HCLEAN.EXE impossible à retirer

Pierre -  
 Utilisateur anonyme -
Bonjour,

j'ai un virus HCLEAN32.EXE que je n'arrive pas à enlever.

Kaspersky le trouve le supprime et il réapparait en permanence.

Comment puis-je m'y prendre ?

Merci

7 réponses

  1. Utilisateur anonyme
     
    salut, seul moe31 est calé sur cette infection

    pas facile à virer en plus... mais bon on va lui avancer le travail, si il a le temps il te fera la manip a son retour en fin d aprem..

    telecharge hc.zip ici
    http://cjoint.com/?jAu7RJ0V1J
    dezippe le, redemarre en mode sans echecs et lance hc.bat
    le bloc note va s'ouvrir, sauvegarde le rapport.
    redemarre normallement et poste le rapport ici.

    ensuite:
    telecharge hijackthis:
    http://www.merijn.org/files/hijackthis.zip
    Dezippe le dans un dossier prévu a cet effet.
    Par exemple C:\hijack
    et surtout pas dans un dossier temporaire (temp)
    lance le puis:
    clic sur "do a system scan and save logfile" et pas autre chose
    Le bloc note va s'ouvrir, copie tout le contenu et colle le ici a la suite de ton message.
    Si tu as du mal, regarde ceci:
    http://pageperso.aol.fr/balltrap34/demohijack.htm

    Silentrunners
    http://www.silentrunners.org/Silent%20Runners.vbs
    lance le et poste le rapport

    a+
    0
    1. pierre
       
      Ci-joint premier rapport.
      Les autres suivent.

      Merci pour l'aide.

      Question : que fait exactement HCLEAN32.EXE comme "dégats" ?



      Rapport fait à 15:28:50,81 le 03/10/2005
      Executé à partir de D:\antivirus\jAu
      OS: Microsoft Windows XP [version 5.1.2600]

