Virus _ Analyse HIJACKTHIS Fermé

Question

Bonjour,

je viens crier un grand SOS.

Je ne peux pas surfer à partir d'internet Explorer ou Mozilla pourtant je peux pinger les adresses web.

Je vous joins le rapport de hijackthis au cas où quelqu'un pourrait venir à mon secours.

Merci d'avance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:12, on 18/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent
trtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent	mlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\MU6902.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nec-online.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\spoolsv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PIMphony.lnk = C:\Program Files\Alcatel_PIMphony\aocphone.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O23 - Service: NMC service (a47xxsrv) - Unknown owner - C:\NMC\bin\a47xxsrv.exe
O23 - Service: Generic Host Process for Win-32 Service - Unknown owner - C:\WINDOWS\spoolsv.exe
O23 - Service: Scan en temps réel Trend Micro Client/Server Security Agent (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent
trtscan.exe
O23 - Service: Pare-feu personnel Trend Micro Client/Server Security Agent (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Centre d'affaires 2006 (Synchronisation) (ServiceCentreAffaires2006) - Unknown owner - c:\program files\ucase software\centre d'affaires 2006\service windows\windowsservicecentreaffaires2006.exe (file missing)
O23 - Service: Trend Micro Client-Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent	mlisten.exe

FillPCA · Answer

Salut,

# Télécharge SDFix (créé par Andy Manchesta) et sauvegarde le sur ton Bureau : http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
# Imprime ceci.
# Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :

    * Redémarre ton ordinateur.
    * Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (ou F5).
    * A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
    * Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
    * Choisis ton compte.

# Déroule la liste des instructions ci-dessous :

    * En mode sans échec, double-clique sur le fichier SDFix.exe et clique sur install,
    * Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
    * Appuie sur Y pour commencer le script.
    * Il va supprimer les services de certains trojans, effectuera aussi quelques réparations du Registre et il te demandera d'appuyer sur une touche pour redémarrer.
    * Appuie sur une touche pour redémarrer le PC.
    * Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
    * Après le chargement du Bureau, l'outil terminera son travail et affichera Finished
    * Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
    * Enfin, ouvre le dossier de SDFix sur ton Bureau et copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum, avec un nouveau log Hijackthis !

FillPCA

kasta · Answer

Merci pour cette rapidité de réponse

voici le contenu du fichier report.txt
suivi d'un nouveau rapport hijackthis


[b][u]SDFix: Version 1.143[/u][/b]

Run by Administrateur on 18/02/2008 at 11:00

Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix

[b][u]Checking Services[/u][/b]:

Name:
Generic Host Process for Win-32 Service

Path:
"C:\WINDOWS\spoolsv.exe" 

Generic Host Process for Win-32 Service - Deleted


C:\WINDOWS\system32\Microsoft\backup.ftp Found
C:\WINDOWS\system32\Microsoft\backup.tftp Found

[b]Checking files[/b]: 

[b]Genuine[/b]:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp

[b]Dummy[/b]:
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32	ftp.exe

Files copied to SDFix\Backups 

Restoring files if backups are found
 
[b]Final Check[/b]:

[b]Genuine[/b]:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32	ftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache	ftp.exe 

 


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


[b][u]Checking Files[/u][/b]: 

Trojan Files Found:

C:\WINDOWS\spoolsv.exe  - Deleted
C:\WINDOWS\system32\Microsoft\backup.ftp  - Deleted
C:\WINDOWS\system32\Microsoft\backup.tftp  - Deleted





Removing Temp Files...

[b][u]ADS Check[/u][/b]:
 


                                 [b][u]Final Check[/u][/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 11:15:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x20229~\2]
"C040AC1900063D11C8EF10054038389C"="C?\WINDOWS\System32\FM20ENU.DLL"

scanning hidden files ...

