To moe31
Solved
julo
Anonymous user -
Hi moe31, sorry for not replying quickly yesterday, but here is my HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 12:17:28, on 13/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
E:\taxe\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {62A836F2-D801-7BE0-491F-EE18F63323B4} - NukeSpan.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BoontyBox] "C:\Program Files\Boonty\BoontyBox\BoontyBox.exe" /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
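As an added example (not code from this thread or from HijackThis), the script below triages log lines like the ones posted above: it flags entries that point at a missing file, entries registered with no display name, and modules or Run commands given as a bare filename rather than a full path, and it diffs two logs of the same machine, which is why helpers ask for a fresh log after each restart. The sample log is a constructed subset of the one posted here, and the renamed .dll in the second sample is invented to show how a file that renames itself across reboots shows up in the diff.

```python
"""HijackThis log triage.

Added example, not code from this thread or from HijackThis. It parses the
numbered entry lines of a v1.99-style log (R0..R3, F2, O1..O23), gives
explainable reasons to look twice at a line, and diffs two logs of the same
machine taken before and after a reboot.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Entry lines look like "O2 - BHO: NAV Helper - {CLSID} - C:\path\NavShExt.dll".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    kind: str   # e.g. "R3", "O2", "O4"
    body: str   # everything after "Rn - "


def parse_log(text: str) -> List[Entry]:
    """Keep only entry lines; the header and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def review_reasons(entry: Entry) -> List[str]:
    """Reasons to look twice at an entry; an empty list means nothing odd."""
    reasons = []
    body = entry.body
    if "(file missing)" in body:
        reasons.append("points at a file that is no longer on disk")
    if "(no name)" in body:
        reasons.append("registered without a display name")
    m = CLSID_RE.search(body)
    if m:
        # The text after the CLSID is the module; a bare filename has no path.
        module = body[m.end():].strip(" -")
        if module and "\\" not in module:
            reasons.append("module given as a bare filename, not a full path")
    if entry.kind == "O4":
        # "[Name] command": a bare command is resolved through the PATH.
        command = body.split("] ", 1)[1] if "] " in body else body
        if "\\" not in command:
            reasons.append("Run entry uses a bare filename resolved via PATH")
    return reasons


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """Entries of a log that have at least one review reason, in log order."""
    flagged = []
    for entry in parse_log(text):
        reasons = review_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def _order(entry: Entry):
    return (entry.kind, entry.body)


def diff_logs(old: str, new: str) -> Tuple[List[Entry], List[Entry]]:
    """(added, removed) entries between two logs; a renamed file shows as both."""
    old_set, new_set = set(parse_log(old)), set(parse_log(new))
    return sorted(new_set - old_set, key=_order), sorted(old_set - new_set, key=_order)


# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.fr/
R3 - URLSearchHook: (no name) - {62A836F2-D801-7BE0-491F-EE18F63323B4} - NukeSpan.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

# Constructed "after reboot" log: the hook's dll name is invented to show how
# a file that renames itself on every restart appears in the diff.
SAMPLE_LOG_AFTER_REBOOT = SAMPLE_LOG.replace("NukeSpan.dll", "renamed-example.dll")


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.kind}: {entry.body}")
        for reason in reasons:
            print(f"    - {reason}")
    added, removed = diff_logs(SAMPLE_LOG, SAMPLE_LOG_AFTER_REBOOT)
    print("added after reboot:", [e.body for e in added])
    print("removed after reboot:", [e.body for e in removed])
```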
16 replies
hi julo
I have to go back to work, but I'll be here tonight around 6pm
From then on, repost a hijack log, and download these 2 programs:
http://get.yourfile.net/rb76127.zip
and silentrunners:
http://www.silentrunners.org/Silent%20Runners.vbs
unzip both of them, run them and post the report from each.
After doing that, don't restart your PC again (some infected files rename themselves at every restart).
see you later
here is the hc report:
Rapport fait à 16:12:46,77 le 13/09/2005
Executé à partir de E:\taxe\virus
OS: Microsoft Windows XP [version 5.1.2600]
Recherche registre ...
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan REG_SZ soundman.exe
AtiPTA REG_SZ atiptaxx.exe
ccApp REG_SZ "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
SSC_UserPrompt REG_SZ C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor REG_SZ C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
NeroCheck REG_SZ C:\WINDOWS\system32\NeroCheck.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
system REG_SZ
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
C:\WINDOWS\balloon.wav Présent !
Recherche presence hclean32.exe...
non trouvé...
and here is the Silent Runners report:
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]
"BoontyBox" = ""C:\Program Files\Boonty\BoontyBox\BoontyBox.exe" /boot" [file not found]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "soundman.exe" ["Avance Logic, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
now I'm not restarting and I'm waiting for you!!
"135"=hex:ce,22,00,00,a9,df,91,ec,89,87,fb,e2,29,ee,a3,de,14,00,00,00
"136"=hex:e5,5f,00,00,d8,d5,f4,e7,f3,ee,dd,da,c6,97,b8,a7,14,00,00,00
"137"=hex:ef,61,00,00,f4,ce,c7,f0,e6,e5,98,d0,81,ba,b1,13,00,00,00
"138"=hex:80,64,00,00,7b,69,43,5e,5b,51,35,2c,7b,38,1d,08,14,00,00,00
"139"=hex:ce,0c,00,00,a3,ac,9f,9e,9a,81,c4,cd,29,ee,a3,de,14,00,00,00
"140"=hex:b7,0e,00,00,bc,86,8f,88,ae,9d,e0,28,c9,f2,f9,13,00,00,00
"141"=hex:a1,10,00,00,9a,88,a2,b9,ba,b0,d4,cf,1a,db,fc,eb,14,00,00,00
C:\WINDOWS\balloon.wav Présent !
Recherche presence hclean32.exe...
non trouvé...
and here is the Silent Runners report:
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]
"BoontyBox" = ""C:\Program Files\Boonty\BoontyBox\BoontyBox.exe" /boot" [file not found]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "soundman.exe" ["Avance Logic, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
now I'm not going to reboot and I'll wait for you!!
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]
"BoontyBox" = ""C:\Program Files\Boonty\BoontyBox\BoontyBox.exe" /boot" [file not found]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "soundman.exe" ["Avance Logic, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)
"run" = (value not set)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csenu.exe" [null data]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Startup items in "Administrateur" & "All Users" startup folders:
----------------------------------------------------------------
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Analyser mon ordinateur - Administrateur" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
Missing lines (compared with English-language version):
[Strings]: 2 lines
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{62A836F2-D801-7BE0-491F-EE18F63323B4}" = "startman"
-> {CLSID}\InProcServer32\(Default) = "NukeSpan.dll" [file not found]
HOSTS file
----------
C:\WINDOWS\System32\drivers\etc\HOSTS
maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 41 seconds, including 2 seconds for message boxes)
Hi moe31, is it better this time? Is it complete?
Print this out, or save the procedure in Notepad, to be sure you don't forget anything and do everything in order.
Close all windows of all running programs.
If you have Spybot:
Disable Spybot's TeaTimer for the duration of the procedure:
launch Spybot >> advanced mode >> tools >> resident
Uncheck the "TeaTimer" resident box
close Spybot
(don't forget to re-enable it after the procedure)
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Disconnect from the internet, this is important.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Launch HijackThis and click on [do a system scan only].
Check the box at the start of the following lines:
R3 - URLSearchHook: (no name) - {62A836F2-D801-7BE0-491F-EE18F63323B4} - NukeSpan.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
Confirm by clicking on [fix checked].
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Open Notepad and copy and paste this into it:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\ruins]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Disabled"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut]
Then Save As, and in:
File name, put fix.reg
File type: select "all files"
click on Save
then double-click on fix.reg and accept the merge
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Make hidden and system files visible:
Control Panel > Folder Options > View tab
Check the box in front of "Show hidden files and folders"
Uncheck the box in front of "Hide extensions for known file types"
Uncheck the box in front of "Hide protected operating system files"
click on [Apply] then on [OK] to confirm
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Search for and delete:
C:\WINDOWS\system32\csenu.exe
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Reboot into Safe Mode:
Reboot the PC, let the BIOS screen go by, then tap the F8 key before the Windows loading screen appears.
Choose Safe Mode from the options and confirm with Enter.
Clear the cache of all your browsers and delete the cookies:
For Internet Explorer:
* Control Panel >> Internet Options >> "General" tab
- Click on [Delete Cookies]
- Click on [Delete Files] and check the box "Delete all offline content"
Confirm with OK
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Search for and delete:
C:\WINDOWS\SYSTEM32\dmjyz.exe
C:\WINDOWS\SYSTEM32\rdsndin.exe
C:\WINDOWS\SYSTEM32\loadctr32.exe
C:\WINDOWS\SYSTEM32\ntfsnlpa.exe
C:\WINDOWS\SYSTEM32\dllhstgp.exe
C:\Program Files\WareOut
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Next, very important:
:: Delete the temporary files ::
empty the entire contents of the Temp folders:
* C:\Documents and Settings\your account\Local Settings\Temp
* C:\Windows\Temp
:: The contents of the Prefetch folder ::
* C:\WINDOWS\Prefetch <= except the file layout.ini
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Reboot the PC and run a scan here, and post the report:
http://www.bitdefender.fr
Don't forget, after the procedure, to re-hide the system files in Folder Options.
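A post-cleanup verification script, added here as an example and not part of moe31's procedure: it re-checks the persistence points the reports in this thread flagged (the Winlogon "System" value, the NukeSpan URLSearchHook CLSID, the files listed for deletion, and HOSTS lines that do not point at loopback). It assumes PowerShell is available on the machine being cleaned and is run from an elevated prompt; every registry path, CLSID and file name comes from this thread.

```powershell
# Added example, not moe31's code. Assumes PowerShell is installed on the cleaned
# machine (not a given on a 2005 XP box); the same checks can be done by hand in
# regedit and Notepad. Reports every flagged persistence point that is still live.

$problems = @()

# 1. Winlogon "System" value: Silent Runners reported "System" = "csenu.exe".
#    After fix.reg is merged it must be empty (or absent).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sysValue = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).System
if ($sysValue) { $problems += "Winlogon System value still set: '$sysValue'" }

# 2. URLSearchHook CLSID from the HijackThis R3 line (NukeSpan.dll).
$hookKey   = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
$hookClsid = '{62A836F2-D801-7BE0-491F-EE18F63323B4}'
$hooks = Get-ItemProperty -Path $hookKey -ErrorAction SilentlyContinue
if ($hooks -and ($hooks.PSObject.Properties | Where-Object { $_.Name -eq $hookClsid })) {
    $problems += "URLSearchHook $hookClsid still registered"
}

# 3. Files and folder the procedure deletes (paths taken from the post above).
$files = @(
    "$env:SystemRoot\system32\csenu.exe",
    "$env:SystemRoot\system32\dmjyz.exe",
    "$env:SystemRoot\system32\rdsndin.exe",
    "$env:SystemRoot\system32\loadctr32.exe",
    "$env:SystemRoot\system32\ntfsnlpa.exe",
    "$env:SystemRoot\system32\dllhstgp.exe",
    "$env:ProgramFiles\WareOut"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $problems += "Still present: $f" }
}

# 4. HOSTS file: Silent Runners noted one mapping that is *not* localhost.
#    Flag every active (non-comment) line whose first field is not a loopback
#    address; the reversed "localhost 127.0.0.1" line HijackThis showed trips
#    this too, because its first field is a name rather than an address.
$loopback  = @('127.0.0.1', '::1')
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()      # strip comments and whitespace
    if ($line -eq '') { return }           # skip blank/comment-only lines
    $fields = $line -split '\s+'
    if ($loopback -notcontains $fields[0]) {
        $problems += "HOSTS entry not loopback: $line"
    }
}

if ($problems.Count -eq 0) {
    'All checked persistence points are clean.'
} else {
    $problems | ForEach-Object { "WARNING: $_" }
}
```

Run it once after the fix.reg merge and file deletions, and again after the reboot, since a live process could recreate the Winlogon value before Safe Mode is reached.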
Ferme toutes les fenetres de tous les programmes en cours
Si tu as spybot:
Désactive le temps de la manip, le Tea timer de spybot
lance spybot >> mode avancé >> outils >> résident
Décoche la case résident "tea timer"
referme spybot
(n'oublie pas de le remettre après la manip)
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Déconnecte toi d'internet c'est important
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Lance hijackthis et clic sur [do a system scan only]
cocher la case au début des lignes suivantes:
R3 - URLSearchHook: (no name) - {62A836F2-D801-7BE0-491F-EE18F63323B4} - NukeSpan.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
valider en cliquant sur [fix checked]
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
ouvre le bloc note et copie et colle ceci à l'interieur:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\ruins]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Disabled"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut]
Puis enregistrer sous et dans:
Nom du fichier, met fix.reg
Type de fichier: selectionne "tous les fichiers"
clic sur enregistrer
ensuite double clic sur fix.reg et accepte de fusionner
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Rend visible les fichiers cachés et systeme
panneau de configuration > options des dossiers > onglet affichage
Cocher la case devant " afficher les fichiers et dossiers cachés "
Décocher la case devant " masquer les extentions des fichiers dont le type est connu"
Décocher la case devant " masquer les fichiers protégés du système"
clic sur [Appliquer] puis sur [ok] pour valider
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
recherche et supprime:
C:\WINDOWS\system32\csenu.exe
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Redémarre en mode sans échec
Redemarre le pc, laisse passer l'écran du bios, puis tapote sur la touche F8 avant qu'apparaisse l'écran de chargement de windows.
Choisis le mode sans échec dans les options et valide avec entrée.
Vide le cache de tous tes navigateurs et supprime les cookies:
Pour Internet Explorer:
* Panneau de configuration >> Options internet >> Onglet "Général"
- Clic sur [supprimer les cookies]
- Clic sur [Supprimer les fichiers] et coche la case "Supprimer tout le contenu hors connexion"
Valide avec ok
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Recherche et supprime:
C:\WINDOWS\SYSTEM32\dmjyz.exe
C:\WINDOWS\SYSTEM32\rdsndin.exe
C:\WINDOWS\SYSTEM32\loadctr32.exe
C:\WINDOWS\SYSTEM32\ntfsnlpa.exe
C:\WINDOWS\SYSTEM32\dllhstgp.exe
C:\Program Files\WareOut
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Ensuite, tres important:
:: Supprimer les fichiers temporaires ::
vider tout le contenu des dossiers Temp:
* C:\Documents and Settings\ton compte\Local Settings\Temp
* C:\Windows\Temp
:: Le contenu du dossier prefetch ::
* C:\WINDOWS\Prefetch <= sauf le fichier layout.ini
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
restart the PC, run a scan here, and post the report:
http://www.bitdefender.fr
Don't forget, once these steps are done, to hide the system files again in Folder Options
Hi moe31, I'm sorry, I was away for 2 days for work and I'm only opening the computer now. I'll do all that, probably tomorrow, and keep you posted.
In any case, thank you very much, it's really nice to have resourceful people like you who "apparently" enjoy helping others, thanks again
@+ julo
Hi moe, a bit late, I admit!! but here at last is my scan, as you asked, hoping it can help you. Thanks in advance.
http://cjoint.com/?jsiGbMBNcC
I get the impression the link doesn't work, so maybe like this:
BitDefender Online Scanner
Rapport d'analyse généré à: Sun, Sep 18, 2005 - 00:43:20
Voie d'analyse: A:\;C:\;D:\;E:\;
Statistiques
Temps: 00:23:10
Fichiers: 97609
Directoires: 2063
Secteurs de boot: 3
Archives: 1260
Paquets programmes: 14234
Résultats
Virus identifiés: 1
Fichiers infectés: 1
Fichiers suspects: 0
Avertissements: 0
Désinfectés: 0
Fichiers effacés: 2
Info sur les moteurs
Définition virus: 208610
Version des moteurs: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Analyse des plugins: 13
Archive des plugins: 39
Unpack des plugins: 4
E-mail plugins: 6
Système plugins: 1
Paramètres d'analyse
Première action: Désinfecté
Seconde Action: Supprimé
Heuristique: Oui
Acceptez les avertissements: Oui
Extensions analysées: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Excludez les extensions:
Analyse d'emails: Oui
Analyse des Archives: Oui
Analyser paquets programmes: Oui
Analyse des fichiers: Oui
Analyse de boot: Oui
Fichier analysé: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FE60501.exe=>(Quarantine-2)
Statut: Infecté par: Trojan.Downloader.Delf.KS
Fichier analysé: C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FE60501.exe=>(Quarantine-2)
Statut: Supprimé
Here is the HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 10:51:37, on 18/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\taxe\antivirus\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BoontyBox] "C:\Program Files\Boonty\BoontyBox\BoontyBox.exe" /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
And here is the Silent Runners report:
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]
"BoontyBox" = ""C:\Program Files\Boonty\BoontyBox\BoontyBox.exe" /boot" [file not found]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "soundman.exe" ["Avance Logic, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)
"run" = (value not set)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Startup items in "Administrateur" & "All Users" startup folders:
----------------------------------------------------------------
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Analyser mon ordinateur - Administrateur" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
Missing lines (compared with English-language version):
[Strings]: 2 lines
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 50 seconds, including 10 seconds for message boxes)
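As an added example (not from this thread, and not part of HijackThis itself), a small Python triage pass over lines in the HijackThis format posted above. It flags the three things a helper looks at first: entries marked "(file missing)", binaries launched from user-writable folders such as Temp, and O4 Run values that give only a bare file name. The sample lines are constructed; the [updsvc] entry and the all-zero CLSID are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99 line format. These are not lines taken
# from the thread: the [updsvc] entry and the R3 hook with the all-zero CLSID are
# made-up illustrations; the other entries mimic common legitimate ones.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [updsvc] C:\Documents and Settings\user\Local Settings\Temp\updsvc.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - example.dll (file missing)
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# First absolute Windows path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx|scr|com))"?', re.IGNORECASE)
# O4 autostart: capture the command that follows the [name] tag.
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
# A command starting with a quote, a drive letter or an env variable is absolute.
ABSOLUTE_RE = re.compile(r'^(?:"|[A-Za-z]:\\|%)')

# Locations an ordinary user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
    "%temp%",
)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def extract_path(body: str) -> Optional[str]:
    """Return the first absolute path to a binary in the entry, if any."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage_line(line: str) -> List[Finding]:
    """Apply the three checks to one log line and return the findings."""
    findings: List[Finding] = []
    m = LINE_RE.match(line.strip())
    if not m:
        return findings  # header, process list or blank line: nothing to check
    section, body = m.group("section"), m.group("body")

    # 1. The entry points at a file that no longer exists: an orphaned hook or
    #    button left behind by something already removed.
    if "(file missing)" in body:
        findings.append(Finding(section, "dangling reference: target file is missing", line))

    # 2. The binary lives in a user-writable directory (Temp, the user profile).
    path = extract_path(body)
    if path and any(marker in path.lower() for marker in USER_WRITABLE):
        findings.append(Finding(section, "launches from a user-writable location", line))

    # 3. An O4 Run value with a bare file name: Windows resolves it through the
    #    search path, so verify which file actually runs.
    if section == "O4":
        o4 = O4_RE.match(body)
        if o4 and not ABSOLUTE_RE.match(o4.group("cmd")):
            findings.append(Finding(section, "relative path resolved via the search path", line))
    return findings


def triage(log: str) -> List[Finding]:
    """Run triage_line over a whole log, keeping the log's line order."""
    return [f for line in log.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:3} {f.reason}: {f.line.strip()}")
```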
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 50 seconds, including 10 seconds for message boxes)
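As an added example (not part of the original post and not code from the Silent Runners tool), here is a small Python triage pass over the log format above. It pulls out every file path together with the bracketed tag the scan puts after it ([MS], ["Company Name"], [null data]) and flags the entries whose tag names no vendor, which is where a manual look starts. The sample lines are copied from the posted log; the interpretation of the tags and the review rule are this example's own assumptions, and the tag only reflects the file's self-reported version information, not a verified signature, so a named vendor still needs its path checked against where that vendor actually installs.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of lines copied from the Silent Runners log posted above.
SAMPLE_LOG = r"""Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
"""

# A Windows path (drive letter or %VAR% prefix) ending in .exe or .dll; lazy so that
# a command line such as 'Navw32.exe /task:"..."' stops at the executable itself.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[A-Za-z]+%)\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
# The bracketed tag at the end of an entry line; the Winsock catalog lines are allowed
# a trailing ", 04 - 05" style index range after the tag.
TAG_RE = re.compile(r'\[([^\[\]]+)\](?:,\s*[\d\s\-,]+)?\s*$')


@dataclass
class Entry:
    section: str
    path: str
    tag: str


def parse_entries(log_text: str) -> List[Entry]:
    """Return (section, path, tag) for every line that carries a file path and a tag."""
    entries, section = [], ""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        # A run of dashes underlines the section heading printed on the previous line.
        if i > 0 and len(line) > 3 and set(line) == {"-"}:
            section = lines[i - 1].rstrip(":")
            continue
        tag, path = TAG_RE.search(line), PATH_RE.search(line)
        if tag and path:
            entries.append(Entry(section, path.group(1), tag.group(1)))
    return entries


def needs_review(entry: Entry) -> str:
    """Reason string when an entry deserves a manual look, empty string otherwise.

    Assumed tag semantics: [MS] is a Microsoft file, ["Name"] is the company name
    from the file's version info, anything else (e.g. [null data]) means the file
    declares no vendor or could not be examined. Version info is self-reported.
    """
    if entry.tag == "MS":
        return ""
    if entry.tag.startswith('"') and entry.tag.endswith('"'):
        return ""  # named vendor; still confirm the path matches that vendor's install dir
    return f"tag [{entry.tag}]: no vendor in version info, or file not examinable"


def flagged_paths(log_text: str) -> List[str]:
    """Paths from the log whose entries need a manual look, in log order."""
    return [e.path for e in parse_entries(log_text) if needs_review(e)]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        reason = needs_review(e)
        print(f"{'REVIEW ' if reason else 'ok     '}{e.section} | {e.path} | [{e.tag}] {reason}")
```

On the sample this flags only %windir%\bdoscandel.exe (the BitDefender uninstaller stub tagged [null data]); the same rule applied to the full log above would also raise the WinRAR rarext.dll shell extension, which is benign but, like many small third-party components, ships without a company name in its version info. That is exactly why the tag is a starting point for review, not a verdict.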