HCLEAN32.EXE problem - Help! - HijackThis log analysis

Yohan -
balltrap34 (16241 posts, Security contributor) -
Hello everyone,

I am asking for your help because for a few days now I have been fighting a recurring anomaly.
I have read the various discussions on this subject in the forum and applied the remedies - nothing doing.

Anomaly:
Norton detects a trojan in the file c:\windows\system32\hclean32.exe. On checking, this file does not exist!
Moreover, Antivir detects a trojan in the file rdsndin.exe.

I have run SPYBOT, AD-AWARE, TAUSCAN, NORTON AV, ANTIVIR.
Nothing doing.

So I am passing you the HijackThis log, hoping that someone can help me.

Waiting to hear from you. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 09:48:13, on 25/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\looknstop\_looknstop.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\MulMouse.exe
C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
C:\Program Files\Ensemble clavier et souris sans fil Labtec\OSD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm66.exe
C:\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C7DBAF37-8D7C-D325-6FC4-EED2460373FB} - _ctcp.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\YOHAN&~1\LOCALS~1\Temp\bundle_cdt1006.exe run
O4 - HKLM\..\Run: [MSTCPDLL] SYSTRAV.exe
O4 - HKLM\..\Run: [Brong32] SYSTRAV.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Dest068] MON76234.exe
O4 - HKCU\..\Run: [systemdll] xxtoolbar.exe
O4 - HKCU\..\Run: [NsCplTray] nmdllw.exe
O4 - Global Startup: Activer l'ensemble clavier et souris sans fil Labtec.lnk = C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114460605218
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFBDDBD5-77CA-414F-B77B-7AA99DDEC6B7}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

45 replies

  1. Anonymous user
     
    Hello,

    Method to follow, in this order...

    ****
    You have several programs running in the background that cause slowdowns, sluggishness and crashes:

    You have 2 antivirus programs on your PC:
    Norton
    Antivir
    Uninstall one of them, preferably Norton!

    You have 2 firewalls on your PC:
    Look 'n' Stop
    ZoneAlarm
    Uninstall one of them, preferably Look 'n' Stop

    But of course you are free to keep whichever one you are most comfortable with; I am at ease with the antivirus and firewall I have, it is up to you according to your taste.
    ----------------------------------------------------------------------------
    ¤Download these programs but do not use them yet:

    1/Spybot S&D 1.4 <<new version
    http://www.safer-networking.org/fr/index.html

    Usage demo (thanks to Balltrap34 for making it)
    http://pageperso.aol.fr/Balltrap34/demo%20spybot.htm

    2/Ad-Aware SE 1.06 <<new version
    http://www.lavasoftusa.com/software/adaware/
    -Help:
    http://www.tutopat.com/viewtopic.php?t=1191
    - install the French language patch, which you can find here:
    http://download.lavasoft.de.edgesuite.net/public/pllangs.exe
    and a short usage video here: (thanks to Moe31 for making it)
    http://pageperso.aol.fr/balltrap34/adawrevid.asf

    3/Clean Up 40:
    http://pageperso.aol.fr/balltrap34/CleanUp40.exe
    -illustrated help: (thanks to Balltrap34)
    http://pageperso.aol.fr/balltrap34/democleanup.htm
    ----------------------------------------------------------------------------
    ¤Boot into Safe Mode:
    To do this, tap the F8 key repeatedly from the moment the PC starts powering up, without stopping.
    A menu will open; use the keyboard arrows to move to "Safe Mode" and press Enter.
    Once on the desktop, if the colours and so on are not all there, that is normal!
    (If F8 does not work, use the F5 key)
    ----------------------------------------------------------------------------
    ¤Show all files and folders:
    Click Start/Control Panel/Tools/Folder Options/View

    Check "Show hidden files and folders"

    Uncheck "Hide protected operating system files (recommended)"

    Uncheck "Hide extensions for known file types"
    Then click "OK" to confirm the changes.

    And Apply!
    ----------------------------------------------------------------------------
    ¤Empty your temp files and Temporary Internet Files:
    use this to do it (you downloaded it earlier)
    http://pageperso.aol.fr/balltrap34/CleanUp40.exe
    ----------------------------------------------------------------------------
    ¤Run HijackThis again, tick the boxes in front of these lines and then click Fix checked:

    R3 - URLSearchHook: (no name) - {C7DBAF37-8D7C-D325-6FC4-EED2460373FB} - _ctcp.dll (file missing)

    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

    If you have uninstalled Look 'n' Stop, fix this one
    O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\looknstop\looknstop.exe" -auto

    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

    O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe

    O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\YOHAN&~1\LOCALS~1\Temp\bundle_cdt1006.exe run

    O4 - HKLM\..\Run: [MSTCPDLL] SYSTRAV.exe

    O4 - HKLM\..\Run: [Brong32] SYSTRAV.exe

    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

    O4 - HKCU\..\Run: [Dest068] MON76234.exe

    O4 - HKCU\..\Run: [systemdll] xxtoolbar.exe

    O4 - HKCU\..\Run: [NsCplTray] nmdllw.exe

    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

    O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

    ----------------------------------------------------------------------------
    ¤Search for and delete these:
    careful, only the files (if present)

    C:\Program Files\looknstop <--only if you have uninstalled it
    C:\Program Files\Media Access
    c:\program files\180searchassistant
    SYSTRAV.exe
    C:\Program Files\WareOut
    MON76234.exe
    xxtoolbar.exe
    nmdllw.exe

    ----------------------------------------------------------------------------
    ¤ Run Ad-Aware and remove everything it finds
    ----------------------------------------------------------------------------
    ¤ Run Spybot and remove everything it finds
    ----------------------------------------------------------------------------
    > Empty your Recycle Bin, reboot in normal mode and run HijackThis again

    Tell me what problems remain, if any....

    Keep me posted

    Bye
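The fix list above applies a few recognisable triage heuristics to the log: registered components whose file is missing, Run values that name a bare file with no path, and ActiveX (O16) packages pulled from non-Microsoft hosts. As an added example that is not part of the thread, the Python script below runs those same checks over an excerpt of the log posted at the top, and also reports the O17 NameServer entries, which the thread never discusses even though such an entry replaces the ISP's DNS for every lookup; the trusted-host suffix list and the expected-DNS set are assumptions for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: an excerpt of the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {C7DBAF37-8D7C-D325-6FC4-EED2460373FB} - _ctcp.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSTCPDLL] SYSTRAV.exe
O4 - HKCU\..\Run: [Dest068] MON76234.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114460605218
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
"""

# Assumption for this example: ActiveX (O16 DPF) packages from these domains are expected.
TRUSTED_DPF_SUFFIXES = ("microsoft.com",)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why the entry deserves a look
    line: str     # the log line itself


_O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
_O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \([^)]*\) - (?P<url>\S+)$")
_O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[\d.,]+)$")


def is_bare_filename(cmd: str) -> bool:
    """True when a Run value names a file with no drive or directory (e.g. SYSTRAV.exe).
    Windows resolves such a name through the search path, so the log line alone does
    not tell you where the binary lives; legitimate installers almost always write
    a full path."""
    exe = cmd.strip().lstrip('"').split('"')[0]  # drop a quoted path's closing quote and arguments
    exe = exe.split()[0] if exe.split() else ""   # first token of an unquoted command
    return bool(exe) and "\\" not in exe and ":" not in exe


def host_is_trusted(host: str, suffixes=TRUSTED_DPF_SUFFIXES) -> bool:
    """Exact or subdomain match against the trusted suffix list (no substring matches)."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyze(log: str, expected_dns: frozenset = frozenset()) -> list:
    """Return the entries of a HijackThis log that match the triage heuristics above.
    expected_dns: the name servers this machine should be using (assumed input);
    with the default empty set every O17 entry is reported so that the reader
    verifies it against the ISP's servers."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        # R3/O2/O3: a hook, BHO or toolbar still registered although its file is gone
        if section in ("R3", "O2", "O3") and ("(file missing)" in line or "(no file)" in line):
            findings.append(Finding(section, "registered component with no file on disk", line))
            continue
        m = _O4_RE.match(line)
        if m and is_bare_filename(m.group("cmd")):
            findings.append(Finding("O4", "autorun value is a bare filename with no path", line))
            continue
        m = _O16_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if not host_is_trusted(host):
                findings.append(Finding("O16", f"ActiveX package from untrusted host {host}", line))
            continue
        m = _O17_RE.match(line)
        if m:
            unexpected = [s for s in m.group("servers").split(",") if s and s not in expected_dns]
            if unexpected:
                findings.append(Finding("O17", "DNS override to unexpected server(s): " + ",".join(unexpected), line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full log, the same script also flags the ysbweb.com and xxxtoolbar.com O16 entries and the three bare-filename Run values the helper listed, plus the two O17 entries that share the same pair of name servers.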
    1. Yohan
       
      Regis, thank you for your reply.

      I followed your instructions to the letter, which took some time.
      Recap:
      - I uninstalled Norton and Look 'n' Stop.
      - I booted into safe mode and ran in turn Clean Up 40, which wiped all the temp files, Ad-Aware, which detected nothing suspicious, and finally Spybot, which wiped 18 anomalies.
      - I rebooted in normal mode and, as soon as Windows started, Antivir detected the same problem Norton had before, namely a trojan in the file C:\windows\system32\hclean32.exe. This trojan is TR/QHOST.QR.
      A similar detection window opens as soon as I launch Internet Explorer.
      In parallel, Windows opens a window reporting a problem, with the buttons "Send error report" and "Don't send". If I click either one, all my internet windows are closed automatically.

      Regarding HijackThis, I removed the lines you pointed out to me, though some of them did not exist.
      I ran another one, which I am passing on below.

      If you have any idea what the problem is.

      In any case, thanks in advance... YOHAN

      Logfile of HijackThis v1.99.1
      Scan saved at 22:11:32, on 25/08/2005
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\AVPersonal\AVGUARD.EXE
      C:\Program Files\AVPersonal\AVWUPSRV.EXE
      C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      C:\Program Files\AVPersonal\AVGNT.EXE
      C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\System32\msiexec.exe
      C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
      C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
      C:\Program Files\Ensemble clavier et souris sans fil Labtec\MulMouse.exe
      C:\Program Files\Ensemble clavier et souris sans fil Labtec\OSD.EXE
      C:\WINDOWS\System32\dwwin.exe
      C:\Program Files\AVPersonal\GUARDGUI.EXE
      C:\WINDOWS\System32\wuauclt.exe
      C:\WINDOWS\System32\wbem\wmiprvse.exe
      C:\WINDOWS\System32\wuauclt.exe
      C:\hijack\hijackthis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
      O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
      O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
      O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
      O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - Global Startup: Activer l'ensemble clavier et souris sans fil Labtec.lnk = C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
      O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
      O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
      O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
      O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114460605218
      O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
      O17 - HKLM\System\CCS\Services\Tcpip\..\{CFBDDBD5-77CA-414F-B77B-7AA99DDEC6B7}: NameServer = 69.50.176.158,85.255.112.8
      O17 - HKLM\System\CS1\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
      O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
      O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
      O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  2. Anonymous user
     
    re
    ¤Show all files and folders:
    Click Start/Control Panel/Tools/Folder Options/View

    Check "Show hidden files and folders"

    Uncheck "Hide protected operating system files (recommended)"

    Uncheck "Hide extensions for known file types"
    Then click "OK" to confirm the changes.

    And Apply!
    ----------------------------------------------------------------------------
    Delete
    C:\windows\system32\hclean32.exe

    Bye
    1. Yohan
       
      Regis,

      I have indeed shown all system folders and all hidden folders and files... nothing doing. The file HCLEAN32.EXE cannot be found on my machine.
      I have not rebooted since last night and the ANTIVIR windows are still open.

      Bye, thanks
      Yohan
    2. Yohan
       
      Hi Regis,

      Allow me to follow up on my problem with HCLEAN32.exe.
      As I said in my previous message, there is something more than strange here: the file Hclean32.Exe does not exist in system32. Yet I have shown all hidden files and all system directories. Explorer's search option does not find it either.
      Thanks for your help.
      If you need a HijackThis log, let me know.

      See you soon
      Yohan
  3. Anonymous user
     
    Hi,
    Try this to find it:
    http://www.01net.com/telecharger/windows/Utilitaire/cryptage_et_securite/fiches/23822.html

    Usage demo here (thanks to Balltrap34 for making it)
    http://pageperso.aol.fr/balltrap34/demochaos.swf

    Bye
    1. Yohan
       
      Regis,

      Thanks for your reply, but none of the telecharger.com links are valid (not even the official site).
      Do you have another address where I can get it?
      Do you know of another similar program?

      Bye
      Yohan
  4. Anonymous user
     
    How so?
    it works for me
    1. Yohan
       
      False alarm!
      After several attempts, I got hold of the program.
      I ran it.... no files found!
      I think I am in a real mess.
  6. Anonymous user
     
    Check lol with Chaos Shredder
    C:\windows\system32\hclean32.exe

    have you already tried Killbox?
    1. Yohan
       
      1- Chaos Shredder: nothing to report - no file found

      2- Killbox: in direct deletion, it says the file cannot be deleted. In reboot mode, it will not restart the machine. It says "PendingFileRenameOperations registry data has been removad by external process !"
  7. balltrap34 (16241 posts, Security contributor)
     
    hi Quentin
    doing well?
  8. balltrap34 (16241 posts, Security contributor)
     
    hi, try with the Killbox in safe mode
    1. Yohan
       
      I'm rebooting and will keep you informed
      Back in a moment
  9. Anonymous user
     
    hi balltrap
    so-so
    I have a PC problem, I posted in Hardware if you have time to go and look

    I am looking for solutions, I posted in Miscellaneous by mistake but it is addressed to you, if you have time to give me a hand!
    (to remove what Spybot detects, I have not tried Silent Runners, do you think there is a way?)
  10. balltrap34 (16241 posts, Security contributor)
     
    I'll take a look
    1. Yohan
       
      Balltrap, or Regis,

      I did manage to delete this file in safe mode.
      BUT... as soon as I go back to normal mode and connect, Antivir detects a trojan (Qhost.TR) on this file again.
      I don't understand any of it

      Thanks in advance
  11. balltrap34 (16241 posts, Security contributor)
     
    for Regis, I replied on your post
    for Yohan, at exactly which location does it detect it
    1. Yohan
       
      C:\WINDOWS\SYSTEM32\HCLEAN32.EXE
      But it is invisible

      PS: nice trap-shooting site! excellent photos
  12. Anonymous user
     
    What does Antivir say?? because apparently you have 2 AVs
    1. Yohan
       
      Indeed, I had 2 AVs. I removed NORTON following your earlier advice (my machine does run a bit better since... logically).
      Antivir detects it, and it is Antivir that gave me the name of this trojan.
      Here is a copy of the ANTIVIR window:

      C:\WINDOWS\SYSTEM32\HCLEAN32.EXE

      Is the Trojan horse TR/Qhost.QR


      When I click delete file, it shows this:

      C:\WINDOWS\SYSTEM32\RDSNDIN.EXE

      Is the Trojan horse TR/Click.526


      Or it shows me the first window again.
      If I delete RDSNDIN.EXE, an Iexplorer window appears:

      "iexplore.exe a rencontré un problème et doit fermer. Nous vous prions de nous excuser pour le désagrément encouru."
      whichever button, "send" or "don't send", I click.... all my internet windows are closed immediately.
  13. balltrap34 (16241 posts, Security contributor)
     
    do this
    download this
    http://www.downloads.subratam.org/l2mfix.exe
    unzip it, double-click l2mfix.bat, press any key and then choose option 2

    search for and delete the two files, but make sure of the following so that you can see them
    Show all files and folders:
    click Start/Control Panel/Folder Options/View
    Check show hidden folders

    Uncheck "Hide protected operating system files (recommended)"

    Uncheck hide extensions for known file types
    Then click "OK" to confirm the changes.

    And Apply

    if you cannot see them, use the Killbox notepad method, see the demo
    with these
    C:\WINDOWS\SYSTEM32\HCLEAN32.EXE
    C:\WINDOWS\SYSTEM32\RDSNDIN.EXE

    Kill Box:

    (here) http://www.florensac-chasse-trap.com/ virus section

    demo http://pageperso.aol.fr/balltrap34/killbox.htm

    run a scan here
    BitDefender scan
    http://www.bitdefender.fr
    click on online scan on the left and follow the procedure
    ----------------
    1. Yohan
       
      So I downloaded your program and ran it.
      It rebooted the machine after I confirmed option 2 and produced a report after the restart. Let me know if this report interests you.
      I then ran Killbox with the notepad method (thanks for the demo)
      and it rebooted after I pasted the files and clicked the red cross.
      I am currently running a BitDefender scan and it has about 2h30 to go (estimated time).
      I will give you the answer once it is finished.

      Enjoy your meal and see you later,
      Yohan
  14. balltrap34 (16241 posts, Security contributor)
     
    give me the fix report and also, when you have it, the Defender report
    1. Yohan
       
      Here is the fix report:

      L2Mfix 1.04

      Running From:
      C:\Program Files\l2mfix\l2mfix



      RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
      Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
      This program is Freeware, use it on your own risk!

      Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
      (CI) DENY --C------- BUILTIN\Administrateurs
      (ID-NI) ALLOW Read BUILTIN\Utilisateurs
      (ID-IO) ALLOW Read BUILTIN\Utilisateurs
      (ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
      (ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
      (ID-NI) ALLOW Full access BUILTIN\Administrateurs
      (ID-IO) ALLOW Full access BUILTIN\Administrateurs
      (ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
      (ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
      (ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



      Setting registry permissions:


      RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
      Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
      This program is Freeware, use it on your own risk!


      Denying C(CI) access for predefined group "Administrators"
      - adding new ACCESS DENY entry
      - removing existing ACCESS DENY entry


      Registry Permissions set too:

      RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
      Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
      This program is Freeware, use it on your own risk!

      Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
      (CI) DENY --C------- BUILTIN\Administrateurs
      (ID-NI) ALLOW Read BUILTIN\Utilisateurs
      (ID-IO) ALLOW Read BUILTIN\Utilisateurs
      (ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
      (ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
      (ID-NI) ALLOW Full access BUILTIN\Administrateurs
      (ID-IO) ALLOW Full access BUILTIN\Administrateurs
      (ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
      (ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
      (ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



      Setting up for Reboot


      Starting Reboot!

      C:\Program Files\l2mfix\l2mfix
      System Rebooted!

      Running From:
      C:\Program Files\l2mfix\l2mfix

      killing explorer and rundll32.exe

      Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
      Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
      Killing PID 196 'explorer.exe'
      Killing PID 196 'explorer.exe'

      Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
      Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
      Error, Cannot find a process with an image name of rundll32.exe

      Scanning First Pass. Please Wait!

      First Pass Completed

      Second Pass Scanning

      Second pass Completed!

      Zipping up files for submission:
      adding: clear.reg (212 bytes security) (deflated 2%)
      adding: echo.reg (212 bytes security) (deflated 11%)
      adding: direct.txt (212 bytes security) (deflated 13%)
      adding: lo2.txt (212 bytes security) (deflated 72%)
      adding: readme.txt (212 bytes security) (deflated 52%)
      adding: test.txt (212 bytes security) (stored 0%)
      adding: test2.txt (212 bytes security) (stored 0%)
      adding: test3.txt (212 bytes security) (stored 0%)
      adding: test5.txt (212 bytes security) (stored 0%)
      adding: backregs/notibac.reg (212 bytes security) (deflated 87%)
      adding: backregs/shell.reg (212 bytes security) (deflated 73%)

      Restoring Registry Permissions:


      RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
      Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
      This program is Freeware, use it on your own risk!


      Revoking access for predefined group "Administrators"
      Inherited ACE can not be revoked here!
      Inherited ACE can not be revoked here!


      Registry permissions set too:

      RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
      Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
      This program is Freeware, use it on your own risk!

      Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
      (ID-NI) ALLOW Read BUILTIN\Utilisateurs
      (ID-IO) ALLOW Read BUILTIN\Utilisateurs
      (ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
      (ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
      (ID-NI) ALLOW Full access BUILTIN\Administrateurs
      (ID-IO) ALLOW Full access BUILTIN\Administrateurs
      (ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
      (ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
      (ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE


      Restoring Sedebugprivilege:

      Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

      Restoring Windows Update Certificates.:


      The following Is the Current Export of the Winlogon notify key:
      ****************************************************************************
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
      "Asynchronous"=dword:00000000
      "Impersonate"=dword:00000000
      "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
      6c,00,00,00
      "Logoff"="ChainWlxLogoffEvent"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
      "Asynchronous"=dword:00000000
      "Impersonate"=dword:00000000
      "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
      6c,00,6c,00,00,00
      "Logoff"="CryptnetWlxLogoffEvent"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
      "DLLName"="cscdll.dll"
      "Logon"="WinlogonLogonEvent"
      "Logoff"="WinlogonLogoffEvent"
      "ScreenSaver"="WinlogonScreenSaverEvent"
      "Startup"="WinlogonStartupEvent"
      "Shutdown"="WinlogonShutdownEvent"
      "StartShell"="WinlogonStartShellEvent"
      "Impersonate"=dword:00000000
      "Asynchronous"=dword:00000001

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
      "DLLName"="wlnotify.dll"
      "Logon"="SCardStartCertProp"
      "Logoff"="SCardStopCertProp"
      "Lock"="SCardSuspendCertProp"
      "Unlock"="SCardResumeCertProp"
      "Enabled"=dword:00000001
      "Impersonate"=dword:00000001
      "Asynchronous"=dword:00000001

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
      "Asynchronous"=dword:00000000
      "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00
      "Impersonate"=dword:00000000
      "StartShell"="SchedStartShell"
      "Logoff"="SchedEventLogOff"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
      "Logoff"="WLEventLogoff"
      "Impersonate"=dword:00000000
      "Asynchronous"=dword:00000001
      "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
      "DLLName"="WlNotify.dll"
      "Lock"="SensLockEvent"
      "Logon"="SensLogonEvent"
      "Logoff"="SensLogoffEvent"
      "Safe"=dword:00000001
      "MaxWait"=dword:00000258
      "StartScreenSaver"="SensStartScreenSaverEvent"
      "StopScreenSaver"="SensStopScreenSaverEvent"
      "Startup"="SensStartupEvent"
      "Shutdown"="SensShutdownEvent"
      "StartShell"="SensStartShellEvent"
      "PostShell"="SensPostShellEvent"
      "Disconnect"="SensDisconnectEvent"
      "Reconnect"="SensReconnectEvent"
      "Unlock"="SensUnlockEvent"
      "Impersonate"=dword:00000001
      "Asynchronous"=dword:00000001

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
      "Asynchronous"=dword:00000000
      "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00
      "Impersonate"=dword:00000000
      "Logoff"="TSEventLogoff"
      "Logon"="TSEventLogon"
      "PostShell"="TSEventPostShell"
      "Shutdown"="TSEventShutdown"
      "StartShell"="TSEventStartShell"
      "Startup"="TSEventStartup"
      "MaxWait"=dword:00000258
      "Reconnect"="TSEventReconnect"
      "Disconnect"="TSEventDisconnect"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
      "DLLName"="wlnotify.dll"
      "Logon"="RegisterTicketExpiredNotificationEvent"
      "Logoff"="UnregisterTicketExpiredNotificationEvent"
      "Impersonate"=dword:00000001
      "Asynchronous"=dword:00000001

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
      "DLLName"="wzcdlg.dll"
      "Logon"="WZCEventLogon"
      "Logoff"="WZCEventLogoff"
      "Impersonate"=dword:00000000
      "Asynchronous"=dword:00000000


      The following are the files found:
      ****************************************************************************

      Registry Entries that were Deleted:
      Please verify that the listing looks ok.
      If there was something deleted wrongly there are backups in the backreg folder.
      ****************************************************************************
      REGEDIT4

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
      REGEDIT4

      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
      "SV1"=""
      ****************************************************************************
      Desktop.ini Contents:
      ****************************************************************************
      ****************************************************************************
      

      As for Defender, here is the report:

      BitDefender Online Scanner



      Rapport d'analyse généré à: Sat, Aug 27, 2005 - 20:16:30





      Voie d'analyse: A:\;C:\;D:\;E:\;F:\;







      Statistiques

      Temps
      00:45:26

      Fichiers
      112591

      Directoires
      5029

      Secteurs de boot
      4

      Archives
      1373

      Paquets programmes
      12542




      Résultats

      Virus identifiés
      5

      Fichiers infectés
      7

      Fichiers suspects
      0

      Avertissements
      0

      Désinfectés
      0

      Fichiers effacés
      7




      Info sur les moteurs

      Définition virus
      202863

      Version des moteurs
      AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

      Analyse des plugins
      13

      Archive des plugins
      39

      Unpack des plugins
      4

      E-mail plugins
      6

      Système plugins
      1




      Paramètres d'analyse

      Première action
      Désinfecté

      Seconde Action
      Supprimé

      Heuristique
      Oui

      Acceptez les avertissements
      Oui

      Extensions analysées
      exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

      Excludez les extensions


      Analyse d'emails
      Oui

      Analyse des Archives
      Oui

      Analyser paquets programmes
      Oui

      Analyse des fichiers
      Oui

      Analyse de boot
      Oui




      Fichier analysé
      Statut

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015118.exe
      Infecté par: Joke.Winshoot.A

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015118.exe
      Echec de la désinfection

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015118.exe
      Supprimé

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015135.exe
      Infecté par: Win16.Joke.Delayprank.A

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015135.exe
      Echec de la désinfection

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP148\A0015135.exe
      Supprimé

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP149\A0015184.exe
      Infecté par: Joke.Funny.A

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP149\A0015184.exe
      Echec de la désinfection

      F:\System Volume Information\_restore{86C9FEB8-ECDB-461D-8AAD-FF2E6B9BEC98}\RP149\A0015184.exe
      Supprimé

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll
      Détecté avec: Adware.Navexcel.A

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll
      Echec de la désinfection

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll
      Supprimé

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab
      Echec de la mise à jour

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe
      Détecté avec: Adware.Navexcel.A

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe
      Echec de la désinfection

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe
      Supprimé

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab
      Echec de la mise à jour

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe
      Détecté avec: Adware.Navexcel.A

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe
      Echec de la désinfection

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe
      Supprimé

      F:\Utilitaires à graver\Images, son et vidéos\MP3\wav to mp3\setupwavtomp3.exe=>wise0017=>(ZIP Sfx o)=>v2.0.4a.cab
      Echec de la mise à jour

      F:\Utilitaires à graver\Internet et communication\Telechargement\Imesh V4\iMeshV3.exe=>wise0030
      Détecté avec: Application.Adware.Gator

      F:\Utilitaires à graver\Internet et communication\Telechargement\Imesh V4\iMeshV3.exe=>wise0030
      Echec de la désinfection

      F:\Utilitaires à graver\Internet et communication\Telechargement\Imesh V4\iMeshV3.exe=>wise0030
      Supprimé

      F:\Utilitaires à graver\Internet et communication\Telechargement\Imesh V4\iMeshV3.exe
      Echec de la mise à jour
  15. balltrap34 Posts 16241 Status Security contributor 332
     
    You see, P2P isn't the best.
    Where do things stand with your problems?
    1. Yohan
       
      Hi Balltrap,

      As you can see, I'm getting started early this morning... a flea market is on the agenda.
      To get back to the matter at hand, nothing new since yesterday.
      I'm back at square one. According to BitDefender my PC is still infected (note left at the top of the report window).

      You pointed out to me that P2P is a load of c... Indeed, I stopped quickly. But as you could see, it leaves traces. How can I clean all of this up without formatting?

      I don't really know what to do anymore.
      Did you see anything abnormal in the FIX and DEFENDER reports?
      Do I need to reboot?
      Keep me posted. I'll be back early in the afternoon. Thanks in advance and have a good Sunday.

      Bye - Yohan
  16. balltrap34 Posts 16241 Status Security contributor 332
     
    Hi,
    Defender did some cleaning up.
    What does Norton tell you now?
    1. Yohan
       
      Hi again,

      Defender did indeed do some cleaning up. I'm rebooting right away and running ANTIVIR. I no longer have Norton (uninstalled because it duplicated Antivir).
      I'll let you know the scan results as soon as it's finished.

      Do I need to run anything else, like HijackThis??

      Yohan
  17. balltrap34 Posts 16241 Status Security contributor 332
     
    Not for now, let's see what your AV says.
    1. Yohan
       
      I ran ANTIVIR. Apparently nothing to report... I'm sending you the report below. However, I got two more detection windows popping up... still on that HCLEAN32.EXE file.

      What should I do?

      ANTIVIR report:

      Creation date of the report file: dimanche 28 août 2005 16:30

      AntiVir®/XP (2000 + NT) PersonalEdition Classic
      Build 1047 vom 07.06.2005
      Mainprogram 6.31.00.03 of 10.05.2005
      VDF file 6.31.1.143 (0) of 18.08.2005


      This program is for PERSONAL USE only.
      Any other use is PROHIBITED.
      Informations regarding commercial versions of AntiVir may be obtained from:
      www.hbedv.com.


      Scanning for 204539 virus strains and unwanted programs.

      Licensed for: AntiVir Personal Edition
      Serial number: 0000149996-WURGE-0001

      Please enter the workstation and
      contact name with phone number in this form:

      Name ___________________________________________

      Street ___________________________________________

      Town ___________________________________________

      Phone/Fax ___________________________________________

      Email ___________________________________________

      Platform: Windows NT Workstation
      Windows version: 5.1 Build 2600 (Service Pack 1)
      Username: Yohan & Steph
      Computername: PERRAT
      Processor: Pentium
      Working memory: 523760 KB free

      Version information:
      AVWIN.DLL : 6.31.00.03 561192 10.05.2005 16:50:16
      AVEWIN32.DLL : 6.31.1.0 823808 19.07.2005 17:54:12
      AVGNT.EXE : 6.31.00.01 168039 10.05.2005 16:50:16
      AVGUARD.EXE : 6.31.00.01 238120 29.04.2005 08:07:12
      GUARDMSG.DLL : 6.30.00.02 94248 01.02.2005 11:24:10
      AVGCMSG.DLL : 6.31.00.00 295029 29.04.2005 08:07:16
      AVGNTDW.SYS : 6.31.00.01 32896 29.04.2005 08:07:16
      AVPACK32.DLL : 6.31.00.03 323664 25.05.2005 10:43:02
      AVGETVER.DLL : 6.30.00.00 24576 28.01.2005 18:10:20
      AVWIN.DLL : 6.31.00.03 561192 10.05.2005 16:50:16
      AVSHLEXT.DLL : 6.30.00.01 40960 28.01.2005 18:10:22
      AVSched32.EXE : 6.30.00.00 110632 01.02.2005 11:24:10
      AVSched32.DLL : 6.30.00.00 122880 01.02.2005 11:24:10
      AVREG.DLL : 6.30.00.03 41000 10.02.2005 18:47:48
      AVRep.DLL : 6.31.01.140 1290280 18.08.2005 12:52:40
      INETUPD.EXE : 6.31.00.02 249915 29.04.2005 08:07:14
      INETUPD.DLL : 6.31.00.02 143360 29.04.2005 08:07:14
      CTL3D32.DLL : 2.31.000 27136 28.08.2001 14:00:00
      MFC42.DLL : 6.00.8665.0 995383 28.08.2001 14:00:00
      MSVCRT.DLL : 7.0.2600.1106 (xpsp1.020828-1920
      MSVCRT.DLL : 7.0.2600.1106 323072 29.08.2002 11:44:52
      CTL3DV2.DLL : No information

      Configuration file:

      Name of configuration file: C:\Program Files\AVPersonal\AVWIN.INI
      Name of report file: C:\Program Files\AVPersonal\LOGFILES\AVWIN.LOG
      Start path: C:\Program Files\AVPersonal
      Command line:
      Start mode: unknown

      Mode of report file:
      [ ] Do not create report
      [X] Overwrite report
      [ ] Append new report

      Data in report file:
      [X] Infected files
      [ ] Infected files with paths
      [ ] All scanned files
      [ ] Full information

      Abridge report file:
      [ ] Abridge report file

      Warnings in report:
      [X] Access denied/file locked
      [X] Wrong file size in directory
      [X] Wrong creation time in directory
      [ ] COM file is too large
      [X] Invalid start address
      [X] Invalid EXE header
      [X] Possibly damaged

      Summary report:
      [X] Create summary report
      Output file: AVWIN.ACT
      Maximum number of entries: 100

      Where to search:
      [X] Memory
      [X] Boot record of selected drives
      [ ] Report unknown boot sectors
      [ ] All files
      [X] Program files
      Extensions: .386 .?HT* .ACM .ADE .ADP .ANI .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CRT .CSH .DLL .DLO .DO? .DRV .EMF .EML .EXE* .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .ZIP

      Response in case of a detection:
      [X] Repair with prompt
      [ ] Repair without prompt
      [ ] Delete with prompt
      [ ] Delete without prompt
      [ ] Write in report file only
      [X] Acoustic alarm

      Response in case of destroyed files:
      [X] Delete with prompt
      [ ] Delete without prompt
      [ ] Ignore

      Response in case of destroyed files:
      [X] No change
      [ ] Current system time
      [ ] Correct date

      Drag&drop settings:
      [X] Scan subdirectories

      Profile settings:
      [X] Scan subdirectories

      Archive options
      [X] Search archive
      [X] All archive types

      Miscellaneous options:
      Temporary path: %TEMP% -> C:\Program Files\AVPersonal\BUILD.DAT
      [X] Overwrite infected files
      [ ] Detect idle time
      [X] Allow interruptions of scan
      [X] Load AVWin®/NT Guard on System start

      General settings:
      [X] Save options on exiting AntiVir
      Priority: medium

      Drives:
      A: Floppy drive
      C: Hard disk
      D: CD-ROM
      E: CD-ROM
      F: Hard disk

      Start of scan: dimanche 28 août 2005 16:30

      Memory test OK
      Master boot record of hard disk HD0 OK
      Master boot record of hard disk HD1 OK
      Boot record of drive C: OK
      Boot record of drive F: OK


      C:\
      hiberfil.sys
      Access denied! Error during file opening!
      Error code: 0x000D
      WARNING! Access error/file locked!
      pagefile.sys
      Access denied! Error during file opening!
      This is a Windows swap file. This file is locked by Windows.
      Error code: 0x000D
      WARNING! Access error/file locked!
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
      AlexaRelated.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      CoolWWWSearch.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      DSOExploit.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      DSOExploit1.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      DSOExploit2.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      DyFuCA.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      FindSpyA.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      FindSpyA1.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechISTbar.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechISTbar1.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechISTbar2.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechISTsvc.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechISTsvc1.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechPowerScan.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechYSB.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechYSB1.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechYSB2.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      ISearchTechYSB3.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      Wareout.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      C:\Program Files\GrabIt\Download\alt.binaries.dvd.french
      dvdfr18296.part004.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part005.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part006.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part007.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part008.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part009.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part010.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part011.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part012.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part013.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part014.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part015.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part016.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part017.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part018.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part019.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part020.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part021.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part022.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part023.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part024.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part025.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part026.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part027.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part028.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part029.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part030.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part031.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part032.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part033.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part034.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part035.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part036.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part037.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part038.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part039.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part040.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part041.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part042.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part043.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part044.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part045.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part046.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part047.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part048.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part049.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part050.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part051.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part052.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part053.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part054.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part055.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part056.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part057.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part058.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part059.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part060.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part061.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part062.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part063.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part064.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part065.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part066.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part067.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part068.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part069.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part070.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part071.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part072.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part073.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part074.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part075.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part076.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part077.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part078.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part079.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part080.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part081.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part082.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part083.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part084.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part085.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part086.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part087.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part088.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part089.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part094.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part096.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part097.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part098.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part099.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part100.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part101.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part102.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part103.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part104.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part105.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part106.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part107.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part108.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part109.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part110.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part111.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part112.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part113.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part114.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part115.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part116.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part117.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part118.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part119.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part120.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part121.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part122.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part123.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part124.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part125.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part126.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part127.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part128.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part129.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part130.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part131.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part132.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part133.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part134.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part135.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part136.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part137.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part138.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      dvdfr18296.part139.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      C:\Program Files\GrabIt\Download\alt.binaries.dvd.french\Danny the dog
      dtd-mt.rar
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      C:\Program Files\l2mfix\l2mfix
      Process.exe
      The file contains signature of the SPR/Processor.20 program and was suppressed by the user.
      C:\Program Files\WinRAR
      rarnew.dat
      ArchiveType: RAR
      NOTE! The archive is created by multiple volumes
      Error! Could not change directory: System Volume Information
      C:\WINDOWS\SoftwareDistribution\EventCache
      {E963AD3A-A243-4C4D-94F3-58D1AD697BFF}.bin
      Access denied! Error during file opening!
      Error code: 0x000D
      WARNING! Access error/file locked!
      C:\WINDOWS\system32\config
      default
      Access denied! Error during file opening!
      Error code: 0x000D
      WARNING! Access error/file locked!
      SAM
      Access denied! Error during file opening!
      Error code: 0x000D
      WARNING! Access error/file locked!
      SECURITY
      Access denied! Error during file opening!
      Error code: 0x000D
      WARNING! Access error/file locked!
      software
      Access denied! Error during file opening!
      Error code: 0x000D
      WARNING! Access error/file locked!
      system
      Access denied! Error during file opening!
      Error code: 0x000D
      WARNING! Access error/file locked!
      C:\WINDOWS\Temp
      ZLT04f4c.TMP
      Access denied! Error during file opening!
      Error code: 0x000D
      WARNING! Access error/file locked!


      Error! Could not change directory: System Volume Information
      F:\Utilitaires à graver\Antivirus\LM2 Fix
      l2mfix.exe
      ArchiveType: ZIP SFX (self extracting)
      --> l2mfix\Process.exe
      The file contains signature of the SPR/Processor.20 program and was suppressed by the user.
      F:\Utilitaires à graver\Images, son et vidéos\Codec & Rip\utilitaire divx Martial\codecs
      MUSKCodec3vf.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      F:\Utilitaires à graver\Images, son et vidéos\Codec & Rip\utilitaire divx Martial\lecteurs\zoomplayer pro
      ZPro.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      F:\Utilitaires à graver\Images, son et vidéos\MP3\mp3 cd converter
      MP3 CD Converter.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected
      F:\Utilitaires à graver\logiciel de compression\winrar 311
      Patch_WR3fr.zip
      ArchiveType: ZIP
      NOTE! The whole archive is password protected



      End of scan: dimanche 28 août 2005 17:03
      Time taken: 33:22 min


      4995 directories were scanned
      59896 files were scanned
      9 warning messages were issued
      0 files were deleted
      0 files were repaired
      0 detections
  18. balltrap34 (Posts: 16241, Status: Security Contributor)
     
     I've had two more detection windows pop up... still on this HCLEAN32.EXE file


    Give the path.
    1. Yohan
       
      The two windows are identical. One appeared during the AV scan (I think when a program tried to connect to the net), the other appeared as soon as I launched IExplorer.
      Path:

      C:\WINDOWS\SYSTEM32\HCLEAN32.EXE

      Is the Trojan horse TR/Qhost.QR
  19. balltrap34 (Posts: 16241, Status: Security Contributor)
     
    Just for info, on my side this reg entry removes the whole Run key
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    ????????
    1. Yohan
       
      Balltrap,

      NOTE: in order to run findT correctly, I had to copy the autoexec.nt file that was in c:\windows\repair into the c:\windows\system32 directory. Then I ran it, and here is the result.

      First, here is the findT report:
      PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

      C:\WINDOWS\RDT.INI
      C:\WINDOWS\BALLOON.WAV

      Then the hclsrch report:

      Rapport fait à 17:39:12,06 le 28/08/2005
      Executé à partir de C:\Program Files\hclsrch
      OS: Microsoft Windows XP [version 5.1.2600]

      Recherche registre ...


      ! REG.EXE VERSION 3.0

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      SiSUSBRG REG_SZ C:\WINDOWS\SiSUSBrg.exe
      Zone Labs Client REG_SZ "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      Easy-PrintToolBox REG_SZ C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
      NeroFilterCheck REG_SZ C:\WINDOWS\system32\NeroCheck.exe
      AnyDVD REG_SZ "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
      AVGCtrl REG_SZ "C:\Program Files\AVPersonal\AVGNT.EXE" /min
      Tau Monitor REG_SZ C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

      ! REG.EXE VERSION 3.0

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      system REG_SZ

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
      "pgtshlld"=hex:58,03,00,00,29,59,61,6d,7e,71,7a,05,53,60,35,50,14,00,00,00
      "nidnsdr"=hex:fa,60,00,00,f9,c3,c8,c5,eb,de,ad,e5,8a,af,ba,13,00,00,00
      "23naelch"=hex:d6,72,00,00,ab,a4,e7,96,82,f9,cc,c5,d1,e6,ab,d6,14,00,00,00
      "aplnsftn"=hex:92,62,00,00,95,9b,5d,a8,b5,43,c7,3e,15,2a,ef,1a,14,00,00,00
      "23rtcdaol"=hex:60,5d,00,00,59,52,64,69,76,69,17,5e,47,53,20,35,30,15,00,00,00
      "8"=hex:3c,3d,00,00,31,02,0d,0c,28,17,aa,a3,bf,7c,51,4c,14,00,00,00
      "9"=hex:3c,3d,00,00,3b,3d,0a,07,15,18,6f,a7,74,69,44,13,00,00,00
      "10"=hex:3c,3d,00,00,3f,2d,07,02,1f,15,69,50,bf,7c,51,4c,14,00,00,00
      "11"=hex:4f,4a,00,00,22,2f,1e,19,05,00,47,4c,a8,69,22,59,14,00,00,00
      "12"=hex:4f,4a,00,00,54,2e,67,10,06,05,78,b0,61,1a,51,13,00,00,00
      "13"=hex:4f,4a,00,00,28,5e,10,6f,08,06,7a,7d,a8,69,22,59,14,00,00,00
      "14"=hex:73,0b,00,00,4e,4b,7a,75,61,5c,63,68,74,05,0e,35,14,00,00,00
      "15"=hex:a8,0b,00,00,8f,91,be,bb,b9,ac,d3,1b,d8,fd,e8,13,00,00,00
      "16"=hex:a8,0b,00,00,83,81,ab,b6,a3,a9,dd,c4,03,d0,c5,e0,14,00,00,00
      "17"=hex:06,20,00,00,fb,f4,d7,c6,d2,c9,fc,f5,e1,b6,9b,86,14,00,00,00
      "18"=hex:06,20,00,00,ed,f7,dc,d9,df,d2,b1,f9,be,a3,8e,13,00,00,00
      "19"=hex:06,20,00,00,e1,e7,c9,d4,c1,cf,b3,aa,e1,b6,9b,86,14,00,00,00
      "20"=hex:93,29,00,00,6e,6b,5a,55,41,bc,03,08,14,25,ee,15,14,00,00,00
      "21"=hex:c7,29,00,00,ac,b6,9f,98,9e,8d,f0,38,f9,e2,c9,13,00,00,00
      "22"=hex:c7,29,00,00,a0,a6,88,97,80,8e,f2,e5,20,f1,da,c1,14,00,00,00
      "23"=hex:1a,79,00,00,17,e0,23,d2,ce,35,88,81,9d,a2,77,92,14,00,00,00
      "24"=hex:1a,79,00,00,19,e3,28,25,cb,3e,4d,85,aa,4f,9a,13,00,00,00
      "25"=hex:1a,79,00,00,1d,13,25,20,3d,3b,4f,b6,9d,a2,77,92,14,00,00,00
      "26"=hex:e9,42,00,00,c4,d1,f0,e3,ff,ea,d9,d6,c2,93,84,a3,14,00,00,00
      "27"=hex:1a,43,00,00,19,e3,28,25,cb,3e,4d,85,aa,4f,9a,13,00,00,00
      "28"=hex:1a,43,00,00,1d,13,25,20,3d,3b,4f,b6,9d,a2,77,92,14,00,00,00
      "29"=hex:80,26,00,00,7d,7e,49,48,54,53,76,7f,7b,38,1d,08,14,00,00,00
      "30"=hex:b5,26,00,00,b2,84,8d,8e,ac,a3,e6,2e,cf,f0,ff,13,00,00,00
      "31"=hex:b5,26,00,00,b6,b4,be,85,96,9c,e0,db,36,c7,c8,f7,14,00,00,00
      "32"=hex:2c,56,00,00,01,12,3d,3c,38,27,9a,93,8f,4c,41,7c,14,00,00,00
      "33"=hex:95,56,00,00,92,64,ad,ae,4c,43,c6,0e,2f,d0,1f,13,00,00,00
      "34"=hex:c6,56,00,00,a1,a7,89,94,81,8f,f3,ea,21,f6,db,c6,14,00,00,00
      "35"=hex:1c,3b,00,00,11,e2,2d,2c,c8,37,8a,83,9f,5c,71,6c,14,00,00,00
      "36"=hex:50,3b,00,00,57,29,66,13,01,04,7b,b3,60,15,50,13,00,00,00
      "37"=hex:81,3b,00,00,7a,68,42,59,5a,50,34,2f,7a,3b,1c,0b,14,00,00,00
      "38"=hex:c4,1c,00,00,b9,ba,95,84,90,8f,32,3b,27,f4,d9,c4,14,00,00,00
      "39"=hex:f8,1c,00,00,ff,c1,ce,cb,e9,dc,a3,eb,88,ad,b8,13,00,00,00
      "40"=hex:5e,1d,00,00,59,4f,61,7c,79,77,0b,72,59,1e,33,2e,14,00,00,00
      "41"=hex:c0,4d,00,00,bd,be,89,88,94,93,36,3f,3b,f8,dd,c8,14,00,00,00
      "42"=hex:f1,4d,00,00,f6,c8,c1,f2,e0,e7,9a,d2,83,b4,b3,13,00,00,00
      "43"=hex:26,4e,00,00,01,07,29,34,21,2f,53,4a,81,56,7b,66,14,00,00,00
      "44"=hex:b3,5e,00,00,8e,8b,ba,b5,a1,9c,23,28,34,c5,ce,f5,14,00,00,00
      "45"=hex:e4,5e,00,00,c3,d5,f2,ff,fd,f0,97,df,9c,81,ac,13,00,00,00
      "46"=hex:4d,5f,00,00,2e,5c,16,6d,0e,04,78,63,ae,6f,20,5f,14,00,00,00
      "47"=hex:75,10,00,00,48,45,44,77,63,5e,6d,6a,76,07,08,37,14,00,00,00
      "48"=hex:a9,10,00,00,8e,90,b9,ba,b8,af,d2,1a,db,fc,eb,13,00,00,00
      "49"=hex:de,10,00,00,d9,cf,e1,fc,f9,f7,8b,f2,d9,9e,b3,ae,14,00,00,00
      "50"=hex:11,42,00,00,ec,e9,d8,db,c7,c2,81,8e,ea,ab,6c,9b,14,00,00,00
      "51"=hex:76,42,00,00,7d,47,4c,49,6f,62,21,69,0e,33,3e,13,00,00,00
      "52"=hex:aa,42,00,00,8d,83,b5,b0,ad,ab,df,c6,0d,d2,c7,e2,14,00,00,00
      "53"=hex:b3,47,00,00,8e,8b,ba,b5,a1,9c,23,28,34,c5,ce,f5,14,00,00,00
      "54"=hex:1b,48,00,00,18,e2,2b,24,ca,39,4c,84,55,4e,65,13,00,00,00
      "55"=hex:81,48,00,00,7a,68,42,59,5a,50,34,2f,7a,3b,1c,0b,14,00,00,00
      "56"=hex:a9,5d,00,00,84,91,b0,a3,bf,aa,19,16,02,d3,c4,e3,14,00,00,00
      "57"=hex:dd,5d,00,00,da,dc,f5,e6,f4,fb,8e,c6,97,88,a7,13,00,00,00
      "58"=hex:42,5e,00,00,25,2b,0d,18,05,13,77,6e,a5,7a,5f,4a,14,00,00,00
      "59"=hex:8c,00,00,00,61,72,5d,5c,58,47,7a,73,6f,2c,e1,1c,14,00,00,00
      "60"=hex:5a,01,00,00,59,23,68,65,0b,7e,0d,45,6a,0f,5a,13,00,00,00
      "61"=hex:f3,01,00,00,f4,fa,fc,cb,d4,e2,a6,99,f4,85,8e,b5,14,00,00,00
      "62"=hex:f1,77,00,00,cc,c9,f8,fb,e7,e2,e1,ee,ca,8b,8c,bb,14,00,00,00
      "63"=hex:56,78,00,00,5d,27,6c,69,0f,02,01,49,6e,13,5e,13,00,00,00
      "64"=hex:bb,78,00,00,bc,b2,84,83,9c,9a,ee,d1,3c,fd,d6,cd,14,00,00,00
      "65"=hex:29,32,00,00,04,11,30,23,3f,2a,99,96,82,53,44,63,14,00,00,00
      "66"=hex:5c,33,00,00,5b,5d,6a,67,75,78,0f,47,14,09,24,13,00,00,00
      "67"=hex:8d,35,00,00,6e,9c,56,ad,4e,44,38,23,6e,2f,e0,1f,14,00,00,00
      "68"=hex:1d,0b,00,00,10,1d,2c,2f,cb,36,95,82,9e,5f,70,6f,14,00,00,00
      "69"=hex:83,0b,00,00,60,7a,53,5c,52,51,34,7c,3d,26,0d,13,00,00,00
      "70"=hex:eb,0b,00,00,cc,c2,f4,f3,ec,ea,9e,81,cc,8d,86,bd,14,00,00,00
      "71"=hex:3d,7a,00,00,30,3d,0c,0f,2b,16,b5,a2,be,7f,50,4f,14,00,00,00
      "72"=hex:d4,7a,00,00,d3,a5,e2,ef,8d,80,87,cf,ec,91,dc,13,00,00,00
      "73"=hex:6d,7b,00,00,4e,7c,76,4d,6e,64,18,03,4e,0f,00,3f,14,00,00,00
      "74"=hex:61,22,00,00,5c,59,68,6b,77,72,51,5e,5a,1b,3c,2b,14,00,00,00
      "75"=hex:c6,22,00,00,ad,b7,9c,99,9f,92,f1,39,fe,e3,ce,13,00,00,00
      "76"=hex:60,23,00,00,5b,49,63,7e,7b,71,15,0c,5b,18,3d,28,14,00,00,00
      "77"=hex:cd,66,00,00,a0,ad,9c,9f,9b,86,c5,32,2e,ef,a0,df,14,00,00,00
      "78"=hex:67,67,00,00,4c,56,7f,78,7e,6d,10,58,19,02,29,13,00,00,00
      "79"=hex:cc,67,00,00,af,dd,97,92,8f,85,f9,e0,2f,ec,a1,dc,14,00,00,00
      "80"=hex:11,58,00,00,ec,e9,d8,db,c7,c2,81,8e,ea,ab,6c,9b,14,00,00,00
      "81"=hex:a7,58,00,00,8c,96,bf,b8,be,ad,d0,18,d9,c2,e9,13,00,00,00
      "82"=hex:41,59,00,00,3a,28,02,19,1a,10,74,6f,ba,7b,5c,4b,14,00,00,00
      "83"=hex:70,17,00,00,4d,4e,79,78,64,63,66,6f,4b,08,0d,38,14,00,00,00
      "84"=hex:3e,18,00,00,25,3f,14,01,17,1a,69,a1,76,6b,46,13,00,00,00
      "85"=hex:08,19,00,00,e3,e1,cb,d6,c3,c9,bd,a4,e3,b0,65,80,14,00,00,00
      "86"=hex:62,7e,00,00,5f,58,6b,6a,76,6d,50,59,45,1a,3f,2a,14,00,00,00
      "87"=hex:95,7f,00,00,92,64,ad,ae,4c,43,c6,0e,2f,d0,1f,13,00,00,00
      "88"=hex:f9,00,00,00,f2,f0,fa,c1,d2,d8,ac,97,f2,83,94,b3,14,00,00,00
      "89"=hex:78,6d,00,00,75,46,41,70,6c,5b,6e,67,73,00,15,30,14,00,00,00
      "90"=hex:42,6e,00,00,21,3b,10,1d,13,16,75,bd,72,67,42,13,00,00,00
      "91"=hex:10,6f,00,00,eb,19,d3,2e,cb,c1,45,bc,eb,a8,6d,98,14,00,00,00
      "yqamd"=hex:26,3e,00,00,1f,0e,22,3a,2a,e9,4e,53,5e,11,00,00,00
      "92"=hex:a5,50,00,00,98,95,b4,a7,b3,ae,1d,1a,06,d7,f8,e7,14,00,00,00
      "93"=hex:73,51,00,00,70,4a,43,4c,62,61,24,6c,0d,36,3d,13,00,00,00
      "94"=hex:3e,52,00,00,39,2f,01,1c,19,17,6b,52,b9,7e,53,4e,14,00,00,00
      "95"=hex:b9,0e,00,00,b4,81,80,b3,af,9a,29,26,32,c3,d4,f3,14,00,00,00
      "96"=hex:b7,10,00,00,bc,86,8f,88,ae,9d,e0,28,c9,f2,f9,13,00,00,00
      "97"=hex:4e,13,00,00,29,5f,11,6c,09,07,7b,62,a9,6e,23,5e,14,00,00,00
      "98"=hex:5c,4e,00,00,51,22,6d,6c,08,77,4a,43,5f,1c,31,2c,14,00,00,00
      "99"=hex:f4,4f,00,00,f3,c5,c2,cf,ed,e0,a7,ef,8c,b1,bc,13,00,00,00
      "100"=hex:bd,51,00,00,be,ac,86,9d,9e,94,e8,d3,3e,ff,d0,cf,14,00,00,00
      "101"=hex:42,27,00,00,3f,38,0b,0a,16,0d,b0,b9,a5,7a,5f,4a,14,00,00,00
      "102"=hex:74,29,00,00,73,45,42,4f,6d,60,27,6f,0c,31,3c,13,00,00,00
      "103"=hex:40,2b,00,00,3b,29,03,1e,1b,11,75,6c,bb,78,5d,48,14,00,00,00
      "104"=hex:9b,02,00,00,96,63,a2,ad,49,b4,0b,00,1c,dd,f6,ed,14,00,00,00
      "105"=hex:ca,06,00,00,a9,b3,98,95,9b,8e,fd,35,fa,9f,ca,13,00,00,00
      "106"=hex:93,08,00,00,94,9a,5c,ab,b4,42,c6,39,14,25,ee,15,14,00,00,00
      "107"=hex:5b,24,00,00,56,23,62,6d,09,74,4b,40,5c,1d,36,2d,14,00,00,00
      "108"=hex:58,26,00,00,5f,21,6e,6b,09,7c,03,4b,68,0d,58,13,00,00,00
      "109"=hex:f0,2a,00,00,cb,f9,f3,ce,eb,e1,a5,9c,cb,88,8d,b8,14,00,00,00
      "110"=hex:20,33,00,00,1d,1e,29,28,34,33,96,9f,9b,58,7d,68,14,00,00,00
      "111"=hex:53,34,00,00,50,2a,63,6c,02,01,04,4c,6d,16,5d,13,00,00,00
      "112"=hex:1c,36,00,00,1f,0d,27,22,3f,35,49,b0,9f,5c,71,6c,14,00,00,00
      "113"=hex:10,08,00,00,ed,ee,d9,d8,c4,c3,86,8f,eb,a8,6d,98,14,00,00,00
      "114"=hex:a7,0a,00,00,8c,96,bf,b8,be,ad,d0,18,d9,c2,e9,13,00,00,00
      "115"=hex:0b,0f,00,00,ec,e2,d4,d3,cc,ca,be,a1,ec,ad,66,9d,14,00,00,00
      "116"=hex:af,7a,00,00,82,8f,be,b9,a5,a0,27,2c,08,c9,c2,f9,14,00,00,00
      "117"=hex:e0,7c,00,00,c7,d9,f6,e3,f1,f4,8b,c3,90,85,a0,13,00,00,00
      "118"=hex:dd,7f,00,00,de,cc,e6,fd,fe,f4,88,f3,de,9f,b0,af,14,00,00,00
      "119"=hex:38,7b,00,00,35,06,01,30,2c,1b,ae,a7,b3,40,55,70,14,00,00,00
      "120"=hex:9d,7d,00,00,9a,9c,b5,a6,b4,bb,ce,06,d7,c8,e7,13,00,00,00
      "121"=hex:34,00,00,00,37,35,3f,0a,17,1d,61,58,b7,44,49,74,14,00,00,00
      "122"=hex:fc,16,00,00,f1,c2,cd,cc,e8,d7,ea,e3,ff,bc,91,8c,14,00,00,00
      "123"=hex:93,19,00,00,90,6a,a3,ac,42,41,c4,0c,2d,d6,1d,13,00,00,00
      "124"=hex:f9,1b,00,00,f2,f0,fa,c1,d2,d8,ac,97,f2,83,94,b3,14,00,00,00
      "125"=hex:c2,03,00,00,bf,b8,8b,8a,96,8d,30,39,25,fa,df,ca,14,00,00,00
      "126"=hex:26,05,00,00,0d,17,3c,39,3f,32,51,99,5e,43,6e,13,00,00,00
      "127"=hex:8d,06,00,00,6e,9c,56,ad,4e,44,38,23,6e,2f,e0,1f,14,00,00,00
      "128"=hex:ac,47,00,00,81,92,bd,bc,b8,a7,1a,13,0f,cc,c1,fc,14,00,00,00
      "129"=hex:44,49,00,00,23,35,12,1f,1d,10,77,bf,7c,61,4c,13,00,00,00
      "130"=hex:dc,4a,00,00,df,cd,e7,e2,ff,f5,89,f0,df,9c,b1,ac,14,00,00,00
      "131"=hex:ab,4c,00,00,86,93,b2,bd,b9,a4,1b,10,0c,cd,c6,fd,14,00,00,00
      "132"=hex:43,4e,00,00,20,3a,13,1c,12,11,74,bc,7d,66,4d,13,00,00,00
      "133"=hex:d9,51,00,00,d2,d0,9a,e1,f2,f8,8c,f7,d2,e3,b4,d3,14,00,00,00
      "134"=hex:ba,0c,00,00,b7,80,83,b2,ae,95,28,21,3d,c2,d7,f2,14,00,00,00
      "135"=hex:20,0f,00,00,07,19,36,23,31,34,4b,83,50,45,60,13,00,00,00
      "136"=hex:ea,10,00,00,cd,c3,f5,f0,ed,eb,9f,86,cd,92,87,a2,14,00,00,00
      "137"=hex:d1,0a,00,00,ac,a9,98,9b,87,82,c1,ce,2a,eb,ac,db,14,00,00,00
      "138"=hex:02,0d,00,00,e1,fb,d0,dd,d3,d6,b5,fd,b2,a7,82,13,00,00,00
      "139"=hex:54,73,00,00,57,55,1f,6a,77,7d,01,78,57,64,29,54,14,00,00,00


      Recherche dossier Internet Explorer...

      Le volume dans le lecteur C n'a pas de nom.
      Le numéro de série du volume est CCE8-7B91

      Répertoire de C:\Program Files\Internet Explorer

      29/08/2002 11:45 91 136 iexplore.exe
      1 fichier(s) 91 136 octets
      0 Rép(s) 30 672 687 104 octets libres

      Recherche presence hclean32.exe...
      non trouvé...


      Finally, a HijackThis log taken while connected:


      Logfile of HijackThis v1.99.1
      Scan saved at 17:40:45, on 28/08/2005
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\AVPersonal\AVGUARD.EXE
      C:\Program Files\AVPersonal\AVWUPSRV.EXE
      C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      C:\Program Files\AVPersonal\AVGNT.EXE
      C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
      C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
      C:\Program Files\Ensemble clavier et souris sans fil Labtec\MulMouse.exe
      C:\Program Files\Ensemble clavier et souris sans fil Labtec\OSD.EXE
      C:\WINDOWS\System32\wuauclt.exe
      C:\WINDOWS\system32\DfrgNtfs.exe
      C:\Program Files\AVPersonal\GUARDGUI.EXE
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\AVPersonal\GUARDGUI.EXE
      C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
      C:\Program Files\Ahead\nero\nero.exe
      C:\WINDOWS\System32\imapi.exe
      C:\hijack\hijackthis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
      O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
      O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
      O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
      O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - Global Startup: Activer l'ensemble clavier et souris sans fil Labtec.lnk = C:\Program Files\Ensemble clavier et souris sans fil Labtec\MagicKey.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
      O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
      O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
      O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
      O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114460605218
      O17 - HKLM\System\CCS\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
      O17 - HKLM\System\CS1\Services\Tcpip\..\{0914A442-A758-4B09-9FA6-2A8CAEE26F60}: NameServer = 69.50.176.158,85.255.112.8
      O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
      O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
      O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

      Good luck!
  20. Anonymous user
     
    Personally I don't have that key, and it's in other .reg files

    Was I a bit too quick?