Sujet Précédent Sujet Suivant

Infecté par zlob troyan,je n'y connais rien!!

Résolu/Fermé
ysra - 7 avril 2008 à 15:55
 ysra - 12 avril 2008 à 15:43
Bonjour,cela fais 3jours que j'ai un message inquietant sur mon pc qui me dit que j'ai un zlob troyan et que c'est tres dangereux pour mes données; j'ai des logiciels avec lesquels je travaille et qui m'ont coutés chers!!s'il vous plais aidez moi.
il faut savoir que je ne connais rien a l'informatique, alors please j'ai besoin d'explications tres tres tres simple. merci

21 réponses

  • 1
  • 2
Réponse 1 / 21
^^Marie^^ Messages postés 114053 Date d'inscription mardi 6 septembre 2005 Statut Membre Dernière intervention 28 août 2020 3 275
8 avril 2008 à 09:51
Bonjour

Il est fortement DÉCONSEILLÉ d'envoyer des néophytes sur le Robot Hijackthis.
D'autre part, le log est mal placé, donc en cas d'erreur l'internaute ne peut revenir en arrière, car les backups seront inexistants.
Ensuite, l'internaute "supprimera" des lignes MAIS en aucun cas les fichiers ou dossiers infectés
Des Fix ont été crées pour éradiquer les infections.




ysra

Fais ce qui suit

STP


Télécharge BTFix 1.017 (de bibi26)
http://cluster1.easy-hebergement.net/
https://www.01net.com/telecharger/windows/Utilitaire/nettoyeurs_et_installeurs/fiches/40698.html


* Décompresse l'archive sur ton Bureau (Clique-Droit/Extraire tout).
* Ouvre le dossier BTFix
* Double clique sur BTFix.exe
* Clique sur Rechercher
* Un rapport va apparaître, copie/colle-le dans ta prochaine réponse

Tuto
https://leblogdeclaude.blogspot.com/2007/10/procdure-btfix.html


3
Réponse 2 / 21
Lyonnais92 Messages postés 25159 Date d'inscription vendredi 23 juin 2006 Statut Contributeur sécurité Dernière intervention 16 septembre 2016 1 537
8 avril 2008 à 09:51
Bonjour,

tu ne fais pas ça.

d'abord parce que ça peut te faire faire de grosses erreurs;

Ensuite aprce que ça ne suffit pas toujours

Enfin parce que ça enlève les symptômes mais ne répare pas les dégats.

Tu fais ça :

1) Tu désinstalles ta version d'Hijackthis qui est obsolète (panneau de configuration, ajout suppression de programmes)

Si tu as "fixé" des lignes, tu ne fais rien, tu dis, on reviendra en arrière.

Clique sur ce lien
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
pour télécharger le fichier d'installation d'HijackThis.

Enregistre HJTInstall.exe sur ton bureau.

Double-clique sur HJTInstall.exe pour lancer le programme

Par défaut, il s'installera là :
C:\Program Files\Trend Micro\HijackThis

Accepte la license en cliquant sur le bouton "I Accept"

Choisis l'option "Do a system scan and save a log file"

Clique sur "Save log" pour enregistrer le rapport qui s'ouvrira avec le bloc-note

Clique sur "Edition -> Sélectionner tout", puis sur "Edition -> Copier" pour copier tout le contenu du rapport

Colle le rapport que tu viens de copier sur ce forum

Ne fixe encore AUCUNE ligne, cela pourrait empêcher ton PC de fonctionner correctement


Tutoriaux : http://pageperso.aol.fr/balltrap34/demohijack.htm (ne fixe rien pour le moment !!)
http://cybersecurite.xooit.com/t138-HijackThis-2-0-2.htm

2) Ouvre ce lien (merci a S!RI pour ce programme). http://siri.urz.free.fr/Fix/SmitfraudFix.php
et télécharge SmitfraudFix.exe.

Regarde le tuto
Exécute le en choisissant l’option 1, il va générer un rapport
Copie/colle le sur le poste stp.

3) il vaudrait mieux supprimer mywebsearch. Si tu es d'accord, je te dirai comment.
1
Réponse 3 / 21
^^Marie^^ Messages postés 114053 Date d'inscription mardi 6 septembre 2005 Statut Membre Dernière intervention 28 août 2020 3 275
11 avril 2008 à 09:36
Bonjour,

si il est normal qu'antivir est mit une alerte lorsque j'ai voulu telecharger SmitfraudFix ?
Oui, c'est normal il l'a détecté comme un faux positif donc pas de soucis.

N'oublie pas que tu navigues avec une version NON Officielle de Windows, donc tu t'exposes toujours à des soucis

· Télécharge ToolsCleaner de A.Roshtein sur ton Bureau.(sur un des 2 liens)
http://pagesperso-orange.fr/AceRothstein/ToolsCleaner2.exe
http://a-rothstein.changelog.fr/TC/ToolsCleaner2.exe
· Clique sur Recherche et laisse le scan se terminer.
· Clique, sur Suppression pour finaliser.
· Tu peux, si tu le souhaites, te servir des Options facultatives.
· Clique sur Quitter, pour que le rapport puisse se créer.
· Poste moi le rapport (TCleaner.txt) qui se trouve à la racine de ton disque dur( C:\).


+++

1
Réponse 4 / 21
TrojanVictim
7 avril 2008 à 16:02
salut,

qu'est ce que tu as comme anti virus ?

telecharge Hijack This et colle ton rapport dans une réponse.
0

Vous n’avez pas trouvé la réponse que vous recherchez ?

Posez votre question
Réponse 5 / 21
ysra
7 avril 2008 à 17:25
salut j'ai antivir et je t'envois le rapport ,mais il est long, je ne sais pas si c'est ça que tu veux voir.***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.8.2523. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 08/04/2008 17:09:23
Using Database v6963
Operating System: Windows XP SP2 [Windows XP Professional Service Pack 2 (Build 2600)]
File System: FAT32
Data directory: C:\Documents and Settings\Administrateur\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Administrateur\Mes documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
The following Anti-Malware program(s) are loaded:
Avira AntiVir

