Sujet Précédent Sujet Suivant

Virus adware et cheval de troie

ReD-1 Messages postés 15 Statut Membre -  
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   -
Bonjour,

Je refais un tour sur ce forum parce que mon pc refais des siennes,
7 ou 8 alertes d'infection de virus ou de cheval de troie apparaissent toutes les 10 minutes, j'aurais aimé savoir ce qu'il se passe..

je laisse le rapport Hijackthis! que je viens de générer à l'instant.

Merci d'avance.

ReD-OnE

Logfile of HijackThis v1.99.1
Scan saved at 05:30:23, on 11/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Propriétaire\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr?cobrand=compaq-desktop.msn.com&ocid=HPDHP&pc=CPDTDF
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=Q404&bd=presa...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr?cobrand=compaq-desktop.msn.com&ocid=HPDHP&pc=CPDTDF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VRSRun] "C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon
O4 - HKLM\..\Run: [feddi.exe] C:\WINDOWS\system32\feddi.exe
O4 - HKCU\..\Run: [neufbox_reminder] "C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe" -r
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{3878FC13-D0CB-4D30-92D1-D4275A8FB012}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{488C716E-0C06-47A0-8AA7-B5A8384177F8}: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0BB635A-1DBB-449E-8748-E88313BE3107}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
A voir également:

26 réponses

  • 1
  • 2
Réponse 1 / 26
ReD-1 Messages postés 15 Statut Membre
 
Re bonsoir tout le monde,

Je n'ai toujours pas réussi a éradiquer le probleme.

Est-ce que quelqu'un pourrait me renseigner svp, et me donner des conseils quand à la suppression de ces virus...

Je vous remercie

ReD-1
0
Réponse 2 / 26
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   1 322
 
Salut,

Télécharge le FixWareout d'un de ces deux sites sur le bureau:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Lance le fix: clique sur Next, puis Install, puis assure toi que "Run fixit" est activé puis clique sur Finish.
Le fix va commencer, suis les messages à l'écran. Il te sera demandé de redémarrer ton ordinateur, fais le. Ton système mettra un peu plus de temps au démarrage, c'est normal.

Quand ton système aura redémarré, suis les invites des messages. Ensuite lance HijackThis. Clique sur Scan et coche les lignes suivantes:

O4 - HKLM\..\Run: [feddi.exe] C:\WINDOWS\system32\feddi.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{3878FC13-D0CB-4D30-92D1-D4275A8FB012}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{488C716E-0C06-47A0-8AA7-B5A8384177F8}: NameServer = 85.255.114.39 85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{A0BB635A-1DBB-449E-8748-E88313BE3107}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11

Clique sur Fix Checked. Ferme HijackThis et clique sur OK pour continuer la procédure.

A la fin du fix, tu auras peut-être encore besoin de redémarrer le PC.

Au final, poste le contenu de C:\fixwareout\report.txt avec un nouveau rapport HijackThis.

A+
0
Réponse 3 / 26
ReD-1 Messages postés 15 Statut Membre
 
Bonsoir à toi regis et merci pour ton aide, voici le rapport que tu m'as demandé, quant au 2eme, aucun rapport ne s'est affiché après avoir cocher les cases que tu m'as demandé ...

le 1er :

Logfile of HijackThis v1.99.1
Scan saved at 23:52:29, on 11/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NCH Swift Sound\VRS\vrs.exe
C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Propriétaire\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr?cobrand=compaq-desktop.msn.com&ocid=HPDHP&pc=CPDTDF
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=Q404&bd=presa...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr?cobrand=compaq-desktop.msn.com&ocid=HPDHP&pc=CPDTDF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VRSRun] "C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon
O4 - HKLM\..\Run: [ajdac.exe] C:\WINDOWS\system32\ajdac.exe
O4 - HKCU\..\Run: [neufbox_reminder] "C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe" -r
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
0
Réponse 4 / 26
ReD-1 Messages postés 15 Statut Membre
 
au temps pour moi, voici le rapport du FiX :

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0CEF152091DC-082B-CE14-ED60-581F0C00{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AA553FF3E4F2-E33B-64D4-A25F-06A25D6B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}212D3C818DAA-6B1B-4CE4-9F1F-D3FA10EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7655ABC27F29-A37A-7E04-EC5B-C5579003{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AA9EF3AF2EC0-DC38-3B84-436B-4A6C230E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}632064C2219F-2B98-D3F4-5A34-6DECB91B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}82898701F71C-2A1B-7024-0052-E718657C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1F98872CB98F-24D8-0084-8F91-BD71397B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2EE322083551-AA6A-07C4-200E-97DA2497{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C0C353801D06-51DB-6764-7E03-A1662FAF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}605A6803FBEF-90D9-4EC4-0069-89697FAD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FF5E633EC2F9-1BAA-DF64-891C-5B15AF86{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}72E23FE9EC01-5E28-2D24-C71C-0E121AD7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5A7C760D7A5A-6B3A-4724-4F1C-26B1378B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}00E9B6EA30BC-EFAB-0934-DB0A-DF9349E2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}59E5510F815B-9E8A-F1D4-E418-722C6E28{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSGUU.EXE
* csr.exe C:\WINDOWS\System32\CSNMR.EXE
* csr.exe C:\WINDOWS\System32\CSTZK.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSGUU.EXE 51 242 2006-07-11
C:\WINDOWS\SYSTEM32\CSNMR.EXE 51 254 2006-07-11
C:\WINDOWS\SYSTEM32\CSTZK.EXE 51 249 2006-07-11
C:\WINDOWS\SYSTEM32\DMGMM.EXE 62 018 2004-08-05
0

Vous n’avez pas trouvé la réponse que vous recherchez ?

