probleme avec hclean32.exe Fermé

Question

Bonjour tout le monde,Je rencontre un problème actuellement, j'ai des messages qui n'arretent pas de sortir me signalant que ma machine est en danger, je sais que c a cause d'un troyen, je crois que c'est hclean32.exe (puisque norton le met en quaranatine a chaque fois), j'ai fais un scan avec hijackthis, je vous remercie pour toute aide :Logfile of HijackThis v1.99.1Scan saved at 14:58:49, on 29/08/2005Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 (6.00.2600.0000)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\csrss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exeC:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exeC:\WINNT\system32\spoolsv.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\WINNT\System32\svchost.exeC:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINNT\system32egsvc.exeC:\Program Files\Symantec AntiVirus\SavRoam.exeC:\WINNT\system32\MSTask.exeC:\Program Files\Analog Devices\SoundMAX\spkrmon.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\svchost.exeC:\WINNT\Explorer.EXEC:\WINNT\System32\hkcmd.exeC:\Program Files\Fichiers communs\Symantec Shared\ccApp.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exeC:\WINNT\bfehfpxm.exeC:\Program Files\Microsoft AntiSpyware\gcasDtServ.exeC:\WINNT\system32\internat.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINNT\system32
otepad.exeC:\orant\BIN\RWBLD60.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\WINNT\system32\wuauclt.exeC:\hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aljazeera.net/R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LiensR3 - Default URLSearchHook is missingO1 - Hosts: 172.20.0.2 ntserver_pdcO1 - Hosts: 172.20.20.1 comptsrv.comptabiliteO1 - Hosts: 172.20.0.3 intranet_cdgO1 - Hosts: 172.20.10.10 isfs1-cdg loghost elsd_1_2100O1 - Hosts: 12.5.90.7 reuters-sourceO1 - Hosts: 12.5.90.6 amsnbrtO1 - Hosts: 172.20.10.3 kondorn0O1 - Hosts: 172.20.10.4 kondorn1O1 - Hosts: 172.20.10.10 isfs1-cdg elsd_1_2100 elsd-1-2100 isfs1O1 - Hosts: 172.20.10.2 kondor-aws awsO1 - Hosts: 172.20.10.5 sybase-lh krsO1 - Hosts: 172.20.40.3 laser_printerO1 - Hosts: 172.20.30.3 ressourcesrvO1 - Hosts: 172.20.0.222 siegemail1O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dllO3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocxO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exeO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeO4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exeO4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exeO4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exeO4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"O4 - HKLM\..\Run: [absrq] C:\WINNT\bfehfpxm.exeO4 - HKCU\..\Run: [internat.exe] internat.exeO4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exeO8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINNT\system32\shdocvw.dllO9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\webelated.htmO9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\webelated.htmO9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOADFO~2\RNetPin.dllO20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dllO20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dllO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXEO23 - Service: OracleHOME_9iClientCache - Unknown owner - D:\oracle9i\BIN\ONRSD.EXEO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exeO23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

M.Lavaux · Answer

Il existe un outil d'analyse en ligne qui propose des CONSEILS (attention être très attentif, ne pas tout supprimer, vérifier avant) : http://www.hijackthis.de/index.php?langselect=french

M.Lavaux · Answer

Il semblerai que hclean32 soit un problème qui se répend actuellement sur le net. Je vais faire quelques recherches à son propos.

M.Lavaux · Answer

J'ai trouvé ce lien :
http://www.bleepingcomputer.com/startups/Cat-H.html

Chercher vers le milieu de la page (ordre alphabetique) le fichier hclean32.exe
IL semblerait qu'il soit lié à CWS.