**************************************************


**************************************************
17:09:23: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

**************************************************
17:09:23: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

**************************************************
17:09:23: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

**************************************************
17:09:24: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: explorer.exe
C:\WINDOWS\explorer.exe
1037312 bytes
Created: 21/07/2005
Modified: 13/06/2007
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: userinit.exe
C:\WINDOWS\system32\userinit.exe
25088 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
515584 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: ATIModeChange
Value Data: Ati2mdxx.exe
C:\WINDOWS\system32\Ati2mdxx.exe
28672 bytes
Created: 15/12/2003
Modified: 15/12/2003
Company: ATI Technologies, Inc.
--------------------
Value Name: ATIPTA
Value Data: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
335872 bytes
Created: 02/02/2006
Modified: 13/11/2003
Company: ATI Technologies, Inc.
--------------------
Value Name: AGRSMMSG
Value Data: AGRSMMSG.exe
C:\WINDOWS\AGRSMMSG.exe
88267 bytes
Created: 28/04/2003
Modified: 28/04/2003
Company: Agere Systems
--------------------
Value Name: SoundMan
Value Data: SOUNDMAN.EXE
C:\WINDOWS\SOUNDMAN.EXE
55296 bytes
Created: 23/05/2006
Modified: 24/07/2003
Company: Realtek Semiconductor Corp.
--------------------
Value Name: HTpatch
Value Data: C:\WINDOWS\htpatch.exe
C:\WINDOWS\htpatch.exe
28672 bytes
Created: 02/02/2006
Modified: 23/01/2003
Company:
--------------------
Value Name: EPSON Stylus DX4000 Series
Value Data: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S87.tmp" /EF "HKLM"
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE
131072 bytes
Created: 20/02/2007
Modified: 21/02/2006
Company: SEIKO EPSON CORPORATION
--------------------
Value Name: Barsaka
Value Data: explorer.exe
C:\WINDOWS\explorer.exe
1037312 bytes
Created: 21/07/2005
Modified: 13/06/2007
Company: Microsoft Corporation
--------------------
Value Name: avgnt
Value Data: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
249896 bytes
Created: 11/03/2008
Modified: 31/08/2007
Company: Avira GmbH
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Trojan Remover\Trjscan.exe
874064 bytes
Created: 05/04/2008
Modified: 27/03/2008
Company: Simply Super Software
--------------------
Value Name: FrameWorkService
Value Data:
- this registry value has been removed [file not found to scan]
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
--------------------
Value Name: MsnMsgr
Value Data: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
C:\Program Files\MSN Messenger\MsnMsgr.Exe
5674352 bytes
Created: 19/01/2007
Modified: 19/01/2007
Company: Microsoft Corporation
--------------------
Value Name: Creative Detector
Value Data: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
102400 bytes
Created: 02/08/2007
Modified: 02/12/2004
Company: Creative Technology Ltd
--------------------
Value Name: FrameWorkService
Value Data:
- this registry value has been removed [file not found to scan]
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

**************************************************
17:09:33: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

**************************************************
17:09:33: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

**************************************************
17:09:33: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver:
- this reference has been removed [file not found to scan]
--------------------

**************************************************
17:09:34: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: >{26923b43-4d38-484f-9b9e-de460746276c}
Path: %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
C:\WINDOWS\system32\shmgrate.exe
42496 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
Path: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
C:\WINDOWS\system32\shmgrate.exe
42496 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Path: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
C:\Program Files\Outlook Express\setup50.exe
73728 bytes
Created: 15/12/2005
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: {44BBA842-CC51-11CF-AAFA-00AA00B6015B}
Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
C:\WINDOWS\system32\advpack.dll
101888 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: {6BF52A52-394A-11d3-B153-00C04F79FAA6}
Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
C:\WINDOWS\system32\advpack.dll - file already scanned
----------
Key: {7790769C-0471-11d2-AF11-00C04FA35D02}
Path: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
C:\Program Files\Outlook Express\setup50.exe
73728 bytes
Created: 15/12/2005
Modified: 19/08/2004
Company: Microsoft Corporation
----------

**************************************************
17:09:35: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

**************************************************
17:09:35: Scanning ----- SERVICES REGISTRY KEYS -----
Key: AgereSoftModem
ImagePath: system32\DRIVERS\AGRSM.sys
C:\WINDOWS\system32\DRIVERS\AGRSM.sys
1170464 bytes
Created: 28/04/2003
Modified: 28/04/2003
Company: Agere Systems
----------
Key: AntiVirScheduler
ImagePath: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
63016 bytes
Created: 11/03/2008
Modified: 28/08/2007
Company: Avira GmbH
----------
Key: AntiVirService
ImagePath: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
214056 bytes
Created: 11/03/2008
Modified: 11/09/2007
Company: Avira GmbH
----------
Key: Ati HotKey Poller
ImagePath: %SystemRoot%\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
385024 bytes
Created: 15/12/2003
Modified: 15/12/2003
Company:
----------
Key: avgio
ImagePath: \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
11840 bytes
Created: 11/03/2008
Modified: 27/02/2007
Company: Avira GmbH
----------
Key: avgntflt
ImagePath: \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
48448 bytes
Created: 11/03/2008
Modified: 17/09/2007
Company: Avira GmbH
----------
Key: avipbb
ImagePath: system32\DRIVERS\avipbb.sys
C:\WINDOWS\system32\DRIVERS\avipbb.sys
62016 bytes
Created: 11/03/2008
Modified: 07/09/2007
Company: AVIRA GmbH
----------
Key: catchme
ImagePath: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys - this file is globally excluded
----------
Key: DcCam
ImagePath: system32\DRIVERS\DcCam.sys
C:\WINDOWS\system32\DRIVERS\DcCam.sys
37150 bytes
Created: 16/06/2005
Modified: 16/06/2005
Company: Eastman Kodak Company
----------
Key: DcFpoint
ImagePath: system32\DRIVERS\DcFpoint.sys
C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
61564 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: DCFS2K
ImagePath: system32\drivers\dcfs2k.sys
C:\WINDOWS\system32\drivers\dcfs2k.sys
38673 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: DcLps
ImagePath: system32\DRIVERS\DcLps.sys
C:\WINDOWS\system32\DRIVERS\DcLps.sys
8022 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: DcPTP
ImagePath: system32\DRIVERS\DcPTP.sys
C:\WINDOWS\system32\DRIVERS\DcPTP.sys
70262 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: EL2000
ImagePath: system32\DRIVERS\EL2K_XP.sys
C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
-R- 147328 bytes
Created: 29/03/2006
Modified: 24/07/2003
Company: 3Com Corporation
----------
Key: el575nd5
ImagePath: system32\DRIVERS\el575nd5.sys
C:\WINDOWS\system32\DRIVERS\el575nd5.sys
69692 bytes
Created: 15/12/2005
Modified: 23/07/2005
Company: 3Com Corporation
----------
Key: Exportit
ImagePath: system32\DRIVERS\exportit.sys
C:\WINDOWS\system32\DRIVERS\exportit.sys
152081 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: fbxusb
ImagePath: system32\DRIVERS\fbxusb32.sys
C:\WINDOWS\system32\DRIVERS\fbxusb32.sys
21344 bytes
Created: 12/01/2006
Modified: 20/10/2004
Company: FreeBox SA
----------
Key: gusvc
ImagePath: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
138168 bytes
Created: 11/02/2007
Modified: 11/02/2007
Company: Google
----------
Key: irsir
ImagePath: system32\DRIVERS\irsir.sys
C:\WINDOWS\system32\DRIVERS\irsir.sys
18688 bytes
Created: 15/12/2005
Modified: 23/07/2005
Company: Microsoft Corporation
----------
Key: KodakCCS
ImagePath: %SystemRoot%\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
411920 bytes
Created: 30/03/2005
Modified: 30/03/2005
Company: Eastman Kodak Company
----------
Key: O&O Defrag
ImagePath: C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\oodag.exe
225280 bytes
Created: 11/05/2005
Modified: 11/05/2005
Company: O&O Software GmbH
----------
Key: ose
ImagePath: "C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE
89136 bytes
Created: 28/07/2003
Modified: 28/07/2003
Company: Microsoft Corporation
----------
Key: PxHelp20
ImagePath: System32\Drivers\PxHelp20.sys
C:\WINDOWS\System32\Drivers\PxHelp20.sys
20576 bytes
Created: 23/09/2004
Modified: 23/09/2004
Company: Sonic Solutions
----------
Key: Secdrv
ImagePath: system32\DRIVERS\secdrv.sys
C:\WINDOWS\system32\DRIVERS\secdrv.sys
20480 bytes
Created: 17/07/2004
Modified: 13/11/2007
Company: Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.
----------
Key: sisagp
ImagePath: system32\DRIVERS\SISAGPX.sys
C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
30848 bytes
Created: 23/01/2003
Modified: 23/01/2003
Company: Silicon Integrated Systems Corporation
----------
Key: ssmdrv
ImagePath: system32\DRIVERS\ssmdrv.sys
C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
28352 bytes
Created: 11/03/2008
Modified: 01/03/2007
Company: Avira GmbH
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{CB7A443E-A235-4B8D-BEC1-6BB59F1EF56E}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: usbsermpt
ImagePath: system32\DRIVERS\usbsermpt.sys
C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
22768 bytes
Created: 30/12/2005
Modified: 30/12/2005
Company: Microsoft Corporation
----------
Key: usnjsvc
ImagePath: "C:\Program Files\MSN Messenger\usnsvc.exe"
C:\Program Files\MSN Messenger\usnsvc.exe
97136 bytes
Created: 19/01/2007
Modified: 19/01/2007
Company: Microsoft Corporation
----------

