Infection spyware (virus ranger, winsecure..) Résolu/Fermé

Question

Bonjour,

sur l'ordinateur d'un ami il semble que plusieurs spywares soient installes. J'ai installe The Cleaner et fait une analyse et j'ai trouve un "win32"
voici le rapport :

The Cleaner Log 02/03/2008 00:22:29

Windows XP SP2, Using advanced Kernel functions, Free version

 Program version: 5.0.0.152
Database version: 1025
  Last full scan: 01/03/2008 22:20:56
     Last update: 01/03/2008 21:49:46
Using heuristics: 1
Heuristics level: 5,00

Processes
---------
656 - C:\WINDOWS\System32\smss.exe - Windows NT Session Manager
716 - C:\WINDOWS\system32\csrss.exe - Client Server Runtime Process
740 - C:\WINDOWS\system32\winlogon.exe - Windows NT Logon Application
788 - C:\WINDOWS\system32\services.exe - Services and Controller app
800 - C:\WINDOWS\system32\lsass.exe - LSA Shell (Export Version)
952 - C:\WINDOWS\system32\svchost.exe - Generic Host Process for Win32 Services
1004 - C:\WINDOWS\system32\svchost.exe - Generic Host Process for Win32 Services
1044 - C:\WINDOWS\system32\svchost.exe - Generic Host Process for Win32 Services
1112 - C:\WINDOWS\system32\svchost.exe - Generic Host Process for Win32 Services
1224 - C:\WINDOWS\system32\svchost.exe - Generic Host Process for Win32 Services
1444 - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe - Common Client Settings Manager Service
1472 - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe - Common Client Event Manager Service
1588 - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe - Ad-Aware 2007 Service
1756 - C:\WINDOWS\system32\spoolsv.exe - Spooler SubSystem App
1804 - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe - Logitech LVPrcSrv Module.
1912 - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE - Machine Debug Manager
1964 - MioNetManager.e - MioNetManager.e
2000 - C:\Program Files\Norton AntiVirus
avapsvc.exe - Norton AntiVirus Auto-Protect Service
156 - C:\Program Files\Norton AntiVirus\SAVScan.exe - Symantec AntiVirus Scanner
240 - C:\Program Files\MioNet\jvm\bin\MioNet.exe - C:\Program Files\MioNet\jvm\bin\MioNet.exe
416 - C:\WINDOWS\system32\svchost.exe - Generic Host Process for Win32 Services
532 - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe - Norton Security Center Service
1908 - C:\WINDOWS\System32\alg.exe - Application Layer Gateway Service
2388 - C:\WINDOWS\Explorer.EXE - Windows Explorer
2676 - C:\Program Files\NetProject\scit.exe - C:\Program Files\NetProject\scit.exe
2688 - C:\Program Files\NetProject\sbmntr.exe - C:\Program Files\NetProject\sbmntr.exe
2720 - C:\WINDOWS\system32\igfxtray.exe - igfxTray Module
2732 - C:\WINDOWS\system32\hkcmd.exe - hkcmd Module
2744 - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
2816 - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe - TouchPad Driver Helper Application
2828 - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe - Synaptics TouchPad Enhancements
2848 - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe - HP Framework Component Manager Service
2872 - C:\WINDOWS\system32\hphmon05.exe - HPHmon05
2888 - C:\Program Files\QuickTime\qttask.exe - C:\Program Files\QuickTime\qttask.exe
2908 - iTunesHelper.ex - iTunesHelper.ex
2924 - C:\Program Files\Common Files\Symantec Shared\ccApp.exe - Common Client User Session
2960 - C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe - Quick Launch Buttons
2980 - C:\WINDOWS\vphc700.exe - CameraMonitor Application
3000 - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
3012 - C:\WINDOWS\system32\hphmon04.exe - HPHmon04
3040 - C:\WINDOWS\system32\LVCOMSX.EXE - LVCom Server
3264 - CameraAssistant - CameraAssistant
3280 - C:\Program Files\NetProject\sbsm.exe - C:\Program Files\NetProject\sbsm.exe
3428 - C:\Program Files\NetProject\scm.exe - C:\Program Files\NetProject\scm.exe
3468 - C:\Program Files\iPod\bin\iPodService.exe - iPodService Module
3472 - C:\WINDOWS\system32\ElkCtrl.exe - Logitech Camera Service(E)
3608 - C:\WINDOWS\system32\ctfmon.exe - CTF Loader
3684 - C:\Program Files\Skype\Phone\Skype.exe - Skype. Take a deep breath 
3724 - GoogleToolbarNo - GoogleToolbarNo
3904 - LogitechDesktop - LogitechDesktop
928 - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - HP Digital Imaging Monitor
792 - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe - SonyTray.exe
1356 - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe - Residence
2092 - C:\Program Files\Philips\SPC 700NC PC Camera\TrayMin700.exe - TrayMin MFC Application
2124 - C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe - HP CUE Status
3332 - C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe -  
1300 - C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe - Hewlett-Packard Product Assistant
2448 - C:\Program Files\Skype\Plugin Manager\skypePM.exe - Skype Extras Manager
3396 - C:\Program Files\Windows Live\Messenger\usnsvc.exe - Messenger Sharing USN Journal Reader Service
4448 - C:\Program Files\The Cleaner Free\cleaner.exe - The Cleaner v5 GUI
5980 - C:\Program Files\Messenger\msmsgs.exe - Windows Messenger

