HClean: how do I get rid of it???

Closed
Naouel - 29 Sept. 2005 at 22:11
Naouel - 9 Oct. 2005 at 16:57
Hello,

I cannot manage to remove the HClean virus from my computer.
I'm desperate... I don't know what else to do and I would really like to avoid formatting my laptop...

Could you help me?

I don't know much about this, so I hope it won't be too complicated.

Here is what I have already done:

- Norton AntiVirus scan, but it cannot remove HClean
- Ad-Aware SE also freezes as soon as it hits HClean
- CleanUp! found nothing, even in Safe Mode
- a² StartCenter is not effective either
- Spybot Search & Destroy does not find the virus
- SpywareBlaster doesn't either
- CCleaner doesn't either


Here are the reports, which may provide more information:


Logfile of HijackThis v1.99.1
Scan saved at 22:03:53, on 29/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\MPB.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\PL15Co2K.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Extrafilm FotoFacil\Agent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Fichiers communs\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Naouel\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avacreat.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MPB] C:\WINDOWS\System32\MPB.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [XML Service] msxml.exe
O4 - HKLM\..\Run: [wvsvc] wvsvc.exe
O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Video Process] xxyvher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\Extrafilm FotoFacil\Agent.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\RunServices: [Video Process] xxyvher.exe
O4 - HKLM\..\RunServices: [wvsvc] wvsvc.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\RunServices: [XML Service] msxml.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\RunServices: [Video Process] xxyvher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://kt.bar.need2find.com/KT/menusearch.html?p=KT
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O16 - DPF: {09C21411-B9A2-4DE6-8416-4E3B58577BE0} (France Telecom MDM ActiveX Control) - http://minitelweb.minitel.com/imin_data/ocx/MDM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097671816628
O16 - DPF: {68C1822F-F5C7-4404-A73F-03C10E0E94DA} (telechargement-photoweb) - http://www2.photoweb.fr/telechargement/Photoweb_uploader.cab
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://mypixmania.com/fr/fr/tools/activex/fpu.cab
O16 - DPF: {92E7E45A-D8C8-480E-AF99-176E43997CAA} (Aurigma Image Uploader 3.5 Combo Control) - http://www.pixdiscount.fr/clients/ImageUploader3.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp02.photoprintit.de/microsite/3462/defaults/activex/IPSUploader.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E279B4B-BCC0-479A-AF58-80AF322F8285}: NameServer = 69.50.168.178 85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3157E16-1D06-4B34-9570-8E2ACE98842A}: NameServer = 69.50.168.178,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{F208712A-72DC-49A9-BF90-91BB38C8B784}: NameServer = 69.50.168.178,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2DC2F4-A141-484A-9939-C545335C9E00}: NameServer = 69.50.168.178,85.255.112.16
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Microsoft Windows Securety (Securety) - Unknown owner - C:\WINDOWS\System32\wurguar.exe" -netsvcs (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------

Rapport fait à 21:44:24,86 le 29/09/2005
Executé à partir de C:\Documents and Settings\Naouel\Mes documents\AUTRES\Internet
OS: Microsoft Windows XP [version 5.1.2600]

*********************************************

Vérification HKLM\...\...\...\...\ruins

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]


*********************************************

Fichiers détectés :

C:\WINDOWS\balloon.wav Présent !

*********************************************

Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe

C:\WINDOWS\System32
dmcpl.exe

*********************************************

Recherche presence hclean32.exe...
non trouvé...
Thank you for any help you can give me.......

Naouel
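Added here as an example (not code from the thread, and not HijackThis code): a small Python triage that reads HijackThis-style lines like the ones in the log above and flags the entry classes a helper would look at first: autostart entries with a bare executable name, the same bare name registered under both Run and RunServices, per-adapter NameServer entries pointing at public IPs, services with an unknown owner, and components whose file is missing. The sample excerpt is taken from the log above, and the allowlist of known bare executable names is an assumption for this sample, not a vendor list.

```python
"""Triage of HijackThis log lines for the entry classes seen in the post.

Example added to the thread; not HijackThis code.  The allowlist of known
bare executable names is an assumption for the sample below.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: twelve lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MPB] C:\WINDOWS\System32\MPB.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Video Process] xxyvher.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\RunServices: [Video Process] xxyvher.exe
O4 - HKCU\..\RunServices: [Video Process] xxyvher.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3157E16-1D06-4B34-9570-8E2ACE98842A}: NameServer = 69.50.168.178,85.255.112.16
O23 - Service: Microsoft Windows Securety (Securety) - Unknown owner - C:\WINDOWS\System32\wurguar.exe" -netsvcs (file missing)
"""

# O4 autostart line: hive, Run-type key, display name in brackets, command.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# O17 per-adapter DNS override: everything after "NameServer = ".
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")


def executable_of(cmd):
    """Return the program part of an autostart command (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def public_resolvers(field):
    """Split a NameServer field (comma or space separated), keep public IPs."""
    out = []
    for token in re.split(r"[,\s]+", field.strip()):
        try:
            if token and ipaddress.ip_address(token).is_global:
                out.append(token)
        except ValueError:
            pass  # not an IP literal; ignore
    return out


def triage(log_text, known_bare=("SOUNDMAN.EXE", "nwiz.exe")):
    """Return (severity, subject, reason) findings for a HijackThis log."""
    allow = {k.lower() for k in known_bare}  # assumed-legitimate bare names
    findings = []
    bare_keys = defaultdict(set)  # bare exe name -> Run keys it appears under
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = executable_of(cmd)
            if "\\" not in exe:  # no path: resolved via PATH at logon
                bare_keys[exe.lower()].add(hive + "\\" + key)
                if exe.lower() not in allow:
                    findings.append(("review", line,
                                     "autostart '%s' uses bare name %s; locate it "
                                     "on disk and check the publisher" % (name, exe)))
            continue
        m = O17_RE.match(line)
        if m:
            public = public_resolvers(m.group(1))
            if public:
                findings.append(("high", line,
                                 "per-adapter NameServer statically set to public "
                                 "resolvers " + ", ".join(public)))
            continue
        if line.startswith("O23") and "Unknown owner" in line:
            findings.append(("review", line, "service with no identifiable publisher"))
        if "(file missing)" in line:
            findings.append(("review", line, "registered component whose file is missing"))
    # A bare name registered under both Run and RunServices is a persistence
    # pattern worth prioritising over single entries.
    for exe, keys in bare_keys.items():
        if any(k.endswith("\\Run") for k in keys) and any(k.endswith("RunServices") for k in keys):
            findings.append(("high", exe,
                             "same bare name registered under both Run and RunServices "
                             "(%s)" % ", ".join(sorted(keys))))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity.upper(), subject, reason))
```

Run against the full log in the post, the same rules would also pick up the remaining bare-name entries (winusb.exe, wurguar.exe, lssrv.exe, crsss32.exe, ...) and the three other O17 adapters.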

41 replies

Anonymous user
29 Sept. 2005 at 22:21
Hi Naouel

have you restarted your PC since you ran HijackThis and hc.bat?

Also download Silent Runners here:
http://www.silentrunners.org/Silent%20Runners.vbs
run it, and when Norton asks you, allow the script
post the Silent Runners report

later
0
First of all, thank you very much for replying.
Here is what I got:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATnotes.exe" = "C:\Program Files\ATnotes\ATnotes.exe" ["Thomas Ascher"]
"WareOut" = ""C:\Program Files\WareOut\WareOut.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MPB" = "C:\WINDOWS\System32\MPB.exe" ["MiTAC Technology Corp."]
"Microsoft Windows Update" = "msoffice2.exe" [file not found]
"Microsoft Features" = "ms32cfg.exe" [file not found]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"XML Service" = "msxml.exe" [file not found]
"wvsvc" = "wvsvc.exe" [file not found]
"WIN USB 2.0" = "winusb.exe" [file not found]
"webHancer Survey Companion" = ""C:\Program Files\webHancer\Programs\whSurvey.exe"" [file not found]
"Video Process" = "xxyvher.exe" [file not found]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"Nvidia Control Panel" = "ncsvc32.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"Microsoft Windows Securety" = "wurguar.exe" [file not found]
"Microsoft Services" = "lssrv.exe" [file not found]
"HI-SPEED USB DEVICE Coinstaller" = "PL15Co2K.exe" ["Prolific Technology Inc."]
"CRC Value Verifier" = "crsss32.exe" [file not found]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Camera Detector" = "C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun" ["ACD Systems, Ltd."]
"ExtraFilmHemmaAgent" = ""C:\Program Files\Extrafilm FotoFacil\Agent.exe"" [null data]
"hwiper.exe" = "C:\WINDOWS\System32\hwiper.exe" [null data]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{08BEC6AA-49FC-4379-3587-4B21E286C19E}\(Default) = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\syekk.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Explorateur de Bureau"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csmtk.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Naouel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Startup items in "Naouel" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"Lancement rapide d'Adobe Reader" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Analyser mon ordinateur - Naouel" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\syekk.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\syekk.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\syekk.dll" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 2 lines


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Service Bonjour, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 49 seconds, including 4 seconds for message boxes)
0
By the way, I didn't answer your question: the answer is yes, I restarted my computer.
I had no choice because it crashes more and more, and yesterday I couldn't even open my folders in My Documents anymore..... this virus is becoming very annoying.
0
Anonymous user
1 Oct. 2005 at 19:20
Hi Naouel

let me know as soon as you have a bit of free time so we can deal with hclean

later
0

godzillas001 Posts: 25 Registered: Sunday 2 October 2005 Status: Member Last seen: 12 February 2008
2 Oct. 2005 at 16:11
Hi Naouel,
can you tell me whether you managed to solve your problem (HCLEAN32.exe), and if so, can you tell me how, because my problem is apparently an exact copy of yours.
thanks and later
0
Anonymous user
3 Oct. 2005 at 15:58
Hi Naouel, I noticed you've been alerting us on the forum for a while now; only moe31 is up to speed on this infection

not easy to remove either... but we'll get the work started for him; if he has time he'll walk you through it when he's back late this afternoon..

download hc.zip here
http://cjoint.com/?jAu7RJ0V1J
unzip it, restart in Safe Mode and run hc.bat
Notepad will open, save the report.
restart normally and post the report here.

then:
download HijackThis:
http://www.merijn.org/files/hijackthis.zip
Unzip it into a folder created for that purpose.
For example C:\hijack
and above all not into a temporary folder (temp)
run it, then:
click on "do a system scan and save logfile" and nothing else
Notepad will open, copy the whole content and paste it here after your message.
If you have trouble, look at this:
http://pageperso.aol.fr/balltrap34/demohijack.htm

Silent Runners
http://www.silentrunners.org/Silent%20Runners.vbs
run it and post the report

later
0
Hello!
Actually I haven't posted for a few days because I was waiting to see....
and yes, HClean seems to have disappeared from my computer.
I removed Norton and replaced it with Avast, and surprisingly it deleted lots of Trojans that none of the other antiviruses (and Ad-Aware, Spybot, a², CleanUp, SpywareBlaster...) had even spotted!
As for HClean, I didn't get confirmation from Avast that it had actually destroyed it.... that's why I'm wary, but for now..... Windows XP no longer tells me there's a virus on my computer (as it did a few days ago).

So try Avast yourselves too... and tell me if it works for you as well!
And on top of that it's a free antivirus.

Naouel
0
In your opinion, moe31, could Avast have removed my virus?
What do you think of Avast?
0
Anonymous user
4 Oct 2005 at 09:51
Hi Naouel

It's possible. To be sure, post the reports from the 3 programs mentioned above and we'll see whether anything is left.

Cheers
0
Good evening,

First of all, no sign of HCLEAN on my computer for the moment.
On the other hand, I have two problems:
1) My computer has shut down abruptly 4 times (at any moment). There is a blue screen with white text (I don't have time to read it, the screen doesn't stay up long enough) and the computer restarts automatically. Then Windows tells me there was a serious system error and asks whether I want to send the report. That scares me a bit, especially since it happens at any moment.

2) When I run Spybot, it finds a spyware named All-In One Telcom. It says it removes it, but every time I run Spybot again it's still there. Here's the report:

--- Search result list ---
All-In-One Telcom: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1409082233-842925246-1343024091-1002\Software\Mpb

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-09-11 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-09-30 Includes\Cookies.sbi (*)
2005-09-30 Includes\Dialer.sbi (*)
2005-09-30 Includes\Hijackers.sbi (*)
2005-09-30 Includes\Keyloggers.sbi (*)
2005-09-30 Includes\Malware.sbi (*)
2005-09-30 Includes\PUPS.sbi (*)
2005-09-30 Includes\Revision.sbi (*)
2005-09-30 Includes\Security.sbi (*)
2005-09-30 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-09-30 Includes\Trojans.sbi (*)



3) Otherwise, here are the other reports I got:


SILENT RUNNERS:


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATnotes.exe" = "C:\Program Files\ATnotes\ATnotes.exe" ["Thomas Ascher"]
"WareOut" = ""C:\Program Files\WareOut\WareOut.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MPB" = "C:\WINDOWS\System32\MPB.exe" ["MiTAC Technology Corp."]
"Microsoft Windows Update" = "msoffice2.exe" [file not found]
"Microsoft Features" = "ms32cfg.exe" [file not found]
"XML Service" = "msxml.exe" [file not found]
"wvsvc" = "wvsvc.exe" [file not found]
"WIN USB 2.0" = "winusb.exe" [file not found]
"webHancer Survey Companion" = ""C:\Program Files\webHancer\Programs\whSurvey.exe"" [file not found]
"Video Process" = "xxyvher.exe" [file not found]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"Nvidia Control Panel" = "ncsvc32.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"Microsoft Windows Securety" = "wurguar.exe" [file not found]
"Microsoft Services" = "lssrv.exe" [file not found]
"HI-SPEED USB DEVICE Coinstaller" = "PL15Co2K.exe" [file not found]
"CRC Value Verifier" = "crsss32.exe" [file not found]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Camera Detector" = "C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun" ["ACD Systems, Ltd."]
"ExtraFilmHemmaAgent" = ""C:\Program Files\Extrafilm FotoFacil\Agent.exe"" [null data]
"hwiper.exe" = "C:\WINDOWS\System32\hwiper.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]




HC.BAT:


Report generated at 21:43:12.85 on 04/10/2005
Run from C:\Documents and Settings\Naouel\Bureau\VIRUS
OS: Microsoft Windows XP [version 5.1.2600]

*********************************************

Checking HKLM\...\...\...\...\ruins

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:40,0f,00,00,31,31,09,05,06,09,62,7d,bb,78,5d,48,14,00,00,00
"nidnsdr"=hex:c8,10,00,00,af,b1,9e,9b,99,8c,f3,3b,f8,9d,c8,13,00,00,00
"23naelch"=hex:6c,11,00,00,41,52,7d,7c,78,67,5a,53,4f,0c,01,3c,14,00,00,00
"aplnsftn"=hex:55,13,00,00,56,54,1e,65,76,7c,00,7b,56,67,28,57,14,00,00,00
"23rtcdaol"=hex:a1,53,00,00,98,8d,a7,a8,b1,a8,d6,19,06,12,e3,f4,f3,15,00,00,00
"7"=hex:50,2a,00,00,2d,2e,19,18,04,03,46,4f,ab,68,2d,58,14,00,00,00
"8"=hex:50,2a,00,00,57,29,66,13,01,04,7b,b3,60,15,50,13,00,00,00
"9"=hex:50,2a,00,00,2b,59,13,6e,0b,01,05,7c,ab,68,2d,58,14,00,00,00
"1dedoc"=hex:f7,1b,00,00,cf,fb,fe,f1,ee,95,e0,91,ba,81,12,00,00,00
"llams_ogol"=hex:9a,1c,00,00,93,94,a4,a4,4c,b0,c2,36,d3,db,2d,12,e7,02,16,00,\
00,00
"repiwh"=hex:78,18,00,00,75,72,44,45,68,57,63,10,25,00,12,00,00,00
"domdnb"=hex:07,1f,00,00,fc,e8,ce,d9,c3,d6,f0,a1,aa,b1,12,00,00,00
"orcimlh"=hex:ef,1f,00,00,c2,c6,f9,f5,e7,dc,9b,d0,81,ba,b1,13,00,00,00
"23tsniow"=hex:0a,58,00,00,14,e4,d6,d5,c8,c3,f8,f1,ed,b2,67,82,14,00,00,00
"flmmd"=hex:0a,39,00,00,fb,ea,d2,db,c5,85,aa,4f,ba,11,00,00,00
"16"=hex:3c,65,00,00,31,02,0d,0c,28,17,aa,a3,bf,7c,51,4c,14,00,00,00
"17"=hex:3c,65,00,00,3b,3d,0a,07,15,18,6f,a7,74,69,44,13,00,00,00
"18"=hex:3c,65,00,00,3f,2d,07,02,1f,15,69,50,bf,7c,51,4c,14,00,00,00
"19"=hex:2c,44,00,00,01,12,3d,3c,38,27,9a,93,8f,4c,41,7c,14,00,00,00
"20"=hex:2c,44,00,00,0b,0d,3a,37,25,28,5f,97,44,79,74,13,00,00,00
"21"=hex:2c,44,00,00,0f,3d,37,32,2f,25,59,40,8f,4c,41,7c,14,00,00,00
"22"=hex:64,5c,00,00,59,5a,75,64,70,6f,52,5b,47,14,39,24,14,00,00,00
"23"=hex:85,5c,00,00,62,74,5d,5e,5c,53,36,7e,3f,20,0f,13,00,00,00
"24"=hex:85,5c,00,00,66,64,4e,55,46,4c,30,2b,66,37,18,07,14,00,00,00
"25"=hex:e7,1e,00,00,da,d7,f6,e1,fd,e8,df,d4,c0,91,ba,a1,14,00,00,00
"26"=hex:e7,1e,00,00,cc,d6,ff,f8,fe,ed,90,d8,99,82,a9,13,00,00,00
"27"=hex:07,1f,00,00,e0,e6,c8,d7,c0,ce,b2,a5,e0,b1,9a,81,14,00,00,00
"28"=hex:ed,6f,00,00,c0,cd,fc,ff,fb,e6,e5,d2,ce,8f,80,bf,14,00,00,00
"29"=hex:ed,6f,00,00,ca,cc,c5,f6,e4,eb,9e,d6,87,b8,b7,13,00,00,00
"30"=hex:0d,70,00,00,ee,1c,d6,2d,ce,c4,b8,a3,ee,af,60,9f,14,00,00,00
"31"=hex:57,08,00,00,2a,27,66,11,0d,78,4f,44,50,61,2a,51,14,00,00,00
"32"=hex:78,08,00,00,7f,41,4e,4b,69,5c,23,6b,08,2d,38,13,00,00,00
"33"=hex:78,08,00,00,73,71,7b,46,53,59,2d,14,73,00,15,30,14,00,00,00
"34"=hex:41,71,00,00,3c,39,08,0b,17,12,b1,be,ba,7b,5c,4b,14,00,00,00
"35"=hex:61,71,00,00,46,58,71,62,70,77,0a,42,13,04,23,13,00,00,00
"36"=hex:82,71,00,00,65,6b,4d,58,45,53,37,2e,65,3a,1f,0a,14,00,00,00
"37"=hex:00,07,00,00,fd,fe,c9,c8,d4,d3,f6,ff,fb,b8,9d,88,14,00,00,00
"38"=hex:a4,07,00,00,83,95,b2,bf,bd,b0,d7,1f,dc,c1,ec,13,00,00,00
"39"=hex:93,0a,00,00,94,9a,5c,ab,b4,42,c6,39,14,25,ee,15,14,00,00,00
"40"=hex:18,59,00,00,15,e6,21,d0,cc,3b,8e,87,93,a0,75,90,14,00,00,00
"41"=hex:39,59,00,00,3e,00,09,0a,28,1f,62,aa,4b,6c,7b,13,00,00,00
"42"=hex:39,59,00,00,32,30,3a,01,12,18,6c,57,b2,43,54,73,14,00,00,00
"43"=hex:31,30,00,00,0c,09,38,3b,27,22,a1,ae,8a,4b,4c,7b,14,00,00,00
"44"=hex:52,30,00,00,51,2b,60,6d,03,06,05,4d,62,17,52,13,00,00,00
"45"=hex:72,30,00,00,75,7b,7d,48,55,63,27,1e,75,0a,0f,3a,14,00,00,00
"46"=hex:dc,58,00,00,d1,a2,ed,ec,88,f7,ca,c3,df,9c,b1,ac,14,00,00,00
"47"=hex:fd,58,00,00,fa,fc,d5,c6,d4,db,ae,e6,b7,a8,87,13,00,00,00
"48"=hex:1d,59,00,00,1e,0c,26,3d,3e,34,48,b3,9e,5f,70,6f,14,00,00,00
"49"=hex:7e,2b,00,00,73,7c,4f,4e,6a,51,74,7d,79,3e,13,0e,14,00,00,00
"50"=hex:4d,2e,00,00,2a,2c,65,16,04,0b,7e,b6,67,18,57,13,00,00,00
"51"=hex:cf,2e,00,00,a8,de,90,ef,88,86,fa,fd,28,e9,a2,d9,14,00,00,00
"52"=hex:cd,58,00,00,a0,ad,9c,9f,9b,86,c5,32,2e,ef,a0,df,14,00,00,00
"53"=hex:d2,59,00,00,d1,ab,e0,ed,83,86,85,cd,e2,97,d2,13,00,00,00
"54"=hex:13,5a,00,00,14,1a,dc,2b,34,c2,46,b9,94,a5,6e,95,14,00,00,00
"55"=hex:63,15,00,00,5e,5b,6a,65,71,6c,53,58,44,15,3e,25,14,00,00,00
"56"=hex:84,15,00,00,63,75,52,5f,5d,50,37,7f,3c,21,0c,13,00,00,00
"57"=hex:c5,15,00,00,a6,a4,8e,95,86,8c,f0,eb,26,f7,d8,c7,14,00,00,00
"58"=hex:53,46,00,00,2e,2b,1a,15,01,7c,43,48,54,65,2e,55,14,00,00,00
"59"=hex:95,46,00,00,92,64,ad,ae,4c,43,c6,0e,2f,d0,1f,13,00,00,00
"60"=hex:17,47,00,00,10,16,d8,27,30,3e,42,b5,90,a1,6a,91,14,00,00,00
"61"=hex:16,10,00,00,eb,e4,27,d6,c2,39,8c,85,91,a6,6b,96,14,00,00,00
"62"=hex:58,10,00,00,5f,21,6e,6b,09,7c,03,4b,68,0d,58,13,00,00,00
"63"=hex:99,10,00,00,92,90,5a,a1,b2,b8,cc,37,12,23,f4,13,14,00,00,00
"64"=hex:36,25,00,00,0b,04,07,36,22,19,ac,a5,b1,46,4b,76,14,00,00,00
"65"=hex:78,25,00,00,7f,41,4e,4b,69,5c,23,6b,08,2d,38,13,00,00,00
"66"=hex:da,25,00,00,dd,d3,e5,e0,fd,fb,8f,f6,dd,e2,b7,d2,14,00,00,00
"67"=hex:49,0f,00,00,24,31,10,03,1f,0a,b9,b6,a2,73,24,43,14,00,00,00
"68"=hex:ec,0f,00,00,cb,cd,fa,f7,e5,e8,9f,d7,84,b9,b4,13,00,00,00
"69"=hex:6f,10,00,00,48,7e,70,4f,68,66,1a,1d,48,09,02,39,14,00,00,00


*********************************************

Files detected:

C:\WINDOWS\rdt.ini Present!
C:\WINDOWS\System32\hwiper.exe Present!
C:\WINDOWS\System32\loadctr32.exe Present!
C:\WINDOWS\System32\woinst32.exe Present!

*********************************************

Searching for randomly named processes
matching the patterns: cs***.exe, dm***.exe, ya***.exe

C:\WINDOWS\System32
dmcpl.exe

*********************************************

Checking for hclean32.exe...
not found...



HIJACK THIS:


Logfile of HijackThis v1.99.1
Scan saved at 21:45:04, on 04/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MPB.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Extrafilm FotoFacil\Agent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Naouel\Bureau\VIRUS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avacreat.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MPB] C:\WINDOWS\System32\MPB.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [XML Service] msxml.exe
O4 - HKLM\..\Run: [wvsvc] wvsvc.exe
O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Video Process] xxyvher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\Extrafilm FotoFacil\Agent.exe"
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\RunServices: [Video Process] xxyvher.exe
O4 - HKLM\..\RunServices: [wvsvc] wvsvc.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\RunServices: [XML Service] msxml.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\RunServices: [Video Process] xxyvher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://kt.bar.need2find.com/KT/menusearch.html?p=KT
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O16 - DPF: {09C21411-B9A2-4DE6-8416-4E3B58577BE0} (France Telecom MDM ActiveX Control) - http://minitelweb.minitel.com/imin_data/ocx/MDM.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097671816628
O16 - DPF: {68C1822F-F5C7-4404-A73F-03C10E0E94DA} (telechargement-photoweb) - http://www2.photoweb.fr/telechargement/Photoweb_uploader.cab
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://mypixmania.com/fr/fr/tools/activex/fpu.cab
O16 - DPF: {92E7E45A-D8C8-480E-AF99-176E43997CAA} (Aurigma Image Uploader 3.5 Combo Control) - http://www.pixdiscount.fr/clients/ImageUploader3.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp02.photoprintit.de/microsite/3462/defaults/activex/IPSUploader.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E279B4B-BCC0-479A-AF58-80AF322F8285}: NameServer = 69.50.168.178 85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3157E16-1D06-4B34-9570-8E2ACE98842A}: NameServer = 69.50.168.178,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{F208712A-72DC-49A9-BF90-91BB38C8B784}: NameServer = 69.50.168.178,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2DC2F4-A141-484A-9939-C545335C9E00}: NameServer = 69.50.168.178,85.255.112.16
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft Windows Securety (Securety) - Unknown owner - C:\WINDOWS\System32\wurguar.exe" -netsvcs (file missing)




There you go...
Thanks again for your help.
0
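What a helper reads off a log like the one above, mechanised. This is an added example for this thread, not one of the tools linked in it: it parses a HijackThis 1.99 log and groups the entry classes that stand out in Naouel's report (path-less O4 loaders with Microsoft-sounding display names, anything registered under RunServices, O2/O3 toolbars whose DLL is missing, O17 resolvers and an R0 start page that differ from what the owner expects, O23 services whose binary is gone). SAMPLE_LOG is an excerpt of the 04/10/2005 log posted above; EXPECTED_RESOLVERS and EXPECTED_HOME_HOSTS are assumptions, since the thread never says which ISP or home page the laptop should have.

```python
"""Triage of a HijackThis 1.99 log for the entry classes seen in this thread.

Added example, not one of the tools the helpers linked. SAMPLE_LOG is an
excerpt of the 04/10/2005 log posted above, trimmed for the example; the two
allowlists are assumptions (the thread does not say which ISP or home page
the machine should have).
"""
import re
from urllib.parse import urlsplit

# Assumed: the resolvers and home page this laptop is supposed to use.
EXPECTED_RESOLVERS = {"192.168.1.1"}
EXPECTED_HOME_HOSTS = {"www.google.fr"}
# Vendor words the loader entries borrow for their display names.
BRANDS = ("microsoft", "windows", "nvidia")

# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avacreat.com/
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MPB] C:\WINDOWS\System32\MPB.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Securety] wurguar.exe
O4 - HKCU\..\RunServices: [Video Process] xxyvher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E279B4B-BCC0-479A-AF58-80AF322F8285}: NameServer = 69.50.168.178 85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3157E16-1D06-4B34-9570-8E2ACE98842A}: NameServer = 69.50.168.178,85.255.112.16
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft Windows Securety (Securety) - Unknown owner - C:\WINDOWS\System32\wurguar.exe" -netsvcs (file missing)
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (\S+)")
O23_RE = re.compile(r"^O23 - Service: (.+?) - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def first_token(cmd):
    """Executable part of an autorun command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare(exe):
    """True when the entry names a file with no directory. Windows then finds it
    through the normal executable search (system directories, then PATH); Silent
    Runners reported most of these as [file not found]."""
    return "\\" not in exe and not re.match(r"^[A-Za-z]:", exe)


def triage(log_text):
    f = {k: [] for k in ("bare_autorun", "brand_spoof", "runservices",
                         "orphan_clsid", "rogue_resolver", "start_page",
                         "missing_service")}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, key, name, cmd = m.groups()
            exe = first_token(cmd)
            if is_bare(exe):
                f["bare_autorun"].append(exe)
                if any(b in name.lower() for b in BRANDS):
                    f["brand_spoof"].append(exe)
            # RunServices is a Windows 9x/ME key that NT-based Windows (XP here)
            # does not process: entries there come from an installer that sprays
            # every autorun key it knows, not from any legitimate setup.
            if key.lower() == "runservices":
                f["runservices"].append(exe)
            continue
        m = O17_RE.match(line)
        if m:
            for ip in re.split(r"[ ,]+", m.group(1).strip()):
                if ip and ip not in EXPECTED_RESOLVERS and ip not in f["rogue_resolver"]:
                    f["rogue_resolver"].append(ip)
            continue
        m = R0_RE.match(line)
        if m:
            host = urlsplit(m.group(1)).hostname
            if host and host not in EXPECTED_HOME_HOSTS:
                f["start_page"].append(host)
            continue
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(file missing)"):
            clsid = CLSID_RE.search(line)
            if clsid and clsid.group(0) not in f["orphan_clsid"]:
                f["orphan_clsid"].append(clsid.group(0))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in line:
            f["missing_service"].append(m.group(1))
    return f


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule:16} {', '.join(hits) or '-'}")
```

Bare-name entries are only a lead: SOUNDMAN.EXE lands in that list too, and Silent Runners resolved it to a signed Realtek file, while it marked msoffice2.exe, wurguar.exe and the rest as [file not found]. That is why the helpers ask for both reports: HijackThis shows what is registered, Silent Runners shows whether the file exists and who signed it. The O17 hits deserve the most attention, since resolvers set on every adapter redirect all name lookups on the machine whatever browser or antivirus is installed.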
Anonymous user
5 Oct 2005 at 17:32
Hi Naouel

The infection is growing day by day.
You'd need to be able to post and be available for a bit more than an hour, so we can tackle the problem once and for all.
What's annoying is that some processes rename themselves at every restart, and it's not easy to give you a procedure if you've restarted your PC in the meantime.
I'm generally here from 18:00 every day.

Cheers
0
Here I am!
I'm here for another 1h30.
So if you're at your PC, let me know!
0
Anonymous user
6 Oct 2005 at 19:45
Hi Naouel

Post the reports from HijackThis, Silent Runners and hc.bat.
For hc.bat, the latest version is here:
http://cjoint.com/?jAu7RJ0V1J

Cheers
0
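What the "ruins" key dump in the hc.bat reports actually encodes, as an added example for this thread (it is not part of hc.bat). Two things can be checked directly against the dumps posted in the thread: every value name is a file name written backwards (23naelch is hclean32, 23rtcdaol is loadctr32, repiwh is hwiper, 23tsniow is woinst32), so the key lists the dropper's component names even though hc.bat finds no hclean32.exe on disk; and the last four bytes of every blob are a little-endian DWORD equal to the blob's own length, with the bytes between the first and last DWORD always four longer than the file name, the length of a name plus a three-letter extension, though the dump alone gives no way to confirm what they encode. The two snapshots below are constructed excerpts of the 04/10 and 06/10 reports; diffing them shows which value changed between reboots, which fits what the helper says about things changing at every restart. HC_BAT_FOUND is copied from the "Files detected" section of the report.

```python
"""Decode the [HKLM\...\CurrentVersion\ruins] dump from the hc.bat reports.

Added example for this thread, not part of hc.bat. Value names are file names
reversed; each blob ends with a little-endian DWORD holding its own length.
"""
import re
import struct

# Constructed samples: a few values copied from the two reports in the thread.
DUMP_0410 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"23naelch"=hex:6c,11,00,00,41,52,7d,7c,78,67,5a,53,4f,0c,01,3c,14,00,00,00
"23rtcdaol"=hex:a1,53,00,00,98,8d,a7,a8,b1,a8,d6,19,06,12,e3,f4,f3,15,00,00,00
"7"=hex:50,2a,00,00,2d,2e,19,18,04,03,46,4f,ab,68,2d,58,14,00,00,00
"llams_ogol"=hex:9a,1c,00,00,93,94,a4,a4,4c,b0,c2,36,d3,db,2d,12,e7,02,16,00,\
00,00
"repiwh"=hex:78,18,00,00,75,72,44,45,68,57,63,10,25,00,12,00,00,00
"23tsniow"=hex:0a,58,00,00,14,e4,d6,d5,c8,c3,f8,f1,ed,b2,67,82,14,00,00,00
"""
DUMP_0610 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"23naelch"=hex:6c,11,00,00,41,52,7d,7c,78,67,5a,53,4f,0c,01,3c,14,00,00,00
"23rtcdaol"=hex:a1,53,00,00,98,8d,a7,a8,b1,a8,d6,19,06,12,e3,f4,f3,15,00,00,00
"7"=hex:50,2a,00,00,2d,2e,19,18,04,03,46,4f,ab,68,2d,58,14,00,00,00
"llams_ogol"=hex:9a,1c,00,00,93,94,a4,a4,4c,b0,c2,36,d3,db,2d,12,e7,02,16,00,\
00,00
"repiwh"=hex:38,43,00,00,35,32,04,05,28,17,a3,50,65,40,12,00,00,00
"23tsniow"=hex:0a,58,00,00,14,e4,d6,d5,c8,c3,f8,f1,ed,b2,67,82,14,00,00,00
"""
# The "Files detected" list from the 04/10 report.
HC_BAT_FOUND = ["rdt.ini", "hwiper.exe", "loadctr32.exe", "woinst32.exe"]

VALUE_RE = re.compile(r'^"([^"]+)"=hex:([0-9a-fA-F,]+)$', re.M)


def parse_reg_hex(text):
    """{value_name: bytes} for the "name"=hex:... lines of a .reg export.
    A trailing backslash is the .reg line-continuation marker; join it first."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    return {name: bytes(int(b, 16) for b in hexlist.split(",") if b)
            for name, hexlist in VALUE_RE.findall(joined)}


def length_field_ok(blob):
    """The last DWORD of every blob equals the blob's total length."""
    return len(blob) >= 8 and struct.unpack("<I", blob[-4:])[0] == len(blob)


def describe(text):
    """Key each value by its un-reversed name and split the blob into its parts.
    The leading DWORD is kept only for comparison; the dumps do not reveal its meaning."""
    out = {}
    for name, blob in parse_reg_hex(text).items():
        out[name[::-1]] = {
            "raw_name": name,
            "length": len(blob),
            "length_field_ok": length_field_ok(blob),
            "header": struct.unpack("<I", blob[:4])[0],
            "payload": blob[4:-4],
        }
    return out


def cross_reference(decoded, filenames):
    """For each file hc.bat found, is its stem one of the reversed value names?"""
    return {fn: fn.rsplit(".", 1)[0] in decoded for fn in filenames}


def changed_values(old_text, new_text):
    """Un-reversed names whose blob differs between two snapshots of the key."""
    old, new = parse_reg_hex(old_text), parse_reg_hex(new_text)
    return sorted(n[::-1] for n in set(old) | set(new) if old.get(n) != new.get(n))


if __name__ == "__main__":
    for stem, info in describe(DUMP_0410).items():
        extra = info["length"] - 8 - len(stem)
        print(f"{info['raw_name']:>10} -> {stem:<10} len={info['length']:2} "
              f"length_field_ok={info['length_field_ok']} payload-name={extra:+}")
    print("found on disk:", cross_reference(describe(DUMP_0410), HC_BAT_FOUND))
    print("changed between 04/10 and 06/10:", changed_values(DUMP_0410, DUMP_0610))
```

The cross-reference is the useful part for cleanup: hwiper, loadctr32 and woinst32 are both present on disk and recorded in the key, hclean32 is recorded but absent, and rdt.ini is not named there at all. The only value that differs between the two reports is the one for hwiper, the same file the Silent Runners report shows registered under HKLM\...\Run, so that is the component to watch across reboots.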
Here's the first one:


Report generated at 20:05:27.59 on 06/10/2005
Run from C:\Documents and Settings\Naouel\Bureau\VIRUS
OS: Microsoft Windows XP [version 5.1.2600]

*********************************************

Checking HKLM\...\...\...\...\ruins

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:40,0f,00,00,31,31,09,05,06,09,62,7d,bb,78,5d,48,14,00,00,00
"nidnsdr"=hex:c8,10,00,00,af,b1,9e,9b,99,8c,f3,3b,f8,9d,c8,13,00,00,00
"23naelch"=hex:6c,11,00,00,41,52,7d,7c,78,67,5a,53,4f,0c,01,3c,14,00,00,00
"aplnsftn"=hex:55,13,00,00,56,54,1e,65,76,7c,00,7b,56,67,28,57,14,00,00,00
"23rtcdaol"=hex:a1,53,00,00,98,8d,a7,a8,b1,a8,d6,19,06,12,e3,f4,f3,15,00,00,00
"7"=hex:50,2a,00,00,2d,2e,19,18,04,03,46,4f,ab,68,2d,58,14,00,00,00
"8"=hex:50,2a,00,00,57,29,66,13,01,04,7b,b3,60,15,50,13,00,00,00
"9"=hex:50,2a,00,00,2b,59,13,6e,0b,01,05,7c,ab,68,2d,58,14,00,00,00
"1dedoc"=hex:f7,1b,00,00,cf,fb,fe,f1,ee,95,e0,91,ba,81,12,00,00,00
"llams_ogol"=hex:9a,1c,00,00,93,94,a4,a4,4c,b0,c2,36,d3,db,2d,12,e7,02,16,00,\
00,00
"repiwh"=hex:38,43,00,00,35,32,04,05,28,17,a3,50,65,40,12,00,00,00
"domdnb"=hex:07,1f,00,00,fc,e8,ce,d9,c3,d6,f0,a1,aa,b1,12,00,00,00
"orcimlh"=hex:ef,1f,00,00,c2,c6,f9,f5,e7,dc,9b,d0,81,ba,b1,13,00,00,00
"23tsniow"=hex:0a,58,00,00,14,e4,d6,d5,c8,c3,f8,f1,ed,b2,67,82,14,00,00,00
"flmmd"=hex:0a,39,00,00,fb,ea,d2,db,c5,85,aa,4f,ba,11,00,00,00
"16"=hex:3c,65,00,00,31,02,0d,0c,28,17,aa,a3,bf,7c,51,4c,14,00,00,00
"17"=hex:3c,65,00,00,3b,3d,0a,07,15,18,6f,a7,74,69,44,13,00,00,00
"18"=hex:3c,65,00,00,3f,2d,07,02,1f,15,69,50,bf,7c,51,4c,14,00,00,00
"19"=hex:2c,44,00,00,01,12,3d,3c,38,27,9a,93,8f,4c,41,7c,14,00,00,00
"20"=hex:2c,44,00,00,0b,0d,3a,37,25,28,5f,97,44,79,74,13,00,00,00
"21"=hex:2c,44,00,00,0f,3d,37,32,2f,25,59,40,8f,4c,41,7c,14,00,00,00
"22"=hex:64,5c,00,00,59,5a,75,64,70,6f,52,5b,47,14,39,24,14,00,00,00
"23"=hex:85,5c,00,00,62,74,5d,5e,5c,53,36,7e,3f,20,0f,13,00,00,00
"24"=hex:85,5c,00,00,66,64,4e,55,46,4c,30,2b,66,37,18,07,14,00,00,00
"25"=hex:e7,1e,00,00,da,d7,f6,e1,fd,e8,df,d4,c0,91,ba,a1,14,00,00,00
"26"=hex:e7,1e,00,00,cc,d6,ff,f8,fe,ed,90,d8,99,82,a9,13,00,00,00
"27"=hex:07,1f,00,00,e0,e6,c8,d7,c0,ce,b2,a5,e0,b1,9a,81,14,00,00,00
"28"=hex:ed,6f,00,00,c0,cd,fc,ff,fb,e6,e5,d2,ce,8f,80,bf,14,00,00,00
"29"=hex:ed,6f,00,00,ca,cc,c5,f6,e4,eb,9e,d6,87,b8,b7,13,00,00,00
"30"=hex:0d,70,00,00,ee,1c,d6,2d,ce,c4,b8,a3,ee,af,60,9f,14,00,00,00
"31"=hex:57,08,00,00,2a,27,66,11,0d,78,4f,44,50,61,2a,51,14,00,00,00
"32"=hex:78,08,00,00,7f,41,4e,4b,69,5c,23,6b,08,2d,38,13,00,00,00
"33"=hex:78,08,00,00,73,71,7b,46,53,59,2d,14,73,00,15,30,14,00,00,00
"34"=hex:41,71,00,00,3c,39,08,0b,17,12,b1,be,ba,7b,5c,4b,14,00,00,00
"35"=hex:61,71,00,00,46,58,71,62,70,77,0a,42,13,04,23,13,00,00,00
"36"=hex:82,71,00,00,65,6b,4d,58,45,53,37,2e,65,3a,1f,0a,14,00,00,00
"37"=hex:00,07,00,00,fd,fe,c9,c8,d4,d3,f6,ff,fb,b8,9d,88,14,00,00,00
"38"=hex:a4,07,00,00,83,95,b2,bf,bd,b0,d7,1f,dc,c1,ec,13,00,00,00
"39"=hex:93,0a,00,00,94,9a,5c,ab,b4,42,c6,39,14,25,ee,15,14,00,00,00
"40"=hex:18,59,00,00,15,e6,21,d0,cc,3b,8e,87,93,a0,75,90,14,00,00,00
"41"=hex:39,59,00,00,3e,00,09,0a,28,1f,62,aa,4b,6c,7b,13,00,00,00
"42"=hex:39,59,00,00,32,30,3a,01,12,18,6c,57,b2,43,54,73,14,00,00,00
"43"=hex:31,30,00,00,0c,09,38,3b,27,22,a1,ae,8a,4b,4c,7b,14,00,00,00
"44"=hex:52,30,00,00,51,2b,60,6d,03,06,05,4d,62,17,52,13,00,00,00
"45"=hex:72,30,00,00,75,7b,7d,48,55,63,27,1e,75,0a,0f,3a,14,00,00,00
"46"=hex:dc,58,00,00,d1,a2,ed,ec,88,f7,ca,c3,df,9c,b1,ac,14,00,00,00
"47"=hex:fd,58,00,00,fa,fc,d5,c6,d4,db,ae,e6,b7,a8,87,13,00,00,00
"48"=hex:1d,59,00,00,1e,0c,26,3d,3e,34,48,b3,9e,5f,70,6f,14,00,00,00
"49"=hex:7e,2b,00,00,73,7c,4f,4e,6a,51,74,7d,79,3e,13,0e,14,00,00,00
"50"=hex:4d,2e,00,00,2a,2c,65,16,04,0b,7e,b6,67,18,57,13,00,00,00
"51"=hex:cf,2e,00,00,a8,de,90,ef,88,86,fa,fd,28,e9,a2,d9,14,00,00,00
"52"=hex:cd,58,00,00,a0,ad,9c,9f,9b,86,c5,32,2e,ef,a0,df,14,00,00,00
"53"=hex:d2,59,00,00,d1,ab,e0,ed,83,86,85,cd,e2,97,d2,13,00,00,00
"54"=hex:13,5a,00,00,14,1a,dc,2b,34,c2,46,b9,94,a5,6e,95,14,00,00,00
"55"=hex:63,15,00,00,5e,5b,6a,65,71,6c,53,58,44,15,3e,25,14,00,00,00
"56"=hex:84,15,00,00,63,75,52,5f,5d,50,37,7f,3c,21,0c,13,00,00,00
"57"=hex:c5,15,00,00,a6,a4,8e,95,86,8c,f0,eb,26,f7,d8,c7,14,00,00,00
"58"=hex:53,46,00,00,2e,2b,1a,15,01,7c,43,48,54,65,2e,55,14,00,00,00
"59"=hex:95,46,00,00,92,64,ad,ae,4c,43,c6,0e,2f,d0,1f,13,00,00,00
"60"=hex:17,47,00,00,10,16,d8,27,30,3e,42,b5,90,a1,6a,91,14,00,00,00
"61"=hex:16,10,00,00,eb,e4,27,d6,c2,39,8c,85,91,a6,6b,96,14,00,00,00
"62"=hex:58,10,00,00,5f,21,6e,6b,09,7c,03,4b,68,0d,58,13,00,00,00
"63"=hex:99,10,00,00,92,90,5a,a1,b2,b8,cc,37,12,23,f4,13,14,00,00,00
"64"=hex:36,25,00,00,0b,04,07,36,22,19,ac,a5,b1,46,4b,76,14,00,00,00
"65"=hex:78,25,00,00,7f,41,4e,4b,69,5c,23,6b,08,2d,38,13,00,00,00
"66"=hex:da,25,00,00,dd,d3,e5,e0,fd,fb,8f,f6,dd,e2,b7,d2,14,00,00,00
"67"=hex:49,0f,00,00,24,31,10,03,1f,0a,b9,b6,a2,73,24,43,14,00,00,00
"68"=hex:ec,0f,00,00,cb,cd,fa,f7,e5,e8,9f,d7,84,b9,b4,13,00,00,00
"69"=hex:6f,10,00,00,48,7e,70,4f,68,66,1a,1d,48,09,02,39,14,00,00,00


*********************************************

Files detected:

C:\WINDOWS\rdt.ini Present!
C:\WINDOWS\System32\hwiper.exe Present!
C:\WINDOWS\System32\loadctr32.exe Present!
C:\WINDOWS\System32\woinst32.exe Present!

*********************************************

Searching for randomly named processes
matching the patterns: cs***.exe, dm***.exe, ya***.exe

C:\WINDOWS\System32
dmcpl.exe

*********************************************

Checking for hclean32.exe...
not found...



Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 20:07:07, on 06/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MPB.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Extrafilm FotoFacil\Agent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Naouel\Bureau\VIRUS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avacreat.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MPB] C:\WINDOWS\System32\MPB.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [XML Service] msxml.exe
O4 - HKLM\..\Run: [wvsvc] wvsvc.exe
O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Video Process] xxyvher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\Extrafilm FotoFacil\Agent.exe"
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\RunServices: [Video Process] xxyvher.exe
O4 - HKLM\..\RunServices: [wvsvc] wvsvc.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\RunServices: [XML Service] msxml.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\RunServices: [Video Process] xxyvher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://kt.bar.need2find.com/KT/menusearch.html?p=KT
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O16 - DPF: {09C21411-B9A2-4DE6-8416-4E3B58577BE0} (France Telecom MDM ActiveX Control) - http://minitelweb.minitel.com/imin_data/ocx/MDM.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097671816628
O16 - DPF: {68C1822F-F5C7-4404-A73F-03C10E0E94DA} (telechargement-photoweb) - http://www2.photoweb.fr/telechargement/Photoweb_uploader.cab
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://mypixmania.com/fr/fr/tools/activex/fpu.cab
O16 - DPF: {92E7E45A-D8C8-480E-AF99-176E43997CAA} (Aurigma Image Uploader 3.5 Combo Control) - http://www.pixdiscount.fr/clients/ImageUploader3.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp02.photoprintit.de/microsite/3462/defaults/activex/IPSUploader.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E279B4B-BCC0-479A-AF58-80AF322F8285}: NameServer = 69.50.168.178 85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3157E16-1D06-4B34-9570-8E2ACE98842A}: NameServer = 69.50.168.178,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{F208712A-72DC-49A9-BF90-91BB38C8B784}: NameServer = 69.50.168.178,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2DC2F4-A141-484A-9939-C545335C9E00}: NameServer = 69.50.168.178,85.255.112.16
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft Windows Securety (Securety) - Unknown owner - C:\WINDOWS\System32\wurguar.exe" -netsvcs (file missing)



Silent runners:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATnotes.exe" = "C:\Program Files\ATnotes\ATnotes.exe" ["Thomas Ascher"]
"WareOut" = ""C:\Program Files\WareOut\WareOut.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MPB" = "C:\WINDOWS\System32\MPB.exe" ["MiTAC Technology Corp."]
"Microsoft Windows Update" = "msoffice2.exe" [file not found]
"Microsoft Features" = "ms32cfg.exe" [file not found]
"XML Service" = "msxml.exe" [file not found]
"wvsvc" = "wvsvc.exe" [file not found]
"WIN USB 2.0" = "winusb.exe" [file not found]
"webHancer Survey Companion" = ""C:\Program Files\webHancer\Programs\whSurvey.exe"" [file not found]
"Video Process" = "xxyvher.exe" [file not found]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"Nvidia Control Panel" = "ncsvc32.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"Microsoft Windows Securety" = "wurguar.exe" [file not found]
"Microsoft Services" = "lssrv.exe" [file not found]
"HI-SPEED USB DEVICE Coinstaller" = "PL15Co2K.exe" [file not found]
"CRC Value Verifier" = "crsss32.exe" [file not found]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]




Do I still have the virus??
Do I have anything else besides HClean?
Do you know what the consequences of the virus are?

Thanks
0
Utilisateur anonyme
6 oct. 2005 à 20:21
Hi

I'll post the procedure to follow, but the Silent Runners report is not complete; repost it in full.
0
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATnotes.exe" = "C:\Program Files\ATnotes\ATnotes.exe" ["Thomas Ascher"]
"WareOut" = ""C:\Program Files\WareOut\WareOut.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MPB" = "C:\WINDOWS\System32\MPB.exe" ["MiTAC Technology Corp."]
"Microsoft Windows Update" = "msoffice2.exe" [file not found]
"Microsoft Features" = "ms32cfg.exe" [file not found]
"XML Service" = "msxml.exe" [file not found]
"wvsvc" = "wvsvc.exe" [file not found]
"WIN USB 2.0" = "winusb.exe" [file not found]
"webHancer Survey Companion" = ""C:\Program Files\webHancer\Programs\whSurvey.exe"" [file not found]
"Video Process" = "xxyvher.exe" [file not found]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"Nvidia Control Panel" = "ncsvc32.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"Microsoft Windows Securety" = "wurguar.exe" [file not found]
"Microsoft Services" = "lssrv.exe" [file not found]
"HI-SPEED USB DEVICE Coinstaller" = "PL15Co2K.exe" [file not found]
"CRC Value Verifier" = "crsss32.exe" [file not found]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Camera Detector" = "C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun" ["ACD Systems, Ltd."]
"ExtraFilmHemmaAgent" = ""C:\Program Files\Extrafilm FotoFacil\Agent.exe"" [null data]
"hwiper.exe" = "C:\WINDOWS\System32\hwiper.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{08BEC6AA-49FC-4379-3587-4B21E286C19E}\(Default) = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\syekk.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Explorateur de Bureau"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "lsass.exe" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Naouel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Startup items in "Naouel" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"Lancement rapide d'Adobe Reader" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\syekk.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\syekk.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\syekk.dll" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 2 lines


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 57 seconds, including 5 seconds for message boxes)
0
Utilisateur anonyme
6 oct. 2005 à 20:26
Thanks

I'll post the procedure in a few minutes, once I've gone through the logs.

Later
0
Utilisateur anonyme
6 oct. 2005 à 20:47
Print the procedure, or save it in Notepad, to be sure not to forget anything and to do everything in order.

Close all windows of all running programs.

If you have Spybot, update it.

Launch HijackThis and click [do a system scan only]
tick the box at the start of the following lines:

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\syekk.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [XML Service] msxml.exe
O4 - HKLM\..\Run: [wvsvc] wvsvc.exe
O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Video Process] xxyvher.exe
O4 - HKLM\..\Run: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\RunServices: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\RunServices: [Video Process] xxyvher.exe
O4 - HKLM\..\RunServices: [wvsvc] wvsvc.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\RunServices: [XML Service] msxml.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\RunServices: [Video Process] xxyvher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E279B4B-BCC0-479A-AF58-80AF322F8285}: NameServer = 69.50.168.178 85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3157E16-1D06-4B34-9570-8E2ACE98842A}: NameServer = 69.50.168.178,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{F208712A-72DC-49A9-BF90-91BB38C8B784}: NameServer = 69.50.168.178,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2DC2F4-A141-484A-9939-C545335C9E00}: NameServer = 69.50.168.178,85.255.112.16

confirm by clicking [fix checked]

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Disconnect from the internet, this is important

then check this:
Start > Connections > right-click your connection > Properties
Networking tab
make sure Internet Protocol (TCP/IP) is highlighted (careful, do not untick the box) > click Properties > select "Obtain server addresses automatically"
confirm with OK

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

open Notepad and copy and paste this into it:

REGEDIT4 

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion] 
"Disabled"=- 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut] 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls] 

[-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut] 


Then Save As, and in:
File name, put fix.reg
File type: select "All files"
click Save

then double-click fix.reg and accept the merge

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Restart in Safe Mode
Restart the PC, let the BIOS screen go by, then tap the F8 key before the Windows loading screen appears.
Choose Safe Mode from the options and confirm with Enter.

Make hidden and system files visible
Control Panel > Folder Options > View tab
Tick the box in front of "Show hidden files and folders"
Untick the box in front of "Hide extensions for known file types"
Untick the box in front of "Hide protected operating system files"
click [Apply] then [OK] to confirm

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Clear the cache of all your browsers and delete the cookies:

For Internet Explorer:
* Control Panel >> Internet Options >> "General" tab
- Click [Delete Cookies]
- Click [Delete Files] and tick the box "Delete all offline content"
Confirm with OK

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Search for and delete:

if present, delete:

C:\WINDOWS\SYSTEM32\rdsndin.exe
C:\WINDOWS\SYSTEM32\ntfsnlpa.exe
C:\WINDOWS\SYSTEM32\dllhstgp.exe
C:\WINDOWS\rdt.ini
C:\WINDOWS\System32\hwiper.exe
C:\WINDOWS\System32\loadctr32.exe
C:\WINDOWS\System32\woinst32.exe
C:\WINDOWS\System32\dmcpl.exe
C:\Program Files\WareOut
winusb.exe
xxyvher.exe
wvsvc.exe
host32.exe
msoffice2.exe
wurguar.exe
ms32cfg.exe
ncsvc32.exe
crsss32.exe
msxml.exe
lssrv.exe


-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Next, very important:

:: Delete temporary files ::

empty the entire contents of the Temp folders:

* C:\Documents and Settings\your account\Local Settings\Temp
* C:\Documents and Settings\all other accounts\Local Settings\Temp
* C:\Windows\Temp

:: The contents of the Prefetch folder ::

* C:\WINDOWS\Prefetch <= except the file layout.ini
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

run Spybot and delete everything it finds

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

restart the PC, run a scan here, and post the report:
http://www.bitdefender.fr

Don't forget, after the procedure, to hide the system files again in Folder Options
0
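The fix list above singles out two kinds of HijackThis lines: O4 autostart entries whose command is a bare file name with a Windows-sounding label, and O17 entries that hard-code NameServer addresses. The script below is an added example, not code from the thread or from HijackThis, that turns that reasoning into repeatable checks over log lines. The regular expressions, the look-alike word list and the "two hints = review" threshold are my assumptions for illustration; the sample lines are copied from the log posted in this thread.

```python
"""Triage of HijackThis-style log lines: added example, not from the thread.

Checks implemented (heuristics, not HijackThis rules):
  * O4 autostart entries: bare executable name with no path, RunServices
    keys (ignored by NT-based Windows such as XP), display names that
    imitate Windows components, and the '(file missing)' marker.
  * O17 entries: NameServer values that are hard-coded public IP addresses.
"""
import ipaddress
import re
from dataclasses import dataclass, field

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Services)?(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")

# Words that malware display names borrow to blend in (constructed list;
# 'securety' is the misspelling that appears in the thread's log).
LOOKALIKE_WORDS = ("microsoft", "windows", "update", "security", "securety", "service")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Several independent hints deserve a closer look; a single one
        # (e.g. a bare name) is only a note, since legitimate installers
        # such as the USB coinstaller in the log also register that way.
        return "review" if len(self.reasons) >= 2 else "note"


def _program(cmd: str) -> str:
    """Return the program part of an O4 command, stripping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_o4(line: str):
    """Return a Finding for a suspicious O4 line, or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    reasons = []
    program = _program(m["cmd"])
    if "\\" not in program and not program.upper().startswith("RUNDLL32"):
        reasons.append("bare executable name with no path (resolved by PATH search)")
    if m["key"].startswith("RunServices"):
        reasons.append("RunServices is only processed by Windows 9x/ME; unusual on XP")
    if any(word in m["name"].lower() for word in LOOKALIKE_WORDS):
        reasons.append("display name imitates a Windows component")
    if "(file missing)" in line:
        reasons.append("HijackThis reports the file as missing")
    return Finding(line, reasons) if reasons else None


def triage_o17(line: str):
    """Return a Finding for an O17 line with hard-coded public resolvers, or None."""
    m = O17_RE.match(line)
    if not m:
        return None
    reasons = []
    for server in re.split(r"[,\s]+", m["servers"].strip()):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            reasons.append(f"unparseable NameServer value {server!r}")
            continue
        if ip.is_global:
            reasons.append(f"hard-coded public resolver {server}; compare with the DHCP-assigned servers")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str):
    """Run both checks over every line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        finding = triage_o4(line) or triage_o17(line)
        if finding:
            findings.append(finding)
    return findings


# Sample input: five lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E279B4B-BCC0-479A-AF58-80AF322F8285}: NameServer = 69.50.168.178 85.255.112.16
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run it on a saved HijackThis log instead of `SAMPLE_LOG` to get a first cut of what to look at; it never deletes anything, and a "note" on a bare file name such as the USB coinstaller is exactly the case where a human still has to decide.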
I have to reconnect to the internet.....
The fix.reg file doesn't work. "cannot import... access error"

Do I continue anyway?
0
Utilisateur anonyme
6 oct. 2005 à 21:20
yes, continue, it doesn't matter, we'll deal with the reg later
0
Utilisateur anonyme
6 oct. 2005 à 21:23
yes, continue
0
The BitDefender scan estimates the scan time at 1h30....
is that normal?
0
Utilisateur anonyme
6 oct. 2005 à 22:18
Well, yes, I think so.

Have you finished the procedure?

If so, repost the 3 reports

Later
0
Rapport fait à 22:20:30,16 le 06/10/2005
Executé à partir de C:\Documents and Settings\Naouel\Bureau\VIRUS
OS: Microsoft Windows XP [version 5.1.2600]

*********************************************

Vérification HKLM\...\...\...\...\ruins


*********************************************

Fichiers détectés :


*********************************************

Recherche des processus aleatoires
d'après les modèles : cs***.exe, dm***.exe, ya***.exe

C:\WINDOWS\System32

*********************************************

Recherche presence hclean32.exe...
non trouvé...
0
Naouel > Naouel
6 oct. 2005 à 22:26
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATnotes.exe" = "C:\Program Files\ATnotes\ATnotes.exe" ["Thomas Ascher"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MPB" = "C:\WINDOWS\System32\MPB.exe" ["MiTAC Technology Corp."]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Camera Detector" = "C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun" ["ACD Systems, Ltd."]
"ExtraFilmHemmaAgent" = ""C:\Program Files\Extrafilm FotoFacil\Agent.exe"" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Explorateur de Bureau"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "lsass.exe" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Naouel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Startup items in "Naouel" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"Lancement rapide d'Adobe Reader" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 2 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 93 seconds, including 5 seconds for message boxes)
Anonymous user
6 Oct. 2005 at 22:25
The hc.bat report looks fine.

Post a Silent Runners and a HijackThis log as well.

See you
OK,
I can't launch HijackThis.
It tells me it's already running.
Anonymous user
6 Oct. 2005 at 22:31
Look in Task Manager and end hijackthis.exe, then relaunch it.