**************************************************
17:09:37: Scanning -----VXD ENTRIES-----

**************************************************
17:09:37: Scanning ----- WINLOGON\NOTIFY DLLS -----

**************************************************
17:09:37: Scanning ----- CONTEXTMENUHANDLERS -----
Key: EPPShellEx
CLSID: {509FE1AF-ADD5-49EC-BC55-7CF81FD16E78}
Path: C:\Program Files\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll
C:\Program Files\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll
69632 bytes
Created: 20/02/2007
Modified: 14/06/2005
Company: SEIKO EPSON CORPORATION
----------
Key: Fichiers hors connexion
CLSID: {750fdf0e-2a26-11d1-a3ea-080036587f03}
Path: %SystemRoot%\System32\cscui.dll
C:\WINDOWS\System32\cscui.dll
337920 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: IZArcCM
CLSID: {8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}
Path: C:\PROGRA~1\IZArc\IZArcCM.dll
C:\PROGRA~1\IZArc\IZArcCM.dll
617472 bytes
Created: 02/09/2007
Modified: 02/06/2007
Company:
----------
Key: Open With
CLSID: {09799AFB-AD67-11d1-ABCD-00C04FC30936}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: Open With EncryptionMenu
CLSID: {A470F8CF-A1E8-4f65-8335-227475AA5C46}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: Shell Extension for Malware scanning
CLSID: {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll
C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll
61480 bytes
Created: 11/03/2008
Modified: 23/03/2007
Company: Avira GmbH
----------
Key: Trojan Remover
CLSID: {52B87208-9CCF-42C9-B88E-069281105805}
Path: C:\PROGRA~1\TROJAN~1\Trshlex.dll
C:\PROGRA~1\TROJAN~1\Trshlex.dll
467552 bytes
Created: 05/04/2008
Modified: 05/02/2007
Company: Simply Super Software
----------
Key: {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------

**************************************************
17:09:38: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key: {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
File: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: {24F14F01-7B1C-11d1-838f-0000F80461CF}
File: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: {24F14F02-7B1C-11d1-838f-0000F80461CF}
File: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: {66742402-F9B9-11D1-A202-0000F81FEDEE}
File: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: {F9DB5320-233E-11D1-9F84-707F02C10627}
File: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
110592 bytes
Created: 14/12/2004
Modified: 14/12/2004
Company: Adobe Systems, Inc.
----------

**************************************************
17:09:38: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {02478D38-C3F9-4EFB-9B51-7695ECA05670}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
440384 bytes
Created: 05/04/2007
Modified: 26/10/2006
Company: Yahoo! Inc.
----------
Key: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BHO: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
59032 bytes
Created: 23/09/2005
Modified: 18/12/2006
Company: Adobe Systems Incorporated
----------
Key: {8B580E40-6B46-44C8-9E80-A5AD6E1D1035}
BHO: C:\WINDOWS\kiasys.dll
C:\WINDOWS\kiasys.dll
203264 bytes
Created: 04/04/2008
Modified: 04/04/2008
Company:
----------
Key: {9030D464-4C02-4ABF-8ECC-5164760863C6}
BHO: C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
322368 bytes
Created: 31/08/2006
Modified: 31/08/2006
Company: Microsoft Corporation
----------
Key: {AA58ED58-01DD-4d91-8333-CF10577473F7}
BHO: c:\program files\google\googletoolbar1.dll
c:\program files\google\googletoolbar1.dll
-R- 2436160 bytes
Created: 25/09/2007
Modified: 25/09/2007
Company: Google Inc.
----------
Key: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
BHO: C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
325048 bytes
Created: 27/08/2007
Modified: 27/08/2007
Company: Google Inc.
----------
Key: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
BHO: C:\Program Files\Windows Live Toolbar\msntb.dll
C:\Program Files\Windows Live Toolbar\msntb.dll
546320 bytes
Created: 19/10/2007
Modified: 19/10/2007
Company: Microsoft Corporation
----------
Key: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}
BHO: C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
368640 bytes
Created: 20/02/2007
Modified: 21/02/2005
Company: SEIKO EPSON CORPORATION
----------

**************************************************
17:09:39: Scanning ----- SHELLSERVICEOBJECTS -----
Key: PostBootReminder
CLSID: {7849596a-48ea-486e-8937-a2a3009f31a9}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: CDBurn
CLSID: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: WebCheck
CLSID: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Path: %SystemRoot%\system32\webcheck.dll
C:\WINDOWS\system32\webcheck.dll
281600 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: SysTray
CLSID: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Path: C:\WINDOWS\system32\stobject.dll
C:\WINDOWS\system32\stobject.dll
122368 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------

**************************************************
17:09:39: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
Value: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
Comment: Pré-chargeur Browseui
File: %SystemRoot%\system32\browseui.dll
C:\WINDOWS\system32\browseui.dll
1024000 bytes
Created: 21/07/2005
Modified: 07/12/2007
Company: Microsoft Corporation
----------
Value: {8C7461EF-2B13-11d2-BE35-3078302C2030}
Comment: Démon de cache des catégories de composant
File: %SystemRoot%\system32\browseui.dll
C:\WINDOWS\system32\browseui.dll
1024000 bytes
Created: 21/07/2005
Modified: 07/12/2007
Company: Microsoft Corporation
----------

