9,dc,a3,eb,88,ad,b8,13,00,00,00
"40"=hex:5e,1d,00,00,59,4f,61,7c,79,77,0b,72,59,1e,33,2e,14,00,00,00
"41"=hex:c0,4d,00,00,bd,be,89,88,94,93,36,3f,3b,f8,dd,c8,14,00,00,00
"42"=hex:f1,4d,00,00,f6,c8,c1,f2,e0,e7,9a,d2,83,b4,b3,13,00,00,00
"43"=hex:26,4e,00,00,01,07,29,34,21,2f,53,4a,81,56,7b,66,14,00,00,00
"44"=hex:b3,5e,00,00,8e,8b,ba,b5,a1,9c,23,28,34,c5,ce,f5,14,00,00,00
"45"=hex:e4,5e,00,00,c3,d5,f2,ff,fd,f0,97,df,9c,81,ac,13,00,00,00
"46"=hex:4d,5f,00,00,2e,5c,16,6d,0e,04,78,63,ae,6f,20,5f,14,00,00,00
"47"=hex:75,10,00,00,48,45,44,77,63,5e,6d,6a,76,07,08,37,14,00,00,00
"48"=hex:a9,10,00,00,8e,90,b9,ba,b8,af,d2,1a,db,fc,eb,13,00,00,00
"49"=hex:de,10,00,00,d9,cf,e1,fc,f9,f7,8b,f2,d9,9e,b3,ae,14,00,00,00
"50"=hex:11,42,00,00,ec,e9,d8,db,c7,c2,81,8e,ea,ab,6c,9b,14,00,00,00
"51"=hex:76,42,00,00,7d,47,4c,49,6f,62,21,69,0e,33,3e,13,00,00,00
"52"=hex:aa,42,00,00,8d,83,b5,b0,ad,ab,df,c6,0d,d2,c7,e2,14,00,00,00
"53"=hex:b3,47,00,00,8e,8b,ba,b5,a1,9c,23,28,34,c5,ce,f5,14,00,00,00
"54"=hex:1b,48,00,00,18,e2,2b,24,ca,39,4c,84,55,4e,65,13,00,00,00
"55"=hex:81,48,00,00,7a,68,42,59,5a,50,34,2f,7a,3b,1c,0b,14,00,00,00
"56"=hex:a9,5d,00,00,84,91,b0,a3,bf,aa,19,16,02,d3,c4,e3,14,00,00,00
"57"=hex:dd,5d,00,00,da,dc,f5,e6,f4,fb,8e,c6,97,88,a7,13,00,00,00
"58"=hex:42,5e,00,00,25,2b,0d,18,05,13,77,6e,a5,7a,5f,4a,14,00,00,00
"59"=hex:8c,00,00,00,61,72,5d,5c,58,47,7a,73,6f,2c,e1,1c,14,00,00,00
"60"=hex:5a,01,00,00,59,23,68,65,0b,7e,0d,45,6a,0f,5a,13,00,00,00
"61"=hex:f3,01,00,00,f4,fa,fc,cb,d4,e2,a6,99,f4,85,8e,b5,14,00,00,00
"62"=hex:f1,77,00,00,cc,c9,f8,fb,e7,e2,e1,ee,ca,8b,8c,bb,14,00,00,00
"63"=hex:56,78,00,00,5d,27,6c,69,0f,02,01,49,6e,13,5e,13,00,00,00
"64"=hex:bb,78,00,00,bc,b2,84,83,9c,9a,ee,d1,3c,fd,d6,cd,14,00,00,00
"65"=hex:29,32,00,00,04,11,30,23,3f,2a,99,96,82,53,44,63,14,00,00,00
"66"=hex:5c,33,00,00,5b,5d,6a,67,75,78,0f,47,14,09,24,13,00,00,00
"67"=hex:8d,35,00,00,6e,9c,56,ad,4e,44,38,23,6e,2f,e0,1f,14,00,00,00
"68"=hex:1d,0b,00,00,10,1d,2c,2f,cb,36,95,82,9e,5f,70,6f,14,00,00,00
"69"=hex:83,0b,00,00,60,7a,53,5c,52,51,34,7c,3d,26,0d,13,00,00,00
"70"=hex:eb,0b,00,00,cc,c2,f4,f3,ec,ea,9e,81,cc,8d,86,bd,14,00,00,00
"71"=hex:3d,7a,00,00,30,3d,0c,0f,2b,16,b5,a2,be,7f,50,4f,14,00,00,00
"72"=hex:d4,7a,00,00,d3,a5,e2,ef,8d,80,87,cf,ec,91,dc,13,00,00,00
"73"=hex:6d,7b,00,00,4e,7c,76,4d,6e,64,18,03,4e,0f,00,3f,14,00,00,00
"74"=hex:61,22,00,00,5c,59,68,6b,77,72,51,5e,5a,1b,3c,2b,14,00,00,00
"75"=hex:c6,22,00,00,ad,b7,9c,99,9f,92,f1,39,fe,e3,ce,13,00,00,00
"76"=hex:60,23,00,00,5b,49,63,7e,7b,71,15,0c,5b,18,3d,28,14,00,00,00
"77"=hex:cd,66,00,00,a0,ad,9c,9f,9b,86,c5,32,2e,ef,a0,df,14,00,00,00
"78"=hex:67,67,00,00,4c,56,7f,78,7e,6d,10,58,19,02,29,13,00,00,00
"79"=hex:cc,67,00,00,af,dd,97,92,8f,85,f9,e0,2f,ec,a1,dc,14,00,00,00
"80"=hex:11,58,00,00,ec,e9,d8,db,c7,c2,81,8e,ea,ab,6c,9b,14,00,00,00
"81"=hex:a7,58,00,00,8c,96,bf,b8,be,ad,d0,18,d9,c2,e9,13,00,00,00
"82"=hex:41,59,00,00,3a,28,02,19,1a,10,74,6f,ba,7b,5c,4b,14,00,00,00
"83"=hex:70,17,00,00,4d,4e,79,78,64,63,66,6f,4b,08,0d,38,14,00,00,00
"84"=hex:3e,18,00,00,25,3f,14,01,17,1a,69,a1,76,6b,46,13,00,00,00
"85"=hex:08,19,00,00,e3,e1,cb,d6,c3,c9,bd,a4,e3,b0,65,80,14,00,00,00
"86"=hex:62,7e,00,00,5f,58,6b,6a,76,6d,50,59,45,1a,3f,2a,14,00,00,00
"87"=hex:95,7f,00,00,92,64,ad,ae,4c,43,c6,0e,2f,d0,1f,13,00,00,00
"88"=hex:f9,00,00,00,f2,f0,fa,c1,d2,d8,ac,97,f2,83,94,b3,14,00,00,00
"89"=hex:78,6d,00,00,75,46,41,70,6c,5b,6e,67,73,00,15,30,14,00,00,00
"90"=hex:42,6e,00,00,21,3b,10,1d,13,16,75,bd,72,67,42,13,00,00,00
"91"=hex:10,6f,00,00,eb,19,d3,2e,cb,c1,45,bc,eb,a8,6d,98,14,00,00,00
"yqamd"=hex:26,3e,00,00,1f,0e,22,3a,2a,e9,4e,53,5e,11,00,00,00
"92"=hex:a5,50,00,00,98,95,b4,a7,b3,ae,1d,1a,06,d7,f8,e7,14,00,00,00
"93"=hex:73,51,00,00,70,4a,43,4c,62,61,24,6c,0d,36,3d,13,00,00,00
"94"=hex:3e,52,00,00,39,2f,01,1c,19,17,6b,52,b9,7e,53,4e,14,00,00,00
"95"=hex:b9,0e,00,00,b4,81,80,b3,af,9a,29,26,32,c3,d4,f3,14,00,00,00
"96"=hex:b7,10,00,00,bc,86,8f,88,ae,9d,e0,28,c9,f2,f9,13,00,00,00
"97"=hex:4e,13,00,00,29,5f,11,6c,09,07,7b,62,a9,6e,23,5e,14,00,00,00
"98"=hex:5c,4e,00,00,51,22,6d,6c,08,77,4a,43,5f,1c,31,2c,14,00,00,00
"99"=hex:f4,4f,00,00,f3,c5,c2,cf,ed,e0,a7,ef,8c,b1,bc,13,00,00,00
"100"=hex:bd,51,00,00,be,ac,86,9d,9e,94,e8,d3,3e,ff,d0,cf,14,00,00,00
"101"=hex:42,27,00,00,3f,38,0b,0a,16,0d,b0,b9,a5,7a,5f,4a,14,00,00,00
"102"=hex:74,29,00,00,73,45,42,4f,6d,60,27,6f,0c,31,3c,13,00,00,00
"103"=hex:40,2b,00,00,3b,29,03,1e,1b,11,75,6c,bb,78,5d,48,14,00,00,00
"104"=hex:9b,02,00,00,96,63,a2,ad,49,b4,0b,00,1c,dd,f6,ed,14,00,00,00
"105"=hex:ca,06,00,00,a9,b3,98,95,9b,8e,fd,35,fa,9f,ca,13,00,00,00
"106"=hex:93,08,00,00,94,9a,5c,ab,b4,42,c6,39,14,25,ee,15,14,00,00,00
"107"=hex:5b,24,00,00,56,23,62,6d,09,74,4b,40,5c,1d,36,2d,14,00,00,00
"108"=hex:58,26,00,00,5f,21,6e,6b,09,7c,03,4b,68,0d,58,13,00,00,00
"109"=hex:f0,2a,00,00,cb,f9,f3,ce,eb,e1,a5,9c,cb,88,8d,b8,14,00,00,00
"110"=hex:20,33,00,00,1d,1e,29,28,34,33,96,9f,9b,58,7d,68,14,00,00,00
"111"=hex:53,34,00,00,50,2a,63,6c,02,01,04,4c,6d,16,5d,13,00,00,00
"112"=hex:1c,36,00,00,1f,0d,27,22,3f,35,49,b0,9f,5c,71,6c,14,00,00,00
"113"=hex:10,08,00,00,ed,ee,d9,d8,c4,c3,86,8f,eb,a8,6d,98,14,00,00,00
"114"=hex:a7,0a,00,00,8c,96,bf,b8,be,ad,d0,18,d9,c2,e9,13,00,00,00
"115"=hex:0b,0f,00,00,ec,e2,d4,d3,cc,ca,be,a1,ec,ad,66,9d,14,00,00,00
"116"=hex:af,7a,00,00,82,8f,be,b9,a5,a0,27,2c,08,c9,c2,f9,14,00,00,00
"117"=hex:e0,7c,00,00,c7,d9,f6,e3,f1,f4,8b,c3,90,85,a0,13,00,00,00
"118"=hex:dd,7f,00,00,de,cc,e6,fd,fe,f4,88,f3,de,9f,b0,af,14,00,00,00
"119"=hex:38,7b,00,00,35,06,01,30,2c,1b,ae,a7,b3,40,55,70,14,00,00,00
"120"=hex:9d,7d,00,00,9a,9c,b5,a6,b4,bb,ce,06,d7,c8,e7,13,00,00,00
"121"=hex:34,00,00,00,37,35,3f,0a,17,1d,61,58,b7,44,49,74,14,00,00,00
"122"=hex:fc,16,00,00,f1,c2,cd,cc,e8,d7,ea,e3,ff,bc,91,8c,14,00,00,00
"123"=hex:93,19,00,00,90,6a,a3,ac,42,41,c4,0c,2d,d6,1d,13,00,00,00
"124"=hex:f9,1b,00,00,f2,f0,fa,c1,d2,d8,ac,97,f2,83,94,b3,14,00,00,00
"125"=hex:c2,03,00,00,bf,b8,8b,8a,96,8d,30,39,25,fa,df,ca,14,00,00,00
"126"=hex:26,05,00,00,0d,17,3c,39,3f,32,51,99,5e,43,6e,13,00,00,00
"127"=hex:8d,06,00,00,6e,9c,56,ad,4e,44,38,23,6e,2f,e0,1f,14,00,00,00
"128"=hex:ac,47,00,00,81,92,bd,bc,b8,a7,1a,13,0f,cc,c1,fc,14,00,00,00
"129"=hex:44,49,00,00,23,35,12,1f,1d,10,77,bf,7c,61,4c,13,00,00,00
"130"=hex:dc,4a,00,00,df,cd,e7,e2,ff,f5,89,f0,df,9c,b1,ac,14,00,00,00
"131"=hex:ab,4c,00,00,86,93,b2,bd,b9,a4,1b,10,0c,cd,c6,fd,14,00,00,00
"132"=hex:43,4e,00,00,20,3a,13,1c,12,11,74,bc,7d,66,4d,13,00,00,00
"133"=hex:d9,51,00,00,d2,d0,9a,e1,f2,f8,8c,f7,d2,e3,b4,d3,14,00,00,00
"134"=hex:ba,0c,00,00,b7,80,83,b2,ae,95,28,21,3d,c2,d7,f2,14,00,00,00
"135"=hex:20,0f,00,00,07,19,36,23,31,34,4b,83,50,45,60,13,00,00,00
"136"=hex:ea,10,00,00,cd,c3,f5,f0,ed,eb,9f,86,cd,92,87,a2,14,00,00,00
"137"=hex:d1,0a,00,00,ac,a9,98,9b,87,82,c1,ce,2a,eb,ac,db,14,00,00,00
"138"=hex:02,0d,00,00,e1,fb,d0,dd,d3,d6,b5,fd,b2,a7,82,13,00,00,00
"139"=hex:54,73,00,00,57,55,1f,6a,77,7d,01,78,57,64,29,54,14,00,00,00


Searching Internet Explorer folder...

Volume in drive C has no label.
Volume Serial Number is CCE8-7B91

Directory of C:\Program Files\Internet Explorer

29/08/2002 11:45 91 136 iexplore.exe
1 File(s) 91 136 bytes
0 Dir(s) 30 672 687 104 bytes free

Checking for hclean32.exe...
not found...


Finally, a hijack done while connected:


Logfile of HijackThis v1.99.1
Scan saved at 17:40:45, on 28/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\MulMouse.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\OSD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\AVPersonal\GUARDGUI.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVPersonal\GUARDGUI.EXE
C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Ahead\nero\nero.exe
C:\WINDOWS\System32\imapi.exe
C:\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Activer l'ensemble clavier et souris sans fil Labtec.lnk = C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114460605218
O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Good luck!
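Added example, not from any post in this thread: two checks a responder would run over the report above, written in Python for this page. First, the value names under the ruins key read backwards spell file names: "23naelch" is hclean32 and "nidnsdr" is rdsndin, the two files named by the AV alerts in this thread (the hex data is left undecoded, since nothing on the page says what it encodes). Second, the O17 lines show both the current control set (CCS) and CS1 pointing DNS at 69.50.176.158 and 85.255.112.8, which is the setting to examine when a DNS-hijacking trojan is suspected, because it survives a reboot into the other control set. The script's inputs are lines copied from the hclsrch export and the HijackThis log above; EXPECTED_RESOLVERS is a hypothetical placeholder that must be replaced with the addresses the ISP actually assigns.

```python
import re

# Excerpt copied from the hclsrch registry export posted above (only a few of the
# numeric-named values are kept; the data is not decoded).
REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:58,03,00,00,29,59,61,6d,7e,71,7a,05,53,60,35,50,14,00,00,00
"nidnsdr"=hex:fa,60,00,00,f9,c3,c8,c5,eb,de,ad,e5,8a,af,ba,13,00,00,00
"23naelch"=hex:d6,72,00,00,ab,a4,e7,96,82,f9,cc,c5,d1,e6,ab,d6,14,00,00,00
"aplnsftn"=hex:92,62,00,00,95,9b,5d,a8,b5,43,c7,3e,15,2a,ef,1a,14,00,00,00
"23rtcdaol"=hex:60,5d,00,00,59,52,64,69,76,69,17,5e,47,53,20,35,30,15,00,00,00
"8"=hex:3c,3d,00,00,31,02,0d,0c,28,17,aa,a3,bf,7c,51,4c,14,00,00,00
"yqamd"=hex:26,3e,00,00,1f,0e,22,3a,2a,e9,4e,53,5e,11,00,00,00
'''

# Lines copied from the HijackThis log posted above.
HJT_LINES = [
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8',
    r'O17 - HKLM\System\CS1\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8',
]

# File names the AV alerts in this thread reported (hclean32.exe and rdsndin.exe).
DETECTED_NAMES = {"hclean32", "rdsndin"}

# Assumption (hypothetical placeholder): the resolvers this machine is supposed to use.
# Replace with the addresses the ISP actually assigns before relying on the result.
EXPECTED_RESOLVERS = {"192.168.1.1"}

VALUE_RE = re.compile(r'^"([^"]+)"=hex:([0-9a-fA-F,]+)$')
O17_RE = re.compile(r'^O17 - (.+?): NameServer = (.+)$')


def registry_value_names(reg_text):
    """Value names found on the "name"=hex:... lines of a .reg export."""
    names = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def reversed_names(reg_text):
    """Map each non-numeric value name to the same name read backwards."""
    return {n: n[::-1] for n in registry_value_names(reg_text) if not n.isdigit()}


def matching_detections(reg_text, known=DETECTED_NAMES):
    """Value names whose reversal is one of the file names the AV flagged."""
    return {n: r for n, r in reversed_names(reg_text).items() if r in known}


def o17_nameservers(lines):
    """(registry path, [resolver, ...]) for every O17 NameServer line in a HijackThis log."""
    found = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            ips = [ip.strip() for ip in m.group(2).split(',') if ip.strip()]
            found.append((m.group(1), ips))
    return found


def rogue_nameservers(lines, expected=EXPECTED_RESOLVERS):
    """Resolvers configured in any control set that are not on the expected list."""
    return sorted({ip for _, ips in o17_nameservers(lines) for ip in ips if ip not in expected})


if __name__ == "__main__":
    for name, rev in matching_detections(REG_EXPORT).items():
        print(f'{name!r} reversed is {rev} -> matches an AV detection')
    for path, ips in o17_nameservers(HJT_LINES):
        print(path, '->', ', '.join(ips))
    print('resolvers to investigate:', rogue_nameservers(HJT_LINES))
```

The reversal check is deliberately dumb: it only reports names that match something already detected, so it confirms the ruins key belongs to the same infection without guessing at the other entries. The O17 check lists every interface GUID and control set separately, because a fix that only corrects the current control set leaves CS1 ready to restore the rogue resolvers.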
Anonymous user
 
personally I don't have that key, and it's in other regs

was I a bit hasty?