Services
--------
C:\WINDOWS\system32\alg.exe=ALG
C:\WINDOWS\system32\svchost.exe=AudioSrv
C:\WINDOWS\system32\svchost.exe=BITS
C:\WINDOWS\system32\svchost.exe=CryptSvc
C:\WINDOWS\system32\svchost.exe=DcomLaunch
C:\WINDOWS\system32\svchost.exe=Dhcp
C:\WINDOWS\system32\svchost.exe=Dnscache
C:\WINDOWS\system32\svchost.exe=ERSvc
C:\WINDOWS\system32\services.exe=Eventlog
c:\windows\system32\svchost.exe=EventSystem
C:\WINDOWS\system32\svchost.exe=FastUserSwitchingCompatibility
C:\WINDOWS\system32\svchost.exe=helpsvc
C:\WINDOWS\system32\svchost.exe=HidServ
c:\program files\ipod\bin\ipodservice.exe=iPodService
C:\WINDOWS\system32\svchost.exe=lanmanserver
C:\WINDOWS\system32\svchost.exe=lanmanworkstation
C:\WINDOWS\system32\svchost.exe=LmHosts
c:\program files\common files\logitech\lvmvfm\lvprcsrv.exe=LVPrcSrv
c:\program files\mionet\mionetmanager.exe=MioNet
C:\WINDOWS\system32\svchost.exe=Netman
C:\WINDOWS\system32\svchost.exe=Nla
C:\WINDOWS\system32\services.exe=PlugPlay
C:\WINDOWS\system32\lsass.exe=PolicyAgent
C:\WINDOWS\system32\lsass.exe=ProtectedStorage
C:\WINDOWS\system32\svchost.exe=RasMan
C:\WINDOWS\system32\svchost.exe=RpcSs
C:\WINDOWS\system32\lsass.exe=SamSs
C:\WINDOWS\system32\svchost.exe=Schedule
C:\WINDOWS\system32\svchost.exe=seclogon
C:\WINDOWS\system32\svchost.exe=SENS
C:\WINDOWS\system32\svchost.exe=SharedAccess
C:\WINDOWS\system32\svchost.exe=ShellHWDetection
C:\WINDOWS\system32\spoolsv.exe=Spooler
C:\WINDOWS\system32\svchost.exe=srservice
C:\WINDOWS\system32\svchost.exe=SSDPSRV
C:\WINDOWS\system32\svchost.exe=stisvc
C:\WINDOWS\system32\svchost.exe=TapiSrv
C:\WINDOWS\system32\svchost.exe=TermService
C:\WINDOWS\system32\svchost.exe=Themes
C:\WINDOWS\system32\svchost.exe=TrkWks
C:\WINDOWS\system32\svchost.exe=W32Time
C:\WINDOWS\system32\svchost.exe=WebClient
C:\WINDOWS\system32\svchost.exe=winmgmt
C:\WINDOWS\system32\svchost.exe=wscsvc
C:\WINDOWS\system32\svchost.exe=wuauserv
C:\WINDOWS\system32\svchost.exe=WZCSVC