**************************************************
17:09:39: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

**************************************************
17:09:39: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank

**************************************************
17:09:39: Scanning ----- SECURITY PROVIDER DLLS -----
DLL: msapsspc.dll
C:\WINDOWS\system32\msapsspc.dll
86016 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
DLL: schannel.dll
C:\WINDOWS\system32\schannel.dll
144896 bytes
Created: 19/08/2004
Modified: 25/04/2007
Company: Microsoft Corporation
----------
DLL: digest.dll
C:\WINDOWS\system32\digest.dll
68608 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
DLL: msnsspc.dll
C:\WINDOWS\system32\msnsspc.dll
290816 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------

**************************************************
17:09:40: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\desktop.ini
-HS- 84 bytes
Created: 15/12/2005
Modified: 15/12/2005
Company:
--------------------

**************************************************
No User Startup Groups were located to check

**************************************************
17:09:40: Scanning ----- SCHEDULED TASKS -----
Taskname: Vérifier les mises à jour de Windows Live Toolbar.job
File: C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
99856 bytes
Created: 19/10/2007
Modified: 19/10/2007
Company: Microsoft Corporation
Parameters: [blank]
Next Run Time: 08/04/2008 17:58:00
Status: La tâche est prête à s'exécuter à l'heure prévue
Creator: SYSTEM
Comments: [blank]
----------
Taskname: Low Battery Alarm Program.job
File:
Parameters: [blank]
Next Run Time: Never
Status: Une ou plusieurs des propriétés nécessaires pour exécuter cette tâche suivant un calendrier n'ont pas été définies
Creator: Administrateur
Comments: [blank]
[file not found to scan]
----------

**************************************************
17:09:43: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
---------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
3932214 bytes
Created: 19/01/2007
Modified: 27/03/2008
Company:
----------
Web Desktop Wallpaper: %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
3932214 bytes
Created: 19/01/2007
Modified: 27/03/2008
Company:
----------
Additional file checks completed
---------

**************************************************
17:09:44: Scanning ----- RUNNING PROCESSES -----
[Only loaded modules not scanned already
during this scan will be scanned here]

C:\WINDOWS\System32\smss.exe
[1 loaded module]
--------------------
C:\WINDOWS\system32\csrss.exe
[11 loaded modules in total]
--------------------
C:\WINDOWS\system32\winlogon.exe
[63 loaded modules in total]
--------------------
C:\WINDOWS\system32\services.exe
[34 loaded modules in total]
--------------------
C:\WINDOWS\system32\lsass.exe
[47 loaded modules in total]
--------------------
C:\WINDOWS\system32\Ati2evxx.exe
[7 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[46 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[36 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe
[151 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[29 loaded modules in total]
--------------------
C:\WINDOWS\system32\spoolsv.exe
[53 loaded modules in total]
--------------------
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
[34 loaded modules in total]
--------------------
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
[33 loaded modules in total]
--------------------
C:\WINDOWS\system32\CTsvcCDA.EXE
[7 loaded modules in total]
--------------------
C:\WINDOWS\system32\oodag.exe
[21 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[37 loaded modules in total]
--------------------
C:\WINDOWS\system32\wdfmgr.exe
[13 loaded modules in total]
--------------------
C:\WINDOWS\System32\alg.exe
[31 loaded modules in total]
--------------------
C:\WINDOWS\system32\WgaTray.exe
[43 loaded modules in total]
--------------------
C:\WINDOWS\Explorer.EXE
[77 loaded modules in total]
--------------------
C:\WINDOWS\system32\wuauclt.exe
[40 loaded modules in total]
--------------------
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[29 loaded modules in total]
--------------------
C:\WINDOWS\AGRSMMSG.exe
[22 loaded modules in total]
--------------------
C:\WINDOWS\SOUNDMAN.EXE
[18 loaded modules in total]
--------------------
C:\WINDOWS\htpatch.exe
[10 loaded modules in total]
--------------------
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE
[14 loaded modules in total]
--------------------
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
[33 loaded modules in total]
--------------------
C:\WINDOWS\system32\ctfmon.exe
[22 loaded modules in total]
--------------------
C:\Program Files\MSN Messenger\MsnMsgr.Exe
[109 loaded modules in total]
--------------------
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
[29 loaded modules in total]
--------------------
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage\Dos Optimizer.pif
[15 loaded modules in total]
--------------------
C:\Documents and Settings\Administrateur\Application Data\Simply Super Software\Trojan Remover\anr2.exe
FileSize: 2474560
[This is a Trojan Remover component]
[22 loaded modules in total]
--------------------
C:\Program Files\Internet Explorer\iexplore.exe
[149 loaded modules in total]
--------------------
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
[36 loaded modules in total]
--------------------

**************************************************
17:10:12: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file

**************************************************
17:10:12: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file

**************************************************
17:10:12: Checking HOSTS file
No malicious entries were found in the HOSTS file

**************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.google.com/toolbar/ie8/sidebar.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
https://www.bing.com/?toHttps=1&redig=8F3F334EA60E4B1CB4D040DCFE393A89{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://www.google.com/toolbar/ie8/sidebar.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://quicknews.info/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
https://www.google.com/?gws_rd=ssl

**************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 08/04/2008 17:10:12
************************************************************


***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
05/04/2008 16:39:08: Trojan Remover has been restarted
C:\WINDOWS\system32\RAVMON.exe has been deleted (if it existed)
=======================================================
Deleting the following registry value(s):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RavMont] - already deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[FrameWorkService] - already deleted
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[FrameWorkService] - already deleted
=======================================================
Unable to rename C:\WINDOWS\system32\RAVMON.exe to C:\WINDOWS\system32\RAVMON.exe.vir
(C:\WINDOWS\system32\RAVMON.exe does not appear to exist)
05/04/2008 16:39:08: Trojan Remover closed
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.8.2523. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 05/04/2008 16:36:01
Using Database v6963
Operating System: Windows XP SP2 [Windows XP Professional Service Pack 2 (Build 2600)]
File System: FAT32
Data directory: C:\Documents and Settings\Administrateur\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Administrateur\Mes documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
The following Anti-Malware program(s) are loaded:
Avira AntiVir