      *********************************************

      Vérification HKLM\...\...\...\...\ruins

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
      "pgtshlld"=hex:a1,47,00,00,90,90,a8,a4,a1,a8,cd,dc,1a,db,fc,eb,14,00,00,00
      "nidnsdr"=hex:d4,48,00,00,d3,a5,e2,ef,8d,80,87,cf,ec,91,dc,13,00,00,00
      "23naelch"=hex:ba,42,00,00,b7,80,83,b2,ae,95,28,21,3d,c2,d7,f2,14,00,00,00
      "aplnsftn"=hex:68,4d,00,00,43,41,6b,76,63,69,1d,04,43,10,05,20,14,00,00,00
      "23rtcdaol"=hex:02,4e,00,00,fb,ec,c6,cb,d0,cb,b1,f8,e1,ed,82,97,92,15,00,00,00
      "lotmd"=hex:2d,36,00,00,04,07,04,31,2c,e6,57,68,47,11,00,00,00
      "7"=hex:54,5c,00,00,29,2a,65,14,00,7f,42,4b,57,64,29,54,14,00,00,00
      "8"=hex:54,5c,00,00,53,25,62,6f,0d,00,07,4f,6c,11,5c,13,00,00,00
      "9"=hex:54,5c,00,00,57,55,1f,6a,77,7d,01,78,57,64,29,54,14,00,00,00
      "10"=hex:10,3a,00,00,ed,ee,d9,d8,c4,c3,86,8f,eb,a8,6d,98,14,00,00,00
      "11"=hex:10,3a,00,00,17,e9,26,d3,c1,c4,bb,f3,a0,55,90,13,00,00,00
      "12"=hex:10,3a,00,00,eb,19,d3,2e,cb,c1,45,bc,eb,a8,6d,98,14,00,00,00
      "13"=hex:a8,15,00,00,85,96,b1,a0,bc,ab,1e,17,03,d0,c5,e0,14,00,00,00
      "14"=hex:a8,15,00,00,8f,91,be,bb,b9,ac,d3,1b,d8,fd,e8,13,00,00,00
      "15"=hex:dc,15,00,00,df,cd,e7,e2,ff,f5,89,f0,df,9c,b1,ac,14,00,00,00
      "16"=hex:cb,57,00,00,a6,b3,92,9d,99,84,3b,30,2c,ed,a6,dd,14,00,00,00
      "17"=hex:cb,57,00,00,a8,b2,9b,94,9a,89,fc,34,e5,9e,d5,13,00,00,00
      "18"=hex:cb,57,00,00,ac,a2,94,93,8c,8a,fe,e1,2c,ed,a6,dd,14,00,00,00
      "19"=hex:bc,45,00,00,b1,82,8d,8c,a8,97,2a,23,3f,fc,d1,cc,14,00,00,00
      "20"=hex:bc,45,00,00,bb,bd,8a,87,95,98,ef,27,f4,e9,c4,13,00,00,00
      "21"=hex:bc,45,00,00,bf,ad,87,82,9f,95,e9,d0,3f,fc,d1,cc,14,00,00,00
      "22"=hex:b6,7e,00,00,8b,84,87,b6,a2,99,2c,25,31,c6,cb,f6,14,00,00,00
      "23"=hex:b6,7e,00,00,bd,87,8c,89,af,a2,e1,29,ce,f3,fe,13,00,00,00
      "24"=hex:e7,7e,00,00,c0,c6,e8,f7,e0,ee,92,85,c0,91,ba,a1,14,00,00,00
      "25"=hex:03,6a,00,00,fe,fb,ca,c5,d1,cc,f3,f8,e4,b5,9e,85,14,00,00,00
      "26"=hex:03,6a,00,00,e0,fa,d3,dc,d2,d1,b4,fc,bd,a6,8d,13,00,00,00
      "27"=hex:34,6a,00,00,37,35,3f,0a,17,1d,61,58,b7,44,49,74,14,00,00,00
      "28"=hex:4a,41,00,00,27,30,13,02,1e,05,b8,b1,ad,72,27,42,14,00,00,00
      "29"=hex:4a,41,00,00,29,33,18,15,1b,0e,7d,b5,7a,1f,4a,13,00,00,00
      "30"=hex:4a,41,00,00,2d,23,15,10,0d,0b,7f,66,ad,72,27,42,14,00,00,00
      "31"=hex:56,04,00,00,2b,24,67,16,02,79,4c,45,51,66,2b,56,14,00,00,00
      "32"=hex:56,04,00,00,5d,27,6c,69,0f,02,01,49,6e,13,5e,13,00,00,00
      "33"=hex:8a,04,00,00,6d,63,55,50,4d,4b,3f,26,6d,32,e7,02,14,00,00,00
      "34"=hex:e6,01,00,00,db,d4,f7,e6,f2,e9,dc,d5,c1,96,bb,a6,14,00,00,00
      "35"=hex:e6,01,00,00,cd,d7,fc,f9,ff,f2,91,d9,9e,83,ae,13,00,00,00
      "36"=hex:e6,01,00,00,c1,c7,e9,f4,e1,ef,93,8a,c1,96,bb,a6,14,00,00,00
      "37"=hex:9d,62,00,00,90,9d,ac,af,4b,b6,15,02,1e,df,f0,ef,14,00,00,00
      "38"=hex:9d,62,00,00,9a,9c,b5,a6,b4,bb,ce,06,d7,c8,e7,13,00,00,00
      "39"=hex:d1,62,00,00,aa,d8,92,e9,8a,80,84,ff,2a,eb,ac,db,14,00,00,00
      "40"=hex:8c,4e,00,00,61,72,5d,5c,58,47,7a,73,6f,2c,e1,1c,14,00,00,00
      "41"=hex:c0,4e,00,00,a7,b9,96,83,91,94,eb,23,f0,e5,c0,13,00,00,00
      "42"=hex:f4,4e,00,00,f7,f5,ff,ca,d7,dd,a1,98,f7,84,89,b4,14,00,00,00
      "43"=hex:ba,67,00,00,b7,80,83,b2,ae,95,28,21,3d,c2,d7,f2,14,00,00,00
      "44"=hex:ba,67,00,00,b9,83,88,85,ab,9e,ed,25,ca,ef,fa,13,00,00,00
      "45"=hex:ef,67,00,00,c8,fe,f0,cf,e8,e6,9a,9d,c8,89,82,b9,14,00,00,00
      "46"=hex:6f,1f,00,00,42,4f,7e,79,65,60,67,6c,48,09,02,39,14,00,00,00
      "47"=hex:6f,1f,00,00,74,4e,47,70,66,65,18,50,01,3a,31,13,00,00,00
      "48"=hex:a0,1f,00,00,9b,89,a3,be,bb,b1,d5,cc,1b,d8,fd,e8,14,00,00,00
      "49"=hex:d9,4d,00,00,d4,a1,e0,93,8f,fa,c9,c6,d2,e3,b4,d3,14,00,00,00
      "50"=hex:0e,4e,00,00,15,ef,24,d1,c7,ca,b9,f1,a6,5b,96,13,00,00,00
      "51"=hex:3f,4e,00,00,38,2e,00,1f,18,16,6a,6d,b8,79,52,49,14,00,00,00
      "52"=hex:e5,2a,00,00,d8,d5,f4,e7,f3,ee,dd,da,c6,97,b8,a7,14,00,00,00
      "53"=hex:19,2b,00,00,1e,e0,29,2a,c8,3f,42,8a,ab,4c,9b,13,00,00,00
      "54"=hex:19,2b,00,00,12,10,da,21,32,38,4c,b7,92,a3,74,93,14,00,00,00
      "55"=hex:8f,10,00,00,62,6f,5e,59,45,40,07,0c,68,29,e2,19,14,00,00,00
      "56"=hex:c3,10,00,00,a0,ba,93,9c,92,91,f4,3c,fd,e6,cd,13,00,00,00
      "57"=hex:f7,10,00,00,f0,f6,f8,c7,d0,de,a2,95,f0,81,8a,b1,14,00,00,00
      "58"=hex:ca,33,00,00,a7,b0,93,82,9e,85,38,31,2d,f2,a7,c2,14,00,00,00
      "59"=hex:fe,33,00,00,e5,ff,d4,c1,d7,da,a9,e1,b6,ab,86,13,00,00,00
      "60"=hex:63,34,00,00,44,4a,6c,7b,64,72,16,09,44,15,3e,25,14,00,00,00
      "61"=hex:06,17,00,00,fb,f4,d7,c6,d2,c9,fc,f5,e1,b6,9b,86,14,00,00,00
      "62"=hex:37,17,00,00,3c,06,0f,08,2e,1d,60,a8,49,72,79,13,00,00,00
      "63"=hex:6b,17,00,00,4c,42,74,73,6c,6a,1e,01,4c,0d,06,3d,14,00,00,00
      "64"=hex:48,18,00,00,25,36,11,00,1c,0b,be,b7,a3,70,25,40,14,00,00,00
      "65"=hex:7c,18,00,00,7b,7d,4a,47,55,58,2f,67,34,29,04,13,00,00,00
      "66"=hex:e1,18,00,00,da,c8,e2,f9,fa,f0,94,8f,da,9b,bc,ab,14,00,00,00
      "67"=hex:90,51,00,00,6d,6e,59,58,44,43,06,0f,6b,28,ed,18,14,00,00,00
      "68"=hex:f8,51,00,00,ff,c1,ce,cb,e9,dc,a3,eb,88,ad,b8,13,00,00,00
      "69"=hex:29,52,00,00,02,00,2a,31,22,28,5c,47,82,53,44,63,14,00,00,00
      "70"=hex:f4,77,00,00,c9,ca,c5,f4,e0,df,e2,eb,f7,84,89,b4,14,00,00,00
      "71"=hex:59,78,00,00,5e,20,69,6a,08,7f,02,4a,6b,0c,5b,13,00,00,00
      "72"=hex:be,78,00,00,b9,af,81,9c,99,97,eb,d2,39,fe,d3,ce,14,00,00,00
      "73"=hex:e9,17,00,00,c4,d1,f0,e3,ff,ea,d9,d6,c2,93,84,a3,14,00,00,00
      "74"=hex:4e,18,00,00,55,2f,64,11,07,0a,79,b1,66,1b,56,13,00,00,00
      "75"=hex:b7,18,00,00,b0,b6,b8,87,90,9e,e2,d5,30,c1,ca,f1,14,00,00,00
      "76"=hex:c7,0d,00,00,ba,b7,96,81,9d,88,3f,34,20,f1,da,c1,14,00,00,00
      "77"=hex:2d,0e,00,00,0a,0c,05,36,24,2b,5e,96,47,78,77,13,00,00,00