Registry
--------
000=HKCU\Run: BackupNotify=c:\program files\hp\digital imaging\bin\backupnotify.exe
000=HKCU\Run: ctfmon.exe=c:\windows\system32\ctfmon.exe
000=HKCU\Run: LDM=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe
000=HKCU\Run: MsnMsgr="c:\program files\windows live\messenger\msnmsgr.exe" /background
000=HKCU\Run: Skype="c:\program files\skype\phone\skype.exe" /nosplash /minimized
000=HKCU\Run: swg=c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
000=HKCU\Run: updateMgr=c:\program files\adobe\acrobat 7.0eader\adobeupdatemanager.exe
000=HKLM\Run: ccApp="c:\program files\common files\symantec shared\ccapp.exe"
000=HKLM\Run: Cpqset=c:\program files\hpq\default settings\cpqset.exe
000=HKLM\Run: DXDllRegExe=dxdllreg.exe
000=HKLM\Run: eabconfg.cpl=c:\program files\hpq\quick launch buttons\eabservr.exe
000=HKLM\Run: HotKeysCmds=c:\windows\system32\hkcmd.exe
000=HKLM\Run: HP Component Manager="c:\program files\hp\hpcoretech\hpcmpmgr.exe"
000=HKLM\Run: HPDJ Taskbar Utility=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
000=HKLM\Run: HPHmon04=c:\windows\system32\hphmon04.exe
000=HKLM\Run: HPHmon05=c:\windows\system32\hphmon05.exe
000=HKLM\Run: HPHUPD04="c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
000=HKLM\Run: HPHUPD05=c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
000=HKLM\Run: IgfxTray=c:\windows\system32\igfxtray.exe
000=HKLM\Run: iTunesHelper=c:\program files\itunes\ituneshelper.exe
000=HKLM\Run: LogitechCameraAssistant=c:\program files\logitech\video\cameraassistant.exe
000=HKLM\Run: LogitechCameraService(E)=c:\windows\system32\elkctrl.exe
000=HKLM\Run: LogitechVideo[inspector]=c:\program files\logitech\video\installhelper.exe
000=HKLM\Run: LVCOMSX=c:\windows\system32\lvcomsx.exe
000=HKLM\Run: phc700=c:\windows\vphc700.exe
000=HKLM\Run: QuickTime Task="c:\program files\quicktime\qttask.exe" -atboottime
000=HKLM\Run: SunJavaUpdateSched=c:\program files\java\j2re1.4.2_03\bin\jusched.exe
000=HKLM\Run: SynTPEnh=c:\program files\synaptics\syntp\syntpenh.exe
000=HKLM\Run: SynTPLpr=c:\program files\synaptics\syntp\syntplpr.exe
000=HKLM\Run: UpdateManager="c:\program files\common files\sonic\update manager\sgtray.exe" /r
001=Firewall bypass: %windir%\Network Diagnostic\xpnetdiag.exe=c:\windows
etwork diagnostic\xpnetdiag.exe
001=Firewall bypass: %windir%\system32\sessmgr.exe=c:\windows\system32\sessmgr.exe
001=Firewall bypass: C:\Documents and Settings\Mon Ordinateur\Local Settings\Temporary Internet Files\Content.IE5\TJJXJ9BC\incredimail_install[1].exe=c:\documents and settings\mon ordinateur\local settings	emporary internet files\content.ie5	jjxj9bc\incredimail_install[1].exe
001=Firewall bypass: C:\Program Files\EarthLink TotalAccess\TaskPanl.exe=c:\program files\earthlink totalaccess	askpanl.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe=c:\program files\hp\digital imaging\bin\hpfccopy.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe=c:\program files\hp\digital imaging\bin\hpoews01.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe=c:\program files\hp\digital imaging\bin\hpofxm08.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe=c:\program files\hp\digital imaging\bin\hposfx08.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hposid01.exe=c:\program files\hp\digital imaging\bin\hposid01.