**************************************************


**************************************************
16:36:01: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

**************************************************
16:36:01: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

**************************************************
16:36:01: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

**************************************************
16:36:03: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: explorer.exe
C:\WINDOWS\explorer.exe
1037312 bytes
Created: 21/07/2005
Modified: 13/06/2007
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: userinit.exe
C:\WINDOWS\system32\userinit.exe
25088 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
515584 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: ATIModeChange
Value Data: Ati2mdxx.exe
C:\WINDOWS\system32\Ati2mdxx.exe
28672 bytes
Created: 15/12/2003
Modified: 15/12/2003
Company: ATI Technologies, Inc.
--------------------
Value Name: ATIPTA
Value Data: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
335872 bytes
Created: 02/02/2006
Modified: 13/11/2003
Company: ATI Technologies, Inc.
--------------------
Value Name: AGRSMMSG
Value Data: AGRSMMSG.exe
C:\WINDOWS\AGRSMMSG.exe
88267 bytes
Created: 28/04/2003
Modified: 28/04/2003
Company: Agere Systems
--------------------
Value Name: SoundMan
Value Data: SOUNDMAN.EXE
C:\WINDOWS\SOUNDMAN.EXE
55296 bytes
Created: 23/05/2006
Modified: 24/07/2003
Company: Realtek Semiconductor Corp.
--------------------
Value Name: HTpatch
Value Data: C:\WINDOWS\htpatch.exe
C:\WINDOWS\htpatch.exe
28672 bytes
Created: 02/02/2006
Modified: 23/01/2003
Company:
--------------------
Value Name: EPSON Stylus DX4000 Series
Value Data: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S87.tmp" /EF "HKLM"
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE
131072 bytes
Created: 20/02/2007
Modified: 21/02/2006
Company: SEIKO EPSON CORPORATION
--------------------
Value Name: RavMont
Value Data: C:\WINDOWS\system32\RAVMON.exe
C:\WINDOWS\system32\RAVMON.exe - this registry value has been removed [file not found to scan]
C:\WINDOWS\system32\RAVMON.exe - process is either not running or could not be terminated
C:\WINDOWS\system32\RAVMON.exe - file could not be neutralised
[kill file error: C:\WINDOWS\system32\RAVMON.exe, Le fichier spécifié est introuvable.
]
C:\WINDOWS\system32\RAVMON.exe - marked for renaming when the PC is restarted (if it exists)
--------------------
Value Name: Barsaka
Value Data: explorer.exe
C:\WINDOWS\explorer.exe
1037312 bytes
Created: 21/07/2005
Modified: 13/06/2007
Company: Microsoft Corporation
--------------------
Value Name: avgnt
Value Data: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
249896 bytes
Created: 11/03/2008
Modified: 31/08/2007
Company: Avira GmbH
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Trojan Remover\Trjscan.exe
874064 bytes
Created: 05/04/2008
Modified: 27/03/2008
Company: Simply Super Software
--------------------
Value Name: FrameWorkService
Value Data:
- this registry value has been removed [file not found to scan]
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
--------------------
Value Name: MsnMsgr
Value Data: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
C:\Program Files\MSN Messenger\MsnMsgr.Exe
5674352 bytes
Created: 19/01/2007
Modified: 19/01/2007
Company: Microsoft Corporation
--------------------
Value Name: Creative Detector
Value Data: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
102400 bytes
Created: 02/08/2007
Modified: 02/12/2004
Company: Creative Technology Ltd
--------------------
Value Name: FrameWorkService
Value Data:
- this registry value has been removed [file not found to scan]
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

**************************************************
16:36:46: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

**************************************************
16:36:46: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

**************************************************
16:36:47: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\system32\ssstars.scr
C:\WINDOWS\system32\ssstars.scr
14336 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
--------------------

**************************************************
16:36:47: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: >{26923b43-4d38-484f-9b9e-de460746276c}
Path: %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
C:\WINDOWS\system32\shmgrate.exe
42496 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
Path: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
C:\WINDOWS\system32\shmgrate.exe
42496 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Path: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
C:\Program Files\Outlook Express\setup50.exe
73728 bytes
Created: 15/12/2005
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: {44BBA842-CC51-11CF-AAFA-00AA00B6015B}
Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
C:\WINDOWS\system32\advpack.dll
101888 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: {6BF52A52-394A-11d3-B153-00C04F79FAA6}
Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
C:\WINDOWS\system32\advpack.dll - file already scanned
----------
Key: {7790769C-0471-11d2-AF11-00C04FA35D02}
Path: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
C:\Program Files\Outlook Express\setup50.exe
73728 bytes
Created: 15/12/2005
Modified: 19/08/2004
Company: Microsoft Corporation
----------

**************************************************
16:36:47: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

**************************************************
16:36:47: Scanning ----- SERVICES REGISTRY KEYS -----
Key: AgereSoftModem
ImagePath: system32\DRIVERS\AGRSM.sys
C:\WINDOWS\system32\DRIVERS\AGRSM.sys
1170464 bytes
Created: 28/04/2003
Modified: 28/04/2003
Company: Agere Systems
----------
Key: AntiVirScheduler
ImagePath: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
63016 bytes
Created: 11/03/2008
Modified: 28/08/2007
Company: Avira GmbH
----------
Key: AntiVirService
ImagePath: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
214056 bytes
Created: 11/03/2008
Modified: 11/09/2007
Company: Avira GmbH
----------
Key: Ati HotKey Poller
ImagePath: %SystemRoot%\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
385024 bytes
Created: 15/12/2003
Modified: 15/12/2003
Company:
----------
Key: avgio
ImagePath: \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
11840 bytes
Created: 11/03/2008
Modified: 27/02/2007
Company: Avira GmbH
----------
Key: avgntflt
ImagePath: \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
48448 bytes
Created: 11/03/2008
Modified: 17/09/2007
Company: Avira GmbH
----------
Key: avipbb
ImagePath: system32\DRIVERS\avipbb.sys
C:\WINDOWS\system32\DRIVERS\avipbb.sys
62016 bytes
Created: 11/03/2008
Modified: 07/09/2007
Company: AVIRA GmbH
----------
Key: catchme
ImagePath: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys - this file is globally excluded
----------
Key: DcCam
ImagePath: system32\DRIVERS\DcCam.sys
C:\WINDOWS\system32\DRIVERS\DcCam.sys
37150 bytes
Created: 16/06/2005
Modified: 16/06/2005
Company: Eastman Kodak Company
----------
Key: DcFpoint
ImagePath: system32\DRIVERS\DcFpoint.sys
C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
61564 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: DCFS2K
ImagePath: system32\drivers\dcfs2k.sys
C:\WINDOWS\system32\drivers\dcfs2k.sys
38673 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: DcLps
ImagePath: system32\DRIVERS\DcLps.sys
C:\WINDOWS\system32\DRIVERS\DcLps.sys
8022 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: DcPTP
ImagePath: system32\DRIVERS\DcPTP.sys
C:\WINDOWS\system32\DRIVERS\DcPTP.sys
70262 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: EL2000
ImagePath: system32\DRIVERS\EL2K_XP.sys
C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
-R- 147328 bytes
Created: 29/03/2006
Modified: 24/07/2003
Company: 3Com Corporation
----------
Key: el575nd5
ImagePath: system32\DRIVERS\el575nd5.sys
C:\WINDOWS\system32\DRIVERS\el575nd5.sys
69692 bytes
Created: 15/12/2005
Modified: 23/07/2005
Company: 3Com Corporation
----------
Key: Exportit
ImagePath: system32\DRIVERS\exportit.sys
C:\WINDOWS\system32\DRIVERS\exportit.sys
152081 bytes
Created: 31/03/2005
Modified: 31/03/2005
Company: Eastman Kodak Company
----------
Key: fbxusb
ImagePath: system32\DRIVERS\fbxusb32.sys
C:\WINDOWS\system32\DRIVERS\fbxusb32.sys
21344 bytes
Created: 12/01/2006
Modified: 20/10/2004
Company: FreeBox SA
----------
Key: gusvc
ImagePath: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
138168 bytes
Created: 11/02/2007
Modified: 11/02/2007
Company: Google
----------
Key: irsir
ImagePath: system32\DRIVERS\irsir.sys
C:\WINDOWS\system32\DRIVERS\irsir.sys
18688 bytes
Created: 15/12/2005
Modified: 23/07/2005
Company: Microsoft Corporation
----------
Key: KodakCCS
ImagePath: %SystemRoot%\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
411920 bytes
Created: 30/03/2005
Modified: 30/03/2005
Company: Eastman Kodak Company
----------
Key: O&O Defrag
ImagePath: C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\oodag.exe
225280 bytes
Created: 11/05/2005
Modified: 11/05/2005
Company: O&O Software GmbH
----------
Key: ose
ImagePath: "C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE
89136 bytes
Created: 28/07/2003
Modified: 28/07/2003
Company: Microsoft Corporation
----------
Key: PxHelp20
ImagePath: System32\Drivers\PxHelp20.sys
C:\WINDOWS\System32\Drivers\PxHelp20.sys
20576 bytes
Created: 23/09/2004
Modified: 23/09/2004
Company: Sonic Solutions
----------
Key: Secdrv
ImagePath: system32\DRIVERS\secdrv.sys
C:\WINDOWS\system32\DRIVERS\secdrv.sys
20480 bytes
Created: 17/07/2004
Modified: 13/11/2007
Company: Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.
----------
Key: sisagp
ImagePath: system32\DRIVERS\SISAGPX.sys
C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
30848 bytes
Created: 23/01/2003
Modified: 23/01/2003
Company: Silicon Integrated Systems Corporation
----------
Key: ssmdrv
ImagePath: system32\DRIVERS\ssmdrv.sys
C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
28352 bytes
Created: 11/03/2008
Modified: 01/03/2007
Company: Avira GmbH
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{CB7A443E-A235-4B8D-BEC1-6BB59F1EF56E}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: usbsermpt
ImagePath: system32\DRIVERS\usbsermpt.sys
C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
22768 bytes
Created: 30/12/2005
Modified: 30/12/2005
Company: Microsoft Corporation
----------
Key: usnjsvc
ImagePath: "C:\Program Files\MSN Messenger\usnsvc.exe"
C:\Program Files\MSN Messenger\usnsvc.exe
97136 bytes
Created: 19/01/2007
Modified: 19/01/2007
Company: Microsoft Corporation
----------