C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:CA_INOCULATEIT 512 bytes hidden from API
C:\Documents and Settings\Administrateur\NTUSER.DAT:CA_INOCULATEIT 512 bytes hidden from API
C:\Documents and Settings\Administrateur
tuser.dat.LOG:CA_INOCULATEIT 512 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


[b][u]Remaining Services[/u][/b]:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\PCXTools\PM5\R210_33.0\bin\pm5.exe"="C:\Program Files\PCXTools\PM5\R210_33.0\bin\pm5.exe:*:Enabled:Configuration program for OmniPCX Office"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b][u]Remaining Files[/u][/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b][u]Files with Hidden Attributes[/u][/b]:

Tue 25 May 2004           193 A.SHR --- "C:\BOOT.BAK"
Thu  7 Jul 2005            56 ..SHR --- "C:\WINDOWS\system32\76C36569A1.sys"
Thu 21 Sep 2006         1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 31 Dec 2004         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 31 Dec 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 31 Dec 2004         4,348 ...H. --- "C:\Documents and Settings\Administrateur\Mes documents\Ma musique\Sauvegarde de la licence\drmv1key.bak"
Fri 31 Dec 2004            20 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\Ma musique\Sauvegarde de la licence\drmv1lic.bak"
Fri 31 Dec 2004           400 ...H. --- "C:\Documents and Settings\Administrateur\Mes documents\Ma musique\Sauvegarde de la licence\drmv2key.bak"
Fri 31 Dec 2004         1,536 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\Ma musique\Sauvegarde de la licence\drmv2lic.bak"
Thu 20 Nov 2003       135,168 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\EF3X2A27.dll"
Thu 20 Nov 2003     2,400,256 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\efjm.dll"
Wed 27 Aug 2003       365,380 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\EFXLDSCU.DLL"
Wed 27 Aug 2003       408,132 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\EFXLGCU.DLL"
Wed 27 Aug 2003       241,812 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\EFXLIFCU.DLL"
Thu 20 Nov 2003       421,930 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\ehm10.dll"
Thu 20 Nov 2003       299,051 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\ehmbrg.dll"
Thu 20 Nov 2003        98,348 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\ehmcore.dll"
Thu 20 Nov 2003       155,692 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\ehmecol.dll"
Thu 20 Nov 2003       487,467 A..H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\ehmefi.dll"

[b]Finished![/b]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:56, on 18/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent
trtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent	mlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\PC3CC5.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\Acrodist.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nec-online.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PIMphony.lnk = C:\Program Files\Alcatel_PIMphony\aocphone.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O23 - Service: NMC service (a47xxsrv) - Unknown owner - C:\NMC\bin\a47xxsrv.exe
O23 - Service: Scan en temps réel Trend Micro Client/Server Security Agent (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent
trtscan.exe
O23 - Service: Pare-feu personnel Trend Micro Client/Server Security Agent (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Centre d'affaires 2006 (Synchronisation) (ServiceCentreAffaires2006) - Unknown owner - c:\program files\ucase software\centre d'affaires 2006\service windows\windowsservicecentreaffaires2006.exe (file missing)
O23 - Service: Trend Micro Client-Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent	mlisten.exe

FillPCA · Answer

Re,

1/ Ouvre Hijackthis>"Do a scan only" et coche ceci :
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

Clique sur fix/réparer.

2/     *  Télécharge combofix.exe (par sUBs) sur ton Bureau : http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    * Double clique combofix.exe et suis les invites.
    * Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse.

3/ # Télécharge SREng (de Smallfrogs) : http://www.kztechs.com/eng/download.html
# Dézippe tout son contenu sur ton bureau (clic droit >Extraire ici).
# Ouvre le dossier SReng2 et double-clique sur SREngPS.exe.
# Clique sur "smart scan".
# Clique sur le bouton "scan".
# Quand l'analyse est terminée, clique sur le bouton "save reports".
# Sauvegarde alors le rapport sur ton bureau.
# Copie/colle le contenu du rapport  SREnglLOG.log dans ta prochaine réponse.

4/ Edite les rapports suivants : Combofix, SREng et un nouveau rapport Hijackthis.