Peut être que cet exécutable pourra vous aider :
CWShredder sur http://www.intermute.com/products/cwshredder.html

issam · Answer

j'ai tout essayé jusqu'ici mais rien ne va!! (mode sans echec, spybot, hjcackthis.......) hclean n'est plus repere par norton mais les messages sortent toujours, comme quoi mon systeme risque un danger!!!! faut il formatter le pc pr ça??? en tt cas merci bcp bcp pour vos conseils les amis

Utilisateur anonyme · Answer

salut issamreposte un nouvel hijackthis + un rapport de ce prog:Silentrunnershttp://www.silentrunners.org/Silent%20Runners.vbslance le, et quand norton te le demandera, autorise le scripta+

issam · Answer

voici le log hijack :
Logfile of HijackThis v1.99.1
Scan saved at 11:24:51, on 30/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\orant\BIN\ifdbg60.EXE
C:\orant\BIN\ifbld60.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Quest Software\SQL Navigator 4\SQLNav4.exe
C:\WINNT\system32\WISPTIS.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\mhamedi\Bureau\Nouveau dossier (3)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aljazeera.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O1 - Hosts: 172.20.0.2 ntserver_pdc
O1 - Hosts: 172.20.20.1 comptsrv.comptabilite
O1 - Hosts: 172.20.0.3 intranet_cdg
O1 - Hosts: 172.20.40.3 laser_printer
O1 - Hosts: 172.20.30.3 ressourcesrv
O1 - Hosts: 172.20.0.222 siegemail1
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

voici le log du startup :
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = (empty string)
"dmbxp.exe" = "C:\WINNT\system32\dmbxp.exe" [file not found]
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cshmu.exe" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

merci encore

Utilisateur anonyme · Answer

salut

on dirait que tu as fais du menage avec hijackthis ?
ton silent runner n'est pas complet, reposte en un autreruins
et fais aussi ceci:

demarrer > executer tape cmd
copie et colle ceci dans la fenetre dos

regedit /e %systemdrive%\log.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins" & notepad %systemdrive%\log.txt

le bloc notes va s'ouvrir, copie et colle le resultat ici

a+

issam · Answer

oui biensur que g fais un peu l menage depuis mon premier poste, mais ça n'a malheureusement rien donné :) merci, voici le log j'espere qu'il est complet g fais un copie-coller de tout :

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = (empty string)
"dmbxp.exe" = "C:\WINNT\system32\dmbxp.exe" [file not found]
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cshmu.exe" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\mhamedi\Application Data\Microsoft\Internet Explorer\Papier peint de Internet Explorer.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "(Aucun)" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{BF69DF00-2734-477F-8257-27CD04F88779}\
"ButtonText" = "Start spyware remover"
"MenuText" = "Start spyware remover"
"Exec" = "C:\Program Files\WareOut\WareOut.exe" [file not found]

Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HOSTS file
----------

C:\WINNT\System32\drivers\etc\HOSTS

maps: 7 domain names to IP addresses,
6 of the IP addresses are *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Machine Debug Manager, MDM, ""C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Système d'événements de COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 12 seconds, including 4 seconds for message boxes)

Utilisateur anonyme · Answer

reste ceci:
demarrer > executer tape cmd
copie et colle ceci dans la fenetre dos

regedit /e %systemdrive%\log.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins" & notepad %systemdrive%\log.txt