**************************************************
16:36:52: Scanning -----VXD ENTRIES-----

**************************************************
16:36:52: Scanning ----- WINLOGON\NOTIFY DLLS -----

**************************************************
16:36:53: Scanning ----- CONTEXTMENUHANDLERS -----
Key: EPPShellEx
CLSID: {509FE1AF-ADD5-49EC-BC55-7CF81FD16E78}
Path: C:\Program Files\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll
C:\Program Files\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll
69632 bytes
Created: 20/02/2007
Modified: 14/06/2005
Company: SEIKO EPSON CORPORATION
----------
Key: Fichiers hors connexion
CLSID: {750fdf0e-2a26-11d1-a3ea-080036587f03}
Path: %SystemRoot%\System32\cscui.dll
C:\WINDOWS\System32\cscui.dll
337920 bytes
Created: 19/08/2004
Modified: 19/08/2004
Company: Microsoft Corporation
----------
Key: IZArcCM
CLSID: {8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}
Path: C:\PROGRA~1\IZArc\IZArcCM.dll
C:\PROGRA~1\IZArc\IZArcCM.dll
617472 bytes
Created: 02/09/2007
Modified: 02/06/2007
Company:
----------
Key: Open With
CLSID: {09799AFB-AD67-11d1-ABCD-00C04FC30936}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: Open With EncryptionMenu
CLSID: {A470F8CF-A1E8-4f65-8335-227475AA5C46}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: Shell Extension for Malware scanning
CLSID: {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll
C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll
61480 bytes
Created: 11/03/2008
Modified: 23/03/2007
Company: Avira GmbH
----------
Key: Trojan Remover
CLSID: {52B87208-9CCF-42C9-B88E-069281105805}
Path: C:\PROGRA~1\TROJAN~1\Trshlex.dll
C:\PROGRA~1\TROJAN~1\Trshlex.dll
467552 bytes
Created: 05/04/2008
Modified: 05/02/2007
Company: Simply Super Software
----------
Key: {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------

**************************************************
16:36:53: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key: {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
File: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: {24F14F01-7B1C-11d1-838f-0000F80461CF}
File: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: {24F14F02-7B1C-11d1-838f-0000F80461CF}
File: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: {66742402-F9B9-11D1-A202-0000F81FEDEE}
File: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Company: Microsoft Corporation
----------
Key: {F9DB5320-233E-11D1-9F84-707F02C10627}
File: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
110592 bytes
Created: 14/12/2004
Modified: 14/12/2004
Company: Adobe Systems, Inc.
----------

**************************************************
16:36:54: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {02478D38-C3F9-4EFB-9B51-7695ECA05670}
BHO: C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
440384 bytes
Created: 05/04/2007
Modified: 26/10/2006
Company: Yahoo! Inc.
----------
Key: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BHO: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
59032 bytes
Created: 23/09/2005
Modified: 18/12/2006
Company: Adobe Systems Incorporated
----------
Key: {8B580E40-6B46-44C8-9E80-A5AD6E1D1035}
BHO: C:\WINDOWS\kiasys.dll
C:\WINDOWS\kiasys.dll
203264 bytes
Created: 04/04/2008
Modified: 04/04/2008
Company:
----------
Key: {9030D464-4C02-4ABF-8ECC-5164760863C6}
BHO: C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
322368 bytes
Created: 31/08/2006
Modified: 31/08/2006
Company: Microsoft Corporation
----------
Key: {AA58ED58-01DD-4d91-8333-CF10577473F7}
BHO: c:\program files\google\googletoolbar1.dll
c:\program files\google\googletoolbar1.dll
-R- 2436160 bytes
Created: 25/09/2007
Modified: 25/09/2007
Company: Google Inc.
----------
Key: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
BHO: C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
325048 bytes
Created: 27/08/2007
Modified: 27/08/2007
Company: Google Inc.
----------
Key: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
BHO: C:\Program Files\Windows Live Toolbar\msntb.dll
C:\Program Files\Windows Live Toolbar\msntb.dll
546320 bytes
Created: 19/10/2007
Modified: 19/10/2007
Company: Microsoft Corporation
----------
Key: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}
BHO: C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
368640 bytes
Created: 20/02/2007
Modified: 21/02/2005
Company: SEIKO EPSON CORPORATION
----------

**************************************************
16:36:54: Scanning ----- SHELLSERVICEOBJECTS -----
Key: PostBootReminder
CLSID: {7849596a-48ea-486e-8937-a2a3009f31a9}
Path: %SystemRoot%\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
8510976 bytes
Created: 21/07/2005
Modified: 25/10/2007
Compa
0
Réponse 6 / 21
TrojanVictim
7 avril 2008 à 20:01
re,

je ne penses pas que tu es fais la bonne manipulation !

regarde sur les autres problèmes du forum à quoi ressemble les rapports (logs) HijackThis.

