[virus] HijackThis log from my PC
juanmarco (3 posts, status: Member)
Hello, I'm new to the forum and I've had a big problem with my PC for a week: after a few minutes (sometimes even seconds) the machine slows down considerably and the processor is always at 100% utilisation. I strongly suspect I'm infected. Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 19:54:11, on 17/06/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\shost.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Fichiers communs\ACD Systems\EN\DevDetect.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\ESNAULT'FAMILY\Bureau\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cegetel.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINNT\System32\yabxx.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINNT\System32\efede.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Fichiers communs\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120278006245
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: efede - C:\WINNT\SYSTEM32\efede.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: yabxx - C:\WINNT\System32\yabxx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Could some kind soul help me out, given that I'm no computer genius? Thanks in advance.
3 replies
Hi,
Download VirtumundoBeGone to the desktop:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
Then double-click VirtumundoBeGone.exe and follow the instructions.
Once it has finished, reboot and post the VBG.TXT report created on the desktop in your next reply, together with a new HijackThis report.
Don't worry if you see a "Fatal error" blue screen message; that's normal and expected. Then post a HijackThis report again, specifying which anti-spyware programs you have.
juanmarco (3 posts, status: Member)
OK, thanks for the info, I'll do that tonight and let you know tomorrow morning. Thanks, see you tomorrow.
Hello Boulepate, here is the VBG report and the new HijackThis report:
VBG.TXT
[06/18/2005, 2:48:20] - VirtumundoBeGone v1.5 ( "C:\VirtumundoBeGone.exe" )
[06/18/2005, 2:48:32] - Detected System Information:
[06/18/2005, 2:48:32] - Windows Version: 5.0.2195, Service Pack 1
[06/18/2005, 2:48:32] - Current Username: ESNAULT'FAMILY (Admin)
[06/18/2005, 2:48:32] - Windows is in NORMAL mode.
[06/18/2005, 2:48:32] - Searching for Browser Helper Objects:
[06/18/2005, 2:48:32] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/18/2005, 2:48:32] - BHO 2: {2353FCBC-012D-487B-8BF3-865C0929FBEB} (ATLDistrib Object)
[06/18/2005, 2:48:32] - ALERT: Found ATLDistrib Object!
[06/18/2005, 2:48:32] - BHO 3: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} ()
[06/18/2005, 2:48:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/18/2005, 2:48:32] - Checking for HKLM\...\Winlogon\Notify\efede
[06/18/2005, 2:48:32] - Found: HKLM\...\Winlogon\Notify\efede - This is probably Virtumundo.
[06/18/2005, 2:48:32] - Assigning {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} MSEvents Object
[06/18/2005, 2:48:32] - BHO list has been changed! Starting over...
[06/18/2005, 2:48:32] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/18/2005, 2:48:32] - BHO 2: {2353FCBC-012D-487B-8BF3-865C0929FBEB} (ATLDistrib Object)
[06/18/2005, 2:48:32] - ALERT: Found ATLDistrib Object!
[06/18/2005, 2:48:32] - BHO 3: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} (MSEvents Object)
[06/18/2005, 2:48:32] - ALERT: Found MSEvents Object!
[06/18/2005, 2:48:32] - Finished Searching Browser Helper Objects
[06/18/2005, 2:48:32] - *** Detected ATLDistrib Object
[06/18/2005, 2:48:32] - *** Detected MSEvents Object
[06/18/2005, 2:48:32] - Trying to remove ATLDistrib Object...
[06/18/2005, 2:48:33] - Terminating Process: IEXPLORE.EXE
[06/18/2005, 2:48:33] - Terminating Process: RUNDLL32.EXE
[06/18/2005, 2:48:34] - Disabling Automatic Shell Restart
[06/18/2005, 2:48:34] - Terminating Process: EXPLORER.EXE
[06/18/2005, 2:48:34] - Suspending the NT Session Manager System Service
[06/18/2005, 2:48:34] - Terminating Windows NT Logon/Logoff Manager
[06/18/2005, 2:48:34] - Re-enabling Automatic Shell Restart
[06/18/2005, 2:48:34] - File to disable: C:\WINNT\System32\yabxx.dll
[06/18/2005, 2:48:34] - Renaming C:\WINNT\System32\yabxx.dll -> C:\WINNT\System32\yabxx.dll.vir
[06/18/2005, 2:48:34] - ! File rename was unsucessful.
[06/18/2005, 2:48:34] - Attempting to Deny Access to C:\WINNT\System32\yabxx.dll
[06/18/2005, 2:48:35] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[06/18/2005, 2:48:35] - ERROR: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.
[06/18/2005, 2:48:35] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[06/18/2005, 2:48:35] - Removing HKLM\...\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[06/18/2005, 2:48:35] - Removing HKCR\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[06/18/2005, 2:48:35] - Adding Kill Bit for ActiveX for GUID: {2353FCBC-012D-487B-8BF3-865C0929FBEB}
[06/18/2005, 2:48:35] - Deleting ATLEvents/MSEvents Registry entries
[06/18/2005, 2:48:35] - Removing HKLM\...\Winlogon\Notify\yabxx
[06/18/2005, 2:48:35] - Trying to remove MSEvents Object...
[06/18/2005, 2:48:36] - Terminating Process: IEXPLORE.EXE
[06/18/2005, 2:48:36] - Terminating Process: RUNDLL32.EXE
[06/18/2005, 2:48:36] - Disabling Automatic Shell Restart
[06/18/2005, 2:48:36] - Terminating Process: EXPLORER.EXE
[06/18/2005, 2:48:36] - Suspending the NT Session Manager System Service
[06/18/2005, 2:48:37] - Terminating Windows NT Logon/Logoff Manager
[06/18/2005, 2:48:37] - Re-enabling Automatic Shell Restart
[06/18/2005, 2:48:37] - File to disable: C:\WINNT\System32\efede.dll
[06/18/2005, 2:48:37] - Renaming C:\WINNT\System32\efede.dll -> C:\WINNT\System32\efede.dll.vir
[06/18/2005, 2:48:37] - ! File rename was unsucessful.
[06/18/2005, 2:48:37] - Attempting to Deny Access to C:\WINNT\System32\efede.dll
[06/18/2005, 2:48:37] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[06/18/2005, 2:48:37] - ERROR: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.
[06/18/2005, 2:48:37] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[06/18/2005, 2:48:37] - Removing HKLM\...\Browser Helper Objects\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[06/18/2005, 2:48:37] - Removing HKCR\CLSID\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[06/18/2005, 2:48:37] - Adding Kill Bit for ActiveX for GUID: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[06/18/2005, 2:48:37] - Deleting ATLEvents/MSEvents Registry entries
[06/18/2005, 2:48:37] - Removing HKLM\...\Winlogon\Notify\efede
[06/18/2005, 2:48:37] - Searching for Browser Helper Objects:
[06/18/2005, 2:48:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/18/2005, 2:48:37] - Finished Searching Browser Helper Objects
[06/18/2005, 2:48:37] - Finishing up...
[06/18/2005, 2:48:37] - A restart is needed.
[06/18/2005, 2:48:49] - Attempting to Restart via STOP error (Blue Screen!)
HIJACKTHIS:
Logfile of HijackThis v1.99.1
Scan saved at 02:58:48, on 18/06/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\shost.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Fichiers communs\ACD Systems\EN\DevDetect.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Documents and Settings\ESNAULT'FAMILY\Bureau\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cegetel.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Fichiers communs\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120278006245
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
There you go; while I wait for your solutions, thanks.
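A small triage script, added here as an example and not part of HijackThis or VirtumundoBeGone, that applies the checks the VBG.TXT log above walks through to the O2 (BHO) and O20 (Winlogon Notify) lines of the HijackThis reports in this thread: a BHO with no default name, a BHO whose DLL is also registered under Winlogon\Notify, and the two BHO names VBG alerts on. The sample log text is copied from the two HijackThis reports above (before and after the cleanup); the function and constant names are my own.

```python
import ntpath
import re
from collections import namedtuple

# Hypothetical triage helper written for this thread; it is not part of HijackThis
# or VirtumundoBeGone. It reproduces, over a HijackThis 1.99.1 log, the checks the
# VBG.TXT report above shows: unnamed BHO, BHO DLL also in Winlogon\Notify, and the
# BHO names VBG reports with "ALERT: Found ... Object!".

# Sample input: the O2/O3/O20 lines of the first HijackThis log in the thread (before cleanup).
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINNT\System32\yabxx.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINNT\System32\efede.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O20 - Winlogon Notify: efede - C:\WINNT\SYSTEM32\efede.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: yabxx - C:\WINNT\System32\yabxx.dll
"""

# The same lines from the HijackThis log posted after running VirtumundoBeGone.
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
"""

Bho = namedtuple("Bho", "name clsid path")
Notify = namedtuple("Notify", "key path")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# BHO names VirtumundoBeGone alerts on in the VBG.TXT report above.
VBG_ALERT_NAMES = {"ATLDistrib Object", "MSEvents Object"}


def parse(log_text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(Bho(m["name"], m["clsid"].upper(), m["path"]))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(Notify(m["key"], m["path"]))
    return bhos, notifies


def triage(log_text):
    """Return {clsid: [reasons]} for every BHO that matches a Virtumundo indicator."""
    bhos, notifies = parse(log_text)
    # Windows paths are case-insensitive; the log itself mixes System32 and SYSTEM32.
    notify_dlls = {ntpath.basename(n.path).lower() for n in notifies}
    findings = {}
    for bho in bhos:
        reasons = []
        if bho.name == "(no name)":
            reasons.append("BHO has no default name")
        if bho.name in VBG_ALERT_NAMES:
            reasons.append("BHO name is one VirtumundoBeGone alerts on")
        if ntpath.basename(bho.path).lower() in notify_dlls:
            reasons.append("same DLL is registered under Winlogon\\Notify")
        if reasons:
            findings[bho.clsid] = reasons
    return findings


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"{label}: {triage(log) or 'no Virtumundo indicators'}")
```

Run against the pre-cleanup log it flags exactly the two CLSIDs that VBG removed; against the post-cleanup log it reports nothing, which is the check a helper would do on the second report before declaring the machine clean.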