Yet another trojan: Trojan-Downloader.Win32.Bagl

drsnoggle -  
 jensèrien -
Hello everyone,
Since last night I have spent hours trying to follow various pieces of advice from the Q&As already posted here and on a few other forums.

For the record, it was when opening an .exe downloaded from emule, with avast as antivirus (I THINK I'm going to switch!), that I noticed avast had stopped. I restart it. It tells me avast-something-or-other is not a valid win32 application.
So I uninstall it, reinstall it, and it's the same.

That's when I went off to the forums. But there, oh misery, :P most of the utilities don't work either ("not a valid win32 application" when I try to install them): highjackthis, a-square, etc., none of them work. Elibagla worked, found a virus it says it removed, but nothing changed.

I was only able to run a kaspersky online scan, elibagla, smitfraudfix (being forced to use that weird thing microsoft calls a web browser, you know..... anyway, I'd better shut up, sorry :P)
So in the report below, I found the trojan (which I put in the title of my message)



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 29, 2008 10:53:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/02/2008
Kaspersky Anti-Virus database records: 590811
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Admin\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 13863
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:49:14

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antiviru.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_618.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\DOCUME~1\Admin\LOCALS~1\Temp\Perflib_Perfdata_588.dat Object is locked skipped
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.547\Grand Theft Auto (8-bit) demo.exe Infected: Trojan-Downloader.Win32.Bagle.kp skipped

Scan process completed.
------------


I found a page with a list of viruses, spyware, trojans etc., and I found the one kaspersky reported to me:

Trojan-Downloader.Win32.Bagle.kp

(while I was at it, I deleted the file in question C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.547\Grand Theft Auto (8-bit) demo.exe --- maybe I shouldn't have?? oops. In any case I don't know what got into me, carelessly opening something that suspicious!)

PROBLEM! I haven't found a small dedicated utility to destroy this trojan: the page I mentioned recommends a-squared something-or-other for that, but it's impossible to install! Argh. Should I get ready to format?

Well. Thanks already for reading me. One or two more reports for the road? Yeah. Woohoo. - Thanks avast, long live emule! - At least I'll have learned something: don't download and open any old .exe without thinking, obviously. What a moron I am!


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 29, 2008 11:13:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/02/2008
Kaspersky Anti-Virus database records: 590811
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Memory:

Scan Statistics:
Total number of scanned objects: 1549
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:17:31

Infected Object Name / Virus Name / Last Action
[0] [System Process] => C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll Infected: not-a-virus:AdWare.Win32.Shopper.v skipped
[3632] IEXPLORE.EXE => C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll Infected: not-a-virus:AdWare.Win32.Shopper.v skipped

Scan process completed.

----------



************************************************************************************
"Silent Runners.vbs", revision 56, https://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SuperCopier2.exe" = "C:\Program Files\SuperCopier2\SuperCopier2.exe" [file not found]
"TuneUp MemOptimizer" = ""C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]
"NVIDIA nTune" = ""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"(Default)" = (empty string) [file not found]
"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Adobe_ID0EYTHM" = "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" ["Adobe Systems Incorporated"]
"Mobile Phone Suite" = "C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe -nogui" [empty string]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"a-squared" = ""C:\Program Files\a-squared Anti-Malware\a2guard.exe"" ["Emsi Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ReEXEc" = "C:\Documents and Settings\Admin\My Documents\Installers\ELIBAGLA.09032008.EXE" ["Satinfo S.L."]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Aide pour le lien d'Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{100EB1FD-D03E-47FD-81F3-EE91287F9465}\(Default) = "ShoppingReport"
-> {HKLM...CLSID} = "ShoppingReport"
\InProcServer32\(Default) = "C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll" ["ShopperReports"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{F62A47A7-4CA3-9D00-95A3-6724d43a9E8C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IEHlprObj Class"
\InProcServer32\(Default) = "LineAudio.dll" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mes dossiers de partage"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_BINARY) hex:03 00 1F 00
{unrecognized setting}

"NoSharedDocuments" = (REG_BINARY) hex:01 00 00 00
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}

"DisallowRun" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]


Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"hp psc 1000 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"FRU Task #Hewlett-Packard#hp psc 1200 series#1192504614" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1192504614"" [empty string]
"Maintenance en 1 clic" -> launches: "C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{A7CDDCDC-BEEB-4685-A062-978F5E07CEEE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ShopperReports"
\InProcServer32\(Default) = "C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll" ["ShopperReports"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Rechercher"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherche"

{C5428486-50A0-4A02-9D20-520B59A9F9B2}\
"ButtonText" = "ShopperReports - Compare product prices"
"CLSIDExtension" = "{C9CCBB35-D123-4a31-AFFC-9B2933132116}"
-> {HKLM...CLSID} = "IEButton"
\InProcServer32\(Default) = "C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll" ["ShopperReports"]

{C5428486-50A0-4A02-9D20-520B59A9F9B3}\
"ButtonText" = "ShopperReports - Compare travel rates"
"CLSIDExtension" = "{A16AD1E9-F69A-45af-9462-B1C286708842}"
-> {HKLM...CLSID} = "IEButtonA"
\InProcServer32\(Default) = "C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll" ["ShopperReports"]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Extension de conception TuneUp, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
nTune Service, nTuneService, "C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-03-01 00:41:47)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 20 seconds, including 5 seconds for message boxes)


************************************************************************************

ELIBAGLA



Fri Feb 29 21:28:29 2008
EliBagle v11.09 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.

Sat Mar 01 00:30:05 2008
EliBagle v11.09 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
Restaurada Clave: "SafeBoot\Minimal y Network"
Reinicie para Completar la Limpieza.

Sat Mar 01 00:31:04 2008
EliBagle v11.09 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\Program Files\SuperCopier2\SUPERCOPIER2.EXE --> Eliminado Bagle.dldr

Nº Total de Directorios: 11939
Nº Total de Ficheros: 131184
Nº de Ficheros Analizados: 10374
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 1

Sat Mar 01 00:42:33 2008
EliBagle v11.09 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
Reinicie para Completar la Limpieza.

Sat Mar 01 00:47:50 2008
EliBagle v11.09 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
Reinicie para Completar la Limpieza.

Sat Mar 01 00:47:59 2008
EliBagle v11.09 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\

Nº Total de Directorios: 11939
Nº Total de Ficheros: 131451
Nº de Ficheros Analizados: 10374
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

************************************************************************************
-------------------------------

SmitFraudFix v2.299


Scan done at 0:19:42.57, 01.03.2008
Run from C:\Documents and Settings\Admin\My Documents\Installers\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Admin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Attansic L1 Gigabit Ethernet 10/100/1000Base-T Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C3FB136C-25FC-4F5F-87DD-1AA549FA20D9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C3FB136C-25FC-4F5F-87DD-1AA549FA20D9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


And one more for the road

************************************************************************************


SmitFraudFix v2.299


Report generated at 0:26:09.09, 01.03.2008
Run from C:\Documents and Settings\Admin\My Documents\Installers\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The file system type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: Attansic L1 Gigabit Ethernet 10/100/1000Base-T Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C3FB136C-25FC-4F5F-87DD-1AA549FA20D9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C3FB136C-25FC-4F5F-87DD-1AA549FA20D9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Attansic L1 Gigabit Ethernet 10/100/1000Base-T Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C3FB136C-25FC-4F5F-87DD-1AA549FA20D9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C3FB136C-25FC-4F5F-87DD-1AA549FA20D9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Apologies for such a long post, I hope all these reports aren't too useless...
Thanks for your help :/
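What the SmitFraudFix sections above are actually checking, as an added example (not SmitFraudFix's own code): the DNS block lists every resolver written into the Tcpip keys, and the AppInit_DLLs and Winlogon "System" blocks print two autostart hooks that should both be empty on a clean XP install. The script below parses a report of that shape and flags a resolver outside the LAN ranges or a non-empty hook. The two report strings are constructed: the clean one abridges the sections posted above, the tampered one adds a placeholder public resolver (203.0.113.53) and a made-up DLL name (hook_example.dll) so that both checks fire.

```python
"""Triage of the SmitFraudFix report sections shown above.

Added example; this is not SmitFraudFix code. It reads the DNS and autostart
hook sections the tool prints and flags resolvers outside the LAN ranges and
non-empty AppInit_DLLs / Winlogon "System" values.
"""
import ipaddress
import re

# RFC 1918 plus loopback. Deliberately not ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: the clean sections of the report above, abridged.
REPORT_CLEAN = r'''
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» DNS
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C3FB136C-25FC-4F5F-87DD-1AA549FA20D9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
'''

# Constructed tampered variant: a second resolver on a public address in the
# adapter key and a DLL in AppInit_DLLs. 203.0.113.53 and hook_example.dll are
# placeholders, not indicators from any real case.
REPORT_TAMPERED = REPORT_CLEAN.replace(
    '"AppInit_DLLs"=""',
    r'"AppInit_DLLs"="C:\WINDOWS\system32\hook_example.dll"',
).replace(
    "}: DhcpNameServer=192.168.1.1",
    "}: DhcpNameServer=192.168.1.1 203.0.113.53",
)

NS_RE = re.compile(
    r"(?:DNS Server Search Order:|(?:Dhcp)?NameServer=)\s*"
    r"([0-9.]+(?:[ ,]+[0-9.]+)*)"
)
HOOK_RE = re.compile(r'^"(AppInit_DLLs|System)"="(.*)"$', re.M)


def name_servers(report: str) -> list:
    """Every resolver the report lists, in order, without duplicates.
    DhcpNameServer is space separated, a static NameServer is comma separated."""
    servers = []
    for m in NS_RE.finditer(report):
        for s in re.split(r"[ ,]+", m.group(1)):
            if s and s not in servers:
                servers.append(s)
    return servers


def rogue_name_servers(report: str) -> list:
    """Resolvers that are not on the LAN. A home box behind a router normally
    points only at the router; a public address written into the Tcpip keys is
    the DNS hijack pattern this report section exists to expose."""
    rogue = []
    for s in name_servers(report):
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            rogue.append(s)  # unparsable value: look at it too
            continue
        if not any(ip in net for net in LAN_RANGES):
            rogue.append(s)
    return rogue


def non_empty_hooks(report: str) -> dict:
    """AppInit_DLLs / Winlogon "System" values that are not "". A clean XP
    install has both empty: a DLL listed in AppInit_DLLs is loaded into every
    process that maps user32.dll, and Winlogon\\System runs as SYSTEM at logon."""
    return {m.group(1): m.group(2) for m in HOOK_RE.finditer(report) if m.group(2)}


def triage(report: str) -> dict:
    return {"rogue_dns": rogue_name_servers(report), "hooks": non_empty_hooks(report)}


if __name__ == "__main__":
    for label, rep in (("clean", REPORT_CLEAN), ("tampered", REPORT_TAMPERED)):
        print(label, triage(rep))
```

On the report posted above both checks come back empty: the only resolver is the router at 192.168.1.1 and both hooks are "", which is why the tool printed nothing under those headers.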

6 replies

Profil bloqué
 
Hi, have you tried doing it my way? First, change antivirus: get Antivir, with Zone Alarm as firewall (both free). So here is my method:

- step 1: HijackThis, post the report right here

- step 2:
get Dr Web CureIt!, quick scan then full scan

- step 3:
AVG Anti-Spyware and A-squared, update both

- step 4:
CCleaner, repair and clean

- step 5:
Disk Defrag

- step 6:
SmitFraudFix, choose the second option, then after a while it will ask you "do you want to clean the registry", answer yes

- step 7:
post a new HijackThis log
0
drsnoggle
 
Wow, quick reply, that's nice!
Unfortunately, impossible to run HijackThis (tried downloading it three times, installing it in Program Files, then in a dedicated folder directly on C:, nothing works): "..... is not a valid win32 application"

So now I'm trying Dr Web.... which tells me it isn't a valid win32 application either.

Looks like I have a virus that attacks all these utilities.

sniff.

Thanks anyway!!
0
Profil bloqué
 
Did you try the others?
0
drsnoggle
 
I had already tried and they didn't work, but now, miracle, I managed to install a-squared Free and launch a scan.
I chose deep scan, so it may take several more hours.

hmmm, so see you later! :/ thanks
0
drsnoggle
 
So here is the result of the a-squared Free scan:

a-squared Free - Version 3.1
Last update: 01.03.2008 11:40:38

Scan settings:

Objects: Memory, Traces, Cookies, C:\, K:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 01.03.2008 11:41:05

C:\Documents and Settings\Admin\Cookies\admin@247realmedia[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@2o7[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@adserver.futura-sciences[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@advertising[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@atdmt[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@bluestreak[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@computerhope[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@fastclick[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@hotbar[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@media.licenseacquisition[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@mediaplex[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@smartadserver[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@statcounter[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@tradedoubler[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@tribalfusion[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Cookies\admin@weborama[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:28 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:35 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:170 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:171 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:172 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:192 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:193 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:194 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:200 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:223 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:228 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:229 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:230 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:279 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:280 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:281 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:290 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:295 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:296 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:297 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:298 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:301 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:385 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:386 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:396 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:397 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:399 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:400 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:401 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:402 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:405 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:436 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:460 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:461 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:462 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:463 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:472 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:570 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:612 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:618 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:633 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:666 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:667 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:687 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:690 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:756 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:757 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:774 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:847 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:849 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\My Documents\Installers\Nero-7.8.5.0_fra_trial.exe/Toolbar.exe detected: Adware.Win32.MyWebSearch
C:\Documents and Settings\Admin\My Documents\Installers\smitfraudfix\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\Admin\My Documents\Installers\smitfraudfix\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f
C:\Documents and Settings\Admin\My Documents\Installers\smitfraudfix\SmitfraudFix.zip/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\Admin\My Documents\Installers\smitfraudfix\SmitfraudFix.zip/Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f
K:\Documents de Armand\installers\Everest Poker.exe detected: Adware.Win32.Casino.af
K:\Documents de Armand\installers\SmileyCentralFFSetup2.0.3.24.exe detected: Adware.ToolBar.MyWebSearch
K:\Documents de Armand\installers\P2P-navigateurs-msn-etc\EvID4226Patch-pour-emule.exe detected: Email-Worm.Win32.Runouce.b
K:\Documents de Armand\ARCHIVE\backup-ipod-fev06\bureau\sysreset253.exe detected: Riskware.Client-IRC.Win32.mIRC.614

Scanned

Files: 440596
Traces: 155923
Cookies: 1048
Processes: 31

Found

Files: 9
Traces: 0
Cookies: 67
Processes: 0
Registry keys: 0

Scan end: 01.03.2008 13:12:23
Scan time: 1:31:18

K:\Documents de Armand\ARCHIVE\backup-ipod-fev06\bureau\sysreset253.exe Quarantined Riskware.Client-IRC.Win32.mIRC.614
K:\Documents de Armand\installers\P2P-navigateurs-msn-etc\EvID4226Patch-pour-emule.exe Quarantined Email-Worm.Win32.Runouce.b

Quarantined

Files: 2
Traces: 0
Cookies: 0


I quarantined 2 objects... apparently nothing very useful...
I don't know what else to do other than format :(
0
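Reading the a-squared log above the way a responder would, as an added example (this is not a-squared's code, and the log excerpt in it is a constructed copy of one line of each kind from the post): sort the "detected:" lines by threat class, count tracking cookies separately, mark hits that sit inside an archive or installer (the member was scanned, not run), and set aside the RiskTool hits on SmitFraudFix's own Process.exe and Reboot.exe, which kill processes and force reboots and are flagged for that reason. The severity order and the "\smitfraudfix\" folder marker are this example's own assumptions.

```python
"""Triage of the a-squared scan log above.

Added example; this is not a-squared code. It sorts the "detected:" lines by
threat class, counts tracking cookies separately, marks hits that sit inside
an archive or installer, and sets aside the RiskTool hits on SmitFraudFix's own
helpers so the few real findings stand out.
"""
import re

# Constructed excerpt: one line of each kind from the log above, same format.
SAMPLE_LOG = r"""
a-squared Free - Version 3.1
Scan start: 01.03.2008 11:41:05

C:\Documents and Settings\Admin\Cookies\admin@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\qna0q4i9.default\cookies.txt:28 detected: Trace.TrackingCookie
C:\Documents and Settings\Admin\My Documents\Installers\Nero-7.8.5.0_fra_trial.exe/Toolbar.exe detected: Adware.Win32.MyWebSearch
C:\Documents and Settings\Admin\My Documents\Installers\smitfraudfix\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\Admin\My Documents\Installers\smitfraudfix\SmitfraudFix.zip/Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f
K:\Documents de Armand\installers\P2P-navigateurs-msn-etc\EvID4226Patch-pour-emule.exe detected: Email-Worm.Win32.Runouce.b
K:\Documents de Armand\ARCHIVE\backup-ipod-fev06\bureau\sysreset253.exe detected: Riskware.Client-IRC.Win32.mIRC.614

Scanned

Files: 440596
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) detected: (?P<name>\S+)$", re.M)
# "container/member": the member was scanned inside a zip or installer and has
# not been executed as such.
ARCHIVE_RE = re.compile(r"\.(zip|rar|cab|exe)/", re.I)
# Folder the poster ran SmitFraudFix from; its Process.exe/Reboot.exe kill
# processes and force reboots, which heuristics label RiskTool. Assumed marker.
CLEANUP_TOOL_MARKER = "\\smitfraudfix\\"
# Rough triage order, most urgent first. Unknown classes sort to -1, i.e. first,
# so nothing unfamiliar is buried. This ordering is the example's own choice.
SEVERITY = {"Email-Worm": 0, "Worm": 0, "Trojan": 0, "Backdoor": 0,
            "Adware": 2, "Riskware": 3, "Trace": 4}


def parse_detections(log: str) -> list:
    """One dict per 'path detected: Name' line."""
    hits = []
    for m in DETECTION_RE.finditer(log):
        path, name = m.group("path"), m.group("name")
        hits.append({
            "path": path,
            "name": name,
            "family": name.split(".", 1)[0],
            "in_archive": bool(ARCHIVE_RE.search(path)),
            "cleanup_tool": CLEANUP_TOOL_MARKER in path.lower(),
        })
    return hits


def triage(log: str) -> dict:
    """Cookies become a count; tool helpers go to their own bucket; the rest is
    ranked by severity, loose files ahead of archive members."""
    hits = parse_detections(log)
    cookies = [h for h in hits if h["family"] == "Trace"]
    tool = [h for h in hits if h["cleanup_tool"] and h["family"] == "Riskware"]
    rest = [h for h in hits if h not in cookies and h not in tool]
    rest.sort(key=lambda h: (SEVERITY.get(h["family"], -1), h["in_archive"], h["path"]))
    return {"cookies": len(cookies), "cleanup_tool_hits": len(tool), "ranked": rest}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['cookies']} tracking cookies, "
          f"{result['cleanup_tool_hits']} hits on the cleanup tool's own helpers")
    for h in result["ranked"]:
        where = "in archive" if h["in_archive"] else "loose file"
        print(f"{h['name']:40} {where:11} {h['path']}")
```

Run against the full log, this leaves three lines worth attention: the Email-Worm on the EvID4226 patch from the P2P folder, the MyWebSearch toolbar inside the Nero installer, and the mIRC client in an old backup. Note also what the log's Found block says: Processes: 0 and Registry keys: 0, so nothing running was flagged, and none of these hits accounts for executables being refused as "not a valid win32 application"; the two quarantined files were on K:, not on the system drive.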
Profil bloqué
 
uh, get this: http://fr.brothersoft.com/Registry-Booster-download-113990.html
0

drsnoggle
 
So yes, I already had it, I cleaned my registry but... nothing much new.

Any other ideas???
I'm looooost...

thanks
0
jensèrien
 
Hello,

At the end of December I ended up with a trojan I-don't-remember-what, which I couldn't get rid of either, despite trying several programs one after another, including Avast, A-Squared, Adaware, Spybot etc. In the end I simply pasted the name of the trojan in question into Google, and I landed on the site secuser.com (by the way, I subscribe to their (free) newsletter, which can be very useful). There I found a description of exactly the problem I had on my computer, and the site offered a tiny antirootkit program to download, supposed to get rid of my trojan for good.

Well, it worked really well!!! Trojan destroyed, dead and buried, in the blink of an eye!

You never know, go take a look at secuser.com. The solution to your problem may be there.
0