Posez votre question
Réponse 5 / 26
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   1 322
 
Salut

Telecharge ceci
https://www.silentrunners.org/Silent%20Runners.vbs
Execute le,atends quelques minutes, il va creer ensuite un dossier juste a coté de silent runner sous format texte, copie/colle ce qu il te donnera

A+
0
Réponse 6 / 26
ReD-1 Messages postés 15 Statut Membre
 
Bonjour regis, voici le rapport que tu viens de me demander :

"Silent Runners.vbs", revision 46, https://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"neufbox_reminder" = ""C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe" -r" ["neuf telecom"]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"KillAndClean" = ""C:\Program Files\KillAndClean\KillAndClean.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"SiS Windows KeyHook" = "C:\WINDOWS\system32\keyhook.exe" ["Silicon Integrated Systems Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Reminder" = ""C:\Windows\Creator\Remind_XP.exe"" ["SoftThinks"]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"VRSRun" = ""C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon" [null data]
"rauqc.exe" = "C:\WINDOWS\system32\rauqc.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Program Files\Sonic RecordNow!\shlext.dll" [null data]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mes dossiers de partage"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0792.00.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cssda.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\sstext3d.scr" [MS]

Startup items in "Compaq_Propriétaire" & "All Users" startup folders:
---------------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"Connexion facile à Internet" -> launches: "C:\Program Files\Easy Internet signup\HPSdpApp.exe /remind" ["Hewlett-Packard"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
0
Réponse 7 / 26
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   1 322
 
ok

C est infecté.
Redonne un Hijack et je te donne la manip

a+
0
Réponse 8 / 26
ReD-1 Messages postés 15 Statut Membre
 
re =)

voici le rapport hijack this :

Logfile of HijackThis v1.99.1
Scan saved at 16:09:41, on 12/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NCH Swift Sound\VRS\vrs.exe
C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Propriétaire\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr?cobrand=compaq-desktop.msn.com&ocid=HPDHP&pc=CPDTDF
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=Q404&bd=presa...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr?cobrand=compaq-desktop.msn.com&ocid=HPDHP&pc=CPDTDF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VRSRun] "C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon
O4 - HKLM\..\Run: [rauqc.exe] C:\WINDOWS\system32\rauqc.exe
O4 - HKCU\..\Run: [neufbox_reminder] "C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe" -r
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{3878FC13-D0CB-4D30-92D1-D4275A8FB012}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{488C716E-0C06-47A0-8AA7-B5A8384177F8}: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0BB635A-1DBB-449E-8748-E88313BE3107}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
0
Réponse 9 / 26
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   1 322
 
Salut

¤Relance HijackThis, coche les cases devant ces lignes et ensuite clique sur fix checked :

O4 - HKLM\..\Run: [rauqc.exe] C:\WINDOWS\system32\rauqc.exe

O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"

O17 - HKLM\System\CCS\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{3878FC13-D0CB-4D30-92D1-D4275A8FB012}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{488C716E-0C06-47A0-8AA7-B5A8384177F8}: NameServer = 85.255.114.39 85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{A0BB635A-1DBB-449E-8748-E88313BE3107}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11

----------------------------------------------------------------------------
¤Démarre en mode sans échec :
Pour cela, tu tapotes la touche F8 dès le début de l’allumage du pc sans t’arrêter
Une fenêtre va s’ouvrir tu te déplaces avec les flèches du clavier sur démarrer en mode sans échec puis tape entrée.
Une fois sur le bureau s’il n’y a pas toutes les couleurs et autres c’est normal !
(Si F8 ne marche pas utilise la touche F5).
----------------------------------------------------------------------------
¤Recherche et supprime ceci:
attention seulement les fichiers (si présents).

C:\WINDOWS\system32\rauqc.exe
C:\Program Files\KillAndClean

Relance le fix wareout.
Lance ewido et done les rapports

a+
0
Réponse 10 / 26
ReD-1 Messages postés 15 Statut Membre
 
Re Regis, le premier fichier que tu m'as demandé de supprimer à savoir :

C:\WINDOWS\system32\rauqc.exe

est introuvable.

le 2nd,

C:\Program Files\KillAndClean

a bien été supprimer, je t'envoi les rapports dans quelques minutes,

merci a toi
0
Réponse 11 / 26
zed73 Messages postés 2 Statut Membre
 
Bonjour,

j'ai le même problème mais contrairement à toi, je ne trouve pas
C:\Program Files\KillAndClean , pourtant cette saloperie est bien présente dans ma liste de programmes.

Ci-dessous mon rapport Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 17:56:00, on 12/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\SCTIPS~1\Kernel\Sbkrnl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
D:\Valve\Steam\Steam.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HIJACKTHIS VF\hijackthis vf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {83667F96-F003-55F3-5627-58A83DACB1C7} - gabber.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Fichiers communs\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SecurityBoxKernel] "C:\SctipSecBox\Kernel\SbKrnl.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ActionScr] MONITER.exe
O4 - HKLM\..\Run: [MONITER] TRPT.exe
O4 - HKLM\..\Run: [kjhxn.exe] C:\WINDOWS\system32\kjhxn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] D:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ERTYDF] BoundRec.exe
O4 - HKCU\..\Run: [Testimonials] mozilla-text.exe
O4 - HKCU\..\Run: [TForm1] new32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://fr.creative.com/
O16 - DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} (AdSignerLCContrl Class) - https://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SBSCHED - C:\SctipSecBox\Kernel\sbxwl.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\PROPRI~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

ET CELUI DE SILENT RUNNER :