FillPCA

kasta · Answer

Ci dessous les rapports demandés Combofix Sreng Hijackthis Cela fonctionnait avant de faire combofix depuis plus d'internet à nouveau ComboFix 08-02-18.1 - EDES 2008-02-18 12:25:11.1 - NTFSx86 Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1449 [GMT 1:00] Endroit: C:\Documents and Settings\EDES\Bureau\ComboFix.exe * Création d'un nouveau point de restauration . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\acceuil\Application Data\HbTools C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HbTools\static\1\btntrans.idx C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HbTools\static\2\btntrans.idx C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HbTools\static\DownLoad\samplegroups2.txt C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HbTools\static\DownLoad\samplegroups2.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HbTools\static\DownLoad\samplegroups2reg.txt C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HbTools\static\DownLoad\samplegroups2reg.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte10_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte11_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte12_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte13_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte14_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte19_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte20_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte21_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30104_emte9_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u30203lib_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102angel_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102bigluf_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102bigsmile_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102birthday_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102cheers_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102flo_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102good_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102jump_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102king_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102lough_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102luf_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102smile_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102smiled_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102sor_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102thanx_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u33102uhu_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u40103ahh_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u40103wow_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u40104_emi2_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u42102_1134_112_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u50103big_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u50103gig_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u50103hm_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u50103nomail_emoti_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u50103norm_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema15_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema16_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema17_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema18_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema19_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema20_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema21_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema24_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema25_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema26_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema30_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema33_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u60104_ema34_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u62802hippi_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u62802jumpie_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u80402argh_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u80402oops_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u80402ouch_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u82502no_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\[u]0/u82502yes_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_boring1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_confused_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_crying_ugly_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_fantastic_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_feel_better_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_gimme_break_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_heehee_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_hlopaet_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_ign_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_lol_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_no_comment_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_peace_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_smashing_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\110103_talk2thehand_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\block_sm.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\block_sm2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\block_smli.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\block_smli2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\blocked.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\blocked2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_add-but.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_back-but.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_left_cut_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_left_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_left_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_middle_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_middle_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_right_cut_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_right_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\btn_right_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\business_promo.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\buttondir.txt C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\components.cdf C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\css_cattree.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\css_flashpreview.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\css2_main.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\css2_pagingmodule.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\css2_topbuttons.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\delete.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\edit_clear_sound.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\edit_fs.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\edit_select.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-511745-514279.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-backgrounds.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-bcards.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-ecards.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-edit.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-emoticons.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-estationery.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-funny.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-help.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-images.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-info.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-more.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-my.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-people.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-photo.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-tell.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-temp.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-temp_OI.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-text.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def-email-voice.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-def.cdf C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-premium-email-premium.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-premium-email-premium_OI.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-t1-bg.res C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\email-temp-bg.res C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\estatationery.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\flashpreview.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\fs3.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\hotbar_promo.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_checked_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_close_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_close_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_edit_preview.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_edit_send.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_flash_preview.