[virus] It cancels my setups and slows down my PC

Franckyll (member):
Hi everyone,
So here's the thing: I recently noticed that my PC was getting slower and slower, and among my processes I spotted a file "guard.exe" (which belongs to the ewido 4.0 software) that was running and could not be stopped, even though ewido was not running at all on my PC! I sent this file to an online multi-scanner, and every engine replied that the file was infected.

Another thing: I was infected by a certain virus, "W32.virut.A" I think, and it had contaminated a lot of my applications, including Ewido, Avast, Nero, etc. After a long disinfection attempt, the virus no longer seemed to show itself. Until the day I wanted to install another antivirus (AntiVir), but during the installation I get an error message: "The CRC...(path of the temp folder)\RarSFX0\upgrade.exe has been changed ! This could be due to a virus ! Do you want to shut down Setup ?" And the only answer I can choose is OK, so it cancels my setup.

This virus is really annoying; I'm attaching a Kaspersky report and a HijackThis log:


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER - RAPPORT
dimanche 9 juillet 2006 13:52:53
Système d'exploitation : Microsoft Windows XP Professional, (Build 2600)
Version de Kaspersky On-line Scanner: 5.0.78.0
Dernière mise à jour de la base antivirus Kaspersky : 9/07/2006
Enregistrements dans la base antivirus Kaspersky : 205937
-------------------------------------------------------------------------------

Paramètres d'analyse:
Analyser avec la base antivirus suivante: étendue
Analyser les archives: vrai
Analyser les bases de messagerie.: vrai

Cible de l'analyse - Zones critiques:
H:\WINDOWS
H:\DOCUME~1\FR@NCK~1\LOCALS~1\Temp\

Statistiques de l'analyse:
Total d'objets analysés :: 11917
Nombre de virus trouvés: 2
Nombre d'objets infectés: 10
Nombre d'objets suspects: 0
Durée de l'analyse: 00:19:20

Nom de l'objet infecté / Nom du virus / Dernière action
H:\WINDOWS\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814234.exe Infecté: Virus.Win32.Virut.a ignoré
H:\WINDOWS\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814236.exe Infecté: Virus.Win32.Virut.a ignoré
H:\WINDOWS\system32\AVASTSS.scr Infecté: Virus.Win32.Virut.a ignoré
H:\WINDOWS\system32\config\systemprofile\Bureau\freeprodtb.exe/data0002 Infecté: not-a-virus:AdWare.Win32.Softomate.q ignoré
H:\WINDOWS\system32\config\systemprofile\Bureau\freeprodtb.exe NSIS: infecté - 1 ignoré
H:\WINDOWS\system32\pxhpinst.exe Infecté: Virus.Win32.Virut.a ignoré
H:\DOCUME~1\FR@NCK~1\LOCALS~1\Temp\AutoRun.exe Infecté: Virus.Win32.Virut.a ignoré
H:\DOCUME~1\FR@NCK~1\LOCALS~1\Temp\eauninstall.exe Infecté: Virus.Win32.Virut.a ignoré
H:\DOCUME~1\FR@NCK~1\LOCALS~1\Temp\Need for Speed Underground 2_uninst.exe Infecté: Virus.Win32.Virut.a ignoré
H:\DOCUME~1\FR@NCK~1\LOCALS~1\Temp\Set9E7.tmp Infecté: Virus.Win32.Virut.a ignoré

Analyse terminée.

----------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 14:14:57, on 09/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\SYSTEM32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\SYSTEM32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\windows\system32\msdntsrv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\system32\NOTEPAD.EXE
H:\Program Files\HT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft DNT Service] c:\windows\system32\msdntsrv.exe
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Base Services] wbse32.exe
O4 - HKCU\..\Run: [Microsoft DNT Service] c:\windows\system32\msdntsrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://H:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://H:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://H:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://H:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://H:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site....
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - https://www.f-secure.com/en/home/support
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A28092-578D-406D-ACAB-743FEC840A4F}: NameServer = 86.64.145.145 84.103.237.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: h:\windows\system32\wmfhotfix.dll MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - H:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Service de la passerelle de la couche Application (ALG) - Unknown owner - H:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvsec(nvsec) (NvSec) - Unknown owner - H:\WINDOWS\system32\nvsec.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - H:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - H:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - H:\WINDOWS\winsock\csrss.exe (file missing)
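As an added triage example (my own code, not part of the original thread and not from HijackThis or any other tool named here), the script below reads a handful of O4 and O23 lines copied from the log above and flags the patterns a cleanup helper usually checks first: a Run entry naming a bare file with no directory (wbse32.exe, resolved through the PATH search at logon), a Run entry pointing at a Windows directory on a drive other than the one the live system runs from (the process list shows Windows on H:, yet msdntsrv.exe is loaded from C:), a service with an unknown owner or a missing file, and a core system-process name placed outside System32 (csrss.exe under H:\WINDOWS\winsock). The system-drive letter, the list of system-process names and the reason codes are assumptions of mine; a hit is a lead to investigate, not a verdict, since the log's ALG entry also carries "Unknown owner" and "(file missing)" and is a standard Windows XP service.

```python
"""Triage of HijackThis O4 (Run keys) and O23 (services) lines."""
import ntpath
import re
from typing import Dict, List

# Lines copied from the HijackThis log posted above; the rest of the log is omitted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft DNT Service] c:\windows\system32\msdntsrv.exe
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Base Services] wbse32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - H:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - H:\WINDOWS\winsock\csrss.exe (file missing)
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")
MISSING = "(file missing)"

# Assumption: core Windows process names that legitimately live only in System32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe"}


def executable_of(cmd: str) -> str:
    """Strip arguments from a Run-key command: quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text: str, system_drive: str = "H:") -> Dict[str, List[str]]:
    """Map each suspicious executable path to the reason codes it triggered.

    system_drive is an assumption read off the log's own process list, where
    the running copy of Windows is on drive H:.
    """
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        line = line.strip()
        run = O4_RUN.match(line)
        if run:
            exe = executable_of(run.group("cmd"))
            reasons: List[str] = []
            if not ABS_PATH.match(exe):
                # No directory at all: found through the PATH search at logon.
                reasons.append("bare-filename")
            elif exe[:2].upper() != system_drive.upper() and "\\windows\\" in exe.lower():
                # A Windows directory on a drive the live system does not boot from.
                reasons.append("other-drive-windows-dir")
            if reasons:
                findings.setdefault(exe, []).extend(reasons)
            continue
        svc = O23_SVC.match(line)
        if svc:
            path = svc.group("path").strip()
            missing = path.endswith(MISSING)
            exe = path[: -len(MISSING)].strip() if missing else path
            reasons = []
            if svc.group("owner") == "Unknown owner":
                reasons.append("unknown-owner")
            if missing:
                reasons.append("file-missing")
            if (ntpath.basename(exe).lower() in SYSTEM_NAMES
                    and not ntpath.dirname(exe).lower().endswith("system32")):
                reasons.append("system-name-outside-system32")
            if reasons:
                findings.setdefault(exe, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for exe, why in triage(SAMPLE_LOG).items():
        print(f"{exe}: {', '.join(why)}")
```

Run against the six sample lines, the script leaves realsched.exe and Ati2evxx.exe alone and reports the other four; the reason codes say why each one deserves a look before anything is deleted.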
37 replies

Regis59 (security contributor):
Hi

So it doesn't restart?
Then restart it manually.

See you later
Franckyll:
Are you sure that if I restart manually, Pocket Killbox will still carry out its deletion? And should I restart with the error message still displayed, or click OK and then close Pocket Killbox?
Regis59 (security contributor):
Hi

Yes yes, don't worry lol
Click OK, close Killbox and all applications, and restart.

See you later
Franckyll:
"Silent Runners.vbs", revision 46, https://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"WinUpdate.exe" = "H:\Program Files\Windows\WinUpdate.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TkBellExe" = ""H:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "H:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "H:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "H:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "H:\WINDOWS\System32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "H:\WINDOWS\System32\dfshim.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "H:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e OODBS" [file not found], [MS], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\photos\logo\logo noir & vert plastik.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "H:\WINDOWS\System32\sstext3d.scr" [MS]


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

E:\
INFECTION WARNING! E:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]


Startup items in "Fr@nckyll" & "All Users" startup folders:
-----------------------------------------------------------

H:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "H:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{052B12F7-86FA-4921-8482-26C42316B522}"
-> {HKLM...CLSID} = "Safety Bar"
\InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{F053C368-5458-45B2-9B4D-D8914BDDDBFF}" = (no title provided)
-> {HKLM...CLSID} = "TextAloud"
\InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{052B12F7-86FA-4921-8482-26C42316B522}\(Default) = "Safety Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]

HKLM\Software\Classes\CLSID\{F053C368-5458-45B2-9B4D-D8914BDDDBFF}\(Default) = "TextAloud"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"MenuText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"Exec" = "H:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

H:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"

Missing lines (compared with English-language version):
[Strings]: 2 lines


HOSTS file
----------

H:\WINDOWS\System32\drivers\etc\HOSTS

maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "H:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "H:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 156 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 25 seconds.
---------- (total run time: 278 seconds)
Regis59 (security contributor):
Hi

Ahh, the rascal, it's resisting lol, but we'll get it :-)

Check whether it shows up now:
H:\Program Files\Windows\WinUpdate.exe

(it's on H:)

And also do this please:

Start > My Computer > C > Windows > system32 > drivers > etc > hosts; open it with Notepad and copy/paste its contents here.

See you later
Franckyll:
The file H:\Program Files\Windows\WinUpdate.exe still can't be found (even with hidden and system files shown).

Here is the report:

# Copyright (c) 1993-2004 Microsoft Corp.
#
# AutoGenerated by Microsoft (R) Windows (R) Malicious Software Removal Tool.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

0.0.0.0 www.zango.com
0.0.0.0 zango.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
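The Silent Runners summary earlier in the thread says the HOSTS file "maps: 3 domain names to IP addresses, 2 of the IP addresses are *not* localhost". The Python below is an added example of mine (not from the thread, not from Silent Runners) that reproduces that check on the file just posted and goes one step further: it separates names that are blackholed (sent to 0.0.0.0), names pinned to 127.0.0.1, and names redirected to some other address. The last class is the one that matters most during a file-infector cleanup, because a redirect is how a HOSTS hijack points update or scan sites somewhere else. The second sample, with a redirect, uses a made-up hostname and an address from the 203.0.113.0/24 documentation range.

```python
"""Audit a Windows HOSTS file the way a cleanup helper reads a pasted dump."""
import ipaddress
from typing import Dict, List, Tuple

# The HOSTS file as posted in the thread (long run of blank lines omitted).
POSTED_HOSTS = """\
# Copyright (c) 1993-2004 Microsoft Corp.
# For example:
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost

0.0.0.0 www.zango.com
0.0.0.0 zango.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
"""

# Constructed sample: one name sent to a real-looking public address
# (203.0.113.0/24 is a documentation range; both hostnames are made up).
REDIRECTING_HOSTS = """\
127.0.0.1 localhost
203.0.113.5 update.example-av.test
0.0.0.0 ads.example.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname; '#' starts a comment."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name))
    return pairs


def audit_hosts(text: str) -> Dict[str, object]:
    """Classify every mapping; 'not_localhost' matches the Silent Runners count."""
    pairs = parse_hosts(text)
    blackholed: List[str] = []               # name -> 0.0.0.0, request goes nowhere
    pinned: List[str] = []                   # name -> 127.0.0.1 but name is not localhost
    redirected: List[Tuple[str, str]] = []   # name -> any other address
    malformed: List[Tuple[str, str]] = []    # first field is not an IP address
    for addr_text, name in pairs:
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            malformed.append((addr_text, name))
            continue
        if addr.is_loopback:
            if name.lower() != "localhost":
                pinned.append(name)
        elif addr.is_unspecified:
            blackholed.append(name)
        else:
            redirected.append((name, addr_text))
    return {
        "mappings": len(pairs),
        "not_localhost": len(blackholed) + len(redirected),
        "blackholed": blackholed,
        "pinned": pinned,
        "redirected": redirected,
        "malformed": malformed,
    }


if __name__ == "__main__":
    for label, sample in (("posted", POSTED_HOSTS), ("constructed", REDIRECTING_HOSTS)):
        print(label, audit_hosts(sample))
```

On the posted file the audit gives 3 mappings with 2 not pointing at localhost, exactly the Silent Runners figures, and both of those are 0.0.0.0 blackholes rather than redirects; a blackhole entry is the shape ad-blocking lists and Spybot's immunization write, so it is worth a look but is not by itself a sign of compromise, whereas any name in the "redirected" list deserves an immediate explanation.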
Regis59 (security contributor):
Hi

What is here:

0.0.0.0 www.zango.com
0.0.0.0 zango.com

is that in the hosts file?

See you later
Franckyll:
Yes.
Regis59 (security contributor):
Hi

Delete them, so that only this remains:

# Copyright (c) 1993-2004 Microsoft Corp. 
# 
# AutoGenerated by Microsoft (R) Windows (R) Malicious Software Removal Tool. 
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. 
# 
# This file contains the mappings of IP addresses to host names. Each 
# entry should be kept on an individual line. The IP address should 
# be placed in the first column followed by the corresponding host name. 
# The IP address and the host name should be separated by at least one 
# space. 
# 
# Additionally, comments (such as these) may be inserted on individual 
# lines or following the machine name denoted by a '#' symbol. 
# 
# For example: 
# 
# 102.54.94.97 rhino.acme.com # source server 
# 38.25.63.10 x.acme.com # x client host 

127.0.0.1 localhost 


Then click File > Save.

Restart, check that it is still as above, and see whether you can see the file now.

See you later
Franckyll:
The Hosts file has been modified, but WinUpdate.exe still can't be found... :/
Franckyll:
I'm also attaching a BitDefender report, just in case:
--------------------------------------------------------------------------
BitDefender Online Scanner

Rapport d'analyse généré à: Wed, Jul 19, 2006 - 04:48:03

Voie d'analyse: A:\;C:\;D:\;E:\;F:\;G:\;H:\;

Statistiques

Temps
01:54:30

Fichiers
319109

Directoires
5762

Secteurs de boot
5

Archives
10112

Paquets programmes
22767




Résultats

Virus identifiés
2

Fichiers infectés
43

Fichiers suspects
0

Avertissements
0

Désinfectés
39

Fichiers effacés
0




Info sur les moteurs

Définition virus
411865

Version des moteurs
AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)

Analyse des plugins
13

Archive des plugins
39

Unpack des plugins
5

E-mail plugins
6

Système plugins
1




Paramètres d'analyse

Première action
Désinfecté

Seconde Action
Supprimé

Heuristique
Oui

Acceptez les avertissements
Oui

Extensions analysées
*;

Excludez les extensions


Analyse d'emails
Oui

Analyse des Archives
Oui

Analyser paquets programmes
Oui

Analyse des fichiers
Oui

Analyse de boot
Oui




Fichier analysé
Statut

C:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dc3\wwpClean.exe
Infecté par: Win32.Virtob.C

C:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dc3\wwpClean.exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\GenericRenosFix.exe
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\GenericRenosFix.exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\Process.exe
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\Process.exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\Reboot.exe
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\Reboot.exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\restart.exe
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\restart.exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\swreg.exe
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\swreg.exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\swsc.exe
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Bureau\SmitfraudFix\SmitfraudFix\swsc.exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Local Settings\Temp\set5B.tmp
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Local Settings\Temp\set5B.tmp
Désinfecté

H:\Documents and Settings\Fr@nckyll\Local Settings\Temp\set5C.tmp
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Local Settings\Temp\set5C.tmp
Désinfecté

H:\Documents and Settings\Fr@nckyll\Local Settings\Temporary Internet Files\Content.IE5\RK5VBL56\WoW-1.11.2.5464-to-0.12.0.5496-frFR-downloader[1].exe
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Local Settings\Temporary Internet Files\Content.IE5\RK5VBL56\WoW-1.11.2.5464-to-0.12.0.5496-frFR-downloader[1].exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Menu Démarrer\Programmes\IntelliTamper\IntelliTamper.lnk=>H:\Program Files\IntelliTamper\intellitamper.exe
Infecté par: Win32.Virtob.C

H:\Documents and Settings\Fr@nckyll\Menu Démarrer\Programmes\IntelliTamper\IntelliTamper.lnk=>H:\Program Files\IntelliTamper\intellitamper.exe
Désinfecté

H:\Documents and Settings\Fr@nckyll\Menu Démarrer\Programmes\IntelliTamper\IntelliTamper.lnk
Mis à jour

H:\Program Files\ewido anti-malware\ewidoguard.exe
Infecté par: Win32.Virtob.C

H:\Program Files\ewido anti-malware\ewidoguard.exe
Désinfecté

H:\Program Files\ewido anti-malware\SecuritySuite.exe
Infecté par: Win32.Virtob.C

H:\Program Files\ewido anti-malware\SecuritySuite.exe
Désinfecté

H:\Program Files\ewido anti-spyware 4.0\ewido.exe
Infecté par: Win32.Virtob.C

H:\Program Files\ewido anti-spyware 4.0\ewido.exe
Désinfecté

H:\Program Files\ewido anti-spyware 4.0\guard.exe
Infecté par: Win32.Virtob.C

H:\Program Files\ewido anti-spyware 4.0\guard.exe
Echec de la désinfection

H:\Program Files\ewido anti-spyware 4.0\guard.exe
Echec de la suppression

H:\Program Files\MSN Messenger\msnmsgr.exe
Infecté par: Win32.Virtob.C

H:\Program Files\MSN Messenger\msnmsgr.exe
Echec de la désinfection

H:\Program Files\MSN Messenger\msnmsgr.exe
Echec de la suppression

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh53\WoW.exe
Infecté par: Win32.Virtob.C

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh53\WoW.exe
Désinfecté

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh56.exe
Infecté par: Win32.Virtob.C

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh56.exe
Désinfecté

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh57.exe
Infecté par: Win32.Virtob.C

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh57.exe
Désinfecté

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh62.exe
Infecté par: Win32.Virtob.C

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh62.exe
Désinfecté

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh66.exe
Infecté par: Win32.Virtob.C

H:\RECYCLER\S-1-5-21-1757981266-2139871995-682003330-1003\Dh66.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046500.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046500.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046573.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046573.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046574.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046574.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046575.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046575.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046576.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046576.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046578.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046578.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046579.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046579.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046592.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046592.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046607.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046607.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046608.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046608.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046728.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046728.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046730.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046730.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046731.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046731.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046732.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046732.exe
Désinfecté

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046733.exe
Infecté par: Win32.Virtob.C

H:\System Volume Information\_restore{C1233D5B-F63E-4BAC-9191-D4077F362C27}\RP43\A0046733.exe
Désinfecté

H:\WINDOWS\system32\ati2evxx.exe
Infecté par: Win32.Virtob.C

H:\WINDOWS\system32\ati2evxx.exe
Echec de la désinfection

H:\WINDOWS\system32\ati2evxx.exe
Echec de la suppression

H:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
Infecté par: Win32.Virtob.C

H:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
Désinfecté

H:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
Infecté par: Win32.Virtob.C

H:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
Désinfecté

H:\WINDOWS\system32\Process.exe
Infecté par: Win32.Virtob.C

H:\WINDOWS\system32\Process.exe
Désinfecté

H:\WINDOWS\system32\spoolsv.exe
Infecté par: Win32.Virtob.C

H:\WINDOWS\system32\spoolsv.exe
Echec de la désinfection

H:\WINDOWS\system32\spoolsv.exe
Echec de la suppression

H:\WINDOWS\system32\swreg.exe
Infecté par: Win32.Virtob.C

H:\WINDOWS\system32\swreg.exe
Désinfecté

H:\WINDOWS\system32\swsc.exe
Infecté par: Win32.Virtob.C

H:\WINDOWS\system32\swsc.exe
Désinfecté
0
Regis59 Posts 21143 Registration date   Status Security contributor Last seen   1 322
 
It infects every executable, the ****!

Run a scan with BitDefender.

Then:

Double-click killbox.exe (Pocket Killbox)

- tick: delete on reboot
- In "Full Path of File to Delete"
- select "single File"
copy and paste:

H:\Program Files\Windows\WinUpdate.exe

- click the red cross
- a window will appear asking for confirmation; click YES
- a second window asks whether you want to reboot; click YES

If this message appears, ignore it:
http://tinypic.com/images/goodbye.jpg
Let the PC restart.

After the restart, run ewido and post the report!

Then post a Silent Runners log again
0
Franckyll
 
Hi,
I have a problem: when I run Silent Runners and ask it to scan, I get this error message: Http://dj.franckyll.free.fr/erreur silent runner.jpg
What is it? What should I do?
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:57:10 21/07/2006

+ Scan result:



Nothing found.



::Report end

----------------------------------------------------------------------------
0
Regis59 Posts 21143 Registration date   Status Security contributor Last seen   1 322
 
Re,

Can you try downloading it again?
0
Franckyll
 
"Silent Runners.vbs", revision 46, https://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"WinUpdate.exe" = "H:\Program Files\Windows\WinUpdate.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Win32 Security Protocol" = "secure32.exe" [file not found]
"LogitechSoftwareUpdate" = ""H:\Program Files\Logitech\ManifestEngine.exe" boot" ["Logitech Inc."]
"BitTorrent" = ""H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TkBellExe" = ""H:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"LVCOMSX" = "H:\WINDOWS\System32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "H:\Program Files\Logitech\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "H:\Program Files\Logitech\LogiTray.exe" ["Logitech Inc."]
"Win32 Security Protocol" = "secure32.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "H:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "H:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "H:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "H:\WINDOWS\System32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "H:\WINDOWS\System32\dfshim.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "H:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "H:\Program Files\Logitech\Namespc2.dll" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e OODBS" [file not found], [MS], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "H:\Program Files\Fichiers communs\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "H:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\photos\logo\logo noir & vert plastik.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "H:\WINDOWS\System32\sstext3d.scr" [MS]


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

E:\
INFECTION WARNING! E:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]


Startup items in "Fr@nckyll" & "All Users" startup folders:
-----------------------------------------------------------

H:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "H:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{052B12F7-86FA-4921-8482-26C42316B522}"
-> {HKLM...CLSID} = "Safety Bar"
\InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "h:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{F053C368-5458-45B2-9B4D-D8914BDDDBFF}" = (no title provided)
-> {HKLM...CLSID} = "TextAloud"
\InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{052B12F7-86FA-4921-8482-26C42316B522}\(Default) = "Safety Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "H:\Program Files\Safety Bar\Safety Bar.dll" [null data]

HKLM\Software\Classes\CLSID\{F053C368-5458-45B2-9B4D-D8914BDDDBFF}\(Default) = "TextAloud"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"MenuText" = "@H:\Program Files\Messenger\Msgslang.dll,-61144"
"Exec" = "H:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

H:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"

Missing lines (compared with English-language version):
[Strings]: 2 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "H:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "H:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 206 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 44 seconds.
---------- (total run time: 407 seconds)
0
Regis59 Posts 21143 Registration date   Status Security contributor Last seen   1 322
 
Hi,

Where do things stand with your current problems?

Later
0
don vincenzoo
 
hi, I have the same problem!!!

I found a removal tool for this virus on the Grisoft site!

the virus's name is win32/virut!!!!
it infects all .exe files by injecting code into the exe files!
it doesn't use a rootkit to hide, but the injection!
for now no antivirus is able to protect against and repair this virus (as far as I know!)

a big ***** that infects every .exe on all your disks!

it really sucks!

you have to disable all the System Restore options!

then use the removal tool in safe mode, having downloaded it from a non-infected PC!
here is the link:

http://www.grisoft.com/doc/34/us/crp/0/ndi/67762

my problem is that I can't restart in safe mode, because it reboots as soon as I try safe mode!

so logically I formatted 250 GB of data and told myself OK, everything will be fine now!

well, no!!!!
it's still there, this ****** virus of *******!!!!!!

so my solution is going to be radical: I back up all my important files (everything except .exe files, since the virus only infects those)

and for the record, I had AVG Anti-Spyware up to date and AVG Antivirus 7.5 up to date installed when I got infected!
the virus infected the antivirus, which detected infected files in \sys32 and so deleted or quarantined them, and then after the reboot no more access to Windows!!!
after some tinkering I got access to Windows back, and even trying with Avast I got a message saying the program had been illegally modified and that it was risky to keep using the program!


best current solution: back up all your important files (no .exe!!!!) and fully format all your hard drives!!

rrrrrrrrrrrrrrrrrrrrrrr

it's infuriating!
0
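As an added example (not code from this thread, nor from Kaspersky, ewido, Silent Runners or the Grisoft tool), a small Python triage script for the kind of file infector described above: it parses a PE's section table and flags two signs typical of code appended to an existing executable, an entry point relocated into the last section and a section marked both writable and executable. The PE images it checks are constructed inline (headers only, no real binary); on a real machine you would feed it every MZ file found on disk and review the hits, since packers trigger the same signals.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (entry_point_rva, [(name, vaddr, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                          # IMAGE_SECTION_HEADER
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry, sections


def infector_signals(data: bytes):
    """Heuristic signs of an appending file infector. Legitimate packers produce
    the same layout, so treat hits as triage input, not as a verdict."""
    entry, sections = parse_pe(data)
    findings, holder = [], None
    for idx, (name, vaddr, vsize, chars) in enumerate(sections):
        if vaddr <= entry < vaddr + vsize:
            holder = idx
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name} is writable and executable")
    if holder is None:
        findings.append(f"entry point {entry:#x} lies outside every section")
    elif holder == len(sections) - 1 and len(sections) > 1:
        findings.append(f"entry point in last section {sections[holder][0]}")
    return findings


def build_pe(entry: int, sections):
    """Construct a minimal PE32 image (headers only) as test input; sections is
    a list of (name, vaddr, vsize, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after DOS header
    opt = bytearray(224)                                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and one with an appended W+X section holding the entry point.
CLEAN = build_pe(0x1100, [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040)])
INFECTED = build_pe(0x4100, [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040),
                             (".last", 0x4000, 0x800, 0xE0000020)])
```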