"Silent Runners.vbs", revision 46, https://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = (empty string)
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Steam" = "D:\Valve\Steam\Steam.exe -silent" ["Valve Corporation"]
"ERTYDF" = "BoundRec.exe" [file not found]
"Testimonials" = "mozilla-text.exe" [file not found]
"TForm1" = "new32.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"RoxioEngineUtility" = ""C:\Program Files\Fichiers communs\Roxio Shared\System\EngUtil.exe"" ["Roxio"]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]
"RoxioAudioCentral" = ""C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"" ["Roxio, Inc."]
"SecurityBoxKernel" = ""C:\SctipSecBox\Kernel\SbKrnl.exe"" ["Methode et Solution Informatique S.A. - http://ww11.securitybox.net/"]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"Creative WebCam Tray" = "C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE" ["Creative Technology Ltd"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"ActionScr" = "MONITER.exe" [file not found]
"MONITER" = "TRPT.exe" [file not found]
"dmxph.exe" = "C:\WINDOWS\system32\dmxph.exe" [null data]
"kjhxn.exe" = "C:\WINDOWS\system32\kjhxn.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {HKLM...CLSID} = "Multimédia"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{02760099-070D-11D3-B35B-00805F010AA5}" = "SBox.UsrFolder"
-> {HKLM...CLSID} = "Utilisateurs Security BOX"
\InProcServer32\(Default) = "C:\SctipSecBox\Kernel\Sbsh.dll" ["Methode et Solution Informatique S.A. - http://ww11.securitybox.net/"]
"{02760098-070D-11D3-B35B-00805F010AA5}" = "SBox.UsrFile"
-> {HKLM...CLSID} = "Security BOX (C) UsrFile Class - MSI"
\InProcServer32\(Default) = "C:\SctipSecBox\Kernel\Sbsh.dll" ["Methode et Solution Informatique S.A. - http://ww11.securitybox.net/"]
"{01060014-070D-11D3-B35B-00805F010AA5}" = "SBoxLight.ShIco"
-> {HKLM...CLSID} = "Security BOX LIGHT (C) ShIco CoClass"
\InProcServer32\(Default) = "C:\SCTIPS~1\@Work\ShIcoDll.dll" ["Methode et Solution Informatique S.A. -- http://msi-sa.fr/ -- contact@msi-sa.fr"]
"{02861022-070D-11D3-B35B-00805F010AA5}" = "SBox.FileExtMgrImpl"
-> {HKLM...CLSID} = "Security BOX® File"
\InProcServer32\(Default) = "C:\SctipSecBox\File\Sbfsh.dll" ["Methode et Solution Informatique S.A. - http://ww11.securitybox.net/"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cslbu.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! SBSCHED\DLLName = "C:\SctipSecBox\Kernel\sbxwl.dll" ["Methode et Solution Informatique S.A. - http://ww11.securitybox.net/"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

Par avance, merci pour votre aide.
0
Réponse 12 / 26
^^Marie^^ Messages postés 126523 Date d'inscription   Statut Membre Dernière intervention   3 279
 
Bonsoir Zed73,

Crée ton propre poste stp. Chaque cas est particulier.
Merci

A++

0
Réponse 13 / 26
ReD-1 Messages postés 15 Statut Membre
 
Re, voici donc les 2 rapports,

Ewido :

---------------------------------------------------------
ewido anti-malware - Rapport de scan
---------------------------------------------------------

+ Créé le: 18:25:59, 12/07/2006
+ Somme de contrôle: F99F0FCE

+ Résultats du scan:

[1936] VM_00D20000 -> Trojan.DNSChanger.ef : Erreur durant le nettoyage
[3192] VM_003C0000 -> Trojan.DNSChanger.ef : Erreur durant le nettoyage
[3440] VM_01150000 -> Trojan.Small.fb : Erreur durant le nettoyage
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@247realmedia[1].txt -> TrackingCookie.247realmedia : Nettoyer et sauvegarder
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@as1.falkag[2].txt -> TrackingCookie.Falkag : Nettoyer et sauvegarder
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@bluestreak[2].txt -> TrackingCookie.Bluestreak : Nettoyer et sauvegarder
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@estat[1].txt -> TrackingCookie.Estat : Nettoyer et sauvegarder
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nettoyer et sauvegarder
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@serving-sys[2].txt -> TrackingCookie.Serving-sys : Nettoyer et sauvegarder
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Nettoyer et sauvegarder
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@weborama[1].txt -> TrackingCookie.Weborama : Nettoyer et sauvegarder
C:\Documents and Settings\Compaq_Propriétaire\Cookies\compaq_propriétaire@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Nettoyer et sauvegarder
C:\RECYCLER\S-1-5-21-608638314-2682778430-3541275171-1007\Dc335\xxx[1].jpg -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP308\A0041353.exe -> Trojan.Hoster : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP319\A0042293.exe -> Trojan.Hoster : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP363\A0047353.exe -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP363\A0047356.exe -> Trojan.Small.gq : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP363\A0047362.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP363\A0047366.exe -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP363\A0047415.exe -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP363\A0047450.exe -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP364\A0047459.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP364\A0047465.exe -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP364\A0047486.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP364\A0047488.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP364\A0047494.exe -> Trojan.Small.fb : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP364\A0047496.exe -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP365\A0047527.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP365\A0047533.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP365\A0047538.exe -> Trojan.Small.fb : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP365\A0047539.exe -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\System Volume Information\_restore{88F0EC16-5093-454D-BD2D-4DD02919E000}\RP365\A0047570.exe -> Trojan.DNSChanger.ef : Nettoyer et sauvegarder
C:\WINDOWS\system32\csguu.exe -> Trojan.Small : Nettoyer et sauvegarder
C:\WINDOWS\system32\csnmr.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\WINDOWS\system32\cstzk.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\WINDOWS\system32\csxov.exe -> Downloader.Agent.uj : Nettoyer et sauvegarder
C:\WINDOWS\system32\dmzrd.exe -> Trojan.Small.fb : Nettoyer et sauvegarder
C:\WINDOWS\system32\{0D1B29CC-8712-488F-8D6E-B2BFEA27E2C9}.exe -> Adware.Casino : Nettoyer et sauvegarder
C:\WINDOWS\system32\{1651CDFE-8674-42B1-B03C-DF063708CF12}.exe -> Trojan.Small.gq : Nettoyer et sauvegarder
C:\WINDOWS\system32\{22E26333-596E-45E6-A687-1E169C983AD8}.exe -> Trojan.Hoster : Nettoyer et sauvegarder
C:\WINDOWS\system32\{4E39EA21-E49D-4323-9707-54BD7530F676}.exe -> Trojan.Hoster : Nettoyer et sauvegarder
C:\WINDOWS\system32\{63421D98-8BDE-46F2-AD33-46B8A8DA7AD1}.exe -> Adware.Casino : Nettoyer et sauvegarder
C:\WINDOWS\system32\{74B62A89-BA9A-4BCC-A0BB-3B3E1B9B7ADA}.exe -> Trojan.Puper.bx : Nettoyer et sauvegarder
C:\WINDOWS\system32\{7734E26E-2A9B-43A5-803A-5FEC28B9A04A}.exe -> Trojan.Puper.bx : Nettoyer et sauvegarder
C:\WINDOWS\system32\{9CDFB96F-7A35-417E-8E67-05AD6B75C4AD}.exe -> Trojan.Small.gq : Nettoyer et sauvegarder
C:\WINDOWS\system32\{B19BCED6-43A5-4F3D-89B2-F9122C460236}.exe -> Trojan.Puper.bx : Nettoyer et sauvegarder
C:\WINDOWS\system32\{B4DCB288-7681-4951-817B-DEF1B9AA5E20}.exe -> Trojan.Puper.bx : Nettoyer et sauvegarder
C:\WINDOWS\system32\{C644824A-65DB-4606-83FA-D3B548CFFE24}.exe -> Downloader.Small.buy : Nettoyer et sauvegarder
C:\WINDOWS\system32\{EE01AF3D-F1F9-4EC4-B1B6-AAD818C3D212}.exe -> Trojan.Small.gq : Nettoyer et sauvegarder