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_recently_used.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_remove_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_remove_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_sand-clock2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_tell_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_tell_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_tree_null.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_unchecked_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\icon_unchecked_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\img_barlayout.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\img_barlayout2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\img_barlayout4.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\img_corner_left.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\img_local_logo.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_basetemplate.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_hbgroups.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_hbobject3.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_hbobjectset3.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_hotbarwrapper.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_iteratorsandreaders3nf.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_pagingmoduleobj3.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_texts3.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\js2_xmltree3nf.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\layout.cdf C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\linkpathlegal.txt C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\n.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\nav_b_2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\nav_bb_2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\nav_f_2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\nav_ff_2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\progress.res C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\searchbtn.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\submit.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_bg.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_bga.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_bgia.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_l.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_la.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_lia.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_r.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_ra.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tab_ria.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tree_dots.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tree_minus.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\tree_plus.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\treedata_animations.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\treedata_backgrounds.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\treedata_ecards.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\treedata_emoticons.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\treedata_notifiers.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\1\treedata_text.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\business_promo.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\buttondir.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\code.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\email-def.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\email-t1-bg.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\email-temp-bg.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\hotbar_promo.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\images.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\layout.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\linkpathlegal.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\localcontent.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\progress.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOI\static\DownLoad\treexml.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte10_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte11_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte12_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte13_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte14_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte19_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte20_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte21_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30104_emte9_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u30203lib_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102angel_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102bigluf_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102bigsmile_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102birthday_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102cheers_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102flo_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102good_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102jump_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102king_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102lough_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102luf_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102smile_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102smiled_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102sor_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102thanx_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u33102uhu_1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u40103ahh_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u40103wow_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u40104_emi2_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u42102_1134_112_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u50103big_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u50103gig_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u50103hm_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u50103nomail_emoti_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u50103norm_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema15_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema16_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema17_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema18_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema19_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema20_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema21_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema24_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema25_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema26_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema30_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema33_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u60104_ema34_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u62802hippi_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u62802jumpie_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u80402argh_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u80402oops_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u80402ouch_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u82502no_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\[u]0/u82502yes_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_boring1_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_confused_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_crying_ugly_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_fantastic_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_feel_better_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_gimme_break_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_heehee_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_hlopaet_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_ign_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_lol_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_no_comment_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_peace_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_smashing_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\110103_talk2thehand_prv.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\block_sm.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\block_sm2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\block_smli.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\block_smli2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\blocked.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\blocked2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_add-but.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_back-but.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_left_cut_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_left_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_left_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_middle_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_middle_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_right_cut_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_right_enabled_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\btn_right_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\business_promo.