Hclean32.exe, rdsndin.exe & ntfsnlpa.exe

Solved
nickytchao -
Anonymous user -
Hello everyone,
First of all, thank you, because if I'm posting it's because I can't manage on my own, and it's thanks to you that today I think I've cleaned almost my whole machine, because without people like you sharing their experience to help us get rid of all this cr..., we'd be a lot deeper (in it...).
I've read about hclean32 in various posts on various forums; it's apparently causing quite a bit of trouble these days.... For me, it all started 3 weeks ago: somehow, on a Flash games site, I picked up a rotten toolbar that sent me to an adult site when I closed it; so far, nothing unusual. At that exact moment a flood of junk got lodged on the machine (mostly in system32). I managed to remove the toolbar, but there are still pop-ups that appear when I go online at the start of the day....
-> When I connect, Symantec screams about hclean32.exe and tries to quarantine it, and that one creates 2 other executables, rdsndin and ntfsnlpa.... Until today those two were blocked by ewido, but my automatic protection stopped this morning... since I'm at work, it's a bit of a pain..
In short, I've thrown everything at it: HijackThis, Ad-Aware, a², SilentRunners, Spybot, CCleaner, CWShredder.. BUT once they're running, if ewido doesn't shoot those two files down they're invisible, except to SECURITY TASK MANAGER. Only I'll soon no longer have that one either...

So I'm a bit stuck, because saving .reg files and all that, clearing registry keys etc.. is nice, but not at work...

I can give you whatever logs you want, but I think this small excerpt that SilentRunners produced this morning may move things forward... I gathered that hclean32 plays with Winlogon; apparently that's where the trail is...

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csttr.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! nwprovau\DLLName = "nwprovau.dll" [MS]

If you like, I also saved the details of the two suspicious files in Security Task Manager, if that's of interest...

And if you want anything else, don't hesitate, I think I've got the whole toolkit lol...

Thanks!!

nickytchao

26 replies

darkcrystal33 Posts 3815 Status Contributor 193
 
Startup Name Process Name Details
X hclean32.exe hclean32.exe "TROJAN downloader/installer! - assumed to be associated with Wareout"

Startup Name Process Name Details
X WareOut WareOut.exe "Malware masquerading as a spyware and dialer remover"

"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"

***

Description

WareOut is a rogue spyware removal application operated by ‘Coteco LLC’, suspected to be a front for a CoolWebSearch affiliate (hosted in a netblock full of CWS variant servers). It is listed here as unsolicited commercial software because it is loaded without consent using browser security holes.

WareOut’s method of finding spyware seems to involve flagging all auto-starting programs installed that are not on a whitelist of well-known non-parasite programs. This often produces many false positives, which the software will refuse to remove unless a registration fee is paid.

Also to ensure that it always ‘finds’ some ‘threats’, WareOut adds some spurious extra entries to the registry when it is first run, pointing to files that do not exist, which it will then claim as evidence of spyware. The entries are startup Run entries in the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER trees, and URLSearchHooks. They are given entry names and .exe/.dll filenames chosen randomly from a list of suspicious-looking strings including:

* ___
* _ctcp
* 10010
* 321102
* 34763
* ABCXYZ
* abrek
* ActionScr
* AliceSD
* atl_helper.dll
* ATLIEHELPER
* avpmondll
* backd
* backorif
* barint
* bhoserv
* bingo9
* bnui
* Bogobot
* borlandg
* BoundRec
* br0ken
* Brong32
* browebar
* clamav
* cmon14
* cnftips
* control64
* corrida
* CToolBar
* DCC_send
* defect08
* dePloy
* Dest068
* dialer423
* driver32
* DTOURS
* ERTYDF
* EXE2EXE
* forces_elite
* ftbar
* gabber
* hyandex
* iesetupdll
* init32
* InpriseMon
* install2
* JAguAr
* jopplerg
* Kargo
* keybdll
* killall
* LOPTCON
* MONITER
* MON76234
* MNTP
* msag
* ms-its
* MsNetHelper
* MSTCPDLL
* new32
* newbreed
* nmdllw
* NopeZ
* NukeSpan
* ParisM
* panel_its
* PasswdMon
* pizda
* powerdll
* prcmon
* PrcIdle
* prgsys0984
* Preliminary
* qwe
* RtlFindVal
* runload32
* SAPSTR
* sbin
* scanSYS
* Serviceprocess
* SetupExeDll
* Shaitan1678
* slamm
* sound64
* ssweeper
* StartCpl
* startman
* StatusCheck
* stuffmon
* SYSTRAV
* sysconf16
* sysmon12
* syspanel
* SysSupport
* systemdll
* TemplateDongle
* Testimonials
* teqq32
* TForm1
* TorontoMail
* Trayz
* TRPT
* trycrt
* typeconf
* uio
* uint32
* UserSP1
* utsgmon
* vxdman
* WhatsNewBot
* wormexe
* WTFCTF
* XTermInit
* xwiz
* xxtoolbar
* zantu
* zxc

Distribution

Silently installed by CoolWebSearch IE security hole exploits.
What it does
Advertising

No.
Privacy violation

No.
Security issues

No.
Stability problems

No.
Removal

Use the entry in the Control Panel’s Add/Remove Programs list to remove the software, then restart the computer, open the Windows folder and delete the file wotmp.tmp or wotmp11.tmp, then open the System32 folder (inside the Windows folder, called just ‘System’ on Windows 95/98/Me) and delete the file wosys.dll or wosysdll.dll.

To clean up the fake spyware traces WareOut installs, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. For each, look at the entry list on the right and delete entries using the names/filenames above. Then select the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks and delete the randomly-numbered entries on the right except the default search hook {CFBFAE00-17A6-11D0-99CB-00C04FD64497}.

***

source: http://www.doxdesk.com/parasite/WareOut.html

***

happy cleaning
0
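An added example, not from this thread or from doxdesk: a Python triage script for Silent Runners output that applies the checks described above to lines like the ones nickytchao posted (autorun entries pointing at missing files, names from the WareOut decoy list, a non-empty Winlogon "System" value such as the csttr.exe one, and the INFECTION WARNING! markers). The embedded report is a constructed sample and the decoy set is a subset of the names above.

```python
import re
from dataclasses import dataclass, field

# Subset of the decoy entry names from the doxdesk list quoted above (all lower-case).
WAREOUT_DECOY_NAMES = {
    "abrek", "atl_helper.dll", "clamav", "driver32", "init32",
    "runload32", "sysmon12", "wormexe", "xxtoolbar",
}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx)?\\", re.IGNORECASE)
WINLOGON_RE = re.compile(r"\\Winlogon\\$", re.IGNORECASE)

# One value line of a Silent Runners report, with or without the warning prefix:
#   INFECTION WARNING! "System" = "csttr.exe" [null data]
#   igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
VALUE_RE = re.compile(
    r'^(?P<warn>INFECTION WARNING! )?'
    r'(?P<name>"[^"]*"|[^"=\s][^=]*?)\s*=\s*'
    r'"(?P<data>.*)"\s*\[(?P<status>[^\]]*)\]\s*$'
)

# Constructed sample in Silent Runners format (not a real report from the thread).
SAMPLE_REPORT = r'''
Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"runload32" = "C:\WINNT\system32\runload32.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"driver32" = "driver32.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csttr.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
'''

@dataclass
class Finding:
    key: str
    name: str
    data: str
    status: str
    severity: str
    reasons: list = field(default_factory=list)

def parse_report(text):
    """Yield (key, warned, name, data, status) for every value line under a registry key."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("HKLM\\", "HKCU\\")):
            key = line.split(" {++}")[0]  # "{++}" only marks that defaults are listed too
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield (key, bool(m.group("warn")), m.group("name").strip('"'),
                   m.group("data").strip('"'), m.group("status").strip('"'))

def is_decoy_name(value):
    """True if an entry name or a path's basename (with or without extension) is on the decoy list."""
    base = value.replace("/", "\\").split("\\")[-1].split(" ")[0].lower()
    return base in WAREOUT_DECOY_NAMES or base.rsplit(".", 1)[0] in WAREOUT_DECOY_NAMES

def triage(text):
    """Return the suspicious entries of a Silent Runners report, high severity first."""
    findings = []
    for key, warned, name, data, status in parse_report(text):
        high, notes = [], []
        if RUN_KEY_RE.search(key) and status == "file not found":
            high.append("autorun entry points at a missing file (the kind of decoy WareOut plants)")
        if is_decoy_name(name) or is_decoy_name(data):
            high.append("name matches the WareOut decoy list")
        if WINLOGON_RE.search(key) and name.lower() == "system" and data:
            high.append("Winlogon 'System' is empty on a clean system; anything set here runs at logon")
        if warned:
            notes.append("flagged INFECTION WARNING! by Silent Runners (non-default entry, check the vendor string)")
        if high or notes:
            findings.append(Finding(key, name, data, status, "high" if high else "medium", high + notes))
    findings.sort(key=lambda f: f.severity != "high")  # stable: keeps report order within a level
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity.upper()}] {f.key}  {f.name} = {f.data!r} [{f.status}]")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run it against a saved Silent Runners report by passing the file contents to triage(); entries with a vendor string and no other reason still need a manual look, since the report flags every non-default entry.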
nickytchao Posts 13 Status Member
 
Hello darkcrystal,
and thanks for your reply,

but...

sorry, none of that is in my registry, I cleaned it beforehand, I haven't used Internet Explorer for a while now, and although I love Firefox, I still have the problem ;-)

I've heard of WareOut too, but I've never had it on the machine!
0
Anonymous user
 
hi

post a new HijackThis and a new SilentRunners log, then don't shut down or restart your PC

see you
0
nickytchao Posts 13 Status Member
 
Good day gentlemen, well, this morning same thing when starting Firefox; I deleted the 2 executables with Security Task Manager,

no problem for the logs!

Here's HijackThis
------------------------
-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 08:34:31, on 16/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\A Note\A Note.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Perso\Raccourcis\Sécu\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fr.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: A Note.lnk = C:\Program Files\A Note\A Note.exe
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fr.msn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.fr.msn.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - http://"IpBoulot"/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - http://"IpBoulot"/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - http://"IpBoulot"/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125490736126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = "Boulot".COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5B7D9A-6CE7-4803-801C-CCD3E729050A}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = "Boulot".COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = "Boulot".COM
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe





N.B.: I put a few things in quotes; I'd rather keep the network settings from work to myself...

and for SilentRunners:
---------------------------
------------------------------
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"DrvLsnr" = "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" ["adi"]
"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\system32\hkcmd.exe" ["Intel Corporation"]
"POINTER" = "point32.exe" [MS]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\800 {++}
"000" = "C:\WINNT\system32\msdxm.ocx|DllRegisterServer" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Accès Internet Explorer"
                                        \StubPath   = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
                                       \StubPath   = "C:\WINNT\system32\ie4uinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\browseui.dll" [MS]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csttr.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! nwprovau\DLLName = "nwprovau.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Perso\Fond\Dunes.bmp"


Startup items in "nicolas" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\nicolas.SAVIME\Menu Démarrer\Programmes\Démarrage
"A Note" -> shortcut to: "C:\Program Files\A Note\A Note.exe" ["A Note"]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Microsoft Outlook" -> shortcut to: "C:\WINNT\Installer\{0001040C-78E1-11D2-B60F-006097C998E7}\outicon.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Ad-aware 6" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.fr.msn.com"
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
[Strings]: MS_START_PAGE_URL="http://www.fr.msn.com"

Missing lines (compared with English-language version):
[DeleteAutosearch.reg]: 1 line
[Strings]: 3 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Service client pour NetWare, NWCWorkstation, "C:\WINNT\System32\services.exe" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Système d'événements de COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 105 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 6 seconds.
---------- (total run time: 170 seconds)



There you go,

thanks a lot moe31!!!
0

Anonymous user
 
hi

let me know as soon as you have a bit of time to spare.
I suppose you must have shut down or restarted your PC since your last post, and some processes of this infection rename themselves after a restart.

see you
0
nickytchao Posts 13 Status Member
 
Hi,

well, I haven't restarted my machine yet, but I've finished work now and I'm not back until Monday... as soon as I'm in I'll run HijackThis & SilentRunners again before deleting the exes with Security Task Manager.
to be continued!!

Thanks!
0
Anonymous user
 
hi

is it your work PC that's infected?
0
jean louis 37 Posts 1596 Status Member 346
 
Hello moe
Sorry to come and pollute your thread, could you take a look at this HijackThis log? Thanks
http://www.commentcamarche.net/forum/affich-1801076-au-secours-message-d-erreur
0
Anonymous user
 
hi jean louis

I'll look at it right away.

see you
0
nickytchao Posts 13 Status Member
 
Hello moe31,
here I have a bit of time... at the end of the day lol, all things considered maybe not worth lingering on it, given I'm not on the PC all the time lol...

Yes, it's indeed the work PC!!
Here are today's Silent Runners and HijackThis logs:

Silent Runners:
-----------------
------------------

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"DrvLsnr" = "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" ["adi"]
"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\system32\hkcmd.exe" ["Intel Corporation"]
"POINTER" = "point32.exe" [MS]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Accès Internet Explorer"
                                        \StubPath   = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE" [MS]
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
                                       \StubPath   = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
                                       \StubPath   = "C:\WINNT\system32\ie4uinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\browseui.dll" [MS]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csttr.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! nwprovau\DLLName = "nwprovau.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Perso\Fond\Dunes.bmp"


Startup items in "nicolas" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\nicolas.SAVIME\Menu Démarrer\Programmes\Démarrage
"A Note" -> shortcut to: "C:\Program Files\A Note\A Note.exe" ["A Note"]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Microsoft Outlook" -> shortcut to: "C:\WINNT\Installer\{0001040C-78E1-11D2-B60F-006097C998E7}\outicon.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Ad-aware 6" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.fr.msn.com"
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
[Strings]: MS_START_PAGE_URL="http://www.fr.msn.com"

Missing lines (compared with English-language version):
[DeleteAutosearch.reg]: 1 line
[Strings]: 3 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Service client pour NetWare, NWCWorkstation, "C:\WINNT\System32\services.exe" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Système d'événements de COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 110 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 6 seconds.
---------- (total run time: 173 seconds)


and the HijackThis log:
---------------
Logfile of HijackThis v1.99.1
Scan saved at 17:22:32, on 19/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Perso\Raccourcis\Sécu\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fr.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [ACMWrapperV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\ACMWrapperV2.dll"
O4 - HKLM\..\RunOnce: [MediaPlayerV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\MediaPlayerV2.dll"
O4 - HKLM\..\RunOnce: [driversV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\driversV2.dll"
O4 - HKLM\..\RunOnce: [Cdbootable.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Cdbootable.dll"
O4 - HKLM\..\RunOnce: [cdDataPS.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdDataPS.dll"
O4 - HKLM\..\RunOnce: [cdExtra.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdExtra.dll"
O4 - HKLM\..\RunOnce: [cdmp3.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdmp3.dll"
O4 - HKLM\..\RunOnce: [database.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\database.dll"
O4 - HKLM\..\RunOnce: [ISO9660.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\ISO9660.dll"
O4 - HKLM\..\RunOnce: [Joliet.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Joliet.dll"
O4 - HKLM\..\RunOnce: [Udf.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Udf.dll"
O4 - HKLM\..\RunOnce: [creator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\creator.dll"
O4 - HKLM\..\RunOnce: [Translator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Translator.dll"
O4 - HKLM\..\RunOnce: [CDEngine.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\CDEngine.dll"
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINNT\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: A Note.lnk = C:\Program Files\A Note\A Note.exe
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fr.msn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.fr.msn.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - http://'IP boulot"/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - http://'IP boulot"/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - http://'IP boulot"/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125490736126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SAVIME.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5B7D9A-6CE7-4803-801C-CCD3E729050A}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = "boulot".COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = "boulot".COM
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



Thanks!!!
Anonymous user
 
hi

I think there are some left

download this program and post the report
http://get.yourfile.net/aw82286.zip

later
nickytchao, 13 posts, Member
 
Hi moe,

your link doesn't work!

Thanks!
Anonymous user
 
hi

indeed, the server must be having a problem

try here:
http://cjoint.com/?jtwa2jF0Cv

later
nickytchao, 13 posts, Member
 
Here you go!!!



Rapport fait à 12:34:54,36 le mar. 20/09/2005
Executé à partir de D:\Down
OS: Microsoft Windows 2000 [Version 5.00.2195]

*********************************************

Vérification HKLM\...\...\...\...\ruins

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:7c,06,00,00,75,75,4d,49,5a,4d,26,21,7f,3c,11,0c,14,00,00,00
"gib_ogol"=hex:12,07,00,00,eb,1c,dc,2c,c4,c9,be,b4,95,aa,6f,9a,14,00,00,00
"nidnsdr"=hex:e0,07,00,00,c7,d9,f6,e3,f1,f4,8b,c3,90,85,a0,13,00,00,00
"23naelch"=hex:79,08,00,00,74,41,40,73,6f,5a,69,66,72,03,14,33,14,00,00,00
"aplnsftn"=hex:10,0b,00,00,eb,19,d3,2e,cb,c1,45,bc,eb,a8,6d,98,14,00,00,00
"23rtcdaol"=hex:a9,0b,00,00,80,85,af,a0,b9,a0,de,11,0e,0a,eb,cc,fb,15,00,00,00
"7"=hex:bb,69,00,00,b6,83,82,8d,a9,94,2b,20,3c,fd,d6,cd,14,00,00,00
"8"=hex:bb,69,00,00,b8,82,8b,84,aa,99,ec,24,f5,ee,c5,13,00,00,00
"9"=hex:ec,69,00,00,cf,fd,f7,f2,ef,e5,99,80,cf,8c,81,bc,14,00,00,00
"10"=hex:fb,4a,00,00,f6,c3,c2,cd,e9,d4,eb,e0,fc,bd,96,8d,14,00,00,00
"11"=hex:fb,4a,00,00,f8,c2,cb,c4,ea,d9,ac,e4,b5,ae,85,13,00,00,00
"12"=hex:fb,4a,00,00,fc,f2,c4,c3,dc,da,ae,91,fc,bd,96,8d,14,00,00,00
"13"=hex:63,1d,00,00,5e,5b,6a,65,71,6c,53,58,44,15,3e,25,14,00,00,00
"14"=hex:63,1d,00,00,40,5a,73,7c,72,71,14,5c,1d,06,2d,13,00,00,00
"15"=hex:63,1d,00,00,44,4a,6c,7b,64,72,16,09,44,15,3e,25,14,00,00,00
"16"=hex:4d,11,00,00,20,2d,1c,1f,1b,06,45,b2,ae,6f,20,5f,14,00,00,00
"17"=hex:4d,11,00,00,2a,2c,65,16,04,0b,7e,b6,67,18,57,13,00,00,00
"18"=hex:4d,11,00,00,2e,5c,16,6d,0e,04,78,63,ae,6f,20,5f,14,00,00,00
"19"=hex:29,73,00,00,04,11,30,23,3f,2a,99,96,82,53,44,63,14,00,00,00
"20"=hex:29,73,00,00,0e,10,39,3a,38,2f,52,9a,5b,7c,6b,13,00,00,00
"21"=hex:29,73,00,00,02,00,2a,31,22,28,5c,47,82,53,44,63,14,00,00,00
"22"=hex:32,6d,00,00,0f,08,3b,3a,26,1d,a0,a9,b5,4a,4f,7a,14,00,00,00
"23"=hex:32,6d,00,00,31,0b,00,0d,23,26,65,ad,42,77,72,13,00,00,00
"24"=hex:32,6d,00,00,35,3b,3d,08,15,23,67,5e,b5,4a,4f,7a,14,00,00,00
"25"=hex:2e,51,00,00,03,0c,3f,3e,3a,21,a4,ad,89,4e,43,7e,14,00,00,00
"26"=hex:62,51,00,00,41,5b,70,7d,73,76,15,5d,12,07,22,13,00,00,00
"27"=hex:62,51,00,00,45,4b,6d,78,65,73,17,0e,45,1a,3f,2a,14,00,00,00
"28"=hex:c1,31,00,00,bc,b9,88,8b,97,92,31,3e,3a,fb,dc,cb,14,00,00,00
"29"=hex:c1,31,00,00,a6,b8,91,82,90,97,ea,22,f3,e4,c3,13,00,00,00
"30"=hex:c1,31,00,00,ba,a8,82,99,9a,90,f4,ef,3a,fb,dc,cb,14,00,00,00
"31"=hex:8f,2b,00,00,62,6f,5e,59,45,40,07,0c,68,29,e2,19,14,00,00,00
"32"=hex:8f,2b,00,00,94,6e,a7,50,46,45,38,70,21,da,11,13,00,00,00
"33"=hex:c0,2b,00,00,bb,a9,83,9e,9b,91,f5,ec,3b,f8,dd,c8,14,00,00,00
"34"=hex:f3,30,00,00,ce,cb,fa,f5,e1,dc,e3,e8,f4,85,8e,b5,14,00,00,00
"35"=hex:24,31,00,00,03,15,32,3f,3d,30,57,9f,5c,41,6c,13,00,00,00
"36"=hex:59,31,00,00,52,50,1a,61,72,78,0c,77,52,63,34,53,14,00,00,00
"37"=hex:7a,32,00,00,77,40,43,72,6e,55,68,61,7d,02,17,32,14,00,00,00
"38"=hex:af,32,00,00,b4,8e,87,b0,a6,a5,d8,10,c1,fa,f1,13,00,00,00
"39"=hex:af,32,00,00,88,be,b0,8f,a8,a6,da,dd,08,c9,c2,f9,14,00,00,00
"40"=hex:00,10,00,00,fd,fe,c9,c8,d4,d3,f6,ff,fb,b8,9d,88,14,00,00,00
"41"=hex:35,10,00,00,32,04,0d,0e,2c,23,66,ae,4f,70,7f,13,00,00,00
"42"=hex:66,10,00,00,41,47,69,74,61,6f,13,0a,41,16,3b,26,14,00,00,00
"43"=hex:e9,74,00,00,c4,d1,f0,e3,ff,ea,d9,d6,c2,93,84,a3,14,00,00,00
"44"=hex:1e,75,00,00,05,1f,34,21,37,3a,49,81,56,4b,66,13,00,00,00
"45"=hex:52,75,00,00,55,5b,1d,68,75,03,07,7e,55,6a,2f,5a,14,00,00,00
"46"=hex:42,53,00,00,3f,38,0b,0a,16,0d,b0,b9,a5,7a,5f,4a,14,00,00,00
"47"=hex:a7,53,00,00,8c,96,bf,b8,be,ad,d0,18,d9,c2,e9,13,00,00,00
"48"=hex:db,53,00,00,dc,d2,e4,e3,fc,fa,8e,f1,dc,9d,b6,ad,14,00,00,00
"49"=hex:a0,72,00,00,9d,9e,a9,a8,b4,b3,16,1f,1b,d8,fd,e8,14,00,00,00
"50"=hex:09,73,00,00,ee,f0,d9,da,d8,cf,b2,fa,bb,5c,8b,13,00,00,00
"51"=hex:3a,73,00,00,3d,33,05,00,1d,1b,6f,56,bd,42,57,72,14,00,00,00
"52"=hex:d1,73,00,00,ac,a9,98,9b,87,82,c1,ce,2a,eb,ac,db,14,00,00,00
"53"=hex:39,74,00,00,3e,00,09,0a,28,1f,62,aa,4b,6c,7b,13,00,00,00
"54"=hex:6a,74,00,00,4d,43,75,70,6d,6b,1f,06,4d,12,07,22,14,00,00,00


*********************************************

Fichiers détectés :

C:\WINNT\balloon.wav Présent !
C:\WINNT\System32\loadctr32.exe Présent !
C:\WINNT\System32\ntfsnlpa.exe Présent !
C:\WINNT\System32\rdsndin.exe Présent !

*********************************************

Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe

C:\WINNT\System32
CSRSS.EXE

*********************************************

Recherche presence  hclean32.exe... 
non trouvé...


Looks like we've found my little critters again... can I get an explanation about the file? I mean... what does it do?
Thanks!!
Anonymous user
 
ok, post a new HijackThis log and a new SilentRunners log

and, after making all files visible, check whether these exist on the PC (go directly into the system32 folder without using the "search" function):

C:\WINNT\System32\logo_big.exe
C:\WINNT\SYSTEM32\dllhstgp.exe

later
nickytchao, 13 posts, Member
 
The files don't exist,
here's the SilentRunners log
------------------
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"DrvLsnr" = "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" ["adi"]
"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\system32\hkcmd.exe" ["Intel Corporation"]
"POINTER" = "point32.exe" [MS]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ACMWrapperV2.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\ACMWrapperV2.dll"" [MS]
"MediaPlayerV2.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\MediaPlayerV2.dll"" [MS]
"driversV2.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\driversV2.dll"" [MS]
"Cdbootable.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Cdbootable.dll"" [MS]
"cdDataPS.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdDataPS.dll"" [MS]
"cdExtra.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdExtra.dll"" [MS]
"cdmp3.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdmp3.dll"" [MS]
"database.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\database.dll"" [MS]
"ISO9660.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\ISO9660.dll"" [MS]
"Joliet.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Joliet.dll"" [MS]
"Udf.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Udf.dll"" [MS]
"creator.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\creator.dll"" [MS]
"Translator.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Translator.dll"" [MS]
"CDEngine.dll" = "c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\CDEngine.dll"" [MS]
"WMC_RebootCheck" = "C:\WINNT\inf\unregmp2.exe /FixUps" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Accès Internet Explorer"
                                        \StubPath   = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
                                       \StubPath   = "C:\WINNT\system32\ie4uinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\browseui.dll" [MS]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csttr.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! nwprovau\DLLName = "nwprovau.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\Perso\Fond\damier.gif"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINNT\system32\TOPSOL~1.SCR" (TopSolid 2005.scr) ["Stardust Software"]


Startup items in "nicolas" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\nicolas.SAVIME\Menu Démarrer\Programmes\Démarrage
"A Note" -> shortcut to: "C:\Program Files\A Note\A Note.exe" ["A Note"]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Microsoft Outlook" -> shortcut to: "C:\WINNT\Installer\{0001040C-78E1-11D2-B60F-006097C998E7}\outicon.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Ad-aware 6" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.fr.msn.com"
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
[Strings]: MS_START_PAGE_URL="http://www.fr.msn.com"

Missing lines (compared with English-language version):
[DeleteAutosearch.reg]: 1 line
[Strings]: 3 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Service client pour NetWare, NWCWorkstation, "C:\WINNT\System32\services.exe" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Système d'événements de COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 102 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 7 seconds.
---------- (total run time: 162 seconds)



and the HijackThis log
-----------------
Logfile of HijackThis v1.99.1
Scan saved at 13:10:24, on 20/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
D:\Perso\Raccourcis\Sécu\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fr.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [ACMWrapperV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\ACMWrapperV2.dll"
O4 - HKLM\..\RunOnce: [MediaPlayerV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\MediaPlayerV2.dll"
O4 - HKLM\..\RunOnce: [driversV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\driversV2.dll"
O4 - HKLM\..\RunOnce: [Cdbootable.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Cdbootable.dll"
O4 - HKLM\..\RunOnce: [cdDataPS.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdDataPS.dll"
O4 - HKLM\..\RunOnce: [cdExtra.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdExtra.dll"
O4 - HKLM\..\RunOnce: [cdmp3.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\cdmp3.dll"
O4 - HKLM\..\RunOnce: [database.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\database.dll"
O4 - HKLM\..\RunOnce: [ISO9660.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\ISO9660.dll"
O4 - HKLM\..\RunOnce: [Joliet.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Joliet.dll"
O4 - HKLM\..\RunOnce: [Udf.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Udf.dll"
O4 - HKLM\..\RunOnce: [creator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\creator.dll"
O4 - HKLM\..\RunOnce: [Translator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CreatorAPI\Translator.dll"
O4 - HKLM\..\RunOnce: [CDEngine.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Fichiers communs\Adaptec Shared\CDEngine\CDEngine.dll"
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINNT\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: A Note.lnk = C:\Program Files\A Note\A Note.exe
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fr.msn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.fr.msn.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - http://"IP_boulot"/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - http://"IP_boulot"/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - http://"IP_boulot"/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125490736126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SAVIME.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5B7D9A-6CE7-4803-801C-CCD3E729050A}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = "boulot".COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = "boulot".COM
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Thanks!!
0
Anonymous user
 
Close all windows of every running program

Launch hijackthis and click on [do a system scan only]
tick the box at the start of the following lines:

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5B7D9A-6CE7-4803-801C-CCD3E729050A}: NameServer = 195.95.218.18,85.255.112.11

confirm by clicking on [fix checked]

/!\ if these lines do not appear, you need to connect before launching hijackthis

the IP address 195.95.218.18 leads to Ukraine
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Disconnect from the internet, this is important

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

open notepad and copy and paste this inside it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""


Then choose save as, and in:
File name, put fix.reg
File type: select "all files"
click on save

then double-click on fix.reg and accept the merge
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Search and delete:

if they are present, delete:

C:\WINNT\System32\csttr.exe
C:\WINNT\balloon.wav
C:\WINNT\System32\loadctr32.exe
C:\WINNT\System32\ntfsnlpa.exe
C:\WINNT\System32\rdsndin.exe

C:\Program Files\WareOut if it exists
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

restart the pc and run a scan here, and post the report:
http://webscanner.kaspersky.fr/
after the ActiveX control has loaded, click on next
then click on configuration and choose "extended"
Choose the directory scan and choose your hard drive(s)

later
0
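The triage the reply above does by eye (picking out the O17 NameServer entry that points at public resolvers, and checking which O20 Winlogon Notify packages are present) can be scripted, which is useful when the same log has to be reviewed on several machines. The following Python is an added example, not code from this thread or from HijackThis; the sample log lines are constructed in the HijackThis format shown above, and EXPECTED_RESOLVERS and KNOWN_WINLOGON_NOTIFY are hypothetical allowlists that a practitioner would replace with the network's real DNS servers and the build's known Notify packages.

```python
"""Triage a HijackThis log for rogue DNS resolvers (O17) and unknown Winlogon Notify packages (O20)."""
import ipaddress
import re

# Constructed sample in HijackThis log format; only enough lines to exercise the checks.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SAVIME.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5B7D9A-6CE7-4803-801C-CCD3E729050A}: NameServer = 195.95.218.18,85.255.112.11
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Assumption: resolvers a workstation on this network is allowed to use.
# A real deployment lists the corporate DNS servers; RFC 1918 space stands in here.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: Winlogon Notify packages known to be legitimate on this build
# (both names appear in the log above; the allowlist itself is hypothetical).
KNOWN_WINLOGON_NOTIFY = {"igfxcui", "nwprovau"}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _is_expected(ip):
    return any(ip in net for net in EXPECTED_RESOLVERS)


def rogue_nameservers(text):
    """Return [(registry key, [unexpected resolver values])] from O17 NameServer entries."""
    hits = []
    for section, body in parse_hjt(text):
        if section != "O17":
            continue
        m = NAMESERVER_RE.match(body)
        if not m:
            continue  # "Domain = ..." lines carry no resolver
        bad = []
        for token in m.group("servers").split(","):
            token = token.strip()
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                bad.append(token)  # an unparsable resolver value is itself worth a look
                continue
            if not _is_expected(ip):
                bad.append(str(ip))
        if bad:
            hits.append((m.group("key"), bad))
    return hits


def unknown_winlogon_notify(text):
    """Return O20 Winlogon Notify packages not on the allowlist, as (name, dll path)."""
    unknown = []
    for section, body in parse_hjt(text):
        if section != "O20":
            continue
        m = NOTIFY_RE.match(body)
        if m and m.group("name") not in KNOWN_WINLOGON_NOTIFY:
            unknown.append((m.group("name"), m.group("path")))
    return unknown


if __name__ == "__main__":
    for key, ips in rogue_nameservers(SAMPLE_LOG):
        print(f"O17 {key}: unexpected resolvers {ips}")
    for name, path in unknown_winlogon_notify(SAMPLE_LOG):
        print(f"O20 unknown Winlogon Notify package {name} -> {path}")
```

Run against the sample, the script reports the single O17 interface key with both public resolvers and no unknown O20 package, which matches what the reply asks the poster to fix. The resolver check deliberately flags any address outside the allowlist rather than matching a blocklist, because a rogue resolver only needs to be one the machine was never meant to use.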
nickytchao Posts 13 Status Member
 
uh.... are there any risks?
0
Anonymous user
 
hi
follow exactly what moe advises you, it's very well explained, you'll get there, even the biggest novices manage it so you will too

if you need anything, don't hesitate to ask

bye
0
nickytchao Posts 13 Status Member
 
yes yes, that's not the question, to be honest if I were at home, bah, I wouldn't much care, but this is work, the procedure will be fine, but if the computer behaves strangely I'll have to give explanations!

I'll start on it around 14:30...
Thanks!
0
Anonymous user
 
From what moe posted, it should normally (there's always a margin of uncertainty with computers, alas) go well

later
0