::Fin du rapport

et le FiX:

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8DED49BE2932-C4CA-D204-7271-FEE9EE90{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0C3FA9F5AA6C-A918-C5E4-54B3-1919A8D3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}21FC807360FD-C30B-1B24-4768-EFDC1561{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C492A6F1E58B-DADA-B934-0A1A-48372AA6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E35673C04298-1DCB-82D4-1F8E-1C64277D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A40A9B82CEF5-A308-5A34-B9A2-E62E4377{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E08E56E11171-ACFA-9654-72BE-C1CD3182{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A9DE35B64AF1-18C8-6F14-AEB6-1D9521C4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}99B60586C9A7-A6D8-39D4-9176-76C675A2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3CA217390C6D-BAEB-2B44-0D76-06C3E670{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FD322CCF4335-B6FA-A3E4-FF75-973D3BB4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2907A2FC1EB8-B2BA-2524-7146-D8E4E1A9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DB2CF55AE109-0D6A-0AB4-9DF3-A0B3A6E0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F608D5A87EAA-1628-7B74-E601-1EC6F8ED{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0D47FCE43C0F-4A49-F454-9480-AC6BDD09{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}09F9B9AB60F9-D549-2804-E3F2-9BE56FC9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4C9654162B90-4BA9-6934-3ACF-FE88A665{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}79892EE61278-C548-6874-EEC0-CC6C7DA6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B5AE296F4AF9-3699-9F24-05F3-CA87404F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CFEE48B650DB-111A-0EC4-10FE-AE221470{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0301A6E3D2CC-5ADA-D274-3F68-199B715C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FCF23661E218-C05A-5A54-3C94-D6A31BCE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89D943112FED-8CAA-2754-1575-005820B5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B918FEB6557C-8B1A-D4D4-94DE-1440DE79{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87C042717B54-37EB-C424-01C8-DC299621{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}256A0BAB95B6-CF19-C5B4-79CE-092B4734{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6222DD9CCA60-188B-04C4-863F-05447C97{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1D62149BA013-4878-DED4-811B-462A6527{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9473DBD75320-A5E8-A394-61DA-29DCC79E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}74E2D090580F-15DB-F6E4-93B7-600980FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E68F0BB5FC10-8208-9BF4-1E53-3BDB22ED{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}869FC9E63571-D6EB-6734-15FA-9AB7B3E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1E89DF5F3C81-5CEB-2B34-01CD-53810FFE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A30C25222896-9D5B-C7A4-3369-FC9E7428{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0B724DF5A693-E07A-0134-53ED-F252A67C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C32C1949F8A4-18BA-5B84-926D-5A1A8C8D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB56B122187D-FD38-4DF4-7A18-C01CA661{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}04CD93510DA5-0009-A034-C5D5-02C7699A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C06BB237AF76-9259-1004-BAE7-65BD7920{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4D190BBB59C9-2F8B-31E4-6279-07D86BD5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9900458AF236-740B-B214-B191-3CBFAFEA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6800783D7467-65CA-0A54-6DAA-BDE1FEA2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DEA6999E6756-0329-73B4-63A0-9970BF1E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FD8FAA0AE242-158A-3314-76E0-E0BE51A6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B90EE48F2482-296B-7944-B783-29BAE15C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E929EDFBAB6A-9179-4484-33FE-AE658908{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9D5E9DD6D31F-2BC9-A724-4CC4-ECF6FD2D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5038BB8F5775-D93B-6064-F86D-2B97ADA5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}592637B917AD-AD89-DA94-F1E4-1355FE13{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C4D3D95F2183-6269-7894-BEE9-8553B0D6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}652BC03E81A2-021B-F8E4-D107-FDE6CFE0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50A4FCA56F5C-72E8-36A4-D7B9-EA0A24AD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9301608C0C43-F9BA-B924-0B6F-B7048434{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}442AC341E58E-8009-B724-E43A-4288440E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D0EEAB2A4611-359A-3DF4-B80E-D4636F57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B74A3EDBECBA-DC4B-13E4-8CC4-D86F027B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}27FA23F2C534-5549-91B4-A55F-BD2FCBB9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1F5DF1A44F1B-FFC9-C734-97EB-E7320118{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F12A74A5E10E-F6F9-21D4-611D-BA72DF93{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F78AC8595DD0-BBCB-FC44-F58E-91E02ED9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2C2D062542CB-CF0A-5744-490F-682403F0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2C75477CF42C-A909-15D4-09E1-10A8618A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1FFE7D9814D8-0CEA-A5C4-21ED-3F4CCF2F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24D9257FA750-3BBA-61A4-BCE8-16CECBC8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2BAEBA2C7FC7-9B99-CCE4-4A6E-2764A4D9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B055EFFA7EE3-0E48-E7B4-DEB9-7B07E9EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BF6B710C1EAD-8EEB-0CC4-394A-1C835FA1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}995162BF9D37-DB78-2AE4-E381-D16B2E7E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71BB5AA9165B-1209-0914-24AF-FC760343{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CC9E63DDF845-CE58-77B4-B89C-0E79086C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F89CB0E6