[virus] infected by TR/Dldr.Mohbpork.A.142

Solved
Thierry -
Regis59 (Security contributor, 21143 posts) -
Hello

I am infected by TR/Dldr.Mohbpork.A.142. It is detected by AV Guard, but as soon as I reboot it is present again. I can't find the "master" program.

Could you help me?

Thank you, have a good evening

9 replies

  1. Regis59 (Security contributor, 21143 posts)
     
    Hi,

    download HijackThis here:
    http://telechargement.zebulon.fr/138-hijackthis-1991.html

    Unzip it into a folder made for that purpose.
    For example C:\hijackthis < Make sure you save it in C: !
    Demo: (Thanks to Balltrap34 for this)
    http://pageperso.aol.fr/balltrap34/Hijenr.gif

    Launch it, then:
    click "do a system scan and save logfile" (see demo)
    copy and paste the whole log onto the forum

    Demo: (Thanks to Balltrap34 for this)
    http://pageperso.aol.fr/balltrap34/demohijack.htm

    Good luck

    See you
    0
    1. Thierry
       
      Hello and thank you. Here is the log:

      Logfile of HijackThis v1.99.1
      Scan saved at 12:22:02, on 26/11/2006
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      C:\WINDOWS\System32\GEARSec.exe
      C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
      D:\Norton Ghost\Agent\PQV2iSvc.exe
      C:\Program Files\Cyberlink\Shared files\RichVideo.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\VM_STI.EXE
      D:\ZoneAlarm\zlclient.exe
      D:\Norton Ghost\Agent\GhostTray.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      D:\Images\Power DVD 7\PDVDServ.exe
      C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      D:\Winamp\winampa.exe
      C:\WINDOWS\system32\ctfmon.exe
      D:\CUseeMe\Amigo.exe
      C:\Program Files\NETGEAR\WPN111\wpn111.exe
      C:\Program Files\Technology Corporation\FW_C703 Wireless LAN\BK_USB_Monitor.exe
      C:\Program Files\VIA\RAID\raid_tool.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\PROGRA~1\FICHIE~1\CUSEEM~1\CUCore.exe
      D:\eMule\emule.exe
      D:\firefox\firefox.exe
      C:\Hitjack\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O2 - BHO: IEHlprObj Class - {F62A47A7-4CA3-9D00-95A3-6724d43a9E8C} - LineAudio.dll (file missing)
      O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
      O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
      O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
      O4 - HKLM\..\Run: [Zone Labs Client] "d:\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Norton Ghost\Agent\GhostTray.exe
      O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [RemoteControl] "D:\Images\Power DVD 7\PDVDServ.exe"
      O4 - HKLM\..\Run: [LanguageShortcut] "D:\Images\Power DVD 7\Language\Language.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
      O4 - HKLM\..\Run: [dmrhh.exe] C:\WINDOWS\system32\dmrhh.exe
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [WP Companion] D:\CUseeMe\Amigo.exe -minimize
      O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
      O4 - HKCU\..\Run: [eMuleAutoStart] D:\eMule\emule.exe -AutoStart
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
      O4 - Global Startup: USB Wireless LAN Utility.lnk = ?
      O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - D:\CUseeMe\Amigo.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Internet Cleaner\ICleaner.exe (HKCU)
      O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Internet Cleaner\ICleaner.exe (HKCU)
      O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{3D013CA4-842A-4C9E-82C5-DF43ADB90092}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\..\{4D612367-568E-4BB8-8B7F-0F0EEC025975}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\..\{72095144-A51E-4D92-AD06-6A9797E6496E}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4ABA7C-160C-45E0-AA9E-DB9D4BF262A7}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\..\{C5457211-C3F3-4D6B-8C2B-2E03766F7871}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
      O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
      O23 - Service: Norton Ghost - Symantec Corporation - D:\Norton Ghost\Agent\PQV2iSvc.exe
      O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
      O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
      O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

      See you
      0
  2. Regis59 (Security contributor, 21143 posts)
     
    Hi,

    Download FixWareout from one of these two sites to the desktop:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe

    Launch the fix: click Next, then Install, then make sure "Run fixit" is checked and click Finish.
    The fix will start; follow the on-screen messages. You will be asked to restart your computer, do so. Your system will take a bit longer to boot, that's normal.

    Once your system has restarted, follow the prompts. At the end of the fix you may need to restart the PC once more.

    Finally, post the contents of C:\fixwareout\report.txt along with a new HijackThis log.

    See you
    0
  3. Thierry
     
    Hello,

    Here are the two logs. Thanks again for your help

    See you

    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}907E002B454B-BDAB-E4C4-6A58-C74D7F2A{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F6A42E4EA535-048A-1FD4-3734-1E638C9A{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hhrmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmrhh.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.

    Logfile of HijackThis v1.99.1
    Scan saved at 14:32:08, on 26/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    D:\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\VM_STI.EXE
    D:\ZoneAlarm\zlclient.exe
    D:\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    D:\Images\Power DVD 7\PDVDServ.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Winamp\winampa.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\CUseeMe\Amigo.exe
    D:\eMule\emule.exe
    C:\Program Files\NETGEAR\WPN111\wpn111.exe
    C:\Program Files\Technology Corporation\FW_C703 Wireless LAN\BK_USB_Monitor.exe
    C:\PROGRA~1\FICHIE~1\CUSEEM~1\CUCore.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    D:\firefox\firefox.exe
    C:\Hitjack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: IEHlprObj Class - {F62A47A7-4CA3-9D00-95A3-6724d43a9E8C} - LineAudio.dll (file missing)
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "d:\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [RemoteControl] "D:\Images\Power DVD 7\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "D:\Images\Power DVD 7\Language\Language.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WP Companion] D:\CUseeMe\Amigo.exe -minimize
    O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
    O4 - HKCU\..\Run: [eMuleAutoStart] D:\eMule\emule.exe -AutoStart
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
    O4 - Global Startup: USB Wireless LAN Utility.lnk = ?
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - D:\CUseeMe\Amigo.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Internet Cleaner\ICleaner.exe (HKCU)
    O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Internet Cleaner\ICleaner.exe (HKCU)
    O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D013CA4-842A-4C9E-82C5-DF43ADB90092}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4D612367-568E-4BB8-8B7F-0F0EEC025975}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72095144-A51E-4D92-AD06-6A9797E6496E}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4ABA7C-160C-45E0-AA9E-DB9D4BF262A7}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C5457211-C3F3-4D6B-8C2B-2E03766F7871}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Norton Ghost - Symantec Corporation - D:\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    0
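As an added example (not part of the thread, nor code from HijackThis or FixWareout), a small Python triage script over HijackThis-format lines: it flags O17 NameServer values that are neither on an allow-list of expected resolvers nor on the local LAN, and O4 Run entries matching the random-name pattern that the FixWareout report above lists under "Random Runs removed". The sample lines are constructed from the logs posted above; the allow-list, the five-letter heuristic and the `{CONSTRUCTED-EXAMPLE}` interface key are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in HijackThis 1.99.1 format, modelled on the logs posted in this
# thread (the O17 addresses and the dmrhh.exe entry are taken from those logs; the
# 192.168.1.1 line is added to show a normal LAN router resolver passing the check).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [dmrhh.exe] C:\WINDOWS\system32\dmrhh.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D013CA4-842A-4C9E-82C5-DF43ADB90092}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-EXAMPLE}: NameServer = 192.168.1.1
""".strip("\n")

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O17 - <Tcpip key>: NameServer = <servers separated by comma or space>
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\.*?): NameServer = (?P<servers>.*)$")
# Five lowercase letters, as in "dmrhh" (assumed heuristic, not a signature)
RANDOM_STEM_RE = re.compile(r"^[a-z]{5}$")


def parse_o17(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (registry key, [servers]) for an O17 line, or None for any other line."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def is_expected_resolver(server: str, expected: Set[str]) -> bool:
    """Accept resolvers on the allow-list or on a private (RFC 1918) network."""
    if server in expected:
        return True
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not even an IP address: worth a look
    return addr.is_private  # the home router is the usual legitimate resolver


def command_basename(cmd: str) -> str:
    """Lower-case file name of the executable in an O4 command line."""
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    return exe.rsplit("\\", 1)[-1].lower()


def is_random_run(name: str, cmd: str) -> bool:
    """Heuristic: value name equals the executable name, the stem is five letters,
    and the file sits directly in system32. Legitimate entries can match; triage only."""
    base = command_basename(cmd)
    if name.lower() != base or not base.endswith(".exe"):
        return False
    if "\\system32\\" not in cmd.lower():
        return False
    return bool(RANDOM_STEM_RE.match(base[:-4]))


def triage(log_text: str, expected_dns: Set[str]) -> Dict[str, list]:
    """Walk a HijackThis log and collect suspicious O17 resolvers and O4 Run entries."""
    findings: Dict[str, list] = {"dns": [], "runs": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = parse_o17(line)
        if parsed:
            key, servers = parsed
            for server in servers:
                if not is_expected_resolver(server, expected_dns):
                    findings["dns"].append((key, server))
            continue
        m = O4_RE.match(line)
        if m and is_random_run(m.group("name"), m.group("cmd")):
            findings["runs"].append(m.group("cmd"))
    return findings


if __name__ == "__main__":
    # Assumption: no public resolver is known to be legitimate on this machine.
    result = triage(SAMPLE_LOG, expected_dns=set())
    for key, server in result["dns"]:
        print(f"O17 NameServer outside allow-list: {server} ({key})")
    for cmd in result["runs"]:
        print(f"O4 Run entry with random-looking name: {cmd}")
```

On the sample, every interface key in the log points at the same pair of non-local resolvers, which is the pattern worth checking against the ISP's documented DNS servers before trusting any download or update the machine performs.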
  4. Regis59 (Security contributor, 21143 posts)
     
    Ok,

    Download this
    https://www.silentrunners.org/Silent%20Runners.vbs
    Run it, wait a few minutes; it will then create a text file right next to Silent Runners. Copy/paste what it gives you

    See you
    0
    1. Thierry
       
      Hello,

      After running the VBS I get a .txt file as expected, in a personal folder.

      I tried in vain to find a program or folder called "silent runner", but there is nothing on my disk

      I don't know what to do with this file and I apologise again for bothering you

      Thanks for your reply
      0
  6. Regis59 (Security contributor, 21143 posts)
     
    Re,

    Open the text file and copy/paste everything that is in it.

    See you
    0
  7. Thierry
     
    I'm sorry, but here is what I get (below)

    I don't know much about computers either, so I don't know how to copy/paste into a registry, for example.

    Isn't there some online help that could help me include all these settings in my system?

    Thanking you, have a good day

    "Silent Runners.vbs", revision 49, https://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "WP Companion" = "D:\CUseeMe\Amigo.exe -minimize" ["CUseeMe Networks"]
    "WOOKIT" = "C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx" [file not found]
    "eMuleAutoStart" = "D:\eMule\emule.exe -AutoStart" ["https://www.emule-project.net/home/perl/general.cgi?l=1"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
    "BigDogPath" = "C:\WINDOWS\VM_STI.EXE USB PC Camera 301P" ["VM."]
    "PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe" [empty string]
    "Zone Labs Client" = ""d:\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "(Default)" = "(empty string)" [file not found]
    "Norton Ghost 9.0" = "D:\Norton Ghost\Agent\GhostTray.exe" ["Symantec Corporation"]
    "ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
    "avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
    "RemoteControl" = ""D:\Images\Power DVD 7\PDVDServ.exe"" ["Cyberlink Corp."]
    "LanguageShortcut" = ""D:\Images\Power DVD 7\Language\Language.exe"" [null data]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "WinampAgent" = "D:\Winamp\winampa.exe" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "d:\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {F62A47A7-4CA3-9D00-95A3-6724d43a9E8C}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "IEHlprObj Class"
    \InProcServer32\(Default) = "LineAudio.dll" [empty string]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
    -> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
    -> {HKLM...CLSID} = "CD Copy Shell Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
    "{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
    -> {HKLM...CLSID} = "CD Wizard Shell Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
    "{F5D92344-0A64-11D0-9956-0000E8096023}" = "InstantWrite Shellextension"
    -> {HKLM...CLSID} = "InstantWrite Shellextension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\iwshex.dll" ["VOB Computersysteme GmbH"]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "D:\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Microsoft Office\Office10\msohev.dll" [MS]
    "{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
    -> {HKLM...CLSID} = "SimpleShlExt Class"
    \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
    "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Thierry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS]

    Startup items in "Thierry" & "All Users" startup folders:
    ---------------------------------------------------------

    C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
    "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
    "Microsoft Office" -> shortcut to: "D:\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
    "NETGEAR WPN111 Smart Wizard" -> shortcut to: "C:\Program Files\NETGEAR\WPN111\wpn111.exe" ["NETGEAR"]
    "USB Wireless LAN Utility" -> shortcut to: "C:\Program Files\Technology Corporation\FW_C703 Wireless LAN\BK_USB_Monitor.exe" [empty string]
    "VIA RAID TOOL" -> shortcut to: "C:\Program Files\VIA\RAID\raid_tool.exe" ["VIA Technologies"]

    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKCU\Software\Microsoft\Internet Explorer\Extensions\
    {45819E58-6E84-4A5D-BD65-A706981E5BE8}\
    "ButtonText" = "Internet Cleaner"
    "MenuText" = "Internet Cleaner"
    "Exec" = "D:\Internet Cleaner\ICleaner.exe" ["Neoweb Software"]

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Console Java (Sun)"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

    {44EFB53C-C965-43CF-9F45-52242D134187}\
    "ButtonText" = "CUseeMe Conferencing Companion"
    "Exec" = "D:\CUseeMe\Amigo.exe" ["CUseeMe Networks"]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    [Strings]: SAFESITE_VALUE="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2fintl%2ffr%2f%3f"

    Missing lines (compared with English-language version):
    [Strings]: 1 line

    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
    AntiVir Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\Cyberlink\Shared files\RichVideo.exe"" [empty string]
    GEARSecurity, GEARSecurity, "C:\WINDOWS\System32\GEARSec.exe" ["GEAR Software"]
    Machine Debug Manager, MDM, ""C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
    Norton Ghost, Norton Ghost, "D:\Norton Ghost\Agent\PQV2iSvc.exe" ["Symantec Corporation"]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]

    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 79 seconds, including 18 seconds for message boxes)
  8. Regis59
    Hi,

    I don't know much about computers either, so I don't know how to copy and paste into a registry, for example.

    Don't touch the registry, it's very sensitive.

    Could you post a new HijackThis log please?

    See you later.
    1. Thierry
      Good evening and thank you. Here is the new one:

      Have a good evening

      Logfile of HijackThis v1.99.1
      Scan saved at 20:37:25, on 27/11/2006
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      C:\WINDOWS\System32\GEARSec.exe
      C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
      D:\Norton Ghost\Agent\PQV2iSvc.exe
      C:\Program Files\Cyberlink\Shared files\RichVideo.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\VM_STI.EXE
      D:\ZoneAlarm\zlclient.exe
      D:\Norton Ghost\Agent\GhostTray.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      D:\Images\Power DVD 7\PDVDServ.exe
      C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      D:\Winamp\winampa.exe
      C:\WINDOWS\system32\ctfmon.exe
      D:\CUseeMe\Amigo.exe
      D:\eMule\emule.exe
      C:\Program Files\NETGEAR\WPN111\wpn111.exe
      C:\Program Files\Technology Corporation\FW_C703 Wireless LAN\BK_USB_Monitor.exe
      C:\Program Files\VIA\RAID\raid_tool.exe
      C:\PROGRA~1\FICHIE~1\CUSEEM~1\CUCore.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      D:\Images\ConvertXtoDVD\ConvertXtoDvd.exe
      C:\Program Files\Outlook Express\msimn.exe
      D:\FIREFOX\FIREFOX.EXE
      D:\WinRAR\WinRAR.exe
      C:\DOCUME~1\Thierry\LOCALS~1\Temp\Rar$EX01.140\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O2 - BHO: IEHlprObj Class - {F62A47A7-4CA3-9D00-95A3-6724d43a9E8C} - LineAudio.dll (file missing)
      O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
      O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
      O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
      O4 - HKLM\..\Run: [Zone Labs Client] "d:\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Norton Ghost\Agent\GhostTray.exe
      O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [RemoteControl] "D:\Images\Power DVD 7\PDVDServ.exe"
      O4 - HKLM\..\Run: [LanguageShortcut] "D:\Images\Power DVD 7\Language\Language.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [WP Companion] D:\CUseeMe\Amigo.exe -minimize
      O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
      O4 - HKCU\..\Run: [eMuleAutoStart] D:\eMule\emule.exe -AutoStart
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
      O4 - Global Startup: USB Wireless LAN Utility.lnk = ?
      O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - D:\CUseeMe\Amigo.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Internet Cleaner\ICleaner.exe (HKCU)
      O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Internet Cleaner\ICleaner.exe (HKCU)
      O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{3D013CA4-842A-4C9E-82C5-DF43ADB90092}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\..\{4D612367-568E-4BB8-8B7F-0F0EEC025975}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\..\{72095144-A51E-4D92-AD06-6A9797E6496E}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4ABA7C-160C-45E0-AA9E-DB9D4BF262A7}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\..\{C5457211-C3F3-4D6B-8C2B-2E03766F7871}: NameServer = 85.255.113.133,85.255.112.94
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
      O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
      O23 - Service: Norton Ghost - Symantec Corporation - D:\Norton Ghost\Agent\PQV2iSvc.exe
      O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
      O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
      O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  9. Regis59
    Hi,

    ¤ Relaunch HijackThis, tick the boxes in front of these lines, then click "Fix checked":

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D013CA4-842A-4C9E-82C5-DF43ADB90092}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4D612367-568E-4BB8-8B7F-0F0EEC025975}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72095144-A51E-4D92-AD06-6A9797E6496E}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4ABA7C-160C-45E0-AA9E-DB9D4BF262A7}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C5457211-C3F3-4D6B-8C2B-2E03766F7871}: NameServer = 85.255.113.133,85.255.112.94
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94

    Go to Start > Control Panel > Network Connections > right-click the connection > Properties > Networking tab.
    Highlight Internet Protocol (TCP/IP), then click the Properties button.
    In the options (preferred DNS server and alternate DNS server) you will find one of the addresses listed in the HijackThis report on the O17 lines => (85.255.113.133 85.255.112.94)

    To remove them, tick "Obtain DNS server address automatically", then click "OK" twice and restart the PC.

    Post a new HijackThis log so we can check.

    Good luck.
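The check in the post above (spotting O17 NameServer entries that point at DNS servers the machine should not be using) can be automated when reviewing a HijackThis log. The following is an added example, not code from this thread or from HijackThis itself: a small Python parser for O17 lines that flags every DNS server that is neither a private/loopback address nor on an allow-list you supply (the allow-list, the `audit_log` function and the all-zero interface GUID are my own choices). The sample lines are copied from the log posted in this thread, plus one constructed benign entry pointing at 192.168.1.1 so that a passing line is shown too.

```python
import ipaddress
import re

# HijackThis O17 line, e.g.
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 85.255.113.133,85.255.112.94
# Per-interface entries separate servers with a comma, the global
# Tcpip\Parameters entries with a space, so both separators are accepted.
O17_RE = re.compile(r"^O17 - (?P<key>[^\s:]+): NameServer = (?P<servers>.+)$")

# Sample input: O17 lines copied from the HijackThis log posted in this thread,
# one unrelated O4 line as noise, and one CONSTRUCTED benign entry
# (all-zero GUID, private router address) to show a line that passes.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D013CA4-842A-4C9E-82C5-DF43ADB90092}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D612367-568E-4BB8-8B7F-0F0EEC025975}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{72095144-A51E-4D92-AD06-6A9797E6496E}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4ABA7C-160C-45E0-AA9E-DB9D4BF262A7}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5457211-C3F3-4D6B-8C2B-2E03766F7871}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
""".strip().splitlines()


def parse_o17(line):
    """Return (registry key, [server strings]) for an O17 line, or None for any other line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def is_expected(server, trusted):
    """True if the server is a private/loopback address or in the trusted allow-list.

    Anything that is not even a valid IP address is treated as unexpected.
    """
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip in trusted


def audit_log(lines, trusted=()):
    """Scan log lines and return [(registry key, [unexpected servers])] for every
    O17 entry that names at least one DNS server outside the allow-list.

    `trusted` is an iterable of IP strings (e.g. your ISP's resolvers, an
    assumption of this example; the thread does not name any)."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        unexpected = [s for s in servers if not is_expected(s, trusted_ips)]
        if unexpected:
            findings.append((key, unexpected))
    return findings


if __name__ == "__main__":
    for key, bad in audit_log(SAMPLE_LOG):
        print(f"suspicious NameServer on {key}: {', '.join(bad)}")
```

Run against the sample, the eight O17 lines from the thread are reported and the constructed 192.168.1.1 entry is not. Note that the per-interface keys (`Tcpip\..\{GUID}`) and the three `Parameters` keys (CCS, CS1, CS2) are separate registry values: the helper's instruction to tick all eight lines matters because fixing only the interface entries would leave the global and ControlSet copies in place.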
    1. Thierry
      Good evening and good night

      Logfile of HijackThis v1.99.1
      Scan saved at 22:43:04, on 27/11/2006
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      C:\WINDOWS\System32\GEARSec.exe
      C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
      D:\Norton Ghost\Agent\PQV2iSvc.exe
      C:\Program Files\Cyberlink\Shared files\RichVideo.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\isafe.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\VM_STI.EXE
      D:\Norton Ghost\Agent\GhostTray.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      D:\Images\Power DVD 7\PDVDServ.exe
      C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      D:\Winamp\winampa.exe
      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      C:\WINDOWS\system32\ctfmon.exe
      D:\CUseeMe\Amigo.exe
      D:\eMule\emule.exe
      C:\PROGRA~1\FICHIE~1\CUSEEM~1\CUCore.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\NETGEAR\WPN111\wpn111.exe
      C:\Program Files\Technology Corporation\FW_C703 Wireless LAN\BK_USB_Monitor.exe
      C:\Program Files\VIA\RAID\raid_tool.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      D:\WinRAR\WinRAR.exe
      C:\DOCUME~1\Thierry\LOCALS~1\Temp\Rar$EX00.875\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail?u=http%253A//webmail16e.orange.fr/webmail/fr_FR/inbox.html%253FFromSubmit%253Dtrue
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O2 - BHO: IEHlprObj Class - {F62A47A7-4CA3-9D00-95A3-6724d43a9E8C} - LineAudio.dll (file missing)
      O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
      O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
      O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Norton Ghost\Agent\GhostTray.exe
      O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [RemoteControl] "D:\Images\Power DVD 7\PDVDServ.exe"
      O4 - HKLM\..\Run: [LanguageShortcut] "D:\Images\Power DVD 7\Language\Language.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
      O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [WP Companion] D:\CUseeMe\Amigo.exe -minimize
      O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
      O4 - HKCU\..\Run: [eMuleAutoStart] D:\eMule\emule.exe -AutoStart
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
      O4 - Global Startup: USB Wireless LAN Utility.lnk = ?
      O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - D:\CUseeMe\Amigo.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Internet Cleaner\ICleaner.exe (HKCU)
      O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Internet Cleaner\ICleaner.exe (HKCU)
      O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
      O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
      O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
      O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
      O23 - Service: Norton Ghost - Symantec Corporation - D:\Norton Ghost\Agent\PQV2iSvc.exe
      O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
      O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
      O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    2. Thierry
      Small addition: MY MAIL VIA OUTLOOK IS WORKING AGAIN, hopefully it lasts
  10. Regis59
    Hi,

    Great!

    Where do things stand with your problems?

    See you later.