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\buttondir.txt C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\components.cdf C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\css_cattree.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\css_flashpreview.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\css2_main.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\css2_pagingmodule.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\css2_topbuttons.css C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\delete.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\edit_clear_sound.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\edit_fs.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\edit_select.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-511724-543450.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-511724-548964.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-511724-589306.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-511724-9595.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-511724-9696.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-511745-514279.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-backgrounds.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-bcards.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-ecards.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-emoticons.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-estationery.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-funny.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-help.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-images.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-info.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-more.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-my.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-new.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-new2.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-options.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-people.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-photo.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-tell.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-temp.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-text.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def-email-voice.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-def.cdf C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-premium-email-premium.mnu C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-t1-bg.res C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\email-temp-bg.res C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\estatationery.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\flashpreview.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\fs3.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\hotbar_promo.htm C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_checked_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_close_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_close_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_edit_preview.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_edit_send.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_flash_preview.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_recently_used.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_remove_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_remove_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_sand-clock2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_tell_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_tell_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_tree_null.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_unchecked_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\icon_unchecked_pressed_1.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\img_barlayout.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\img_barlayout2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\img_barlayout4.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\img_corner_left.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\img_local_logo.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_basetemplate.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_hbgroups.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_hbobject3.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_hbobjectset3.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_hotbarwrapper.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_iteratorsandreaders3nf.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_pagingmoduleobj3.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_texts3.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\js2_xmltree3nf.js C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\layout.cdf C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\linkpathlegal.txt C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\n.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\nav_b_2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\nav_bb_2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\nav_f_2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\nav_ff_2.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\progress.res C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\searchbtn.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\submit.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_bg.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_bga.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_bgia.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_l.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_la.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_lia.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_r.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_ra.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tab_ria.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tree_dots.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tree_minus.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\tree_plus.gif C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\treedata_animations.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\treedata_backgrounds.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\treedata_ecards.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\treedata_emoticons.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\treedata_notifiers.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\1\treedata_text.xml C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\business_promo.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\buttondir.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\code.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\email-def.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\email-t1-bg.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\email-temp-bg.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\hotbar_promo.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\images.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\layout.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\linkpathlegal.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\localcontent.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\progress.xip C:\Documents and Settings\acceuil\Application Data\HbTools\v3.0\HostOL\static\DownLoad\treexml.xip C:\Program Files\HbTools C:\Program Files\HbTools\HbTools.log C:\WINDOWS\system32\Cache C:\WINDOWS\xvs_ilop.dll . ((((((((((((((((((((((((((((( Fichiers créés 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))))))) . 2008-02-18 10:59 . 2004-08-20 00:09 46,080 --a------ C:\WINDOWS\system32\dllcache\ftp.exe 2008-02-18 10:59 . 2002-08-30 12:00 17,920 --a------ C:\WINDOWS\system32\dllcache\tftp.exe 2008-02-18 10:57 . 2008-02-18 10:58 d-------- C:\WINDOWS\ERUNT 2008-02-18 10:57 . 2008-02-18 11:18 d-------- C:\SDFix 2008-02-14 20:51 . 2008-02-14 20:51 d-------- C:\Program Files\CCleaner 2008-02-14 14:13 . 2002-10-11 13:29 d--h----- C:\Documents and Settings\LKNE\Voisinage réseau 2008-02-14 14:13 . 2002-10-11 13:29 d--h----- C:\Documents and Settings\LKNE\Voisinage d'impression 2008-02-14 14:13 . 2002-10-11 13:29 d--h----- C:\Documents and Settings\LKNE\Modèles 2008-02-14 14:13 . 2008-02-14 14:13 dr------- C:\Documents and Settings\LKNE\Mes documents 2008-02-14 14:13 . 2002-10-11 13:29 dr------- C:\Documents and Settings\LKNE\Menu Démarrer 2008-02-14 14:13 . 2008-02-14 14:13 dr------- C:\Documents and Settings\LKNE\Favoris 2008-02-14 14:13 . 2002-10-11 13:29 dr------- C:\Documents and Settings\LKNE\Bureau 2008-02-14 14:13 . 2008-02-14 14:13 d-------- C:\Documents and Settings\LKNE\Application Data\Alcatel PIMphony 2008-02-11 16:13 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX 2008-02-08 14:33 . 2008-02-08 14:33 d-------- C:\Documents and Settings\Administrateur\Application Data\Alcatel PIMphony 2008-02-08 14:28 . 