FAF8-ACE9-DA64-6A46-6C787CF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2C12DE8919DC-B198-7764-A95F-1F8438EC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1356A66432A8-146A-0B04-2439-974D18EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B226FFA67D8D-A2D8-8AD4-5D98-60F8B9A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DE6D76290AB5-D728-0884-7AC9-FFF8CB6A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}75C6134A75F0-215B-3934-D82D-074ADC28{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}380C9852D618-371B-4084-A156-C3ACF09C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBBC35362B52-A239-A3C4-A425-710CDF35{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AC1730CE5341-6B39-81E4-AF2A-F112438D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}511AD56EC6B3-B49A-1C14-22AE-028D00F2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A1BD703E3503-1499-9214-C898-625191A6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6B8F6297F571-519B-EB94-C895-7F38F98E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C6A0B0FB6136-0D5B-F914-B063-9F0D9A2B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}22C6ABB0D5BC-5D9B-6394-A902-278D4530{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0D3946E108D3-9E3B-46C4-B0FC-6EF87B49{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9C6D097CA07B-412A-5824-A265-883AA08C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2D051A8BFC36-F248-A694-99DA-E3F8FA15{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}794E8426520E-6B59-7214-D734-83D43E9D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}720BD7080743-A968-B154-3C41-C8D2727A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5FC935BB7E97-E3EB-6024-176D-58A2FD76{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E3A1AB69481-615B-35B4-A5FF-D31FB85E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3847BC849304-F56B-2924-EDDC-87712D7E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DD234AEF6B75-5219-C984-A95D-4C6700C7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BDB83CB6D7F7-7258-CA54-E79B-6DDFA3F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA9198AE5ADA-BA29-D5A4-1B7C-2B90B5B6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5337AE4CC45E-E5CA-AAB4-2F97-0C3BD9EC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CF98870F1851-B6C8-4D04-4043-D7EC6A68{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}48572855AF89-A1F9-DD74-0C69-C57165AC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FAB212425511-2948-8264-7249-38961486{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CCD11BFDB892-3A18-1FF4-68C7-ABBBE148{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}30950D4A735B-8F28-3E54-925F-6DC2674C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}353631482F5F-B369-9124-8480-8942AA5F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}01130413BFB1-60EB-FE64-C8B0-7ABBB8E0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}455D1656A90E-DA7B-2414-02E7-511299D0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}610F36762E75-10D8-08B4-A14E-0C44AA00{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5C0E894AB49B-2D09-CDB4-EE0D-E0BA58A1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A5CB69F1EA92-7589-1E54-4772-AD6F307B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A8F3A9C90B99-C5EA-CEE4-99D8-0D3E1DCC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}676F0357DB45-7079-3234-D94E-12AE93E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\drzmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmzrd.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSGUU.EXE
* csr.exe C:\WINDOWS\System32\CSNMR.EXE
* csr.exe C:\WINDOWS\System32\CSTZK.EXE
* csr.exe C:\WINDOWS\System32\CSXOV.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSGUU.EXE 51 242 2006-07-11
C:\WINDOWS\SYSTEM32\CSNMR.EXE 51 254 2006-07-11
C:\WINDOWS\SYSTEM32\CSTZK.EXE 51 249 2006-07-11
C:\WINDOWS\SYSTEM32\CSXOV.EXE 51 206 2006-07-12
C:\WINDOWS\SYSTEM32\DMGMM.EXE 62 018 2004-08-05
C:\WINDOWS\SYSTEM32\DMZRD.EXE 61 992 2004-08-05
0
Réponse 14 / 26
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   1 322
 
Salut

remet un hijack this stp et un silent runner

a+
0
Réponse 15 / 26
ReD-1 Messages postés 15 Statut Membre
 
Voila pour l'hijackthis :

Logfile of HijackThis v1.99.1
Scan saved at 19:01:11, on 12/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NCH Swift Sound\VRS\vrs.exe
C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Compaq_Propriétaire\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr?cobrand=compaq-desktop.msn.com&ocid=HPDHP&pc=CPDTDF
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=Q404&bd=presa...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr?cobrand=compaq-desktop.msn.com&ocid=HPDHP&pc=CPDTDF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VRSRun] "C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon
O4 - HKLM\..\Run: [edrzh.exe] C:\WINDOWS\system32\edrzh.exe
O4 - HKCU\..\Run: [neufbox_reminder] "C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe" -r
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{3878FC13-D0CB-4D30-92D1-D4275A8FB012}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{488C716E-0C06-47A0-8AA7-B5A8384177F8}: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0BB635A-1DBB-449E-8748-E88313BE3107}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Et le silent Runner :
"Silent Runners.vbs", revision 46, https://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"neufbox_reminder" = ""C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe" -r" ["neuf telecom"]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"SiS Windows KeyHook" = "C:\WINDOWS\system32\keyhook.exe" ["Silicon Integrated Systems Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Reminder" = ""C:\Windows\Creator\Remind_XP.exe"" ["SoftThinks"]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"VRSRun" = ""C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon" [null data]
"edrzh.exe" = "C:\WINDOWS\system32\edrzh.exe" [null data]
"(Default)" = """ = (data in unrecognized format!)" [file not found]

voilou
0
Réponse 16 / 26
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   1 322
 
Re,

le silent runner n est pas entier. Je vais devoir preparer une manipulation béton pour que tout soit supprimer.Grrrr ca evolue en ce moment les infections !!