      "78"=hex:f7,0e,00,00,f0,f6,f8,c7,d0,de,a2,95,f0,81,8a,b1,14,00,00,00
      "79"=hex:cd,45,00,00,a0,ad,9c,9f,9b,86,c5,32,2e,ef,a0,df,14,00,00,00
      "80"=hex:67,46,00,00,4c,56,7f,78,7e,6d,10,58,19,02,29,13,00,00,00
      "81"=hex:cc,46,00,00,af,dd,97,92,8f,85,f9,e0,2f,ec,a1,dc,14,00,00,00
      "82"=hex:43,5a,00,00,3e,3b,0a,05,11,0c,b3,b8,a4,75,5e,45,14,00,00,00
      "83"=hex:11,5b,00,00,16,e8,21,d2,c0,c7,ba,f2,a3,54,93,13,00,00,00
      "84"=hex:db,5b,00,00,dc,d2,e4,e3,fc,fa,8e,f1,dc,9d,b6,ad,14,00,00,00
      "85"=hex:51,6a,00,00,2c,29,18,1b,07,02,41,4e,aa,6b,2c,5b,14,00,00,00
      "86"=hex:eb,6a,00,00,c8,d2,fb,f4,fa,e9,9c,d4,85,be,b5,13,00,00,00
      "87"=hex:b9,6b,00,00,b2,b0,ba,81,92,98,ec,d7,32,c3,d4,f3,14,00,00,00
      "88"=hex:50,6c,00,00,2d,2e,19,18,04,03,46,4f,ab,68,2d,58,14,00,00,00
      "89"=hex:b5,6c,00,00,b2,84,8d,8e,ac,a3,e6,2e,cf,f0,ff,13,00,00,00
      "90"=hex:4e,6d,00,00,29,5f,11,6c,09,07,7b,62,a9,6e,23,5e,14,00,00,00
      "91"=hex:eb,1f,00,00,c6,d3,f2,fd,f9,e4,db,d0,cc,8d,86,bd,14,00,00,00
      "92"=hex:81,20,00,00,66,78,51,42,50,57,2a,62,33,24,03,13,00,00,00
      "93"=hex:4f,21,00,00,28,5e,10,6f,08,06,7a,7d,a8,69,22,59,14,00,00,00
      "94"=hex:e9,16,00,00,c4,d1,f0,e3,ff,ea,d9,d6,c2,93,84,a3,14,00,00,00
      "95"=hex:b6,17,00,00,bd,87,8c,89,af,a2,e1,29,ce,f3,fe,13,00,00,00
      "96"=hex:4d,18,00,00,2e,5c,16,6d,0e,04,78,63,ae,6f,20,5f,14,00,00,00
      "97"=hex:5f,26,00,00,52,5f,6e,69,75,70,57,5c,58,19,32,29,14,00,00,00
      "98"=hex:f8,26,00,00,ff,c1,ce,cb,e9,dc,a3,eb,88,ad,b8,13,00,00,00
      "99"=hex:c6,27,00,00,a1,a7,89,94,81,8f,f3,ea,21,f6,db,c6,14,00,00,00
      "100"=hex:b1,4c,00,00,8c,89,b8,bb,a7,a2,21,2e,0a,cb,cc,fb,14,00,00,00
      "101"=hex:7b,4d,00,00,78,42,4b,44,6a,59,2c,64,35,2e,05,13,00,00,00
      "102"=hex:49,4e,00,00,22,20,0a,11,02,08,7c,67,a2,73,24,43,14,00,00,00
      "103"=hex:5e,06,00,00,53,5c,6f,6e,0a,71,54,5d,59,1e,33,2e,14,00,00,00
      "104"=hex:5d,07,00,00,5a,5c,75,66,74,7b,0e,46,17,08,27,13,00,00,00
      "105"=hex:27,08,00,00,00,06,28,37,20,2e,52,45,80,51,7a,61,14,00,00,00
      "106"=hex:57,57,00,00,2a,27,66,11,0d,78,4f,44,50,61,2a,51,14,00,00,00
      "107"=hex:25,58,00,00,02,14,3d,3e,3c,33,56,9e,5f,40,6f,13,00,00,00
      "108"=hex:23,59,00,00,04,0a,2c,3b,24,32,56,49,84,55,7e,65,14,00,00,00
      "109"=hex:01,76,00,00,fc,f9,c8,cb,d7,d2,f1,fe,fa,bb,9c,8b,14,00,00,00
      "110"=hex:cb,76,00,00,a8,b2,9b,94,9a,89,fc,34,e5,9e,d5,13,00,00,00
      "111"=hex:ca,77,00,00,ad,a3,95,90,8d,8b,ff,e6,2d,f2,a7,c2,14,00,00,00
      "112"=hex:2d,3b,00,00,00,0d,3c,3f,3b,26,a5,92,8e,4f,40,7f,14,00,00,00
      "113"=hex:f9,3c,00,00,fe,c0,c9,ca,e8,df,a2,ea,8b,ac,bb,13,00,00,00
      "114"=hex:f8,3d,00,00,f3,f1,fb,c6,d3,d9,ad,94,f3,80,95,b0,14,00,00,00
      "115"=hex:5c,61,00,00,51,22,6d,6c,08,77,4a,43,5f,1c,31,2c,14,00,00,00
      "116"=hex:c0,62,00,00,a7,b9,96,83,91,94,eb,23,f0,e5,c0,13,00,00,00
      "117"=hex:bf,63,00,00,b8,ae,80,9f,98,96,ea,ed,38,f9,d2,c9,14,00,00,00
      "118"=hex:6f,23,00,00,42,4f,7e,79,65,60,67,6c,48,09,02,39,14,00,00,00
      "119"=hex:d6,24,00,00,dd,a7,ec,e9,8f,82,81,c9,ee,93,de,13,00,00,00
      "120"=hex:06,26,00,00,e1,e7,c9,d4,c1,cf,b3,aa,e1,b6,9b,86,14,00,00,00
      "121"=hex:31,07,00,00,0c,09,38,3b,27,22,a1,ae,8a,4b,4c,7b,14,00,00,00
      "122"=hex:95,08,00,00,92,64,ad,ae,4c,43,c6,0e,2f,d0,1f,13,00,00,00
      "123"=hex:92,0a,00,00,95,9b,5d,a8,b5,43,c7,3e,15,2a,ef,1a,14,00,00,00
      "124"=hex:f5,2c,00,00,c8,c5,c4,f7,e3,de,ed,ea,f6,87,88,b7,14,00,00,00
      "125"=hex:8d,2e,00,00,6a,6c,a5,56,44,4b,3e,76,27,d8,17,13,00,00,00
      "126"=hex:8e,30,00,00,69,9f,51,ac,49,47,3b,22,69,2e,e3,1e,14,00,00,00
      "127"=hex:2d,55,00,00,00,0d,3c,3f,3b,26,a5,92,8e,4f,40,7f,14,00,00,00
      "128"=hex:c5,56,00,00,a2,b4,9d,9e,9c,93,f6,3e,ff,e0,cf,13,00,00,00
      "129"=hex:29,58,00,00,02,00,2a,31,22,28,5c,47,82,53,44,63,14,00,00,00
      "130"=hex:08,18,00,00,e5,f6,d1,c0,dc,cb,fe,f7,e3,b0,65,80,14,00,00,00
      "131"=hex:3b,19,00,00,38,02,0b,04,2a,19,6c,a4,75,6e,45,13,00,00,00
      "132"=hex:d4,1a,00,00,d7,d5,9f,ea,f7,fd,81,f8,d7,e4,a9,d4,14,00,00,00
      "133"=hex:1a,12,00,00,17,e0,23,d2,ce,35,88,81,9d,a2,77,92,14,00,00,00
      "134"=hex:4d,13,00,00,2a,2c,65,16,04,0b,7e,b6,67,18,57,13,00,00,00
      "135"=hex:80,14,00,00,7b,69,43,5e,5b,51,35,2c,7b,38,1d,08,14,00,00,00
      "136"=hex:33,7e,00,00,0e,0b,3a,35,21,1c,a3,a8,b4,45,4e,75,14,00,00,00
      "137"=hex:ca,00,00,00,a9,b3,98,95,9b,8e,fd,35,fa,9f,ca,13,00,00,00
      "138"=hex:95,03,00,00,96,94,5e,a5,b6,bc,c0,3b,16,27,e8,17,14,00,00,00
      "139"=hex:26,2f,00,00,1b,14,37,26,32,29,9c,95,81,56,7b,66,14,00,00,00
      "140"=hex:be,30,00,00,a5,bf,94,81,97,9a,e9,21,f6,eb,c6,13,00,00,00
      "141"=hex:87,32,00,00,60,66,48,57,40,4e,32,25,60,31,1a,01,14,00,00,00
      "142"=hex:f7,66,00,00,ca,c7,c6,f1,ed,d8,ef,e4,f0,81,8a,b1,14,00,00,00
      "143"=hex:5f,68,00,00,44,5e,77,60,76,75,08,40,11,0a,21,13,00,00,00
      "144"=hex:28,6a,00,00,03,01,2b,36,23,29,5d,44,83,50,45,60,14,00,00,00
      "145"=hex:c4,77,00,00,b9,ba,95,84,90,8f,32,3b,27,f4,d9,c4,14,00,00,00
      "146"=hex:2a,7a,00,00,09,13,38,35,3b,2e,5d,95,5a,7f,6a,13,00,00,00
      "147"=hex:f2,7c,00,00,f5,fb,fd,c8,d5,e3,a7,9e,f5,8a,8f,ba,14,00,00,00
      "148"=hex:4c,6f,00,00,21,32,1d,1c,18,07,ba,b3,af,6c,21,5c,14,00,00,00
      "149"=hex:49,71,00,00,2e,30,19,1a,18,0f,72,ba,7b,1c,4b,13,00,00,00
      "150"=hex:7b,73,00,00,7c,72,44,43,5c,5a,2e,11,7c,3d,16,0d,14,00,00,00
      "151"=hex:70,48,00,00,4d,4e,79,78,64,63,66,6f,4b,08,0d,38,14,00,00,00
      "152"=hex:6d,4a,00,00,4a,4c,45,76,64,6b,1e,56,07,38,37,13,00,00,00
      "153"=hex:3a,4c,00,00,3d,33,05,00,1d,1b,6f,56,bd,42,57,72,14,00,00,00
      "154"=hex:88,5c,00,00,65,76,51,40,5c,4b,7e,77,63,30,e5,00,14,00,00,00
      "155"=hex:85,5e,00,00,62,74,5d,5e,5c,53,36,7e,3f,20,0f,13,00,00,00