2002-10-11 13:29 d--h----- C:\Documents and Settings\admin\Voisinage réseau 2008-02-08 14:28 . 2002-10-11 13:29 d--h----- C:\Documents and Settings\admin\Voisinage d'impression 2008-02-08 14:28 . 2002-10-11 13:29 d--h----- C:\Documents and Settings\admin\Modèles 2008-02-08 14:28 . 2008-02-08 14:28 dr------- C:\Documents and Settings\admin\Mes documents 2008-02-08 14:28 . 2002-10-11 13:29 dr------- C:\Documents and Settings\admin\Menu Démarrer 2008-02-08 14:28 . 2008-02-08 14:28 dr------- C:\Documents and Settings\admin\Favoris 2008-02-08 14:28 . 2002-10-11 13:29 dr------- C:\Documents and Settings\admin\Bureau 2008-02-08 14:28 . 2008-02-08 14:28 d-------- C:\Documents and Settings\admin\Application Data\Alcatel PIMphony 2008-01-30 18:08 . 2008-01-30 18:08 d-------- C:\Program Files\Sage 2008-01-30 15:04 . 2007-02-13 09:17 1,966,080 --a------ C:\WINDOWS\system32\cdintf251.dll 2008-01-22 14:58 . 2008-01-22 14:59 d-------- C:\Documents and Settings\EDES\Application Data\SugarCRM 2008-01-22 14:52 . 2008-01-22 14:53 d-------- C:\Program Files\SugarCRM . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-18 10:39 --------- d-----w C:\Documents and Settings\EDES\Application Data\Alcatel PIMphony 2008-02-18 09:17 --------- d-----w C:\Program Files\Trend Micro 2008-02-15 11:10 --------- d-----w C:\Documents and Settings\administrateur.JDSCENTER\Application Data\Alcatel PIMphony 2008-02-14 13:18 --------- d-----w C:\Program Files\Fichiers communs\Adobe 2008-02-01 13:17 --------- d-----w C:\Program Files\Fichiers communs\SAGE 2008-02-01 13:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sage 2008-01-30 14:05 --------- d-----w C:\Program Files\GecoMaes 2007-12-31 08:38 --------- d-----w C:\Program Files\Windows Media Connect 2 2007-12-31 07:27 --------- d-----w C:\Program Files\Java 2005-07-07 11:50 56 --sh--r C:\WINDOWS\system32\76C36569A1.sys 2006-09-21 16:56 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sonic RecordNow!"="" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-03 13:22 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-03 13:41 114688] "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-20 00:09 144384] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-25 12:18 77824] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-12-16 06:09 372813] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-12-15 15:01:30 82026] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360] PIMphony.lnk - C:\Program Files\Alcatel_PIMphony\aocphone.exe [2006-10-24 17:28:54 2588761] Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32 81920] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2003-04-14 20:05 1498032 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessKeyboard] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-20 00:09] S2 ServiceCentreAffaires2006;Centre d'affaires 2006 (Synchronisation);c:\program files\ucase software\centre d'affaires 2006\service windows\windowsservicecentreaffaires2006.exe [] S3 a47xxsrv;NMC service;C:\NMC\bin\a47xxsrv.exe [2001-09-30 23:00] S4 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe [2000-06-08 19:15] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59a99ee8-daf2-11dc-8c2c-000c76f2ea8b}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL index.html [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95ba2d32-6b50-11dc-8bfa-000c76f2ea8b}] \Shell\AutoRun\command - D:\LaunchU3.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad4036b5-8244-11dc-8c01-000c76f2ea8b}] \Shell\AutoRun\command - D:\setupSNK.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecbe567a-5d08-11dc-8bf7-000c76f2ea8b}] \Shell\Auto\command - D:\pjmacronn.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pjmacronn.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-18 12:27:36 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-02-18 12:28:04 ComboFix-quarantined-files.txt 2008-02-18 11:28:02 . 2008-01-11 07:19:09 --- E O F --- [CODE] 2008-02-18,12:43:19 System Repair Engineer 2.5.16.900 Smallfrogs (http://www.KZTechs.com) Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed Follow item(s) have been choosed: All Boot Items (Including Registry, Startup Folders, Services and so on) Browser Add-ons Runing Processes (Including process model information) File Associations Winsock Provider Autorun.Inf HOSTS File Process Privileges Scan Boot Items Registry [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] <> [N/A] [(Verified)Microsoft Windows Publisher] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] [(Verified)Microsoft Windows Hardware Compatibility Publisher] [(Verified)Microsoft Windows Hardware Compatibility Publisher] <%SystemRoot%\system32\mobsync.exe /logon> [(Verified)Microsoft Windows Publisher] <"C:\Program Files\QuickTime\qttask.exe" -atboottime> [Apple Computer, Inc.] <"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"> [(Verified)"Sun Microsystems, Inc."] <"C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow> [Trend Micro Inc.] <"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"> [(Verified)"Adobe Systems, Incorporated"] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] [(Verified)Microsoft Windows Component Publisher] [(Verified)Microsoft Windows Publisher] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] <> [N/A] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] [(Verified)Microsoft Windows Publisher] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] [(Verified)Microsoft Windows Component Publisher] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] [(Verified)Microsoft Corporation] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] [(Verified)Microsoft Windows Component Publisher] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] <%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] <%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] <"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] [(Verified)Microsoft Windows Publisher] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}] [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}] [(Verified)Microsoft Windows Component Publisher] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}] <"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}] [(Verified)Microsoft Corporation] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] <; "C:\Program Files\Messenger\msmsgs.exe" /background> [(Verified)Microsoft Corporation] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] <; C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe> [N/A] <; C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe> [N/A] ================================== Startup Folders [Acrobat Assistant] C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\AcroTray.exe [Adobe Systems Inc.]> [Microsoft Office] C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [Microsoft Corporation]> [PIMphony] C:\PROGRA~1\ALCATE~1\aocphone.exe [Alcatel]> [Service Manager] C:\PROGRA~1\MI6841~1\80\Tools\Binn\sqlmangr.exe [Microsoft Corporation]> ================================== Services [NMC service / a47xxsrv][Stopped/Manual Start] [Windows Presentation Foundation Font Cache 3.0.0.0 / FontCache3.0.0.0][Stopped/Manual Start] [Windows CardSpace / idsvc][Stopped/Manual Start] <"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"> [Event Log Watch / LogWatch][Stopped/Disabled] [MSSQL$MICROSOFTSMLBIZ / MSSQL$MICROSOFTSMLBIZ][Running/Auto Start] <"c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ> [MSSQLSERVER / MSSQLSERVER][Running/Auto Start] [MSSQLServerADHelper / MSSQLServerADHelper][Stopped/Manual Start] [Net.Tcp Port Sharing Service / NetTcpPortSharing][Stopped/Manual Start] <"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"> [Scan en temps réel Trend Micro Client/Server Security Agent / ntrtscan][Running/Auto Start] [Pare-feu personnel Trend Micro Client/Server Security Agent / OfcPfwSvc][Running/Auto Start] [Centre d'affaires 2006 (Synchronisation) / ServiceCentreAffaires2006][Stopped/Auto Start] [SQLAgent$MICROSOFTSMLBIZ / SQLAgent$MICROSOFTSMLBIZ][Stopped/Manual Start] <"c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ> [SQLSERVERAGENT / SQLSERVERAGENT][Stopped/Manual Start] [Trend Micro Client-Server Security Agent Listener / tmlisten][Running/Auto Start] ================================== Drivers [abp480n5 / abp480n5][Running/Boot Start] <\SystemRoot\System32\DRIVERS\ABP480N5.SYS> [adpu160m / adpu160m][Running/Boot Start] <\SystemRoot\System32\DRIVERS\adpu160m.sys> [aeaudio / aeaudio][Running/Manual Start] [Aha154x / Aha154x][Running/Boot Start] <\SystemRoot\System32\DRIVERS\aha154x.sys> [aic78u2 / aic78u2][Running/Boot Start] <\SystemRoot\System32\DRIVERS\aic78u2.sys> [aic78xx / aic78xx][Running/Boot Start] <\SystemRoot\System32\DRIVERS\aic78xx.sys> [AliIde / AliIde][Running/Boot Start] <\SystemRoot\System32\DRIVERS\aliide.sys> [Pilote de filtre du bus AMD AGP / amdagp][Running/Boot Start] <\SystemRoot\System32\DRIVERS\amdagp.sys> [asc / asc][Running/Boot Start] <\SystemRoot\System32\DRIVERS\asc.sys> [asc3350p / asc3350p][Running/Boot Start] <\SystemRoot\System32\DRIVERS\asc3350p.sys> [asc3550 / asc3550][Running/Boot Start] <\SystemRoot\System32\DRIVERS\asc3550.sys> [catchme / catchme][Stopped/Manual Start] <\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys> [cd20xrnt / cd20xrnt][Running/Boot Start] <\