une fois que tu aura le bon rapport, copie le et colle le ici :

http://hijackthis.de/index.php?langselect=french

le site te donnera une interprétation de chaque ligne de ton rapport Hijackthis. t'aura plus qu'à suivre et supprimer les fichiers infectés
0
Réponse 7 / 21
ysra
8 avril 2008 à 00:20
cette fois je pense avoir fais la bonne manipulation ,ça ressemble au autres rapports que j'ai vu sur les posts


Logfile of HijackThis v1.99.1
Scan saved at 00:14:59, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage\Dos Optimizer.pif
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\IZARC\IZARC.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ARCA\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quicknews.info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL (file missing)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S87.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Dos Optimizer.pif = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZC
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C30947A-63B3-49DC-8E31-4B32E77EF688}: NameServer = 213.150.176.196 193.95.67.22
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
0
Réponse 8 / 21
TrojanVictim
8 avril 2008 à 09:33
ok cette fois il est bon, va sur le site ci-dessous, tu le copie / colle et fais le analyser

http://hijackthis.de/index.php?langselect=french

tu commenceras par supprimer à l'aide de HijackThis les fichiers cochés d'une croix rouge.

ensuite ressort un rapport HijackThis et refais la même manip'

lorsque que tu aura fais tout ça fais une analyse avec ton antivirus et dis moi ce qui en est !

on verra après
0
Réponse 9 / 21
ysra
8 avril 2008 à 21:34
BTFix 1.095 (par bibi26) - 09/04/2008 21:27:32 - Analyse
Lancé depuis C:\Documents and Settings\Administrateur\Mes documents\virus\BTFix\BTFix\BTFix.exe

---> Fichiers/Dossiers trouvés

- C:\Program Files\MyWebSearch\
- C:\Program Files\FunWebProducts\
- C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.manifest
- C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar
- C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
- C:\Program Files\Internet Explorer\msimg32.dll
- C:\Program Files\MSN Messenger\RICHED20.dll

---> Analyse terminée le 09/04/2008 21:27:33
0
^^Marie^^ Messages postés 114053 Date d'inscription mardi 6 septembre 2005 Statut Membre Dernière intervention 28 août 2020 3 275
8 avril 2008 à 21:37
Re

[*]Ouvre BTFix.
[*]Clique sur Nettoyer.
[*]Un rapport va apparaître, copie/colle-le dans ta prochaine réponse.


+ un log hijackthis

0
Réponse 10 / 21
ysra
8 avril 2008 à 22:01
BTFix 1.095 (par bibi26) - 09/04/2008 21:40:31 - Nettoyage - Mode normal
Lancé depuis C:\Documents and Settings\Administrateur\Mes documents\virus\BTFix\BTFix\BTFix.exe

---> Fichiers/dossiers supprimés (Première passe)

- Fichiers temporaires effacés
- C:\Program Files\MyWebSearch\bar\Avatar\
- C:\Program Files\MyWebSearch\bar\Message\
- C:\Program Files\MyWebSearch\bar\Notifier\
- C:\Program Files\MyWebSearch\bar\Game\
- C:\Program Files\MyWebSearch\bar\icons\
- C:\Program Files\MyWebSearch\bar\Settings\
- C:\Program Files\MyWebSearch\bar\Cache\
- C:\Program Files\MyWebSearch\bar\History\
- C:\Program Files\MyWebSearch\bar\2.bin\
- C:\Program Files\MyWebSearch\bar\3.bin\ (erreur lors de la suppression)
- C:\Program Files\MyWebSearch\bar\MSNBackgrounds\
- C:\Program Files\MyWebSearch\bar\ (erreur lors de la suppression)
- C:\Program Files\MyWebSearch\SrchAstt\2.bin\
- C:\Program Files\MyWebSearch\SrchAstt\3.bin\
- C:\Program Files\MyWebSearch\SrchAstt\
- C:\Program Files\MyWebSearch\ (erreur lors de la suppression)
- C:\Program Files\FunWebProducts\ScreenSaver\Images\
- C:\Program Files\FunWebProducts\ScreenSaver\
- C:\Program Files\FunWebProducts\Shared\Cache\
- C:\Program Files\FunWebProducts\Shared\
- C:\Program Files\FunWebProducts\
- C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.manifest
- C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar
- C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
- C:\Program Files\Internet Explorer\msimg32.dll

---> Fichiers/dossiers supprimés (Seconde passe - Redémarrage de l'ordinateur)

- Fichiers temporaires effacés
- C:\Program Files\MyWebSearch\bar\3.bin\
- C:\Program Files\MyWebSearch\bar\
- C:\Program Files\MyWebSearch\

---> Nettoyage terminé le 09/04/2008 21:42:44





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:09, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S87.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-19\..\RunOnce: [XPPro4.0] %systemroot%\REG\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [XPPro4.0] %systemroot%\REG\run.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\RunOnce: [XPPro4.0] %systemroot%\REG\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [XPPro4.0] %systemroot%\REG\run.cmd (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C30947A-63B3-49DC-8E31-4B32E77EF688}: NameServer = 213.150.176.196 193.95.67.22
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O24 - Desktop Component 0: (no name) - http://static.hugedomains.com/images/logo_huge_domains.gif
0
Réponse 11 / 21
^^Marie^^ Messages postés 114053 Date d'inscription mardi 6 septembre 2005 Statut Membre Dernière intervention 28 août 2020 3 275
8 avril 2008 à 22:24
Normal que tu aies des soucis avec une Version Windows XP non officielle

Télécharge SmitfraudFix
Utilitaire de S!Ri: Moe et balltrap34
http://siri.urz.free.fr/Fix/SmitfraudFix.php
et télécharge SmitfraudFix.exe.

Regarde le tuto

Exécute le en choisissant l’option 1,
il va générer un rapport
Copie/colle le sur le poste stp.

Bon courage
A++

0
Réponse 12 / 21
ysra
8 avril 2008 à 23:18
SmitFraudFix v2.309

Rapport fait à 23:02:13.40, 09/04/2008
Executé à partir de C:\Documents and Settings\Administrateur\Mes documents\virus\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est FAT32
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0C30947A-63B3-49DC-8E31-4B32E77EF688}: NameServer=213.150.176.196 193.95.67.22
HKLM\SYSTEM\CCS\Services\Tcpip\..\{53CE74E8-EB9F-43D1-AC93-64DF85A8F350}: DhcpNameServer=212.27.54.252 212.27.39.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{53CE74E8-EB9F-43D1-AC93-64DF85A8F350}: DhcpNameServer=212.27.54.252 212.27.39.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{53CE74E8-EB9F-43D1-AC93-64DF85A8F350}: DhcpNameServer=212.27.54.252 212.27.39.2


»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin



voila j'espere avoir fais les bonnes manipulations

j'ignorais que mon win xp n'etais pas d'origine, j'ai acheter mon pc a une amie, de plus il y a une etiquette sous mon pc qui dit que la version est authentique.
0
Réponse 13 / 21
^^Marie^^ Messages postés 114053 Date d'inscription mardi 6 septembre 2005 Statut Membre Dernière intervention 28 août 2020 3 275
9 avril 2008 à 09:15
Salut

Fix executé en mode sans echec
Pour quoi tu l'as fait en Mode sans Echec ???
Ce n'est pas ce que je t'avais demandé...


de plus il y a une etiquette sous mon pc qui dit que la version est authentique.
Tu lui demanderas le CD d'origine à ton amie. Le jour où tu dois formater tu vas faire comment ??