      "156"=hex:50,61,00,00,2b,59,13,6e,0b,01,05,7c,ab,68,2d,58,14,00,00,00
      "157"=hex:cc,54,00,00,a1,b2,9d,9c,98,87,3a,33,2f,ec,a1,dc,14,00,00,00
      "158"=hex:cd,56,00,00,aa,ac,e5,96,84,8b,fe,36,e7,98,d7,13,00,00,00
      "159"=hex:ca,58,00,00,ad,a3,95,90,8d,8b,ff,e6,2d,f2,a7,c2,14,00,00,00
      "160"=hex:4d,69,00,00,20,2d,1c,1f,1b,06,45,b2,ae,6f,20,5f,14,00,00,00
      "161"=hex:7f,6b,00,00,64,7e,57,40,56,55,28,60,31,2a,01,13,00,00,00
      "162"=hex:b0,6d,00,00,8b,b9,b3,8e,ab,a1,e5,dc,0b,c8,cd,f8,14,00,00,00
      "163"=hex:f4,40,00,00,c9,ca,c5,f4,e0,df,e2,eb,f7,84,89,b4,14,00,00,00
      "164"=hex:24,44,00,00,03,15,32,3f,3d,30,57,9f,5c,41,6c,13,00,00,00
      "165"=hex:eb,47,00,00,cc,c2,f4,f3,ec,ea,9e,81,cc,8d,86,bd,14,00,00,00
      "166"=hex:ab,04,00,00,86,93,b2,bd,b9,a4,1b,10,0c,cd,c6,fd,14,00,00,00
      "167"=hex:42,07,00,00,21,3b,10,1d,13,16,75,bd,72,67,42,13,00,00,00
      "168"=hex:0d,0a,00,00,ee,1c,d6,2d,ce,c4,b8,a3,ee,af,60,9f,14,00,00,00
      "169"=hex:23,21,00,00,1e,1b,2a,25,31,2c,93,98,84,55,7e,65,14,00,00,00
      "170"=hex:85,26,00,00,62,74,5d,5e,5c,53,36,7e,3f,20,0f,13,00,00,00
      "171"=hex:d2,3c,00,00,af,a8,9b,9a,86,fd,c0,c9,d5,ea,af,da,14,00,00,00
      "172"=hex:01,41,00,00,e6,f8,d1,c2,d0,d7,aa,e2,b3,a4,83,13,00,00,00
      "173"=hex:96,44,00,00,91,97,59,a4,b1,bf,c3,3a,11,26,eb,16,14,00,00,00
      "174"=hex:69,76,00,00,44,51,70,63,7f,6a,59,56,42,13,04,23,14,00,00,00
      "175"=hex:34,79,00,00,33,05,02,0f,2d,20,67,af,4c,71,7c,13,00,00,00
      "176"=hex:cb,7b,00,00,ac,a2,94,93,8c,8a,fe,e1,2c,ed,a6,dd,14,00,00,00
      "177"=hex:4d,02,00,00,20,2d,1c,1f,1b,06,45,b2,ae,6f,20,5f,14,00,00,00
      "178"=hex:7e,05,00,00,65,7f,54,41,57,5a,29,61,36,2b,06,13,00,00,00
      "179"=hex:14,08,00,00,17,15,df,2a,37,3d,41,b8,97,a4,69,94,14,00,00,00
      "180"=hex:35,29,00,00,08,05,04,37,23,1e,ad,aa,b6,47,48,77,14,00,00,00
      "181"=hex:cc,2b,00,00,ab,ad,9a,97,85,88,ff,37,e4,99,d4,13,00,00,00
      "182"=hex:97,2e,00,00,90,96,58,a7,b0,be,c2,35,10,21,ea,11,14,00,00,00
      "183"=hex:34,5b,00,00,09,0a,05,34,20,1f,a2,ab,b7,44,49,74,14,00,00,00
      "184"=hex:fe,5e,00,00,e5,ff,d4,c1,d7,da,a9,e1,b6,ab,86,13,00,00,00
      "185"=hex:c7,63,00,00,a0,a6,88,97,80,8e,f2,e5,20,f1,da,c1,14,00,00,00
      "186"=hex:de,50,00,00,d3,dc,ef,ee,8a,f1,d4,dd,d9,9e,b3,ae,14,00,00,00
      "187"=hex:aa,53,00,00,89,93,b8,b5,bb,ae,dd,15,da,ff,ea,13,00,00,00
      "188"=hex:40,56,00,00,3b,29,03,1e,1b,11,75,6c,bb,78,5d,48,14,00,00,00
      "189"=hex:f2,2a,00,00,cf,c8,fb,fa,e6,dd,e0,e9,f5,8a,8f,ba,14,00,00,00
      "190"=hex:54,2e,00,00,53,25,62,6f,0d,00,07,4f,6c,11,5c,13,00,00,00
      "191"=hex:1e,32,00,00,19,0f,21,3c,39,37,4b,b2,99,5e,73,6e,14,00,00,00
      "192"=hex:a5,64,00,00,98,95,b4,a7,b3,ae,1d,1a,06,d7,f8,e7,14,00,00,00
      "193"=hex:6e,68,00,00,75,4f,44,71,67,6a,19,51,06,3b,36,13,00,00,00
      "194"=hex:38,6c,00,00,33,31,3b,06,13,19,6d,54,b3,40,55,70,14,00,00,00
      "195"=hex:33,50,00,00,0e,0b,3a,35,21,1c,a3,a8,b4,45,4e,75,14,00,00,00
      "196"=hex:fd,55,00,00,fa,fc,d5,c6,d4,db,ae,e6,b7,a8,87,13,00,00,00
      "197"=hex:2b,5b,00,00,0c,02,34,33,2c,2a,5e,41,8c,4d,46,7d,14,00,00,00
      "198"=hex:5e,4b,00,00,53,5c,6f,6e,0a,71,54,5d,59,1e,33,2e,14,00,00,00
      "199"=hex:8f,50,00,00,94,6e,a7,50,46,45,38,70,21,da,11,13,00,00,00
      "200"=hex:ef,54,00,00,c8,fe,f0,cf,e8,e6,9a,9d,c8,89,82,b9,14,00,00,00
      "201"=hex:e0,6f,00,00,dd,de,e9,e8,f4,f3,d6,df,db,98,bd,a8,14,00,00,00
      "202"=hex:a8,74,00,00,8f,91,be,bb,b9,ac,d3,1b,d8,fd,e8,13,00,00,00
      "203"=hex:a2,79,00,00,85,8b,ad,b8,a5,b3,d7,ce,05,da,ff,ea,14,00,00,00
      "204"=hex:de,6f,00,00,d3,dc,ef,ee,8a,f1,d4,dd,d9,9e,b3,ae,14,00,00,00
      "205"=hex:a7,74,00,00,8c,96,bf,b8,be,ad,d0,18,d9,c2,e9,13,00,00,00
      "206"=hex:6f,79,00,00,48,7e,70,4f,68,66,1a,1d,48,09,02,39,14,00,00,00
      "207"=hex:4e,09,00,00,23,2c,1f,1e,1a,01,44,4d,a9,6e,23,5e,14,00,00,00
      "208"=hex:47,0e,00,00,2c,36,1f,18,1e,0d,70,b8,79,62,49,13,00,00,00
      "209"=hex:de,13,00,00,d9,cf,e1,fc,f9,f7,8b,f2,d9,9e,b3,ae,14,00,00,00
      "210"=hex:40,45,00,00,3d,3e,09,08,14,13,b6,bf,bb,78,5d,48,14,00,00,00
      "211"=hex:d4,49,00,00,d3,a5,e2,ef,8d,80,87,cf,ec,91,dc,13,00,00,00
      "212"=hex:9d,4e,00,00,9e,8c,a6,bd,be,b4,c8,33,1e,df,f0,ef,14,00,00,00
      "213"=hex:64,72,00,00,59,5a,75,64,70,6f,52,5b,47,14,39,24,14,00,00,00
      "214"=hex:f9,76,00,00,fe,c0,c9,ca,e8,df,a2,ea,8b,ac,bb,13,00,00,00
      "215"=hex:90,7b,00,00,6b,99,53,ae,4b,41,c5,3c,6b,28,ed,18,14,00,00,00
      "216"=hex:8d,1d,00,00,60,6d,5c,5f,5b,46,05,72,6e,2f,e0,1f,14,00,00,00
      "217"=hex:8a,22,00,00,69,73,58,55,5b,4e,3d,75,3a,df,0a,13,00,00,00
      "218"=hex:83,27,00,00,64,6a,4c,5b,44,52,36,29,64,35,1e,05,14,00,00,00
      "219"=hex:0f,06,00,00,e2,ef,de,d9,c5,c0,87,8c,e8,a9,62,99,14,00,00,00
      "220"=hex:a6,0b,00,00,8d,97,bc,b9,bf,b2,d1,19,de,c3,ee,13,00,00,00
      "221"=hex:9f,10,00,00,98,8e,a0,bf,b8,b6,ca,cd,18,d9,f2,e9,14,00,00,00
      "222"=hex:fa,04,00,00,f7,c0,c3,f2,ee,d5,e8,e1,fd,82,97,b2,14,00,00,00
      "223"=hex:5c,0a,00,00,5b,5d,6a,67,75,78,0f,47,14,09,24,13,00,00,00
      "224"=hex:8a,0f,00,00,6d,63,55,50,4d,4b,3f,26,6d,32,e7,02,14,00,00,00
      "225"=hex:97,18,00,00,6a,67,a6,51,4d,b8,0f,04,10,21,ea,11,14,00,00,00
      "226"=hex:91,1f,00,00,96,68,a1,52,40,47,3a,72,23,d4,13,13,00,00,00
      "227"=hex:bf,24,00,00,b8,ae,80,9f,98,96,ea,ed,38,f9,d2,c9,14,00,00,00
      "228"=hex:a0,25,00,00,9d,9e,a9,a8,b4,b3,16,1f,1b,d8,fd,e8,14,00,00,00
      "229"=hex:97,2e,00,00,9c,66,af,a8,4e,bd,c0,08,29,d2,19,13,00,00,00
      "230"=hex:f7,35,00,00,f0,f6,f8,c7,d0,de,a2,95,f0,81,8a,b1,14,00,00,00
      "231"=hex:53,46,00,00,2e,2b,1a,15,01,7c,43,48,54,65,2e,55,14,00,00,00
      "232"=hex:4e,4c,00,00,55,2f,64,11,07,0a,79,b1,66,1b,56,13,00,00,00
      "233"=hex:46,52,00,00,21,27,09,14,01,0f,73,6a,a1,76,5b,46,14,00,00,00