Relance silent et atend qqs minutes en + avant de prendre le rapport

Et aussi tu peux faire ca stp
Télécharge Blacklight (de F-Secure) a l’une des 2 adresses :
https://www.f-secure.com/en
https://www.f-secure.com/en

et sauvegarde le sur ton Bureau.

Double-clique blbeta.exe et accepte la licence ; laisse [X]scan through Windows Explorer activé ; clique Scan puis Next

Tu verras une liste de fichiers détectés apparaître. Tu verras également un rapport, sur ton Bureau, nommé fsbl.xxxxxxx.log (les xxxxxxx sont des chiffres).

Copie et colle le contenu de ce rapport dans ta prochaine réponse

a+
0
Réponse 17 / 26
ReD-1 Messages postés 15 Statut Membre
 
Voici le rapport silent runner en entier :

"Silent Runners.vbs", revision 46, https://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"neufbox_reminder" = ""C:\Program Files\Kit ADSL\Wizard\PostInstall_Checker.exe" -r" ["neuf telecom"]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"SiS Windows KeyHook" = "C:\WINDOWS\system32\keyhook.exe" ["Silicon Integrated Systems Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Reminder" = ""C:\Windows\Creator\Remind_XP.exe"" ["SoftThinks"]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"VRSRun" = ""C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon" [null data]
"edrzh.exe" = "C:\WINDOWS\system32\edrzh.exe" [null data]
"(Default)" = """ = (data in unrecognized format!)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Program Files\Sonic RecordNow!\shlext.dll" [null data]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mes dossiers de partage"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0792.00.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\sstext3d.scr" [MS]

Startup items in "Compaq_Propriétaire" & "All Users" startup folders:
---------------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"Connexion facile à Internet" -> launches: "C:\Program Files\Easy Internet signup\HPSdpApp.exe /remind" ["Hewlett-Packard"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Service Messenger Sharing USN Journal Reader, usnsvc, "C:\WINDOWS\system32\svchost.exe -k usnsvc" {"C:\Program Files\MSN Messenger\usnsvc.dll" [MS]}
Sunbelt Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe"" ["Sunbelt Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 78 seconds, including 3 seconds for message boxes)

et le rapport blbeta :

