Recent variant of the DNSChanger trojan

stef38 - 16 Dec 2008 at 19:30
jlpjlp (security contributor) - 18 Dec 2008 at 14:19
Hello,
My XP SP2 PC is infected with a variant of the DNS changer virus that I caught at the end of November / beginning of December.
I have gone through the posts on this subject in the forums and on the net, but without success. Malwarebytes detects the infected registry entries but cannot remove them (normal mode, safe mode...); they are restored almost instantly. chkdsk /f and defrag refuse to start, and after a while iexplore crashes and freezes the PC.
With Process Explorer, Regmon and other tools, I was able to see that it is all the svchost processes (I have 6 of them) that write to the registry keys, and they all do it as soon as I either delete the key with regedit or change the DNS in the TCP/IP properties of the network interfaces.
So I am reduced to looking for where the code that does this is located.
Looking at the list of DLLs of each SVCHOST, there is nothing obvious, and all the scanning tools I have run detect only the keys as suspicious.
I am now thinking of trying to see whether I can find the string corresponding to the suspicious DNS address in the DLLs, but I suppose whoever wrote this filth thought of encrypting it!
Do you know of a tool that could indicate which DLL is active at a given moment? Process Explorer only does this at the process level and that is not enough to help me!
What to make of chkdsk and defrag being disabled? Could the beast be hiding in a few "undeclared" sectors?

PS: this forum and others are very useful, but I think those who write viruses and trojans read them, and that lets them make their code more "resistant".

Thanks in advance for your help. I am planning to wipe my HDD and reinstall everything to fill the cold nights between Christmas and New Year's Day if I do not find a solution :-(

11 replies

jlpjlp (security contributor) - 16 Dec 2008 at 20:19
Hi,

Do you have the Malwarebytes report so we can take a look?

__________

Download it from here:

http://images.malwareremoval.com/random/RSIT.exe

random's system information tool (RSIT) by random/random, and save it to the Desktop.

Double-click RSIT.exe to launch RSIT.

Click Continue on the Disclaimer screen.

If the HijackThis tool (up-to-date version) is not present or not detected on the computer, RSIT will download it (allow access in your firewall if asked) and you will have to accept the license.

When the analysis is finished, two text files will open.

Post the contents of log.txt (<<which will be displayed)
as well as info.txt (<<which will be minimized in the Taskbar).

NB: the reports are saved in the folder C:\rsit
OK, I will do that tomorrow.
I no longer put the PC on the network, to avoid contaminating others; so I download on another one and transfer via a USB HDD, which complicates things a bit when the tools want to connect online.

Thanks for your reply, and see you tomorrow.
jlpjlp (security contributor) - 16 Dec 2008 at 20:53
OK, but tomorrow I will be less available...
Here are the logs, Malwarebytes first
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/17/2008 10:20:47 AM
mbam-log-2008-12-17 (10-20-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 156595
Time elapsed: 1 hour(s), 32 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 15
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------- end of report

info.txt logfile of random's system information tool 1.04 2008-12-17 11:17:25


=====HijackThis Backups=====

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: PictureTaker - LANovation - C:\Windows\System32\PCTKRNT.SYS
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\Program Files\OrangeHSS\SearchURLHook\SearchPageURL.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost:6464
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: Groove Installer Service (GrooveInstallerService) - Unknown owner - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe (file missing)

======Security center information======

AV: Symantec AntiVirus Corporate Edition

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0204
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------
Logfile of random's system information tool 1.04 (written by random/random)
Run by sttosi at 2008-12-17 11:17:15
Microsoft Windows XP Professional Service Pack 2
System drive C: has 16 GB (29%) free of 57 GB
Total RAM: 511 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:22 AM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\MsPMSPSv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Windows\system32\ctfmon.exe
C:\Documents and Settings\sttosi\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\sttosi.exe

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll (file missing)
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00000006-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms6 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall6.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {7290A1F1-EC1C-11D2-996F-0060B086A50C} (Time&Labor) - http://saintes.grenoble.hp.com:8008/applet/tal754.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1BFBE93-8D91-427C-965B-72088CFAADF4} (CCertificateDelete Object) - https://hppkis01.can.hp.com/userweb/vscertdel.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer = 85.255.114.59;85.255.112.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.59;85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.59;85.255.112.211
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - Unknown owner - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe (file missing)
O23 - Service: Groove Installer Service (GrooveInstallerService) - Unknown owner - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe (file missing)
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
0
stef38 > stef38
17 Dec. 2008 at 11:57
and the end of log.txt:

S3 NdisIP;Microsoft TV/Video Connection; C:\Windows\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 NWRDR;NetWare Rdr; C:\Windows\System32\DRIVERS\nwrdr.sys [2006-10-13 163584]
S3 PCAMPR5;PCAMPR5 NDIS Protocol Driver; \??\C:\Windows\system32\PCAMPR5.SYS []
S3 PCANDIS5;PCANDIS5 NDIS Protocol Driver; \??\C:\Windows\system32\PCANDIS5.SYS []
S3 pepifilter;Volume Adapter; C:\Windows\system32\DRIVERS\lv302af.sys []
S3 PID_08A0;Labtec WebCam Pro(PID_08A0); C:\Windows\system32\DRIVERS\LV302AV.SYS []
S3 SLIP;BDA Slip De-Framer; C:\Windows\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\Windows\System32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\Windows\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 streamip;BDA IPSink; C:\Windows\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\Windows\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbscan;USB Scanner Driver; C:\Windows\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\Windows\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2004-08-04 78464]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\Windows\system32\DRIVERS\wceusbsh.sys [2004-12-06 104064]
S3 wlags51b;Wireless LAN USB Driver; C:\Windows\system32\DRIVERS\wlags51b.sys [2002-04-30 176128]
S3 WSTCODEC;World Standard Teletext Codec; C:\Windows\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\Windows\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\Windows\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 HPQSETUP.SYS;HPQSETUP.SYS; \??\C:\Documents and Settings\sttosi\HPQSETUP.SYS []
S4 sr;System Restore Filter Driver; C:\Windows\System32\DRIVERS\sr.sys [2004-08-04 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\Windows\System32\drivers\ws2ifsl.sys [2001-08-18 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\Windows\System32\Ati2evxx.exe [2003-03-30 249941]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-06-02 185968]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-06-02 161392]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2005-08-22 19648]
R2 Hibernation;Hibernation; C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe [2002-10-10 90112]
R2 Irmon;Infrared Monitor; C:\Windows\System32\svchost.exe [2004-08-04 14336]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2005-08-22 169152]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2005-08-22 1716928]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\Windows\System32\MsPMSPSv.exe [2001-05-01 53248]
S2 FTRTSVC;France Telecom Routing Table Service; C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe []
S2 GrooveInstallerService;Groove Installer Service; C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe []
S2 NWCWorkstation;Client Service for NetWare; C:\Windows\System32\svchost.exe [2004-08-04 14336]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-06-02 83568]
S3 magaService;Lan Discover Agent; C:\Program Files\Sygate\SSA\maga\maga.exe []
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-04-22 206552]
S3 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2005-03-31 992864]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\Windows\system32\svchost.exe [2004-08-04 14336]
S4 PictureTaker;PictureTaker; C:\Windows\System32\PCTKRNT.SYS [2003-02-10 45056]

-----------------EOF-----------------
0
jlpjlp Posts: 51580 Registered: Friday 18 May 2007 Status: Security contributor Last activity: 3 May 2022 5 040
17 Dec. 2008 at 12:40
Download UsbFix to your desktop
http://sd-1.archive-host.com/membres/up/116615172019703188/UsbFix.exe

--> Run the installation with the default settings

Plug the external data sources (USB stick, external hard drive, etc.) that may have been infected into your PC, without opening them

--> Double-click the UsbFix shortcut on your desktop

--> The PC will reboot

--> After the reboot, post the UsbFix.txt report

Note: the UsbFix.txt report is saved at the root of the disk
Note: if the Desktop does not reappear, press Ctrl + Alt + Del, "File" tab, "New Task", type explorer.exe and confirm

____________________

then run Malwarebytes Anti-Malware again after updating it, paste the report, and then a new RSIT
0
Thanks for your help;
Being curious by nature, your message triggered a surge of adrenaline in me and I rushed to my USB HDDs (I have 2) to have a look.
The next minute I gave myself a big slap when I saw what was at the root of the disks!
On one of the two, in the autorun.inf file (which had been modified), it tries to launch a boot.com located in a reSycled directory; but no such directory in sight! Besides, I had heard about this reSycled directory before in the messages about this virus.
Looking a little further, I had a Recycle Bin and also a Recycle, and when I deleted the Recycle, the reSycled directory appeared. I also removed the "System Volume Information" directories, which apparently contained "restore points" that in my view have no business being on "data" disks and which had to go anyway (I had already disabled the restore function on the PC).

I'm now going to do the UsbFix procedure, then redo a full Malwarebytes scan, and RSIT, which will take about 2 hours!

May I ask how you got the idea of UsbFix? Is it something in the logs?

thanks again
0

jlpjlp Posts: 51580 Registered: Friday 18 May 2007 Status: Security contributor Last activity: 3 May 2022 5 040
17 Dec. 2008 at 15:30
UsbFix because this resycled infection is frequent alongside your 85.255...... infection

and this:


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae44fd80-8238-11dd-993f-0008024436b8}]
shell\AutoRun\command - D:\o1.com
shell\explore\command - D:\o1.com
shell\open\command - D:\o1.com
0
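The two persistence artefacts this thread turns on, the drive-root autorun.inf that launches resycled\boot.com (stef38's post above) and the cached shell\...\command entries under MountPoints2 together with the 85.255.x.x NameServer values (jlpjlp's post), can be triaged with a small script. This is an added example, not code from the thread or from UsbFix/MBAM; the sample inputs are constructed to match the shapes shown in the posted logs, and the rogue-resolver set is only the two addresses quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Rogue resolvers quoted in the HijackThis O17 lines and the MBAM log above.
ROGUE_DNS = {"85.255.114.59", "85.255.112.211"}
# autorun.inf directives that make Explorer run a program on insert/open.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)
EXEC_EXT = (".com", ".exe", ".bat", ".cmd", ".vbs", ".scr", ".pif")


@dataclass
class Finding:
    line_no: int  # 0 for a file-level finding
    key: str
    value: str
    reason: str


def parse_autorun(text: str) -> List[Finding]:
    """Report autorun.inf directives that launch a program. A vendor file (like
    the WD one UsbFix listed on G:) only sets ICON=/LABEL=, so anything that
    runs something is worth a look; a recycler-like path gets a stronger reason."""
    findings: List[Finding] = []
    padding = 0
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        if line.startswith(";"):
            # The infected T:\autorun.inf pads itself with long random comment
            # lines; count them as a file-level indicator.
            if len(line) > 40 and " " not in line:
                padding += 1
            continue
        if "=" not in line:
            findings.append(Finding(n, line, "", "malformed or truncated directive"))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key.lower() in EXEC_KEYS or SHELL_CMD_RE.match(key):
            reason = "runs a program when the drive is inserted or opened"
            if re.search(r"re\w?ycle\w*\\", value, re.IGNORECASE):
                reason += "; launch path imitates a recycler folder"
            findings.append(Finding(n, key, value, reason))
    if padding:
        findings.append(Finding(0, ";", str(padding), "long random comment lines (padding)"))
    return findings


def check_mountpoints2(dump: str) -> List[str]:
    """Flag 'shell\\X\\command - target' lines (the format jlpjlp quoted) whose
    target is an executable; Explorer replays these when the volume is opened,
    even after the autorun.inf itself has been removed."""
    hits = []
    for line in dump.splitlines():
        m = re.match(r"(shell\\[^\\]+\\command)\s*-\s*(.+)$", line.strip(), re.IGNORECASE)
        if m and m.group(2).strip().lower().endswith(EXEC_EXT):
            hits.append(f"{m.group(1)} -> {m.group(2).strip()}")
    return hits


def check_nameservers(values: Dict[str, str]) -> List[str]:
    """Return the value paths whose NameServer/DhcpNameServer data names a rogue
    resolver. `values` maps value path -> data; export every control set, since
    MBAM found the values in CurrentControlSet, ControlSet001 and ControlSet002."""
    hits = []
    for path, data in values.items():
        if path.lower().endswith("nameserver"):
            servers = {s for s in re.split(r"[;, ]+", data) if s}
            if servers & ROGUE_DNS:
                hits.append(path)
    return hits


# Constructed sample in the shape of the infected T:\autorun.inf from the UsbFix
# log; the shellexecute line is the one the log shows, the rest is made up.
SUSPECT_AUTORUN = """[autorun]
;qwlkdjfqwlkejfqlwkejflqkwjeflkqwjeflkqwjeflkqwjeflkqwjefqwlkej
shellexecute="resycled\\boot.com t:"
;mzxncvmznxcvmznxcvmznxcvmznxcvmznxcvmznxcvmznxcvmzxncvmznxcv
shell\\open\\command="resycled\\boot.com t:"
"""
# Constructed sample of the clean vendor file UsbFix listed on G:.
CLEAN_AUTORUN = "[autorun]\nICON=AUTORUN\\WDLOGO.ICO\n"
# The MountPoints2 entries exactly as quoted in the thread.
MOUNTPOINTS2_DUMP = r"""[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae44fd80-8238-11dd-993f-0008024436b8}]
shell\AutoRun\command - D:\o1.com
shell\explore\command - D:\o1.com
shell\open\command - D:\o1.com
"""
# Constructed registry export: the rogue data is what MBAM reported; the
# all-zero interface GUID is made up as a clean control.
TCPIP_VALUES = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer": "85.255.114.59;85.255.112.211",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer": "85.255.114.59;85.255.112.211",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}\NameServer": "192.168.1.1",
}
```

Point parse_autorun at the text of a drive-root autorun.inf and check_nameservers at an export of the Tcpip\Parameters tree from every control set; a hit on either side is a reason to clean the removable media before expecting the DNS fix to stick.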
Here are the results observed, along with the log files.
There were indeed unwanted directories and files on the USB drives detected by UsbFix; I had cleaned some by hand before running the tool and let the tool clean one by itself, as shown in the log. It seems that side of the matter is resolved.
I then ran Malwarebytes on all the drives (3 hours and a bit) and it only detected the DNS values in the registry, as before; I ticked and confirmed the "fix" option and it rebooted the machine. However, as before, looking at the registry, I notice (as does RSIT) that the values have been restored!!!!!!
RSIT did not regenerate the info file so I am not attaching it; on the other hand I set "2 months" for the modified files...

Regarding UsbFix, should I do the "vaccination"?



-------------- UsbFix V2.413.4 ---------------

* User : sttosi - STEVO800C
* Outils mis a jours le 11/12/2008 par Chiquitine29 et Chimay8
* Recherche effectuée à 14:32:55 le Wed 12/17/2008
* Windows Xp - Internet Explorer 8.0.6001.18241


--------------- [ Processus actifs ] ----------------


C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\Windows\system32\WgaTray.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\DOCUME~1\sttosi\LOCALS~1\Temp\1.tmp\b2e.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------- [ Informations lecteurs ] ----------------

C: - Fixed Drive
G: - Fixed Drive
H: - Fixed Drive
T: - Fixed Drive
+- Contenu de l'autorun : G:\autorun.inf

[autorun]
ICON=AUTORUN\WDLOGO.ICO


+- Contenu de l'autorun : T:\autorun.inf

[autorun]
;ceqjqrlyblchppflwaxcauapnnscypvuvfzdffjftfskpbdnmhsgknsapgxwbwpnawabmgxadowrpibgyfzupowmklwfdrsjcxedvtjh
shellexecute="resycled\boot.com t:"
;tiencbolxzwjvgngfcxxjlqbemgezwcgbfbdwisumxmiziuffisenfjdjizabbrggqtjwxwrfratdpktaatoyikv
shell\Ope

--------------- [ Lecteur C ] ----------------

C: - Fixed Drive
+- Listing des fichiers présents :

[08/30/2004 12:45 PM][-rahs----] C:\NTDETECT.COM
[10/06/2005 10:22 AM][--a------] C:\kit.exe
[08/30/2004 01:10 PM][--ahs----] C:\boot.ini
[12/17/2008 02:32 PM][--a------] C:\Pollog.txt
[12/17/2008 02:32 PM][--a------] C:\PollSt.txt
[12/17/2008 02:32 PM][--a------] C:\rapport.txt
[12/17/2008 02:32 PM][--a------] C:\UsbFix.txt
[02/07/2003 06:22 PM][-rahs----] C:\IO.SYS
[02/07/2003 06:22 PM][-rahs----] C:\MSDOS.SYS
[02/07/2003 06:22 PM][-rahs----] C:\pagefile.sys

--------------- [ Lecteur G ] ----------------

G: - Fixed Drive
+- Listing des fichiers présents :

[09/04/2006 04:11 PM][--a------] G:\WDSync.exe
[09/04/2006 04:11 PM][--a------] G:\XoftSpySE_Setup_RW.exe
[09/04/2006 04:11 PM][--a------] G:\HJTInstall.exe
[09/04/2006 04:11 PM][--a------] G:\RSIT.exe
[09/04/2006 04:11 PM][--a------] G:\UsbFix.exe
[11/15/2005 11:08 AM][--ah-----] G:\autorun.inf
[10/02/2008 06:09 PM][--a------] G:\New Text Document.txt
[10/02/2008 06:09 PM][--a------] G:\mbam-log-2008-12-17 (10-20-47).txt
[10/02/2008 06:09 PM][--a------] G:\info.txt
[10/02/2008 06:09 PM][--a------] G:\log.txt

--------------- [ Lecteur H ] ----------------

H: - Fixed Drive
+- Listing des fichiers présents :


--------------- [ Lecteur T ] ----------------

T: - Fixed Drive
+- Listing des fichiers présents :

[12/07/2008 05:29 PM][-r-hs----] T:\autorun.inf

--------------- [ Registre / Startup ] ----------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
CursorXP=C:\Program Files\CursorXP\CursorXP.exe
ctfmon.exe=C:\Windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
ATIModeChange=Ati2mdxx.exe
AtiPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
eabconfg.cpl=C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
DAEMON Tools-1033="C:\Program Files\D-Tools\daemon.exe" -lang 1033
TkBellExe=C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
RoxioEngineUtility="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray=C:\PROGRA~1\SYMANT~2\VPTray.exe
NeroFilterCheck=C:\Windows\system32\NeroCheck.exe
LogitechVideoRepair=C:\Program Files\Logitech\Video\ISStart.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
Installed=1
NoChange=1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1

--------------- [ Registre / Mountpoint2 ] ----------------

Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ae44fd80-8238-11dd-993f-0008024436b8}\Shell\AutoRun\command
Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ae44fd80-8238-11dd-993f-0008024436b8}\Shell\explore\Command
Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ae44fd80-8238-11dd-993f-0008024436b8}\Shell\open\Command

--------------- [ Nettoyage des disques ] ----------------

Supprimé ! - [12/13/2008 06:36 PM][--a------] C:\Windows\system32\tmp.reg
Supprimé ! - [12/13/2008 06:36 PM][--a------] C:\Windows\system32\tmp.txt
Supprimé ! - [11/15/2005 11:08 AM][--ah-----] G:\autorun.inf
Supprimé ! - [04/06/2007 02:55 PM][d--------] G:\AutoRun
Supprimé ! - [12/07/2008 05:29 PM][-r-hs----] T:\autorun.inf

--------------- [ Resumé ] ----------------

-> /!\ Le resultat doit etre interprété par un spécialiste /!\

[08/30/2004 12:45 PM][-rahs----] C:\NTDETECT.COM
[10/06/2005 10:22 AM][--a------] C:\kit.exe
[08/30/2004 01:10 PM][--ahs----] C:\boot.ini
[09/04/2006 04:11 PM][--a------] G:\WDSync.exe
[09/04/2006 04:11 PM][--a------] G:\XoftSpySE_Setup_RW.exe
[09/04/2006 04:11 PM][--a------] G:\HJTInstall.exe
[09/04/2006 04:11 PM][--a------] G:\RSIT.exe
[09/04/2006 04:11 PM][--a------] G:\UsbFix.exe

--------------- ! Fin du rapport ! ----------------

Kit.exe is the software from FREE for the Freebox; the boot.ini file only contains the Windows startup string.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/17/2008 6:11:49 PM
mbam-log-2008-12-17 (18-11-49).txt

Scan type: Full Scan (C:\|G:\|H:\|T:\|)
Objects scanned: 370978
Time elapsed: 3 hour(s), 29 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


and finally for RSIT
Logfile of random's system information tool 1.04 (written by random/random)
Run by sttosi at 2008-12-17 18:30:40
Microsoft Windows XP Professional Service Pack 2
System drive C: has 16 GB (29%) free of 57 GB
Total RAM: 511 MB (37% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:41 PM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\MsPMSPSv.exe
C:\Windows\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Windows\system32\ctfmon.exe
C:\PROGRA~1\QUICKV~1\PROGRAM\QVP32.EXE
C:\Documents and Settings\sttosi\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\sttosi.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll (file missing)
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00000006-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms6 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall6.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {7290A1F1-EC1C-11D2-996F-0060B086A50C} (Time&Labor) - http://saintes.grenoble.hp.com:8008/applet/tal754.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1BFBE93-8D91-427C-965B-72088CFAADF4} (CCertificateDelete Object) - https://hppkis01.can.hp.com/userweb/vscertdel.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer = 85.255.114.59;85.255.112.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.59;85.255.112.211
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.59;85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.59;85.255.112.211
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - Unknown owner - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe (file missing)
O23 - Service: Groove Installer Service (GrooveInstallerService) - Unknown owner - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe (file missing)
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
jlpjlp Posts 51580 Registered Friday 18 May 2007 Status Security contributor Last active 3 May 2022 5 040
17 Dec. 2008 at 19:39
download SmitFraudFix, choose option 5
and paste the report

___________

run HijackThis again; the O17 lines should no longer appear. If they still do, choose "Do a system scan only", then tick the box in front of the lines below and click "Fix checked" at the bottom

O17 - HKLM\System\CCS\Services\Tcpip\..\{C761BA5A-60C5-4445-8C2D-5788800F3A1F}: NameServer = 85.255.113.138;85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.138;85.255.112.115
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.138;85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138;85.255.112.115
___________


click Start > Run > in the dialog box type cmd and press Enter

in the black window type this: ipconfig /flushdns and confirm with Enter (there is a space between the g of config and the /)

___________

reboot and post a new RSIT or HijackThis report
Here is the SmitFraudFix option 5 report.

Apparently it does not succeed, but that does not surprise me, since any utility that tries to change the values is doomed to fail: there is a process attached to SVCHOST that traps accesses to those keys and restores the values whenever they are modified.

I need to find which driver or DLL loaded by the network services was modified by the virus to carry out this interception of those registry keys.

SmitFraudFix v2.385

Scan done at 22:01:07.33, Wed 12/17/2008
Run from C:\Documents and Settings\sttosi\My Documents\tools\xp tools\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.59;85.255.112.211

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Compaq WLAN MultiPort W200 - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.59;85.255.112.211

HKLM\SYSTEM\CCS\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS2\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS2\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.114.59;85.255.112.211

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.59;85.255.112.211

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Compaq WLAN MultiPort W200 - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.59;85.255.112.211

HKLM\SYSTEM\CCS\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8D4A1A1-C35E-4657-A7C5-5513ABB893E0}: NameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=85.255.114.59;85.255.112.211

Thanks again for your help.
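An added example, not code from the thread and not SmitFraudFix's or Malwarebytes' own code: a small Python triage script that does by hand what the report above shows. It parses the "DNS Before Fix" / "DNS After Fix" sections of a SmitFraudFix report (and HijackThis O17 lines), flags resolvers inside the 85.255.x.x space SmitFraudFix matches, and compares the two sections. If hijacked values survive the fix, or some are cleared and the rest come straight back, that is the signature of a live component rewriting them, which is the deduction stef38 makes above. Assumptions: the /16 range (swap in your own indicator list), and SAMPLE_REPORT, which is a shortened excerpt of the report quoted in this post. The registry_values_to_reset helper enumerates every value a DNS changer of this kind rewrites; with the two interface GUIDs from these logs it yields the same 18 entries the Malwarebytes scan lists further down the thread.

```python
"""Triage DNS-hijack indicators in SmitFraudFix / HijackThis output: flag rogue
resolvers and compare the "DNS Before Fix" / "DNS After Fix" sections."""
import ipaddress
import re

# SmitFraudFix's heuristic is "85.255.x.x detected"; mirrored here as a /16.
# Assumption: swap in your own indicator list where needed.
HIJACK_NETS = [ipaddress.ip_network("85.255.0.0/16")]
# SmitFraudFix line:  HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.59;...
REG_LINE = re.compile(r"^(HKLM\\SYSTEM\\[^:]+): (DhcpNameServer|NameServer)=(.*)$")
# HijackThis line:    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255...
HJT_O17 = re.compile(r"^O17 - (HKLM\\System\\[^:]+): NameServer = (.*)$")


def parse_servers(value):
    """Split a NameServer value ('a;b', 'a,b' or 'a b') into addresses."""
    return [s for s in re.split(r"[;,\s]+", value.strip()) if s]


def is_hijacked(ip_str):
    """True when the address lies inside one of HIJACK_NETS."""
    try:
        return any(ipaddress.ip_address(ip_str) in net for net in HIJACK_NETS)
    except ValueError:          # not an IP address at all
        return False


def extract_resolvers(text):
    """Map 'registry key\\value name' -> [addresses] for each matching line."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := REG_LINE.match(line):
            found[f"{m.group(1)}\\{m.group(2)}"] = parse_servers(m.group(3))
        elif m := HJT_O17.match(line):
            found[f"{m.group(1)}\\NameServer"] = parse_servers(m.group(2))
    return found


def split_sections(report):
    """(before_fix_text, after_fix_text) of a SmitFraudFix report."""
    before, after, target = [], [], None
    for line in report.splitlines():
        if "DNS Before Fix" in line:
            target = before
        elif "DNS After Fix" in line:
            target = after
        elif target is not None:
            target.append(line)
    return "\n".join(before), "\n".join(after)


def triage(report):
    """Which hijacked values the fix cleared, and which survived it."""
    before_txt, after_txt = split_sections(report)
    before = {k: v for k, v in extract_resolvers(before_txt).items() if any(map(is_hijacked, v))}
    after = {k: v for k, v in extract_resolvers(after_txt).items() if any(map(is_hijacked, v))}
    persisted = sorted(set(before) & set(after))
    cleared = sorted(set(before) - set(after))
    if not before:
        verdict = "clean"
    elif not persisted:
        verdict = "cleared"
    elif not cleared:
        verdict = "unchanged"   # the tool could not write the values at all
    else:
        verdict = "partial"     # written, then put back: something live is rewriting them
    return {"hijacked_before": sorted(before), "persisted": persisted,
            "cleared": cleared, "verdict": verdict}


def registry_values_to_reset(interface_guids,
                             control_sets=("CurrentControlSet", "ControlSet001", "ControlSet002")):
    """Every value a DNS changer of this kind rewrites: NameServer and
    DhcpNameServer, global and per interface, in each control set."""
    paths = []
    for cs in control_sets:
        base = f"HKLM\\SYSTEM\\{cs}\\Services\\Tcpip\\Parameters"
        for key in [base] + [f"{base}\\Interfaces\\{g}" for g in interface_guids]:
            paths += [f"{key}\\DhcpNameServer", f"{key}\\NameServer"]
    return paths


# Shortened excerpt of the SmitFraudFix report quoted in this thread.
SAMPLE_REPORT = """\
>>>> DNS Before Fix
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.59;85.255.112.211
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer=85.255.114.59;85.255.112.211
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: NameServer=85.255.114.59;85.255.112.211
>>>> DNS After Fix
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: DhcpNameServer=85.255.114.59;85.255.112.211
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{84B5DE31-F6B0-42A6-937D-5FE078274F9E}: NameServer=85.255.114.59;85.255.112.211
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=85.255.114.59;85.255.112.211
"""

if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(r["verdict"], "persisted:", r["persisted"], "cleared:", r["cleared"])
```

On the excerpt the verdict is "partial": the fix managed to clear Tcpip\Parameters\NameServer, but everything else, including the DhcpNameServer values, is back by the time the tool re-reads it. A "partial" or "unchanged" verdict is the cue to stop fixing values and go looking for the loaded driver or DLL, which is what the updated Malwarebytes scan finds later in the thread. Note that DhcpNameServer is normally written by the DHCP client, so a rogue value there on an interface that never got it from the router is itself a tell.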
jlpjlp Posts 51580 Registered Friday 18 May 2007 Status Security contributor Last active 3 May 2022 5 040
17 Dec. 2008 at 22:19
ok
the problem is that you are using Malwarebytes Anti-Malware without having updated it;
update it to version 1512
and scan
and paste us the report, then a new HijackThis

manual
https://www.malekal.com/tutoriel-malwarebyte-anti-malware/
Manuel,

I think we can claim victory this time, and I am annoyed with myself for not having done that Malwarebytes update when it says everywhere to do it (in my defence, I thought that with a first install on 7 December I had the latest release); so "slap on the wrist" for me and kudos for your patience and perseverance.

So I loaded version 1512 and ran a scan in safe mode / no network, and this time it found a driver and a couple of DLLs in addition to the keys. One of the DLLs had to be deleted on reboot (even without the network, that nasty thing was loaded!); I rebooted and, to my pleasant surprise, CHKDSK kicked in on drive C. I also checked that defrag works again.
I also checked that the "resistant" DLL had been deleted.
Finally, I went into the properties of the network interfaces (LAN and WiFi); the LAN one had been put back to "full DHCP" and I had to do it manually for the WiFi.
So everything seems to be getting back to normal, even though I know NORTON is going to remove some SmitFraudFix executables that it considers 'viruses'.

I really want to thank you for your invaluable help, your availability and your friendliness.

Stephane

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 2

12/18/2008 11:54:28 AM
mbam-log-2008-12-18 (11-54-09 before dest).txt

Scan type: Quick Scan
Objects scanned: 55857
Time elapsed: 9 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 18
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{84b5de31-f6b0-42a6-937d-5fe078274f9e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f8d4a1a1-c35e-4657-a7c5-5513abb893e0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.59;85.255.112.211 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msqpdxblaturev.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msqpdxoctpxnyq.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\msqpdxrfdckfvm.sys (Trojan.Agent) -> No action taken.

all this before I pressed "fix"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:59 PM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll (file missing)
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00000006-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms6 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall6.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {7290A1F1-EC1C-11D2-996F-0060B086A50C} (Time&Labor) - http://saintes.grenoble.hp.com:8008/applet/tal754.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1BFBE93-8D91-427C-965B-72088CFAADF4} (CCertificateDelete Object) - https://hppkis01.can.hp.com/userweb/vscertdel.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - Unknown owner - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe (file missing)
O23 - Service: Groove Installer Service (GrooveInstallerService) - Unknown owner - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe (file missing)
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
jlpjlp Posts 51580 Registered Friday 18 May 2007 Status Security contributor Last active 3 May 2022 5 040
18 Dec. 2008 at 12:42
ok, that's good :) I'd had this case before and that person hadn't updated either ....

_____________________

right, delete what is in quarantine in Malwarebytes

you will need to update Windows with SP3


__________________

to remove the tools that were used:


Download ToolsCleaner to your desktop.
--> http://www.commentcamarche.net/telecharger/telecharger 34055291 toolscleaner
# Click "Recherche" (Search) and let the scan run ...
# Click "Suppression" (Delete) to finish.
# If you wish, you can use the optional options.
# Click "Quitter" (Quit) to get the report.
# Post the report (TCleaner.txt), which is in the root of your hard drive (C:\).
_____________________

to remove any viruses that might be in your system restore:


Disable your system restore, then reboot your computer, then re-enable it like this:
https://www.informatruc.com
_______________________

note:
Norton isn't the best ..... Antivir or BitDefender or G DATA are better :)

_______________________

keep Malwarebytes as a complement to Norton and also install CCleaner to remove your browsing traces ...
https://www.malekal.com/tutoriel-ccleaner/
_________________________

and be careful where you plug in your USB keys (if in doubt, run RAV ANTIVIRUS over them first)
As for system restore, I had already disabled it, and I have just re-enabled it and generated a restore point.
Here is the ToolsCleaner report, which completes what I had already removed by hand.
[ ToolsCleaner report version 2.2.7 (by A.Rothstein & dj QUIOU) ]

-->- Search:

C:\UsbFix.txt: found!
C:\Rsit: found!
C:\Documents and Settings\sttosi\My Documents\hijackthis.log: found!
C:\Documents and Settings\sttosi\My Documents\tools\xp tools\SmitFraudFix.zip: found!
C:\Documents and Settings\sttosi\My Documents\tools\xp tools\UsbFix.exe: found!
C:\Documents and Settings\sttosi\My Documents\tools\xp tools\Rsit.exe: found!
C:\Documents and Settings\sttosi\Recent\HijackThis.lnk: found!
C:\Program Files\UsbFix: found!
C:\Program Files\Trend Micro\HijackThis: found!
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: found!
C:\Program Files\Trend Micro\HijackThis\hijackthis.log: found!
C:\tmp\HJTInstall.exe: found!

---------------------------------
-->- Deletion:

C:\Documents and Settings\sttosi\My Documents\tools\xp tools\SmitFraudFix.zip: deleted!
C:\Documents and Settings\sttosi\Recent\HijackThis.lnk: deleted!
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: deleted!
C:\tmp\HJTInstall.exe: deleted!
C:\UsbFix.txt: deleted!
C:\Documents and Settings\sttosi\My Documents\hijackthis.log: deleted!
C:\Documents and Settings\sttosi\My Documents\tools\xp tools\UsbFix.exe: deleted!
C:\Documents and Settings\sttosi\My Documents\tools\xp tools\Rsit.exe: deleted!
C:\Program Files\Trend Micro\HijackThis\hijackthis.log: deleted!
C:\Rsit: deleted!
C:\Program Files\UsbFix: deleted!
C:\Program Files\Trend Micro\HijackThis: deleted!

I am now using CCleaner, which seems to me a great tool.
So you recommend installing SP3; I had heard opposing opinions on that point.

My last question is about USBFix: I did the cleaning, but what does the "vaccination" do, and do you recommend doing it?

Thanks for everything.
Stephane
jlpjlp Posts 51580 Registered Friday 18 May 2007 Status Security contributor Last active 3 May 2022 5 040
18 Dec. 2008 at 14:19
yes, for USBFix vaccinate; it will stop your disk being infected by an infected key
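An added example, not code from the thread and not USBFix's own code, of what the "vaccination" asked about above does. The mechanism this script assumes is the one the USB vaccination tools of that period used: occupy the name autorun.inf in each drive's root with a directory rather than a file, so that a worm on an infected key cannot drop its own autorun.inf there and get launched by AutoRun when the key is plugged in. The script also parses an existing autorun.inf for the open=, shellexecute= and shell\<verb>\command= targets AutoRun would execute, so you can inspect a key before vaccinating it. SAMPLE_AUTORUN is a constructed example of what such a worm drops, not something taken from this PC; the attribute flags set on Windows are the ones those tools applied, and are an assumption of this example.

```python
"""Autorun.inf 'vaccination' of a drive, and inspection of an existing
autorun.inf. Occupying the name autorun.inf with a directory means a worm on
an infected key cannot drop its own autorun.inf file in the drive root."""
import ctypes
import os
import tempfile

VACCINE = "autorun.inf"
LAUNCH_KEYS = ("open", "shellexecute")      # plus shell\<verb>\command=


def autorun_launch_targets(text):
    """(key, target) pairs from the [autorun] section that AutoRun/AutoPlay
    would execute: open=, shellexecute= and shell\\<verb>\\command=."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets


def vaccine_state(root):
    """'vaccinated' (autorun.inf is a directory), 'autorun_file' (a real
    autorun.inf exists: inspect it before touching it) or 'none'."""
    path = os.path.join(root, VACCINE)
    if os.path.isdir(path):
        return "vaccinated"
    return "autorun_file" if os.path.isfile(path) else "none"


def inspect_autorun(root):
    """Launch targets of an existing autorun.inf on this drive, if any."""
    path = os.path.join(root, VACCINE)
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as fh:
        return autorun_launch_targets(fh.read())


def vaccinate(root, replace_existing=False):
    """Create the autorun.inf directory on root. True if created, False if the
    drive was already vaccinated. Refuses to remove a real autorun.inf file
    unless replace_existing=True, so you inspect it first."""
    path = os.path.join(root, VACCINE)
    state = vaccine_state(root)
    if state == "vaccinated":
        return False
    if state == "autorun_file":
        if not replace_existing:
            raise FileExistsError(f"{path} is a file; run inspect_autorun() first")
        os.remove(path)
    os.mkdir(path)
    # A non-empty directory survives the plain RemoveDirectory()/DeleteFile()
    # a dropper uses to clear the way for its own autorun.inf.
    with open(os.path.join(path, "do_not_delete.txt"), "w") as fh:
        fh.write("autorun.inf is deliberately a directory (USB vaccine)\n")
    if os.name == "nt":     # READONLY | HIDDEN | SYSTEM, as the vaccination tools set (assumption)
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x1 | 0x2 | 0x4)
    return True


def write_autorun(root, text):
    """Stage an autorun.inf file (used to try the inspection on a sample)."""
    with open(os.path.join(root, VACCINE), "w") as fh:
        fh.write(text)


def scratch_drive():
    """A temporary directory standing in for a drive root."""
    return tempfile.mkdtemp(prefix="usb_")


# Constructed sample of the autorun.inf a USB worm drops; not from this PC.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "open=RECYCLER\\setup.exe\n"
    "shell\\open\\command=RECYCLER\\setup.exe\n"
    "shell\\explore\\command=RECYCLER\\setup.exe\n"
    "shellexecute=RECYCLER\\setup.exe\n"
)

if __name__ == "__main__":
    import sys
    for drive in sys.argv[1:]:            # e.g. python vaccine.py E:\ F:\
        print(drive, vaccine_state(drive), inspect_autorun(drive))
```

Run it with the drive letters to check as arguments and it reports each drive's state and any launch targets; call vaccinate(r"E:\") on each drive to apply. The vaccine only blocks the autorun.inf propagation route: it does not clean anything already on the key, a worm that relies on the user double-clicking a disguised executable is unaffected, and Microsoft later pushed an update that disables AutoRun for removable drives on XP anyway, which is the more complete fix.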