      *********************************************

      Fichiers détectés :

      C:\WINDOWS\balloon.wav Présent !
      C:\WINDOWS\rdt.ini Présent !

      *********************************************

      Recherche des processus aleatoires
      d'après les modèles : cs***.exe, dm***.exe, ya***.exe

      C:\WINDOWS\System32

      *********************************************

      Recherche presence hclean32.exe...
      non trouvé...
      0
    2. pierre
       
      Voilà la suite

      ---------------
      log hijack :
      ---------------

      Logfile of HijackThis v1.99.1
      Scan saved at 15:35:37, on 03/10/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Sygate\SPF\smc.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
      C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
      C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
      C:\Program Files\ewido\security suite\ewidoctrl.exe
      C:\Program Files\ewido\security suite\ewidoguard.exe
      C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
      c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\WINDOWS\System32\wbem\wmiprvse.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Messenger\msmsgs.exe
      D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
      D:\software\PeerGuardian 2 Beta\pg2.exe
      C:\WINDOWS\System32\alg.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\drwtsn32.exe
      C:\WINDOWS\system32\drwtsn32.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Hijack\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O1 - Hosts: localhost 127.0.0.1
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
      O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
      O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - Startup: Raccourci vers pg2.lnk = D:\software\PeerGuardian 2 Beta\pg2.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
      O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80F726-26A6-4EED-B754-3DC2458B4708}: NameServer = 69.50.176.198,85.255.112.12
      O17 - HKLM\System\CCS\Services\Tcpip\..\{5A7436A0-A80E-4B10-9E83-F04356E9678D}: NameServer = 69.50.176.198,85.255.112.12
      O17 - HKLM\System\CCS\Services\Tcpip\..\{5B6A33F9-29BD-49FB-A6DF-77E5098E2E6E}: NameServer = 69.50.176.198,85.255.112.12
      O17 - HKLM\System\CCS\Services\Tcpip\..\{7E145BB1-A896-48E0-875A-DC39CA86A286}: NameServer = 69.50.176.198,85.255.112.12
      O17 - HKLM\System\CCS\Services\Tcpip\..\{87FBC40E-D3FA-4C12-A0FD-84AF102B52D7}: NameServer = 69.50.176.198,85.255.112.12
      O17 - HKLM\System\CS1\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
      O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
      O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
      O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
      O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
      O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
      O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
      O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
      O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
      O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