07/12/06 19:25:55 [Info]: BlackLight Engine 1.0.42 initialized
07/12/06 19:25:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/12/06 19:25:55 [Note]: 7019 4
07/12/06 19:25:55 [Note]: 7005 0
07/12/06 19:26:50 [Note]: 7006 0
07/12/06 19:26:50 [Note]: 7011 1936
07/12/06 19:26:50 [Note]: 7026 0
07/12/06 19:26:50 [Note]: 7026 0
07/12/06 19:27:05 [Note]: FSRAW library version 1.7.1019
07/12/06 19:28:39 [Info]: Hidden file: c:\WINDOWS\system32\csoai.exe
07/12/06 19:28:39 [Note]: 7002 32
07/12/06 19:28:39 [Note]: 7003 1
07/12/06 19:28:39 [Note]: 10002 1
07/12/06 19:28:44 [Info]: Hidden file: c:\WINDOWS\system32\dmovj.exe
07/12/06 19:28:44 [Note]: 7002 32
07/12/06 19:28:44 [Note]: 7003 1
07/12/06 19:28:44 [Note]: 10002 1
07/12/06 19:28:45 [Info]: Hidden file: c:\WINDOWS\system32\{B395F5B2-25E0-4120-A6DF-B7DC4B34C732}.exe
07/12/06 19:28:45 [Note]: 10002 1
07/12/06 19:28:45 [Info]: Hidden file: c:\WINDOWS\system32\{3DC88C62-1697-48A5-B01B-D3F02ECF28DF}.exe
07/12/06 19:28:45 [Note]: 10002 1
07/12/06 19:28:46 [Info]: Hidden file: c:\WINDOWS\system32\{40243105-7CDE-4536-A5AE-6B035BDCDB85}.exe
07/12/06 19:28:46 [Note]: 10002 1
07/12/06 19:28:46 [Info]: Hidden file: c:\WINDOWS\system32\{44F845AD-6F24-4A07-8F79-28266DD6539F}.exe
07/12/06 19:28:46 [Note]: 10002 1
07/12/06 19:28:47 [Info]: Hidden file: c:\WINDOWS\system32\{8E6613D0-E0A2-4F22-A398-3B54FA4A3843}.exe
07/12/06 19:28:47 [Note]: 10002 1
07/12/06 19:28:47 [Info]: Hidden file: c:\WINDOWS\system32\{953C92E9-70D3-4FD2-9B12-0E500AEF39C2}.exe
07/12/06 19:28:47 [Note]: 10002 1
07/12/06 19:28:47 [Info]: Hidden file: c:\WINDOWS\system32\{95854D71-26D7-43A1-84EE-FBA96B51B96A}.exe
07/12/06 19:28:47 [Note]: 10002 1
07/12/06 19:28:48 [Info]: Hidden file: c:\WINDOWS\system32\{98CB0F62-9738-4E47-A845-6865A8954173}.exe
07/12/06 19:28:48 [Note]: 10002 1
07/12/06 19:28:48 [Info]: Hidden file: c:\WINDOWS\system32\{28C1CE15-2B5E-45EF-BD88-07EB42BEEA06}.exe
07/12/06 19:28:48 [Note]: 10002 1
07/12/06 19:28:49 [Info]: Hidden file: c:\WINDOWS\system32\{2BB09A55-C15F-48A4-B765-1414471192F5}.exe
07/12/06 19:28:49 [Note]: 10002 1
07/12/06 19:28:49 [Info]: Hidden file: c:\WINDOWS\system32\{307FF709-5059-4E0B-A01B-B78441CB84B4}.exe
07/12/06 19:28:49 [Note]: 10002 1
07/12/06 19:28:50 [Info]: Hidden file: c:\WINDOWS\system32\{7A7C360E-934E-4BA8-8803-46035E90C678}.exe
07/12/06 19:28:50 [Note]: 10002 1
07/12/06 19:28:50 [Info]: Hidden file: c:\WINDOWS\system32\{7F44E57A-2DB0-4B01-8FC0-43AE8A988648}.exe
07/12/06 19:28:50 [Note]: 10002 1
07/12/06 19:28:50 [Info]: Hidden file: c:\WINDOWS\system32\{81313BBB-8D41-4545-B394-0F9BD449F1A2}.exe
07/12/06 19:28:50 [Note]: 10002 1
07/12/06 19:28:51 [Info]: Hidden file: c:\WINDOWS\system32\{A35EB8EB-1AEA-4E0D-A8C6-3A98F3B1E744}.exe
07/12/06 19:28:51 [Note]: 10002 1
07/12/06 19:28:51 [Info]: Hidden file: c:\WINDOWS\system32\{AE32E49A-F598-4952-B9D9-A352F67654E2}.exe
07/12/06 19:28:51 [Note]: 10002 1
07/12/06 19:28:52 [Info]: Hidden file: c:\WINDOWS\system32\{EF68FFFA-945F-4874-ADA0-F9A2FBAFD8B7}.exe
07/12/06 19:28:52 [Note]: 10002 1
07/12/06 19:28:52 [Info]: Hidden file: c:\WINDOWS\system32\{F2F15715-F080-4A98-9AA0-5BA310871A94}.exe
07/12/06 19:28:52 [Note]: 10002 1
07/12/06 19:28:52 [Info]: Hidden file: c:\WINDOWS\system32\{BCB92C2A-27E7-459D-B8BB-3AFF1EC41749}.exe
07/12/06 19:28:52 [Note]: 10002 1
07/12/06 19:28:53 [Info]: Hidden file: c:\WINDOWS\system32\{C0083EA9-8042-4726-82D3-66FFA1A49955}.exe
07/12/06 19:28:53 [Note]: 10002 1
07/12/06 19:28:53 [Info]: Hidden file: c:\WINDOWS\system32\{C3CC1D9F-F804-470E-8E95-EDDBEF175ACF}.exe
07/12/06 19:28:53 [Note]: 10002 1
07/12/06 19:28:54 [Info]: Hidden file: c:\WINDOWS\system32\{1718B226-609A-4B34-A15B-740A5179220C}.exe
07/12/06 19:28:54 [Note]: 10002 1
07/12/06 19:28:54 [Info]: Hidden file: c:\WINDOWS\system32\{9DBDD6F8-3CB9-4806-89C2-B7C491A7D3A3}.exe
07/12/06 19:28:54 [Note]: 10002 1
07/12/06 19:28:54 [Info]: Hidden file: c:\WINDOWS\system32\{9F3427F6-B4ED-4EFE-BB8E-B006E2943A5F}.exe
07/12/06 19:28:54 [Note]: 10002 1
07/12/06 19:28:55 [Info]: Hidden file: c:\WINDOWS\system32\{4F45C52C-E7F1-4DCF-8480-F7FE06CC7C86}.exe
07/12/06 19:28:55 [Note]: 10002 1
07/12/06 19:28:55 [Info]: Hidden file: c:\WINDOWS\system32\{E4003183-F968-4F31-8DB5-C8C09854B180}.exe
07/12/06 19:28:55 [Note]: 10002 1
07/12/06 19:28:56 [Info]: Hidden file: c:\WINDOWS\system32\{834EA7C5-E17E-46E3-A0AF-DDC483FD32C5}.exe
07/12/06 19:28:56 [Note]: 10002 1
07/12/06 19:28:56 [Info]: Hidden file: c:\WINDOWS\system32\{C8BCDE47-34F4-485E-A270-202ED6589590}.exe
07/12/06 19:28:56 [Note]: 10002 1
07/12/06 19:28:57 [Info]: Hidden file: c:\WINDOWS\system32\{CA4A6C01-70E5-4B47-BC4D-D66EE6DA597B}.exe
07/12/06 19:28:57 [Note]: 10002 1
07/12/06 19:28:57 [Info]: Hidden file: c:\WINDOWS\system32\{0FBA2524-10BC-4567-B5BB-FAD74DBD5BE5}.exe
07/12/06 19:28:57 [Note]: 10002 1
07/12/06 19:28:57 [Info]: Hidden file: c:\WINDOWS\system32\{F4DA69CD-DA36-4502-87B7-41C9BC462F62}.exe
07/12/06 19:28:57 [Note]: 10002 1
07/12/06 19:28:58 [Info]: Hidden file: c:\WINDOWS\system32\{F85E23EF-8ED6-4C1A-9299-B38508358C47}.exe
07/12/06 19:28:58 [Note]: 10002 1
07/12/06 19:28:58 [Info]: Hidden file: c:\WINDOWS\system32\{FA5C2546-4A6A-4F0C-92EF-8F8F4A6F4B3B}.exe
07/12/06 19:28:58 [Note]: 10002 1
07/12/06 19:31:38 [Note]: 7007 0

Voila.

Apparement ça a l'air méchant ce qu'il se passe dans mon pc lol
0
Réponse 18 / 26
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   1 322
 
Re,

Ca va lol

----------------------------------------------------------------------------
¤Affiche tous les fichiers et dossiers :
Clique sur démarrer/panneau de configuration/outil/option des dossiers/affichage

Coche « afficher les fichiers et dossiers cachés »

Décoche la case "Masquer les fichiers protégés du système d'exploitation (recommandé)"

Décoche « masquer les extensions dont le type est connu »
Puis fais «Ok» pour valider les changements.