le bloc notes va s'ouvrir, copie et colle le resultat ici

désolé mais il me faut un maximum de details sur cette saleté

a+

issam · Answer

voila le resultat (desole je l'avais vu avant mais je l'avais fais et g oublié de mettre le copie-coller) :)
merci :
Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:33,69,00,00,02,02,3a,36,13,1a,5f,6e,b4,45,4e,75,14,00,00,00
"nidnsdr"=hex:cb,6a,00,00,a8,b2,9b,94,9a,89,fc,34,e5,9e,d5,13,00,00,00
"23naelch"=hex:99,6b,00,00,94,61,a0,53,4f,ba,09,06,12,23,f4,13,14,00,00,00
"aplnsftn"=hex:c9,6e,00,00,a2,a0,8a,91,82,88,fc,e7,22,f3,a4,c3,14,00,00,00
"23rtcdaol"=hex:94,6f,00,00,95,9e,50,55,42,b5,c3,0a,13,1f,1c,e1,0c,15,00,00,00
"7"=hex:1b,5b,00,00,16,e3,22,2d,c9,34,8b,80,9c,5d,76,6d,14,00,00,00
"8"=hex:4c,5b,00,00,2b,2d,1a,17,05,08,7f,b7,64,19,54,13,00,00,00
"9"=hex:4c,5b,00,00,2f,5d,17,12,0f,05,79,60,af,6c,21,5c,14,00,00,00
"10"=hex:3f,13,00,00,32,3f,0e,09,15,10,b7,bc,b8,79,52,49,14,00,00,00
"11"=hex:3f,13,00,00,24,3e,17,00,16,15,68,a0,71,6a,41,13,00,00,00
"12"=hex:3f,13,00,00,38,2e,00,1f,18,16,6a,6d,b8,79,52,49,14,00,00,00
"13"=hex:e0,12,00,00,dd,de,e9,e8,f4,f3,d6,df,db,98,bd,a8,14,00,00,00
"14"=hex:e0,12,00,00,c7,d9,f6,e3,f1,f4,8b,c3,90,85,a0,13,00,00,00
"15"=hex:e0,12,00,00,db,c9,e3,fe,fb,f1,95,8c,db,98,bd,a8,14,00,00,00
"16"=hex:82,6a,00,00,7f,78,4b,4a,56,4d,70,79,65,3a,1f,0a,14,00,00,00
"17"=hex:82,6a,00,00,61,7b,50,5d,53,56,35,7d,32,27,02,13,00,00,00
"18"=hex:82,6a,00,00,65,6b,4d,58,45,53,37,2e,65,3a,1f,0a,14,00,00,00
"pxbmd"=hex:bb,3a,00,00,8a,b5,b8,9e,9e,54,e5,fe,f5,11,00,00,00
"19"=hex:86,41,00,00,7b,74,57,46,52,49,7c,75,61,36,1b,06,14,00,00,00
"20"=hex:86,41,00,00,6d,77,5c,59,5f,52,31,79,3e,23,0e,13,00,00,00
"21"=hex:86,41,00,00,61,67,49,54,41,4f,33,2a,61,36,1b,06,14,00,00,00

Utilisateur anonyme · Answer

salut

est ce que tu as du temps devant toi, car apres un redemarrage, certains processus infectés, se renomment et il faut repasser tout les progs pour pouvoir le cerner.

Donc, si tu as du temps, reposte un hijack + un silentrunners et ne redemarre pas ton pc.
si tu n'a pas trop de temps, fais moi signe quand se sera bon
je suis là dans la soirée en general

a+

issam · Answer

Merci tt d'abord pr le temps que t'as passé sur mon probleme, c hyper sympa de ta part, là g quitté mon bureau mais demain je me consacrerai a 100% à ce probleme, encore merci et desole pour le derangement, demain matin je te posterai toutes les infos

Utilisateur anonyme · Answer

salut issamje suis sur le forum à partir de la fin d'apres midi, si tu est dispo, poste les infos à ce moment làa+

issam · Answer

Re-bonjour :)
voilà je piste tout ce que tu m'as demandé et entre temps je vais pas redemarrer ma machine, tu y jetteras un coup d'oeil qd t'auras du temps, merci mon ami :

hijackthis :

Logfile of HijackThis v1.99.1
Scan saved at 08:55:02, on 01/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\orant\BIN\PLUS80W.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mhamedi\Bureau\Nouveau dossier (3)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aljazeera.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

Silent runner :

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = (empty string)
"dmbxp.exe" = "C:\WINNT\system32\dmbxp.exe" [file not found]
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csfeb.exe" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\mhamedi\Application Data\Microsoft\Internet Explorer\Papier peint de Internet Explorer.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "(Aucun)" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{BF69DF00-2734-477F-8257-27CD04F88779}\
"ButtonText" = "Start spyware remover"
"MenuText" = "Start spyware remover"
"Exec" = "C:\Program Files\WareOut\WareOut.exe" [file not found]

Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HOSTS file
----------

C:\WINNT\System32\drivers\etc\HOSTS

maps: 7 domain names to IP addresses,
6 of the IP addresses are *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Machine Debug Manager, MDM, ""C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Système d'événements de COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 14 seconds, including 2 seconds for message boxes)