      --------------------
      RAPPORT SilentRunner
      ---------------------

      "Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
      Operating System: Windows XP SP2
      Output limited to non-default values, except where indicated by "{++}"


      Startup items buried in registry:
      ---------------------------------

      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
      "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
      "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
      "NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
      "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
      "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
      "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
      "SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
      "Miramar Systems, Inc." = "C:\Program Files\Miramar\PC MACLAN\atmsg.exe" ["Miramar Systems Inc."]
      "EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
      "dmtol.exe" = "C:\WINDOWS\system32\dmtol.exe" [file not found]
      "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
      "KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]
      "hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [file not found]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
      {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
      -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
      "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
      -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
      "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
      "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
      -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
      "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
      -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
      "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
      -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
      "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
      "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
      "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
      "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
      "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
      "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
      "{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
      INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
      INFECTION WARNING! "System" = "csmaj.exe" [null data]

      HKLM\Software\Classes\PROTOCOLS\Filter\
      INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

      HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
      ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
      Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
      TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
      ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

      HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
      ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
      Miramar_AppleTalk\(Default) = "{327700A0-1ABB-11CF-BD20-4CAA03C10000}"
      -> {CLSID}\InProcServer32\(Default) = "atshel32.dll" ["Miramar Systems Inc."]
      TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
      ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

      HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
      Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
      MiramarNPMenu\(Default) = "{EA075FE0-9229-11CF-AEEE-00AA00A06FE4}"
      -> {CLSID}\InProcServer32\(Default) = "atnp32.dll" ["Miramar Systems Inc."]
      Miramar_Printers\(Default) = "{36C959A0-7CF9-11CF-AEEE-00AA00A06FE4}"
      -> {CLSID}\InProcServer32\(Default) = "atpp32.dll" ["Miramar Systems Inc."]
      TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


      Active Desktop and Wallpaper:
      -----------------------------

      Active Desktop is disabled at this entry:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

      HKCU\Control Panel\Desktop\
      "Wallpaper" = "C:\Documents and Settings\Pierrot (Admin)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


      Enabled Screen Saver:
      ---------------------

      HKCU\Control Panel\Desktop\
      "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


      Startup items in "Pierrot (Admin)" & "All Users" startup folders:
      -----------------------------------------------------------------

      C:\Documents and Settings\Pierrot (Admin)\Menu Démarrer\Programmes\Démarrage
      "Raccourci vers pg2" -> shortcut to: "D:\software\PeerGuardian 2 Beta\pg2.exe" ["Methlabs"]

      C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
      "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
      "Lancement rapide d'Adobe Reader" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
      "SonicWALL VPN Client" -> shortcut to: "C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe" ["SafeNet"]


      Enabled Scheduled Tasks:
      ------------------------

      "XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


      Winsock2 Service Provider DLLs:
      -------------------------------

      Namespace Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
      000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
      000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
      000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

      Transport Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
      0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
      %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
      %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


      Toolbars, Explorer Bars, Extensions:
      ------------------------------------

      Extensions (Tools menu items, main toolbar menu buttons)

      HKLM\Software\Microsoft\Internet Explorer\Extensions\
      {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
      "ButtonText" = "Recherche"

      {FB5F1910-F110-11D2-BB9E-00C04F795683}\
      "ButtonText" = "Messenger"
      "MenuText" = "Windows Messenger"
      "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


      Miscellaneous IE Hijack Points
      ------------------------------

      C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

      Added lines (compared with English-language version):
      [Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

      Missing lines (compared with English-language version):
      [Strings]: 1 line


      HOSTS file
      ----------

      C:\WINDOWS\System32\drivers\etc\HOSTS

      maps: 1 domain name to an IP address,
      1 of the IP addresses is *not* localhost!


      Running Services (Display Name, Service Name, Path {Service DLL}):
      ------------------------------------------------------------------

      AppleTalk Messenger, ATMsg, "C:\Program Files\Miramar\PC MACLAN\ATMsg.exe -service" ["Miramar Systems Inc."]
      EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
      EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe" [null data]
      ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
      ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
      kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
      Miramar AppleTalk Print Server, Miramar AppleTalk Print Server, ""c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE"" ["Miramar Systems Inc."]
      NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
      SafeNet IKE Service, IreIKE, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe"" ["SafeNet"]
      SafeNet Monitor Service, IPSECMON, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe"" ["SafeNet"]
      Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]


      ----------
      + This report excludes default entries except where indicated.
      + To see *everywhere* the script checks and *everything* it finds,
      launch it from a command prompt or a shortcut with the -all parameter.
      + To search all directories of local fixed drives for DESKTOP.INI
      DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
      use the -supp parameter or answer "No" at the first message box.
      ---------- (total run time: 26 seconds, including 8 seconds for message boxes)
      0
  2. Utilisateur anonyme
     
    re,
    Telecharge: Pocket Killbox ici
    http://www.downloads.subratam.org/KillBox.exe
    l'aide détaillé de la manip est en video ici:
    http://pageperso.aol.fr/balltrap34/killbox.htm
    (methode bloc note)

    Imprime, ou enregistre la manip dans un fichier txt (bloc notes) pour etre sur ne rien oublier et de tout faire dans l'ordre.

    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

    Lance hijackthis et clic sur [do a system scan only]
    cocher la case au début des lignes suivantes:
    O1 - Hosts: localhost 127.0.0.1

    O17 - HKLM\System\CCS\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80F726-26A6-4EED-B754-3DC2458B4708}: NameServer = 69.50.176.198,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5A7436A0-A80E-4B10-9E83-F04356E9678D}: NameServer = 69.50.176.198,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B6A33F9-29BD-49FB-A6DF-77E5098E2E6E}: NameServer = 69.50.176.198,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7E145BB1-A896-48E0-875A-DC39CA86A286}: NameServer = 69.50.176.198,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87FBC40E-D3FA-4C12-A0FD-84AF102B52D7}: NameServer = 69.50.176.198,85.255.112.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{35BFD203-4759-483A-8371-41D90CA97191}: NameServer = 69.50.176.198,85.255.112.12

    valider en cliquant sur le bouton [fix checked]

    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

    puis vérifie ceci:
    demarrer > connection > clic droit sur ta connection > propriétés
    gestion de reseau
    assure toi que protocole internet tcp/ip est en surbrillance (attention, ne décoche pas la case)> clic sur propriétés > selectionne "obtenir les adresses DNS des serveurs automatiquement"
    valide avec ok
    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

    Déconnecte toi d'internet et ferme tout les programmes en cours.

    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

    ouvre le bloc note et copie et colle ceci à l'interieur:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HCLEAN32.EXE]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=-
    "System"=""

    Puis enregistrer sous et dans:
    Nom du fichier, met fix.reg
    Type de fichier: selectionne "tous les fichiers"
    clic sur enregistrer

    ensuite double clic sur fix.reg et accepte de fusionner
    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

    ouvre le bloc note et copie et colle la liste des fichiers à supprimerci-dessous
    une fois fait, enregistre le à un endroit ou tu pourras le retrouver facilement (sur le bureau par exemple).