FillPCA · Answer

Re,

1/ 
    *  Sélectionne le texte suivant :

Driver::
a47xxsrv
ServiceCentreAffaires2006
SMTPSVC

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59a99e e8-daf2-11dc-8c2c-000c76f2ea8b}] 
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95ba2d 32-6b50-11dc-8bfa-000c76f2ea8b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad4036 b5-8244-11dc-8c01-000c76f2ea8b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecbe56 7a-5d08-11dc-8bf7-000c76f2ea8b}]

File::
C:\WINDOWS\system32\76C36569A1.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\rdriv.sys
D:\LaunchU3.exe
D:\setupSNK.exe
D:\pjmacronn.exe

Folder::
C:\NMC
C:\program files\ucase software
C:\WINDOWS\System32\inetsrv

    * Copie le texte sélectionné (CTRL+C).
    * Ouvre le bloc-note (programme>Accessoire>bloc-note).
    * Colle le texte copié dans ce bloc-note (CTRL+V).
    * Sauvegarde ce fichier sous le nom de CFScript.txt
    * Fais un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe
    * Une fenêtre bleue va apparaître: au message qui apparaît ( Type 1 to continue, or 2 to abort) , tape 1 puis valide.
    * Patiente le temps du scan. Le bureau va disparaître à plusieurs reprises: c'est normal!
      Ne touche à rien tant que le scan n'est pas terminé.
    * Une fois le scan achevé, un rapport va s'afficher: Poste son contenu.
    * Si le fichier ne s'ouvre pas, il se trouve ici > C:\ComboFix.txt

2/ Edite aussi un nouveau rapport Hijackthis.

3/ Dis-moi comment le pc se porte.