Et appliquer !
----------------------------------------------------------------------------
Dis moi est ce que tu trouves ceci?

c:\WINDOWS\system32\csoai.exe
c:\WINDOWS\system32\dmovj.exe

a+
0
Réponse 19 / 26
ReD-1 Messages postés 15 Statut Membre
 
Re :)

Non je ne trouve aucun de ces 2 fichiers
0
Réponse 20 / 26
Regis59 Messages postés 21143 Date d'inscription   Statut Contributeur sécurité Dernière intervention   1 322
 
Salut

On va essayé comme ca dans un premier temps:

Note: Si tu peux sauvegarder tous les rapports et me les donner a la fin, ca serait super ! Merci

Télécharge Brute Force Uninstaller (de Merijn) ici:
http://www.merijn.org/files/bfu.zip
Créé un nouveau dossier directement à la racine de ton disque dur ou l'endroit qui te convient, nomme ce dossier BFU.
Décompresse le fichier téléchargé dans ce nouveau dossier (par exemple C:\BFU)

Ensuite, télécharge EGDACCESS.bfu (de Metallica) :

Fais un clik droit ici : http://metallica.geekstogo.com/EGDACCESS.bfu et choisis "Enregistrer la cible sous..." afin de télécharger EGDACCESS.bfu (de Metallica). Sauvegarde dans le dossier créé (C:\BFU). **Note : si tu utlises Internet Explorer ; lors de la sauvegarde, assure-toi que le champs "Type :" affiche "Tous les fichiers". Tu dois maintenant avoir deux fichiers dans le dossier C:\BFU : EGDACCESS.bfu et BFU.exe (très important).

Si tu utilises Internet Explorer, assure-toi lors de la sauvegarde que le champs "Type :" affiche "Tous les fichiers".
Tu dois maintenant avoir deux fichiers dans le dossier C:\BFU : EGDACCESS.bfu et BFU.exe (très important).

Deconnecte toi d internet (important)

Lance Hijack this et fixe ceci:

O4 - HKLM\..\Run: [edrzh.exe] C:\WINDOWS\system32\edrzh.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{3878FC13-D0CB-4D30-92D1-D4275A8FB012}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{488C716E-0C06-47A0-8AA7-B5A8384177F8}: NameServer = 85.255.114.39 85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{A0BB635A-1DBB-449E-8748-E88313BE3107}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11

Redémarre en mode sans échec
Redemarre le pc, laisse passer l'écran du bios, puis tapote sur la touche F8 avant qu'apparaisse l'écran de chargement de windows.
Choisis le mode sans échec dans les options et valide avec entrée.

Fixer avec hijack this si present:

O4 - HKLM\..\Run: [edrzh.exe] C:\WINDOWS\system32\edrzh.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{3878FC13-D0CB-4D30-92D1-D4275A8FB012}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{488C716E-0C06-47A0-8AA7-B5A8384177F8}: NameServer = 85.255.114.39 85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{A0BB635A-1DBB-449E-8748-E88313BE3107}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\..\{17034D0E-6DBF-48D9-884A-166FBF49B6F6}: NameServer = 85.255.114.39,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.39 85.255.112.11

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Lance "Brute Force Uninstaller" en double-cliquant BFU.exe (Dans le dossier C:\BFU)
- Clique sur le petit dossier jaune, et clique sur : EGDACCESS.bfu
- Coches la case Show log after script ends
- Clique sur Execute pour que le fix fasse son boulot :-)

Attends que le message Complete script execution apparaîsse et clique sur OK.
Un rapport va s'afficher dans la fenetre du programme, copie et colle dans le bloc-notes, puis sauvegardes le, tu le posteras plus tard sur le forum.
Clique Exit pour fermer le programme BFU.

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Ensuite, lance Blacklight en double cliquant sur blbeta.exe et accepte la licence.
Clique sur Scan pour lancer l'analyse.
Une fois fait, selectionnes chaques fichiers trouvés et clic sur "RENAME"
Puis valide.
Réponds oui aux messages d'avertissements et te demandant si tu autorises le reboot du pc.

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Après le reboot du pc, les fichiers :

c:\WINDOWS\system32\csoai.exe
c:\WINDOWS\system32\dmovj.exe
C:\WINDOWS\system32\edrzh.exe

devraient être visible et pouvoir être supprimés sans aucuns soucis.
Blacklight ne les supprimes pas, il les renommes simplement et il va falloir que tu les vires toi même:
Va dans C:\windows\system32\ et recherches et effaces:

csoai.exe.ren
dmovj.exe.ren
edrzh.exe

ouvre le bloc note et copie et colle ceci à l'interieur: (regedit4 sur la 1ere ligne du bloc note et ne met pas les etoiles)

****
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\ruins]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmsvf.exe"=-
"wgoht.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

***
Puis enregistrer sous et dans:
Nom du fichier, met fix.reg
Type de fichier: selectionne "tous les fichiers"
clic sur enregistrer

ensuite double clic sur fix.reg et accepte de fusionner

Lance wareout.

Lance ewido et supprime ce qu il trouve.

redemarrer le pc et si perte de connexion :

demarrer > connection > clic droit sur ta connection > propriétés
gestion de reseau
assure toi que protocole internet tcp/ip est en surbrillance (attention, ne décoche pas la case)> clic sur propriétés > selectionne "obtenir les adresses des serveurs automatiquement"
valide avec ok

A+
PS: Si ca marche pas, on modifiera legerement.
0

Discussions similaires

Softonic,est-ce un virus ?
techmel1 -
techmel1 -

6 réponses
Désinstaller Softonic
Diguimette -
lilidurhone -

5 réponses
virus Artemis!
mabiche37 -
Malekal_morte- -

14 réponses
Message Apple virus !!
Souclik67 -
MPMP10 -

3 réponses