    C:\WINDOWS\System32\hclean32.exe
    C:\WINDOWS\system32\dmtol.exe
    C:\WINDOWS\balloon.wav
    C:\WINDOWS\rdt.ini
    C:\WINDOWS\System32\csmaj.exe

    1/ lance killbox.exe
    2/ ouvre le fichier txt qui contient la liste des fichiers à supprimer, clic sur edition dans le menu du haut et clic sur "selectionner tout"
    3/ clic une seconde fois sur "edition" et clic sur "copier"
    4/ referme le bloc note.
    5/ Dans killbox, selectionne "Delete on Reboot"
    6/ Dans le menu du haut clic sur File, puis sur paste from clipboard
    (tu devrais voir apparaitre la liste des fichier qu'il va supprimer)
    7/ clic sur le rond rouge
    8/ une fenetre va apparaitre pour confirmation clic sur OUI
    9/ une seconde fenetre te demande si tu veux redemarrer clic sur OUI

    Si le pc ne redemarre pas automatiquement ou si killbox t'envois ce message:
    "Pending file Rename Operations Registry Data has been Removed by External Process"
    ignore le et redemarre le pc normallement

    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

    de retour en mode mormal, reposte les rapports des 3 programmes:
    hijackthis, silentrunners et hc.bat

    a+
    0
    1. pierre
       
      Maintenant ça donne ça

      ------------
      hc.bat
      --------------

      Rapport fait à 17:45:36,59 le 03/10/2005
      Executé à partir de D:\antivirus\jAu
      OS: Microsoft Windows XP [version 5.1.2600]

      *********************************************

      Vérification HKLM\...\...\...\...\ruins


      *********************************************

      Fichiers détectés :

      C:\WINDOWS\System32\loadctr32.exe Présent !

      *********************************************

      Recherche des processus aleatoires
      d'après les modèles : cs***.exe, dm***.exe, ya***.exe

      C:\WINDOWS\System32

      *********************************************

      Recherche presence hclean32.exe...
      non trouvé...



      -----------------------
      silentrunners
      -------------------------

      "Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
      Operating System: Windows XP SP2
      Output limited to non-default values, except where indicated by "{++}"


      Startup items buried in registry:
      ---------------------------------

      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
      "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
      "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
      "NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
      "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
      "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
      "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
      "SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
      "Miramar Systems, Inc." = "C:\Program Files\Miramar\PC MACLAN\atmsg.exe" ["Miramar Systems Inc."]
      "EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
      "dmtol.exe" = "C:\WINDOWS\system32\dmtol.exe" [file not found]
      "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
      "KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]
      "hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [file not found]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
      {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
      -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
      "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
      -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
      "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
      "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
      -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
      "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
      -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
      "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
      -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
      "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
      "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
      "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
      "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
      "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
      "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
      "{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
      "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
      INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

      HKLM\Software\Classes\PROTOCOLS\Filter\
      INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

      HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
      ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
      Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
      TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
      ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

      HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
      ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
      Miramar_AppleTalk\(Default) = "{327700A0-1ABB-11CF-BD20-4CAA03C10000}"
      -> {CLSID}\InProcServer32\(Default) = "atshel32.dll" ["Miramar Systems Inc."]
      TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
      ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

      HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
      Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
      MiramarNPMenu\(Default) = "{EA075FE0-9229-11CF-AEEE-00AA00A06FE4}"
      -> {CLSID}\InProcServer32\(Default) = "atnp32.dll" ["Miramar Systems Inc."]
      Miramar_Printers\(Default) = "{36C959A0-7CF9-11CF-AEEE-00AA00A06FE4}"
      -> {CLSID}\InProcServer32\(Default) = "atpp32.dll" ["Miramar Systems Inc."]
      TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


      Active Desktop and Wallpaper:
      -----------------------------

      Active Desktop is disabled at this entry:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

      HKCU\Control Panel\Desktop\
      "Wallpaper" = "C:\Documents and Settings\Pierrot (Admin)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


      Enabled Screen Saver:
      ---------------------

      HKCU\Control Panel\Desktop\
      "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


      Startup items in "Pierrot (Admin)" & "All Users" startup folders:
      -----------------------------------------------------------------

      C:\Documents and Settings\Pierrot (Admin)\Menu Démarrer\Programmes\Démarrage
      "Raccourci vers pg2" -> shortcut to: "D:\software\PeerGuardian 2 Beta\pg2.exe" ["Methlabs"]

      C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
      "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
      "Lancement rapide d'Adobe Reader" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
      "SonicWALL VPN Client" -> shortcut to: "C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe" ["SafeNet"]


      Enabled Scheduled Tasks:
      ------------------------

      "XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


      Winsock2 Service Provider DLLs:
      -------------------------------

      Namespace Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
      000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
      000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
      000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

      Transport Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
      0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
      %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
      %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


      Toolbars, Explorer Bars, Extensions:
      ------------------------------------

      Extensions (Tools menu items, main toolbar menu buttons)

      HKLM\Software\Microsoft\Internet Explorer\Extensions\
      {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
      "ButtonText" = "Recherche"

      {FB5F1910-F110-11D2-BB9E-00C04F795683}\
      "ButtonText" = "Messenger"
      "MenuText" = "Windows Messenger"
      "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


      Miscellaneous IE Hijack Points
      ------------------------------

      C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

      Added lines (compared with English-language version):
      [Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

      Missing lines (compared with English-language version):
      [Strings]: 1 line


      Running Services (Display Name, Service Name, Path {Service DLL}):
      ------------------------------------------------------------------

      AppleTalk Messenger, ATMsg, "C:\Program Files\Miramar\PC MACLAN\ATMsg.exe -service" ["Miramar Systems Inc."]
      EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
      EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe" [null data]
      ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
      ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
      kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
      Miramar AppleTalk Print Server, Miramar AppleTalk Print Server, ""c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE"" ["Miramar Systems Inc."]
      NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
      SafeNet IKE Service, IreIKE, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe"" ["SafeNet"]
      SafeNet Monitor Service, IPSECMON, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe"" ["SafeNet"]
      Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]


      ----------
      + This report excludes default entries except where indicated.
      + To see *everywhere* the script checks and *everything* it finds,
      launch it from a command prompt or a shortcut with the -all parameter.
      + To search all directories of local fixed drives for DESKTOP.INI
      DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
      use the -supp parameter or answer "No" at the first message box.
      ---------- (total run time: 27 seconds, including 3 seconds for message boxes)




      -------------------
      hijackthis
      ---------------------


      Logfile of HijackThis v1.99.1
      Scan saved at 17:41:48, on 03/10/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Sygate\SPF\smc.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
      C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
      C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
      C:\Program Files\ewido\security suite\ewidoctrl.exe
      C:\Program Files\ewido\security suite\ewidoguard.exe
      C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
      c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Messenger\msmsgs.exe
      D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
      D:\software\PeerGuardian 2 Beta\pg2.exe
      C:\WINDOWS\system32\wuauclt.exe
      E:\Bin\demo32.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Hijack\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
      O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
      O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
      O4 - HKLM\..\Run: [dmtol.exe] C:\WINDOWS\system32\dmtol.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
      O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\system32\hclean32.exe
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - Startup: Raccourci vers pg2.lnk = D:\software\PeerGuardian 2 Beta\pg2.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
      O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
      O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
      O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
      O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
      O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
      O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
      O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
      O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
      O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe




      Vraiment MERCI pour le temps passé à m'aider
      0
  3. Utilisateur anonyme
     
    salut pierre

    Rend visible les fichiers cachés et systeme
    panneau de configuration > options des dossiers > onglet affichage
    Cocher la case devant " afficher les fichiers et dossiers cachés "
    Décocher la case devant " masquer les extentions des fichiers dont le type est connu"
    Décocher la case devant " masquer les fichiers protégés du système"
    clic sur [Appliquer] puis sur [ok] pour valider

    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

    Lance hijackthis et clic sur [do a system scan only]
    cocher la case au début des lignes suivantes:

    O4 - HKLM\..\Run: [dmtol.exe] C:\WINDOWS\system32\dmtol.exe
    O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\system32\hclean32.exe

    valider en cliquant sur le bouton [fix checked]

    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

    recherche et supprime:

    C:\WINDOWS\System32\loadctr32.exe
    s'il resiste, supprime le avec killbox

    verifie aussi si :
    C:\WINDOWS\system32\dmtol.exe
    C:\WINDOWS\system32\hclean32.exe
    n'existent plus. (normallement ils ne devraient plus y etre)

    redemarre le pc, puis reposte les rapports des trois progs
    (pour hijackthis, fais le rapport apres t'etre connecté au net)

    a+
    0
  4. pierre
     
    Bonsoir,

    ci-joint les derniers logs

    -------------
    Hijack
    -------------

    Logfile of HijackThis v1.99.1
    Scan saved at 18:25:43, on 03/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
    C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
    c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
    D:\software\PeerGuardian 2 Beta\pg2.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Raccourci vers pg2.lnk = D:\software\PeerGuardian 2 Beta\pg2.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
    O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
    O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
    O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    -------------
    silentrunners
    ---------------

    "Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
    "Miramar Systems, Inc." = "C:\Program Files\Miramar\PC MACLAN\atmsg.exe" ["Miramar Systems Inc."]
    "EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
    "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
    "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
    "{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
    TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
    Miramar_AppleTalk\(Default) = "{327700A0-1ABB-11CF-BD20-4CAA03C10000}"
    -> {CLSID}\InProcServer32\(Default) = "atshel32.dll" ["Miramar Systems Inc."]
    TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Labs"]
    MiramarNPMenu\(Default) = "{EA075FE0-9229-11CF-AEEE-00AA00A06FE4}"
    -> {CLSID}\InProcServer32\(Default) = "atnp32.dll" ["Miramar Systems Inc."]
    Miramar_Printers\(Default) = "{36C959A0-7CF9-11CF-AEEE-00AA00A06FE4}"
    -> {CLSID}\InProcServer32\(Default) = "atpp32.dll" ["Miramar Systems Inc."]
    TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Pierrot (Admin)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

    Startup items in "Pierrot (Admin)" & "All Users" startup folders:
    -----------------------------------------------------------------

    C:\Documents and Settings\Pierrot (Admin)\Menu Démarrer\Programmes\Démarrage
    "Raccourci vers pg2" -> shortcut to: "D:\software\PeerGuardian 2 Beta\pg2.exe" ["Methlabs"]

    C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
    "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
    "Lancement rapide d'Adobe Reader" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "SonicWALL VPN Client" -> shortcut to: "C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe" ["SafeNet"]

    Enabled Scheduled Tasks:
    ------------------------

    "XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]

    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Recherche"

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    [Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

    Missing lines (compared with English-language version):
    [Strings]: 1 line

    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AppleTalk Messenger, ATMsg, "C:\Program Files\Miramar\PC MACLAN\ATMsg.exe -service" ["Miramar Systems Inc."]
    EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
    EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe" [null data]
    ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
    ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
    kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
    Miramar AppleTalk Print Server, Miramar AppleTalk Print Server, ""c:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE"" ["Miramar Systems Inc."]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    SafeNet IKE Service, IreIKE, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe"" ["SafeNet"]
    SafeNet Monitor Service, IPSECMON, ""C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe"" ["SafeNet"]
    Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]

    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ---------- (total run time: 27 seconds, including 10 seconds for message boxes)

    ----------
    jAu
    ---------------

    Rapport fait à 18:23:36,65 le 03/10/2005
    Executé à partir de D:\antivirus\jAu
    OS: Microsoft Windows XP [version 5.1.2600]

    *********************************************

    Vérification HKLM\...\...\...\...\ruins

    *********************************************

    Fichiers détectés :

    *********************************************

    Recherche des processus aleatoires
    d'après les modèles : cs***.exe, dm***.exe, ya***.exe

    C:\WINDOWS\System32

    *********************************************

    Recherche presence hclean32.exe...
    non trouvé...
    0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. Utilisateur anonyme
     
    ca a l'air ok
    Des soucis de ton coté ?

    fais quand meme un scan av de controle:

    ici:
    http://webscanner.kaspersky.fr/
    apres le chargement du control active X, clic sur suivant
    puis clic sur configuration et choisis "étendue"
    Choisis l'analyse répertoire et choisis ton ou tes disques durs
    ou là:
    http://www.bitdefender.fr

    A la fin de l'analyse, copier/coller le rapport ici

    a++
    0
    1. pierre
       
      Merci,

      je vais faire un scan et je posterai le rapport.

      Il fait quoi ce hclean32.exe ?

      et ça s'attrape comment en général ?
      0
    2. pierre
       
      Le rapport est clean

      -------------------------------------------------------------------------------
      KASPERSKY ON-LINE SCANNER REPORT
      Monday, October 03, 2005 19:09:30
      Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
      Kaspersky On-line Scanner version: 5.0.67.0
      Kaspersky Anti-Virus database last update: 3/10/2005
      Kaspersky Anti-Virus database records: 143069
      -------------------------------------------------------------------------------

      Scan Settings:
      Scan using the following antivirus database: standard
      Scan Archives: true
      Scan Mail Bases: true

      Scan Target - Folders:
      C:\
      D:\

      Scan Statistics:
      Total number of scanned objects: 39941
      Number of viruses found: 0
      Number of infected objects: 0
      Number of suspicious objects: 0
      Duration of the scan process: 1305 sec
      No malware has been detected. The sections that have been scanned are CLEAN.

      Scan process completed.


      Merci beaucoup à tous les 2

      Et si vous avez des infos sur ce que fait hclean32 je suis preneur (pour info)

      Merci encore
      0
  7. Utilisateur anonyme
     
    moe,
    les 2 que l ont a retrouver apres ma manip, je l avais oublié du depart ou pas?
    0
  8. Utilisateur anonyme
     
    salut

    je crois que hclean32 n'est que le debut d'infection, en fait, il modifie tes dns (017 dans hijackthis), pour te rediriger vers des urls piégées qui permettent surement d'executer ou de telecharger un fichier à distance.
    Il est lié avec wareout, (la 2eme partie de l'infection à mon avis) un faux antispyware qui s'installe sans te demander ton avis sur ton pc.
    hclean et detecté selon les av comme:
    trojan.flush
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.flush.a.html
    /trojruindla
    http://www.sophos.com/virusinfo/analyses/trojruindla.html

    Pour regis:
    il manquait juste les 04 et la 01 dans hijack à faire fixer.
    Mais bon, en général c'est rare que les 04 apparaissent dans hijack à part en tout début d'infection, ensuite il faut un silentrunners pour les debusquer.
    Je crois que tu as pigé le truc.

    a+
    0