FillPCA

kasta · Answer

le poste refonctionne presque complètement il me manque une application primordial "NMC" logiciel de taxation Alcatel.

Ci dessous le rapport HIJACKTHIS

Et COMBOFIX



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:53, on 2008-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent
trtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent	mlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\HY8B6C.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Alcatel_PIMphony\aocphone.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\ALCATE~1\VMBSER~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Esker\Lanfax Client\Program\mgr.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Esker\Lanfax Client\Program\fgcode.exe
C:\WINDOWS\system32
tvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.jdscenter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WireLessKeyboard] ; C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [WireLessMouse] ; C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PIMphony.lnk = C:\Program Files\Alcatel_PIMphony\aocphone.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jdscenter.local
O17 - HKLM\Software\..\Telephony: DomainName = jdscenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jdscenter.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jdscenter.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{9E708AE9-8F11-4DD9-A320-9785117F0B42}: NameServer = 192.168.4.9
O23 - Service: Administration IIS (IISADMIN) - Unknown owner - C:\WINDOWS\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Scan en temps réel Trend Micro Client/Server Security Agent (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent
trtscan.exe
O23 - Service: Pare-feu personnel Trend Micro Client/Server Security Agent (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client-Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent	mlisten.exe
O23 - Service: Publication World Wide Web (W3SVC) - Unknown owner - C:\WINDOWS\System32\inetsrv\inetinfo.exe (file missing)

FillPCA · Answer

Re,

Autant pour moi. J'ai vu ce logiciel NMC et Google ne renvoyait rien. Le nom du service associé était inconnu et je l'ai fait partir. Le dossier est dans la quarantaine de Combofix.
Il est dans C:\Qoobox\C\NMC
Déplace ce dossier en C:\NMC.

Si ça ne fonctionne pas, on essaiera autrement.

FillPCA

Edite : As-tu le logiicel en cas de ré-installation ?

kasta · Answer

Bonsoir

Les extensions des fichiers sont tous .vir à la suite de leur réel extension

Que faire y a il un backup pour ce dossier NMC.

 
MERCI BEAUCOUP

FillPCA · Answer

Re,

L'outil ajoute en effet cette extension pour rendre les fichiers infectieux inoffensifs. As-tu le logiciel d'installation au cas où ?

FillPCA

FillPCA · Answer

Re,

C'est un pc professionnel ou perso ? Car lles lignes 17 relatives à la connexion Internet ne sont pas les mêmes qu'au début ?

FillPCA

kasta · Answer

PC PRO Avec deux sessions différentes, puisque cela ne marchait pas au debut.
C'est un logiciel particulier connecté sur notre pabx alors je préfèrerais récupérer les dossiers sans les extensions.
Plutôt que de réinstaller.

FillPCA · Answer

Re,

J'ai demandé de l'aide. J'ai bien une idée, mais je ne suis pas certain de mon coup, donc j'attends des confirmations.
Si j'avais su au départ que c'était un pc professionnel, je n'y aurais pas touché.

FillPCA

FillPCA · Answer

Salut,

On peut tenter une restauration système, mais l'opération comporte un risque, et il faudra de toute façon reprendre le nettoyage car l'infection va revenir. Donc il y a 2 possibilités :
1/ Ré-installer le programme légitime supprimé à partir du logiciel,
2/ Restaurer à une date antérieure au passage de l'outil (Hier à 13 h 19 apparemment d'après le rapport Combofix), sachant que la manip est incertaine.

FillPCA

kasta · Answer

Je vous remercie pour tous vos conseils

y a t il un moyen de renommer ces fichiers sans le vir uniquement ?

Sinon je vais opter pour la réinstalle.

Un grand merci

FillPCA · Answer

Re,

Le problème, c'est que les fichiers, il y en a un sacré paquet (plusieurs centaines d'après le rapport Combofix). Et en plus, il y a un service du registre qui a été supprimé (en gros, c'est la procédure d'appel du programme). Donc même si tu renommais les fichiers, le programme ne fonctionnerait pas à mon avis.

FillPCA

Virus _ Analyse HIJACKTHIS

15 réponses

Discussions similaires