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe=c:\program files\hp\digital imaging\bin\hpqcopy.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe=c:\program files\hp\digital imaging\bin\hpqkygrp.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe=c:\program files\hp\digital imaging\bin\hpqscnvw.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe=c:\program files\hp\digital imaging\bin\hpqste08.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe=c:\program files\hp\digital imaging\bin\hpqtra08.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe=c:\program files\hp\digital imaging\bin\hpzwiz01.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe=c:\program files\hp\digital imaging\unload\hpqdia.exe
001=Firewall bypass: C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe=c:\program files\hp\digital imaging\unload\hpqphunl.exe
001=Firewall bypass: C:\Program Files\IncrediMail\bin\ImApp.exe=c:\program files\incredimail\bin\imapp.exe
001=Firewall bypass: C:\Program Files\IncrediMail\bin\ImpCnt.exe=c:\program files\incredimail\bin\impcnt.exe
001=Firewall bypass: C:\Program Files\IncrediMail\bin\IncMail.exe=c:\program files\incredimail\bin\incmail.exe
001=Firewall bypass: C:\Program Files\iTunes\iTunes.exe=c:\program files\itunes\itunes.exe
001=Firewall bypass: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe
001=Firewall bypass: C:\Program Files\Messenger\msmsgs.exe=c:\program files\messenger\msmsgs.exe
020=SSODL: CDBurn=C:\WINDOWS\system32\shell32.dll
020=SSODL: PostBootReminder=C:\WINDOWS\system32\shell32.dll
020=SSODL: SysTray=c:\windows\system32\stobject.dll
020=SSODL: WebCheck=c:\windows\system32\webcheck.dll
030=BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670}=c:\program files\yahoo!\companion\installs\cpn\yt.dll (Yahoo! Toolbar Helper)
030=BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3}=(null) ()
030=BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045}=(null) ()
030=BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6}=c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll (Programme d'aide de l'Assistant de connexion Windows Live)
030=BHO: {A3D76B96-30B9-4DCC-9B3D-D12E31280D29}=c:\program files\helper\1203980239.dll (e404mgr Class)
030=BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll (Google Toolbar Helper)
030=BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll (Google Toolbar Notifier BHO)
030=BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=c:\program files\windows live toolbar\msntb.dll (Windows Live Toolbar Helper)
030=BHO: {BDF3E430-B101-42AD-A544-FADC6B084872}=c:\program files
orton antivirus
avshext.dll (CNavExtBho Class)
030=BHO: {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}=c:\program files
etproject\sbmdl.dll (xxx)
030=BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=(null) ()
031=Toolbar: {01E04581-4EEE-11D0-BFE9-00AA005B4383}=C:\WINDOWS\system32\browseui.dll
031=Toolbar: {0E5CBF21-D15F-11D0-8301-00AA005B4383}=C:\WINDOWS\system32\shell32.dll
031=Toolbar: {81705D67-3F73-4983-859B-97D0922E5ABE}=c:\program files
etproject\wamdl.dll
031=Toolbar: {F2CF5485-4E02-4F68-819C-B92DE9277049}=c:\windows\system32\ieframe.dll
031=Toolbar: ITBar7Layout=(null)
031=Toolbar: {81705D67-3F73-4983-859B-97D0922E5ABE}=c:\program files
etproject\wamdl.dll