La commande cmd que tu m'as donné :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:33,69,00,00,02,02,3a,36,13,1a,5f,6e,b4,45,4e,75,14,00,00,00
"nidnsdr"=hex:cb,6a,00,00,a8,b2,9b,94,9a,89,fc,34,e5,9e,d5,13,00,00,00
"23naelch"=hex:99,6b,00,00,94,61,a0,53,4f,ba,09,06,12,23,f4,13,14,00,00,00
"aplnsftn"=hex:c9,6e,00,00,a2,a0,8a,91,82,88,fc,e7,22,f3,a4,c3,14,00,00,00
"23rtcdaol"=hex:94,6f,00,00,95,9e,50,55,42,b5,c3,0a,13,1f,1c,e1,0c,15,00,00,00
"7"=hex:1b,5b,00,00,16,e3,22,2d,c9,34,8b,80,9c,5d,76,6d,14,00,00,00
"8"=hex:4c,5b,00,00,2b,2d,1a,17,05,08,7f,b7,64,19,54,13,00,00,00
"9"=hex:4c,5b,00,00,2f,5d,17,12,0f,05,79,60,af,6c,21,5c,14,00,00,00
"10"=hex:3f,13,00,00,32,3f,0e,09,15,10,b7,bc,b8,79,52,49,14,00,00,00
"11"=hex:3f,13,00,00,24,3e,17,00,16,15,68,a0,71,6a,41,13,00,00,00
"12"=hex:3f,13,00,00,38,2e,00,1f,18,16,6a,6d,b8,79,52,49,14,00,00,00
"13"=hex:e0,12,00,00,dd,de,e9,e8,f4,f3,d6,df,db,98,bd,a8,14,00,00,00
"14"=hex:e0,12,00,00,c7,d9,f6,e3,f1,f4,8b,c3,90,85,a0,13,00,00,00
"15"=hex:e0,12,00,00,db,c9,e3,fe,fb,f1,95,8c,db,98,bd,a8,14,00,00,00
"16"=hex:82,6a,00,00,7f,78,4b,4a,56,4d,70,79,65,3a,1f,0a,14,00,00,00
"17"=hex:82,6a,00,00,61,7b,50,5d,53,56,35,7d,32,27,02,13,00,00,00
"18"=hex:82,6a,00,00,65,6b,4d,58,45,53,37,2e,65,3a,1f,0a,14,00,00,00
"pxbmd"=hex:bb,3a,00,00,8a,b5,b8,9e,9e,54,e5,fe,f5,11,00,00,00
"19"=hex:86,41,00,00,7b,74,57,46,52,49,7c,75,61,36,1b,06,14,00,00,00
"20"=hex:86,41,00,00,6d,77,5c,59,5f,52,31,79,3e,23,0e,13,00,00,00
"21"=hex:86,41,00,00,61,67,49,54,41,4f,33,2a,61,36,1b,06,14,00,00,00
"22"=hex:14,5f,00,00,e9,ea,25,d4,c0,3f,82,8b,97,a4,69,94,14,00,00,00
"23"=hex:45,5f,00,00,22,34,1d,1e,1c,13,76,be,7f,60,4f,13,00,00,00
"24"=hex:45,5f,00,00,26,24,0e,15,06,0c,70,6b,a6,77,58,47,14,00,00,00
"25"=hex:12,7a,00,00,ef,e8,db,da,c6,3d,80,89,95,aa,6f,9a,14,00,00,00
"26"=hex:12,7a,00,00,11,eb,20,2d,c3,c6,45,8d,a2,57,92,13,00,00,00
"27"=hex:12,7a,00,00,15,1b,dd,28,35,c3,47,be,95,aa,6f,9a,14,00,00,00

encore merci pour ton aide :)
issam

Utilisateur anonyme · Answer

salut issamest ce que tu peux mettre un hijack, fait en etant connecté au netensuite on s'y attaque.a+

issam · Answer

salut :)
voilà je suis connecté maintenant, voici mon log hijack :
Logfile of HijackThis v1.99.1
Scan saved at 16:03:40, on 01/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\orant\BIN\ifbld60.EXE
C:\orant\BIN\PLUS80W.EXE
C:\orant\BIN\ifdbg60.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aljazeera.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

