Trojan-Dropper.Win32

Closed
Starling - 28 Sept. 2005 at 16:48
Anonymous user - 3 Oct. 2005 at 17:29
Hello everyone!

I'm running XP SP2, Norton AV, a2, Spybot and Ad-Aware.

Yet every day when I scan with a2, I find Trojan-Dropper.Win32 + Trojan.Win32.Qhost.qr in my System Volume Information.

Yesterday I ran a scan after disabling and then re-enabling System Restore. Naturally, I didn't find anything any more.

But this afternoon, here we go again! I ran a normal scan (without disabling it), and there was my Dropper again.

Could you please tell me what to do to get rid of it once and for all?

Thanks

34 replies

Anonymous user
28 Sept. 2005 at 16:54
Same thing:
disable and re-enable your System Restore (it is in System Volume Information, right?)
Later
0
Hi

Yes, it is in my System Volume Information.

But why does it come back every day, despite my scans with System Restore disabled? Doesn't that remove them for good?
0
Anonymous user
28 Sept. 2005 at 16:59
Again,
are you proceeding like this?
disable System Restore < scan < re-enable?

Later
0
Yes, yes:

Disable, scan, then re-enable (+ new restore point)
0

Anonymous user
28 Sept. 2005 at 17:12
That's odd indeed.
Otherwise, do it the other way round:
scan with a² < then disable and re-enable your System Restore < and that's it...

Later
0
OK

I'll try that (a2 scan, disable then re-enable System Restore).
I'll reboot my PC and let you know whether Dropper is back on the attack.

Thanks and see you later
0
Anonymous user
28 Sept. 2005 at 17:26
You're welcome

Later
0
Good evening again

I did as you said:
a2 scan + disable + re-enable System Restore.

Scanned again: nothing

Rebooted the PC, then rescanned (without disabling this time):
and there: suspense! The Dropper (and its twins) was back again, still in System Volume Information.

If I understand correctly, to stop seeing Dropper I will have to disable System Restore every time I scan with a2?
0
Anonymous user
28 Sept. 2005 at 21:04
Hi

Still hclean32?

Later
0
Hi!

Not only that; according to Norton's audit report, also C:\WINDOWS\system32\dmbvb.exe

But first, could you answer my previous question?

So, a Dropper at every scan in System Volume Information.
To stop seeing it, do I have to disable and then re-enable System Restore at every scan?

Thanks for your replies
0
Anonymous user
28 Sept. 2005 at 22:42
Hi

I think your 2 problems are linked: the dropper and the others come back at every reboot, so if your PC creates a restore point it is automatically infected.
As long as you haven't solved your trojan problem, it will come back every time.
On top of that, you haven't landed on the easiest one to remove...

Later
0
Oh really!

Thanks for the information!

What should I do, in your opinion?
0
Anonymous user
28 Sept. 2005 at 22:54
I have about half an hour before I stop; if you have time we can try a few steps, otherwise I'll come back tomorrow, it's up to you.

Later
0
OK, we can try tonight if you like
Thanks

But be aware that I'm completely hopeless with computers
0
Anonymous user
28 Sept. 2005 at 23:01
No problem, ask if you don't understand a step and I'll explain it.

Start by downloading these 3 programs:

download the latest version of HijackThis here:
http://www.merijn.org/files/hijackthis.zip
and post a log.

Also download Silent Runners here:
http://www.silentrunners.org/Silent%20Runners.vbs
run it and, when Norton asks you, allow the script
post the Silent Runners report

download this program here:
http://cjoint.com/?jAu7RJ0V1J
unzip it (right-click the file > Extract All) and run hc.bat; Notepad will open, copy and paste its contents here.

and above all, don't reboot the PC for now.

Later
0
Here's the first one already:

Logfile of HijackThis v1.99.1
Scan saved at 23:05:19, on 28/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\Outlook Express\OLD49.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NSMdtr.exe
C:\DOCUME~1\METIN\LOCALS~1\Temp\Répertoire temporaire 2 pour hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fr.msn.be/default.asp?DC=true
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Planetis
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1358E11F-ADE8-4D2B-9135-1A4CB9A23D7B} (Install Class) - https://genius.belgacom.be/esupport/download/IPGInstaller.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://selfcare.belgacom.net/static/pc/dlbridgesy/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://sc.communities.msn.com/controls/chat/msnchat4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

Two:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"dmbvb.exe" = "C:\WINDOWS\system32\dmbvb.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

3:

Rapport fait à 23:12:50,29 le mer. 28/09/2005
Executé à partir de C:\Documents and Settings\METIN
OS: Microsoft Windows XP [version 5.1.2600]

*********************************************

Vérification HKLM\...\...\...\...\ruins

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]


*********************************************

Fichiers détectés :

C:\WINDOWS\balloon.wav Présent !

*********************************************

Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe

C:\WINDOWS\System32

*********************************************

Recherche presence hclean32.exe...
non trouvé...
0
Anonymous user
28 Sept. 2005 at 23:21
The Silent Runners one isn't complete, post it again

Later
0
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"dmbvb.exe" = "C:\WINDOWS\system32\dmbvb.exe" [null data]

I hope it's right this time. My God, I'm so scared!
0
starling > starling
28 Sept. 2005 at 23:31
This time I've got the right one! Sincerely sorry

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"dmbvb.exe" = "C:\WINDOWS\system32\dmbvb.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1036\UNBIND.DLL" [MS]
"{A0752120-6D75-D111-B5B1-0800095A2318}" = "HandyBits EasyCrypto Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csavv.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\METIN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Analyser mon ordinateur - METIN" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Analyser mon ordinateur" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "MGINavigationCanceled" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\NavigationCanceled.html" [null data]
HIJACK WARNING! "MGIWelcome" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\W_Welcome.html" [null data]
HIJACK WARNING! "MGIOfflineInformation" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\OfflineInformation.html" [null data]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Netropa NHK Server, nhksrv, "C:\Apps\ActivBoard\nhksrv.exe" [null data]
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Licensing Detect Internet Connection, DJSNETCN, "C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"], INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 51 seconds, including 6 seconds for message boxes)
0
Utilisateur anonyme
28 Sept. 2005 at 23:34
Well no, some of it is missing. When you open the report, click Notepad's Edit menu, click Select All, then right-click the text > Copy
and paste it here.

Don't worry, these are just checks; it's just that you can't see everything with HijackThis, and you need the help of other programs to pin down your trojan properly.

a+

edit:
ignore this post, I hadn't seen the Silent Runners report
0
I did exactly as you said, and I'm surprised it isn't complete:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"dmbvb.exe" = "C:\WINDOWS\system32\dmbvb.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1036\UNBIND.DLL" [MS]
"{A0752120-6D75-D111-B5B1-0800095A2318}" = "HandyBits EasyCrypto Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csavv.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\METIN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Analyser mon ordinateur - METIN" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Analyser mon ordinateur" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "MGINavigationCanceled" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\NavigationCanceled.html" [null data]
HIJACK WARNING! "MGIWelcome" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\W_Welcome.html" [null data]
HIJACK WARNING! "MGIOfflineInformation" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\OfflineInformation.html" [null data]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Netropa NHK Server, nhksrv, "C:\Apps\ActivBoard\nhksrv.exe" [null data]
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Licensing Detect Internet Connection, DJSNETCN, "C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"], INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 41 seconds, including 4 seconds for message boxes)
0
Utilisateur anonyme
28 Sept. 2005 at 23:53
Yes, yes, it was complete, but I hadn't seen that you had reposted it in full when I wrote the message.

Print these steps, or save them to a txt file (Notepad), to be sure not to forget anything and to do everything in order.

Disconnect from the internet and close all running programs.

 Make hidden and system files visible
Control Panel > Folder Options > View tab
Tick the box in front of "Show hidden files and folders"
Untick the box in front of "Hide extensions for known file types"
Untick the box in front of "Hide protected operating system files"
click [Apply] then [OK] to confirm

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

 Launch HijackThis and click [Do a system scan only]
tick the box at the start of the following lines:

O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7

confirm by clicking the [Fix checked] button

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

open Notepad and copy-paste what is in bold below:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Disabled"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmbvb.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""



Then click File > Save As and in:
File name, put fix.reg
Save as type: select "All Files" <- don't forget this step
click Save

then double-click fix.reg and accept the merge

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Now, search for and delete the following if they are present:

C:\WINDOWS\system32\dmbvb.exe
C:\WINDOWS\system32\csavv.exe
C:\WINDOWS\balloon.wav
C:\WINDOWS\SYSTEM32\dllhstgp.exe
C:\WINDOWS\System32\rdsndin.exe
C:\WINDOWS\rdt.ini
C:\WINDOWS\System32\ntfsnlpa.exe
C:\WINDOWS\System32\rdsndin.exe
C:\WINDOWS\System32\loadctr32.exe


they may not all be present...

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

and run an AV scan here:
http://www.bitdefender.fr
and post the report

After these steps, don't forget to re-hide the system files in Folder Options.

I have to stop for tonight, I'll be back tomorrow for the rest.

a+++
0
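The O1 and O17 lines the helper asks to fix are the two classic DNS-hijack symptoms: a hosts entry that is not what it should be, and a NameServer value pointing at resolvers the user never configured (written into both the current control set, CCS, and CS2, so both must be fixed). The following script is an added example, not code from the thread or from HijackThis; it shows how a defender can triage such lines automatically. The sample log is constructed from lines posted in this thread (the O4 line is rewritten in HijackThis form from the Silent Runners "dmbvb.exe" Run entry), the expected-DNS set is a hypothetical parameter the analyst fills with the real ISP resolvers, and the bare-system32 rule is a heuristic of mine, not a HijackThis feature.

```python
import ipaddress
import re

# Constructed sample input (not a file from the thread): the O1 and O17 lines the helper
# asked to fix, copied from the HijackThis log posted in this thread, plus an O4 line
# written in HijackThis form from the "dmbvb.exe" Run entry in the Silent Runners report.
SAMPLE_LOG = """\
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Fichiers communs\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [dmbvb.exe] C:\\WINDOWS\\system32\\dmbvb.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\..\\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
"""

O1_RE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# Heuristic (my assumption, not a HijackThis rule): a bare .exe sitting directly in
# system32 and started from Run deserves review; installed software usually lives elsewhere.
BARE_SYSTEM32_EXE = re.compile(r"(?i)^[a-z]:\\windows\\system32\\[^\\]+\.exe$")


def check_hosts_entry(entry):
    """Return a finding for a hosts line, or None when it looks normal.
    A hosts line must begin with an address; the thread's line has the tokens
    reversed ('localhost 127.0.0.1'), which is why Silent Runners reported an
    address that is 'not localhost'."""
    tokens = entry.split()
    try:
        ip = ipaddress.ip_address(tokens[0])
    except ValueError:
        return f"malformed hosts entry, first token is not an address: {entry!r}"
    if "localhost" in tokens[1:] and not ip.is_loopback:
        return f"localhost redirected to {ip}"
    return None


def check_nameservers(servers, expected_dns):
    """Return the resolvers in a NameServer value that are not on the
    analyst-supplied list of expected (ISP or corporate) DNS servers."""
    return [s for s in servers.split() if s not in expected_dns]


def triage(log_text, expected_dns=frozenset()):
    """Walk HijackThis lines and collect (section, message) findings.
    With an empty expected_dns every O17 resolver is reported, which is the
    safe default when the ISP's resolvers are not known."""
    findings = []
    for line in log_text.splitlines():
        if m := O1_RE.match(line):
            if msg := check_hosts_entry(m["entry"]):
                findings.append(("O1", msg))
        elif m := O4_RE.match(line):
            cmd = m["cmd"].strip('"')
            if BARE_SYSTEM32_EXE.match(cmd):
                findings.append(("O4", f"{m['hive']} Run [{m['name']}] starts bare system32 exe {cmd}"))
        elif m := O17_RE.match(line):
            if bad := check_nameservers(m["servers"], expected_dns):
                findings.append(("O17", f"{m['key']}: unexpected DNS {' '.join(bad)}"))
    return findings


if __name__ == "__main__":
    # Hypothetical expected resolver for the demo; an analyst substitutes the real ISP list.
    for section, msg in triage(SAMPLE_LOG, {"195.95.218.1"}):
        print(section, msg)
```

Run against the sample with the first resolver accepted, it reports the reversed hosts line, the dmbvb.exe Run entry, and the second resolver under both control sets; fixing only the CCS key and leaving CS2 would let the setting come back on the next boot, which is why the helper lists both O17 lines.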
Could someone help me, please???

According to Moe31's instructions, I have to go into Control Panel to find the folder option (see above!).

But I can't find that darn option!!!!

Thanks to anyone who can help me, as Moe31 has left.
0
Utilisateur anonyme > Starling
29 Sept. 2005 at 03:53
Hi,
It's the menu bar at the very top; look next to it, you even have Search ;)
0
Starling > Utilisateur anonyme
29 Sept. 2005 at 04:29
Thanks for your advice. Actually, I found it by clicking "Tools", above Search ;)

Good night and see you soon
0
Here are the results of the BitDefender scan.
Sorry, but I had to run it twice because I saved the first report in text format.
Here is what I could get out of it:

Rapport d'analyse généré à: Thu, Sep 29, 2005 - 01:55:07

Statistiques
Temps
00:38:00
Fichiers
119461
Directoires
3101
Secteurs de boot
3
Archives
972
Paquets programmes
23473

Résultats

Virus identifiés
4
Fichiers infectés
5
Fichiers suspects
0
Avertissements
0
Désinfectés
0
Fichiers effacés
5
Info sur les moteurs
Définition virus
213151
Version des moteurs
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Analyse des plugins
13
Archive des plugins
39
Unpack des plugins
4
E-mail plugins
6
Système plugins
1

Paramètres d'analyse

Première action
Désinfecté
Seconde Action
Supprimé
Heuristique
Oui
Acceptez les avertissements
Oui

Extensions analysées
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas

Excludez les extensions

Analyse d'emails
Oui
Analyse des Archives
Oui
Analyser paquets programmes
Oui
Analyse des fichiers
Oui
Analyse de boot
Oui

Fichier analysé
Statut

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005262.exe
Infecté par: Trojan.Dropper.Vidro.U

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005262.exe
Echec de la désinfection

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005262.exe
Supprimé

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005270.exe
Infecté par: Trojan.Dropper.Vidro.U

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005270.exe
Echec de la désinfection

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005270.exe
Supprimé

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005281.exe
Infecté par: Trojan.Click.526

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005281.exe
Echec de la désinfection

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005281.exe
Supprimé

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005282.exe
Infecté par: Trojan.Fakealert

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005282.exe
Echec de la désinfection

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005282.exe
Supprimé

C:\WINDOWS\system32\spnping.exe
Infecté par: Trojan.Small.Attc

C:\WINDOWS\system32\spnping.exe
Echec de la désinfection

C:\WINDOWS\system32\spnping.exe
Supprimé


And the second BitDefender scan gave this:

BitDefender Online Scanner

Rapport d'analyse généré à: Thu, Sep 29, 2005 - 02:45:51

Voie d'analyse: A:\;C:\;Q:\;


Statistiques

Temps
00:40:09

Fichiers
119490

Directoires
3102

Secteurs de boot
3

Archives
972

Paquets programmes
23472




Résultats

Virus identifiés
1

Fichiers infectés
1

Fichiers suspects
0

Avertissements
0

Désinfectés
0

Fichiers effacés
1




Info sur les moteurs

Définition virus
213151

Version des moteurs
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Analyse des plugins
13

Archive des plugins
39

Unpack des plugins
4

E-mail plugins
6

Système plugins
1




Paramètres d'analyse

Première action
Désinfecté

Seconde Action
Supprimé

Heuristique
Oui

Acceptez les avertissements
Oui

Extensions analysées
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

Excludez les extensions


Analyse d'emails
Oui

Analyse des Archives
Oui

Analyser paquets programmes
Oui

Analyse des fichiers
Oui

Analyse de boot
Oui




Fichier analysé
Statut

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005283.exe
Infecté par: Trojan.Small.Attc

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005283.exe
Echec de la désinfection

C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005283.exe
Supprimé



Happy analysing, and thanks in advance for tomorrow's help

Good night
0
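Both BitDefender reports above list their hits as pairs of lines (path, then status), and nearly every path sits under System Volume Information\_restore{...}\RPnn, which is where System Restore keeps copies of files that were already on the live system. That is exactly the pattern from the opening post: the scanner keeps "finding" the dropper in the restore point, and a new copy appears whenever the still-running infection drops a file again. As an added example (not the thread's or BitDefender's code), here is a Python parser that turns that report section into records and separates live-system hits from restore-point copies. The sample is constructed from three of the five files in the first report posted above; the dict layout and the summary format are my own choices.

```python
import re

# Constructed sample: the "Fichier analysé / Statut" section of the first BitDefender
# report in this thread, trimmed to three of its five files.
SAMPLE_REPORT = """\
Fichier analysé
Statut

C:\\System Volume Information\\_restore{A9C7C618-D116-477F-A055-B61991414290}\\RP14\\A0005262.exe
Infecté par: Trojan.Dropper.Vidro.U

C:\\System Volume Information\\_restore{A9C7C618-D116-477F-A055-B61991414290}\\RP14\\A0005262.exe
Echec de la désinfection

C:\\System Volume Information\\_restore{A9C7C618-D116-477F-A055-B61991414290}\\RP14\\A0005262.exe
Supprimé

C:\\System Volume Information\\_restore{A9C7C618-D116-477F-A055-B61991414290}\\RP14\\A0005281.exe
Infecté par: Trojan.Click.526

C:\\System Volume Information\\_restore{A9C7C618-D116-477F-A055-B61991414290}\\RP14\\A0005281.exe
Echec de la désinfection

C:\\System Volume Information\\_restore{A9C7C618-D116-477F-A055-B61991414290}\\RP14\\A0005281.exe
Supprimé

C:\\WINDOWS\\system32\\spnping.exe
Infecté par: Trojan.Small.Attc

C:\\WINDOWS\\system32\\spnping.exe
Echec de la désinfection

C:\\WINDOWS\\system32\\spnping.exe
Supprimé
"""

# A System Restore copy lives under _restore{GUID}\RPnn\; capture the restore point id.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_report(text):
    """Return {path: {"detection": name, "status": [...], "restore_point": "RPnn" or None}}.
    Each hit is a path line followed immediately by its status line, and one
    file recurs once per action taken (detected, disinfect failed, deleted)."""
    records = {}
    lines = [line.strip() for line in text.splitlines()]
    i = 0
    while i < len(lines):
        if PATH_RE.match(lines[i]) and i + 1 < len(lines):
            path, status = lines[i], lines[i + 1]
            rec = records.setdefault(path, {"detection": None, "status": [], "restore_point": None})
            if m := RESTORE_RE.search(path):
                rec["restore_point"] = m.group(1)
            if status.startswith("Infecté par:"):
                rec["detection"] = status.split(":", 1)[1].strip()
            else:
                rec["status"].append(status)
            i += 2
        else:
            i += 1
    return records


def summarize(records):
    """Split hits into live-system files and System Restore copies."""
    live = sorted(p for p, r in records.items() if r["restore_point"] is None)
    restore = sorted(p for p, r in records.items() if r["restore_point"] is not None)
    points = sorted({r["restore_point"] for r in records.values() if r["restore_point"]})
    return {"live": live, "restore_point": restore, "restore_points": points}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{len(summary['live'])} live hit(s), {len(summary['restore_point'])} restore-point copies in {summary['restore_points']}")
```

The useful output is the split: only the live hit (spnping.exe here) says anything about the machine's current state, while the restore-point copies just tell you which RPnn still needs purging (disable and re-enable System Restore, as the first reply in the thread suggests) once the live infection is actually gone.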
Utilisateur anonyme
29 Sept. 2005 at 07:48
hi

apparently BitDefender deleted everything it found.

Where do things stand with your problems, still getting alerts from your AV?
repost a HijackThis log + the hc.bat report + Silent Runners to check whether everything is OK.

a++
0
Hi

BitDefender did indeed delete everything it found, but I was bombarded all night by trojans during the scan (Trojan.Flush.A, deleted by Norton; PWSteal.Trojan, same; plus our friends hclean and dmbvb).

I ran an a2 scan after BitDefender and here are the results:

a² Report
Nom du fichier Diagnostic
C:\Documents and Settings\METIN\Cookies\metin@metriweb[1].txt Trace.TrackingCookie
C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005268.exe Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005276.exe Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{A9C7C618-D116-477F-A055-B61991414290}\RP14\A0005280.exe Trojan.Win32.Qhost.qr
C:\WINDOWS\system32\ntfsnlpa.exe Adware.Msnagent.b
C:\WINDOWS\system32\rdsndin.exe Adware.FindSpy.a

-------------------------------------------------------------------
But at noon today, when I launched IE, I no longer got (for now) the hclean and dmbvb alerts.

Anyway, here it is:


Logfile of HijackThis v1.99.1
Scan saved at 12:34:14, on 29/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\OLD49.tmp
C:\DOCUME~1\METIN\LOCALS~1\Temp\Répertoire temporaire 3 pour hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fr.msn.be/default.asp?DC=true
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Planetis
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1358E11F-ADE8-4D2B-9135-1A4CB9A23D7B} (Install Class) - https://genius.belgacom.be/esupport/download/IPGInstaller.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://selfcare.belgacom.net/static/pc/dlbridgesy/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://sc.communities.msn.com/controls/chat/msnchat4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe


-----------------------------------------------------------------------

Rapport fait à 12:44:49,60 le jeu. 29/09/2005
Executé à partir de C:\Documents and Settings\METIN
OS: Microsoft Windows XP [version 5.1.2600]

*********************************************

Vérification HKLM\...\...\...\...\ruins

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"0"=hex:0b,2d,00,00,e6,f3,d2,dd,d9,c4,fb,f0,ec,ad,66,9d,14,00,00,00
"2"=hex:0b,2d,00,00,e8,f2,db,d4,da,c9,bc,f4,a5,5e,95,13,00,00,00
"3"=hex:0b,2d,00,00,ec,e2,d4,d3,cc,ca,be,a1,ec,ad,66,9d,14,00,00,00


*********************************************

Fichiers détectés :

C:\WINDOWS\balloon.wav Présent !
C:\WINDOWS\System32\loadctr32.exe Présent !

*********************************************

Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe

C:\WINDOWS\System32
dmbvb.exe

*********************************************

Recherche presence hclean32.exe...
hclean.exe Présent !

Recherche des processus crées à la meme date:
C:\WINDOWS\.
C:\WINDOWS\..
C:\WINDOWS\0.log
C:\WINDOWS\balloon.wav
C:\WINDOWS\BDOSCAN8
C:\WINDOWS\bootstat.dat
C:\WINDOWS\Downloaded
C:\WINDOWS\inf
C:\WINDOWS\ModemLog_Aztech
C:\WINDOWS\SchedLgU.Txt
C:\WINDOWS\setupapi.log
C:\WINDOWS\system32
C:\WINDOWS\Temp
C:\WINDOWS\wiadebug.log
C:\WINDOWS\wiaservc.log
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\System32\.
C:\WINDOWS\System32\..
C:\WINDOWS\System32\CatRoot2
C:\WINDOWS\System32\hclean32.exe

*************** Fin du rapport ******************

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1036\UNBIND.DLL" [MS]
"{A0752120-6D75-D111-B5B1-0800095A2318}" = "HandyBits EasyCrypto Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\METIN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Analyser mon ordinateur - METIN" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Analyser mon ordinateur" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "MGINavigationCanceled" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\NavigationCanceled.html" [null data]
HIJACK WARNING! "MGIWelcome" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\W_Welcome.html" [null data]
HIJACK WARNING! "MGIOfflineInformation" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\OfflineInformation.html" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Netropa NHK Server, nhksrv, "C:\Apps\ActivBoard\nhksrv.exe" [null data]
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Licensing Detect Internet Connection, DJSNETCN, "C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"], INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 55 seconds, including 3 seconds for message boxes)
0
Hi again!

There it goes again!
Just a quick note to correct the message below:
I've just received alerts about hclean and dmbvb.
I'm starting to despair, all the more so because when I tried to connect to the internet and fetch my mail earlier, I had a few freezes. Everything went back to normal when I ran a scan with a2.
Ouch, it seems to be going from bad to worse.

Thanks for your help, see you.
0
Anonymous user
29 Sept. 2005 at 17:34
Hi

Have you restarted your PC since you posted the last reports?

See you
0
Good evening

Yes, yes, I've restarted it.

See you
0
Anonymous user
29 Sept. 2005 at 20:55
Hi

Then repost the 3 reports from the 3 programs:
hijackthis
silentrunners
hc.bat

See you
0
OK!
Here they are:

Logfile of HijackThis v1.99.1
Scan saved at 20:55:53, on 29/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\Outlook Express\OLD49.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NSMdtr.exe
C:\DOCUME~1\METIN\LOCALS~1\Temp\Répertoire temporaire 4 pour hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fr.msn.be/default.asp?DC=true
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Planetis
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1358E11F-ADE8-4D2B-9135-1A4CB9A23D7B} (Install Class) - https://genius.belgacom.be/esupport/download/IPGInstaller.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://selfcare.belgacom.net/static/pc/dlbridgesy/SymDlBrg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://sc.communities.msn.com/controls/chat/msnchat4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{121A3E71-9482-4A61-BAD2-E71719EB0933}: NameServer = 195.95.218.1 85.255.112.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

----------------------------------------------------------------------

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1036\UNBIND.DLL" [MS]
"{A0752120-6D75-D111-B5B1-0800095A2318}" = "HandyBits EasyCrypto Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EasyCryptoMenu\(Default) = "{A0752120-6D75-D111-B5B1-0800095A2318}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\tsseCryp.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\METIN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Analyser mon ordinateur - METIN" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Analyser mon ordinateur" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "MGINavigationCanceled" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\NavigationCanceled.html" [null data]
HIJACK WARNING! "MGIWelcome" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\W_Welcome.html" [null data]
HIJACK WARNING! "MGIOfflineInformation" = "C:\Program Files\MGI\MGI PhotoSuite 4\Internet\OfflineInformation.html" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Netropa NHK Server, nhksrv, "C:\Apps\ActivBoard\nhksrv.exe" [null data]
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Licensing Detect Internet Connection, DJSNETCN, "C:\Program Files\Fichiers communs\Symantec Shared\DJSNETCN.exe" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"], INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 67 seconds, including 15 seconds for message boxes)

--------------------------------------------------------------------------

Rapport fait à 21:00:03,29 le jeu. 29/09/2005
Executé à partir de C:\Documents and Settings\METIN
OS: Microsoft Windows XP [version 5.1.2600]

*********************************************

Vérification HKLM\...\...\...\...\ruins

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"0"=hex:0b,2d,00,00,e6,f3,d2,dd,d9,c4,fb,f0,ec,ad,66,9d,14,00,00,00
"2"=hex:0b,2d,00,00,e8,f2,db,d4,da,c9,bc,f4,a5,5e,95,13,00,00,00
"3"=hex:0b,2d,00,00,ec,e2,d4,d3,cc,ca,be,a1,ec,ad,66,9d,14,00,00,00


*********************************************

Fichiers détectés :

C:\WINDOWS\System32\loadctr32.exe Présent !

*********************************************

Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe

C:\WINDOWS\System32
dmbvb.exe

*********************************************

Recherche presence hclean32.exe...
hclean.exe Présent !

Recherche des processus crées à la meme date:
C:\WINDOWS\.
C:\WINDOWS\..
C:\WINDOWS\0.log
C:\WINDOWS\BDOSCAN8
C:\WINDOWS\bootstat.dat
C:\WINDOWS\Downloaded
C:\WINDOWS\inf
C:\WINDOWS\ModemLog_Aztech
C:\WINDOWS\SchedLgU.Txt
C:\WINDOWS\setupapi.log
C:\WINDOWS\system32
C:\WINDOWS\Temp
C:\WINDOWS\wiadebug.log
C:\WINDOWS\wiaservc.log
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\System32\.
C:\WINDOWS\System32\..
C:\WINDOWS\System32\CatRoot2
C:\WINDOWS\System32\hclean32.exe

*************** Fin du rapport ******************

There you go
See you
0