Startup Folders
---------------
Common: hp digital imaging monitor.lnk -> C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
Common: hp image zone fast start.lnk -> C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe
Common: logitech desktop messenger.lnk -> C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LOGITE~1.EXE
Common: picture package menu.lnk -> C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~3\SonyTray.exe
Common: picture package vcd maker.lnk -> C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~1\RESIDE~1.EXE
Common: traymin700.exe.lnk -> C:\PROGRA~1\Philips\SPC700~1\TRAYMI~1.EXE

HOSTS
-----
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


Voila j'espere que quelqu'un pourra m'aider. Le pc tourne sous windows XP home edition SP2. Si besoin je pourrais installer et faire une analyse avec Hijack this.

Un immense merci a celui qui trouvera une solution au probleme!!!

jlpjlp · Answer

slt,


smit fraud fix (colle le rapport)

1/ telecharger :

http://siri.urz.free.fr/Fix/SmitfraudFix.php

2/ double clique sur smitfraudfix. puis sélectionne 1 et appuyer sur entrée afin de créer le rapport des infection présentes. une fois le rapport effectué redémarre en mode sans échec (en appuyant sur F8 ou suppr, ou F5 au démarrage en général) 

3/ puis refaire comme en 2/ mais sélectionne l'option 2 et appuyer sur entrée pour commencer la désinfection. lorsque le programme demande si tu veut nettoyer le registre mets oui en tapant 0 et entrée

________________


colle un rapport hijackthis 
 
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

manuel :

https://leblogdeclaude.blogspot.com/2006/10/informatique-section-hijackthis.html


Je conseille de renomer Hijackthis, pour contrer une éventuelle infection de Vundo. 

ex:Renomme le fichier HijackThis.exe en eden.exe pour cela, fais un clic droit sur le fichier HijackThis.exe et choisis renommer dans la liste 

Ensuite avec Explorer créer un dossier c:\hijackthis 
Décompresser Hijackthis dans ce dossier. 
C'est important pour les sauvegardes."

meeko12 · Answer

le rapport de smit fraud fix

SmitFraudFix v2.299

Scan done at 15:43:56,22, 02/03/2008
Run from C:\Users\Camille\Downloads\SmitfraudFix
OS: Microsoft Windows [version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsgk32st.exe
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\FSGK32.EXE
C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSMB32.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FCH32.EXE
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fssm32.exe
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsqh.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FAMEH32.EXE
C:\Program Files\Orange\AntivirusFirewall\FSAUA\program\fsaua.exe
C:\Program Files\Orange\AntivirusFirewall\FWES\Program\fsdfwd.exe
C:\Program Files\Orange\AntivirusFirewall\FSAUA\program\fsus.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32	askeng.exe
C:\Windows\system32	askeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsav32.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\vVX3000.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSM32.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Camille\AppData\Local
nneddd.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\conime.exe
C:\Program Files\Orange\AntivirusFirewall\FSGUI\fsguidll.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Windows\system32	askeng.exe
C:\Program Files\Axon Data\AxCrypt\1.6.3\AxCrypt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Camille


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Camille\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Camille\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Carte réseau Broadcom 802.11g
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{703CEF78-FB3E-40D5-A4D1-DCCEF4750A48}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9F7827C4-9A3F-4DFC-A247-147B4C36C8FF}: DhcpNameServer=163.244.4.254 163.244.76.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{703CEF78-FB3E-40D5-A4D1-DCCEF4750A48}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9F7827C4-9A3F-4DFC-A247-147B4C36C8FF}: DhcpNameServer=163.244.4.254 163.244.76.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{703CEF78-FB3E-40D5-A4D1-DCCEF4750A48}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9F7827C4-9A3F-4DFC-A247-147B4C36C8FF}: DhcpNameServer=163.244.4.254 163.244.76.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

meeko12 · Answer

SmitFraudFix v2.299

Scan done at 16:11:09,88, 02/03/2008
Run from C:\Users\Camille\Downloads\SmitfraudFix
OS: Microsoft Windows [version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1       localhost
::1             localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Carte réseau Broadcom 802.11g
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{703CEF78-FB3E-40D5-A4D1-DCCEF4750A48}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9F7827C4-9A3F-4DFC-A247-147B4C36C8FF}: DhcpNameServer=163.244.4.254 163.244.76.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{703CEF78-FB3E-40D5-A4D1-DCCEF4750A48}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9F7827C4-9A3F-4DFC-A247-147B4C36C8FF}: DhcpNameServer=163.244.4.254 163.244.76.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{703CEF78-FB3E-40D5-A4D1-DCCEF4750A48}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9F7827C4-9A3F-4DFC-A247-147B4C36C8FF}: DhcpNameServer=163.244.4.254 163.244.76.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done. 
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

meeko12 · Answer

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:50, on 02/03/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Users\Camille\Downloads\enden.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer fourni par Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
O1 - Hosts: ::1 localhost
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Orange\AntivirusFirewall\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Orange\AntivirusFirewall\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [nnneddd] c:\users\camille\appdata\local
nneddd.exe nnneddd
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin
pjpi160.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin
pjpi160.dll
O13 - Gopher Prefix: 
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

Razu · Answer

Okay. Tout fonctionne nickel maintenant, encore merci beaucoup pour ton aide et tes conseils.
Peut-etre a bientot sur le forum.
Andy

jlpjlp · Answer

ok bonne suite!

mika903 · Answer

^^

Infection spyware (virus ranger, winsecure..)

7 réponses

Discussions similaires