Utilisateur anonyme · Answer

saluttu l'as fais après t'etre connecté ?normallement, il devrait apparaitre des lignes 017 dans hijack

issam · Answer

Ah oui biensur, je les ai enlevé! si qq les voit ici et tombe dessus il sera capable de pas mal de trucs, y'a que les adresses de domaine et serveur :
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = XXX.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C56E6E40-3AB1-4494-8B37-A2AF738E0F8F}: Domain = XXX.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C56E6E40-3AB1-4494-8B37-A2AF738E0F8F}: NameServer = xx.xx.xxx.xxx,xx.xxx.xxx.x
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = XXX.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = XXX.com,XXX.ma
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = XXXXX
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = XXX.com,XXX.ma
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = XXX.com,XXX.ma

Utilisateur anonyme · Answer

tu es sur des ip qui apparaissent ?normallement cette saleté change les dns

issam · Answer

oui tout à fait sur, je savais que sur le host aussi ça ajoutait des lignes, mais c pas mon cas, t'en fais pas, sinon le reste y'a des trucs suspects?

Utilisateur anonyme · Answer

ok1/ Lance hijackthis et clic sur [do a system scan only]cocher la case au début des lignes suivantes:R3 - Default URLSearchHook is missing valider en cliquant sur [fix checked]2/deconnecte toi d'internetouvre le bloc note et fais un copier coller de ce qui est en gras ci-dessous:REGEDIT4[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE][-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersionuins][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion] "Disabled"=- [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersionuins][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hclean32.exe"=- "dmbxp.exe"=-[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut][-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"=- "System"=""  [-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut] [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-2734-477F-8257-27CD04F88779}][-HKEY_CURRENT_USER\Software\WareOut] Puis enregistrer sous et dans: Nom du fichier, met fix.reg Type de fichier: selectionne "tous les fichiers" clic sur enregistrer ensuite double clic sur fix.reg et accepte de fusionner3/ouvre le bloc note et fais un copier coller de ce qui est en gras ci-dessous:@echo offattrib -r -s -h %windir%\System32dsndin.exedel /a /f %windir%\System32dsndin.exeattrib -r -s -h %windir%\System32\loadctr32.exedel /a /f %windir%\System32\loadctr32.exeattrib -r -s -h %windir%\System32\dmbxp.exedel /a /f %windir%\System32\dmbxp.exeattrib -r -s -h %windir%\System32\hclean32.exedel /a /f %windir%\System32\hclean32.exeattrib -r -s -h %windir%\System32
tfsnlpa.exedel /a /f %windir%\System32
tfsnlpa.exeattrib -r -s -h %windir%\System32\dllhstgp.exedel /a /f %windir%\System32\dllhstgp.exeattrib -r -s -h %windir%\System32\csfeb.exedel /a /f %windir%\System32\csfeb.exePuis enregistrer sous et dans: Nom du fichier, met hcfix.bat Type de fichier: selectionne "tous les fichiers" clic sur enregistrer ensuite double clic sur hcfix.batsupprime le dossier C:\program files\WareOut s'il existe4/redemarre le pc en mode sans echec et vide le cache de ton navigateur.vider tout le contenu des dossiers Temp:* C:\Documents and Settings	on compte\Local Settings\Temp* C:\Documents and Settings	ous les autres comptes\Local Settings\Temp* C:\Temp <- s'il existe* C:\Windows\Temprepasse hcfix.bat5/redemarre le pc normallement et reposte un hijack + un silentrunnera+

Naouel · Answer

Bonjour,J'ai également le Trojan Hclean32.J'ai du mal a suivre votre conversation, concretement est ce qu'il y a une solution ??Grâce aux conseils de quelqu'un sur ce forum, j'ai déjà essayé AdAware SE, Spy bot, a²free, smirtfraudfix et tout ça en mode sans échec. Mais ça n'a rien donné...Est ce que vous connaissez le conséquences de ce virus ?

Probleme avec hclean32.exe

22 réponses

Discussions similaires