Refais un log hijackthis -- stp

0
Réponse 14 / 21
ysra
9 avril 2008 à 14:18
SmitFraudFix v2.309

Rapport fait à 14:11:59.48, 10/04/2008
Executé à partir de C:\Documents and Settings\Administrateur\Mes documents\virus\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est FAT32
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrateur


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrateur\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORIS


»»»»»»»»»»»»»»»»»»»»»»»» Bureau


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues


»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 213.150.176.196
DNS Server Search Order: 193.95.67.22

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0C30947A-63B3-49DC-8E31-4B32E77EF688}: NameServer=213.150.176.196 193.95.67.22
HKLM\SYSTEM\CCS\Services\Tcpip\..\{53CE74E8-EB9F-43D1-AC93-64DF85A8F350}: DhcpNameServer=212.27.54.252 212.27.39.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{53CE74E8-EB9F-43D1-AC93-64DF85A8F350}: DhcpNameServer=212.27.54.252 212.27.39.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{53CE74E8-EB9F-43D1-AC93-64DF85A8F350}: DhcpNameServer=212.27.54.252 212.27.39.2


»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin


voila j'espere que c'est bon.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:13:44, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S87.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-19\..\RunOnce: [XPPro4.0] %systemroot%\REG\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [XPPro4.0] %systemroot%\REG\run.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\RunOnce: [XPPro4.0] %systemroot%\REG\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [XPPro4.0] %systemroot%\REG\run.cmd (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C30947A-63B3-49DC-8E31-4B32E77EF688}: NameServer = 213.150.176.196 193.95.67.22
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
0
Réponse 15 / 21
ysra
9 avril 2008 à 23:59
bonsoir, je pense avoir fais ce qu'il fallait, et maintenant je fais quoi?
0
Réponse 16 / 21
^^Marie^^ Messages postés 114053 Date d'inscription mardi 6 septembre 2005 Statut Membre Dernière intervention 28 août 2020 3 275
10 avril 2008 à 10:21
Salut

Comment se comprte ton PC ??

0
Réponse 17 / 21
ysra
10 avril 2008 à 23:01
bonsoir marie, apres toutes ces manipulations cela semble aller, je n'ai plus cette alerte sur zlob troyan depuis ,je crois que c'est bon de ce coté. mais j'aimerais savoir si il est normal qu'antivir est mit une alerte lorsque j'ai voulu telecharger SmitfraudFix ? j'ai dû mettre antivir en veille pour pouvoir telecharger.
en tout cas je tiens a te remercier pour ton aide ,ainsi que tous ceux qui m'ont repondu.
je pense que tout est ok, a moins de devoir faire d'autres manipulations je peux dire que mon probleme est resolu.
;-)
bise et a bientot ,mais sur un autre forum!!!
0
Réponse 18 / 21
ysra
11 avril 2008 à 09:36
antivir bloque smitfraudFix et me dit contains detection pattern of the dropper DR/Tool.Reboot.F.76
0
^^Marie^^ Messages postés 114053 Date d'inscription mardi 6 septembre 2005 Statut Membre Dernière intervention 28 août 2020 3 275
11 avril 2008 à 09:42
C'est pas grave, c'est un faux positif.

Lance Tool

0
Réponse 19 / 21
ysra
11 avril 2008 à 09:45
voila le rapport
-->- Recherche:

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\HijackThis: trouvé !
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\HijackThis\HijackThis.lnk: trouvé !
C:\Documents and Settings\Administrateur\Recent\HijackThis.lnk: trouvé !
C:\Documents and Settings\Administrateur\Mes documents\HijackThis: trouvé !
C:\Documents and Settings\Administrateur\Mes documents\hijackthis\HijackThis.exe: trouvé !
C:\Documents and Settings\Administrateur\Mes documents\virus\BtFix.zip: trouvé !
C:\Documents and Settings\Administrateur\Mes documents\virus\HJTInstall.exe: trouvé !
C:\Documents and Settings\Administrateur\Mes documents\virus\Btfix: trouvé !
C:\Documents and Settings\Administrateur\Mes documents\virus\SmitFraudfix: trouvé !
C:\Documents and Settings\Administrateur\Mes documents\virus\BTFix\Btfix: trouvé !
C:\Documents and Settings\Administrateur\Bureau\HijackThis.lnk: trouvé !
C:\Documents and Settings\Administrateur\Bureau\SmitFraudFix.exe: trouvé !
C:\Program Files\Trend Micro\HijackThis: trouvé !
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: trouvé !


Point de restauration crée !
---------------------------------
-->- Suppression:
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\HijackThis\HijackThis.lnk: supprimé !
C:\Documents and Settings\Administrateur\Recent\HijackThis.lnk: supprimé !
C:\Documents and Settings\Administrateur\Mes documents\hijackthis\HijackThis.exe: supprimé !
C:\Documents and Settings\Administrateur\Mes documents\virus\BtFix.zip: supprimé !
C:\Documents and Settings\Administrateur\Mes documents\virus\HJTInstall.exe: supprimé !
C:\Documents and Settings\Administrateur\Bureau\HijackThis.lnk: supprimé !
C:\Documents and Settings\Administrateur\Bureau\SmitFraudFix.exe: supprimé !
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: supprimé !
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\HijackThis: supprimé !
C:\Documents and Settings\Administrateur\Mes documents\HijackThis: supprimé !
C:\Documents and Settings\Administrateur\Mes documents\virus\Btfix: supprimé !
C:\Documents and Settings\Administrateur\Mes documents\virus\SmitFraudfix: supprimé !
C:\Program Files\Trend Micro\HijackThis: supprimé !
0
Réponse 20 / 21
^^Marie^^ Messages postés 114053 Date d'inscription mardi 6 septembre 2005 Statut Membre Dernière intervention 28 août 2020 3 275
11 avril 2008 à 09:49
OK

Super

Installe un pare feu

télécharger la version gratuite de Kerio

Kerio (pare-feu) : reste gratuit après la période d'essai en français
https://kerio.probb.fr/
Regarde ce tutoriel si tu as besoin d'aide pour l'installation et la configuration de Kerio
https://kerio.probb.fr/
Plus d'info :
->https://kerio.probb.fr/


Bon surf

+++

0

Discussions similaires

Virus détecté
Koony -
MisteryBean -

6 réponses
infecté par des virus
Lisy59120 -
Lisy59120 -

5 réponses
mustapha
mustapha -
Ainillia -

1 réponse
Infection d'une URL.blacklist
marina41 -
Malekal_morte- -

6 réponses
Infection par : ONLYPC Flow.co.in
Jackot17 -
bazfile -

3 réponses