[LOGICIEL] [Centralisation] .:::: Hijackthis ::::.

steve419 · le 21 octobre 2008

Bonjour à tous,

j'ai besoin de votre aide,

voici le rapport fait sur le pc d'une amie :

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:06:26, on 21/10/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\System32\FTRTSVC.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Apps\Softex\OmniPass\Omniserv.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TeamViewer3\TeamViewer_Service.exe

C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\TeamViewer3\TeamViewer.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Apps\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\EoRezo\EoEngine.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\APPS\SMP\SmpSys.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\OFFICE One6.5\OFFICE One Clock\ooneclockv65.exe

C:\Program Files\OFFICE One6.5\OFFICE One Notes\oonotesv65.exe

C:\Program Files\Philips\Philips SPC220NC Webcam\TrayMin220.exe

C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe

C:\PROGRA~1\Wanadoo\ComComp.exe

C:\PROGRA~1\Wanadoo\Toaster.exe

C:\PROGRA~1\Wanadoo\Inactivity.exe

C:\PROGRA~1\Wanadoo\PollingModule.exe

C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

C:\PROGRA~1\Wanadoo\Watch.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ads.eorezo.com/cgi-bin/advert/getad...t&x_dp_id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [EoEngine] "C:\Program Files\EoRezo\EoEngine.exe"

O4 - HKLM\..\Run: [itsTV] "C:\Program Files\ItsLabel\ItsTV.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [smpcSys] C:\APPS\SMP\SmpSys.exe

O4 - HKCU\..\Run: [WOOKIT] "C:\PROGRA~1\Wanadoo\Shell.exe" appLaunchClientZone.shl|PARAM= cnx

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Orange Desktop Search] "C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" /tray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OFFICE One 6.5.lnk = C:\Program Files\OFFICE One6.5\program\quickstart.exe

O4 - Global Startup: OFFICE One Clock v6.5.lnk = C:\Program Files\OFFICE One6.5\OFFICE One Clock\ooneclockv65.exe

O4 - Global Startup: OFFICE One Notes v6.5.lnk = C:\Program Files\OFFICE One6.5\OFFICE One Notes\oonotesv65.exe

O4 - Global Startup: TrayMin220.lnk = ?

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm

O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://s.tf1.fr/mmdia/static/rawflow/clien...1.0/Rawflow.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2D37B9E8-C14C-482C-B1CF-939C5440E179} (VTToolkit Control) - http://saint-valentin.en-ville.orange.fr/V...p/VTToolkit.ocx

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://jeuxenligne.orange.fr/Gameshell/Gam...ronGameHost.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Br...018/flashax.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - file:///D:/Documents%20and%20Settings/manu.117734180318/Local%20Settings/Application%20Data/Oberon%20Media/Oberon%20Games%20Host/popcaploader_v6.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://grandmondial.microgaming.com/french/FlashAX2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{11DA0033-0B53-45D5-8A14-697585EBAA87}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{15C4B963-9938-46EC-BAEE-17E495C4FB90}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{67581134-69CB-4559-9A47-3D40B91165C0}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{11DA0033-0B53-45D5-8A14-697585EBAA87}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{11DA0033-0B53-45D5-8A14-697585EBAA87}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Apps\Softex\OmniPass\Omniserv.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Service.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--

End of file - 11539 bytes

Il y a des choses que je peux supprimer la dedans ?

Par avance merci

snooky · le 21 octobre 2008

@ steve419 :

1) Désinstalle :

Spysweeper

Eset Nod32

Spyware Terminator

Ad-Aware

2) Lance Clean v2.0 by FRUiT , procédure 1. ( ignore les messages Windows )

3) Redémarre le pc .

4) Lance FixWareOut et poste le rapport créé :

http://downloads.subratam.org/Fixwareout.exe

5) Lance ComboFix et poste le rapport créé :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

steve419 · le 21 octobre 2008

merci snooky pour ton aide :)

voici le rapport de FixWareOut :

Username "manu" - 21/10/2008 14:39:24 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check

Cache de résolution DNS vidé.

System was rebooted successfully.

~~~~~ Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

....

~~~~~ Misc files.

....

~~~~~ Checking for older varients.

....

~~~~~ Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

"EoEngine"="\"C:\\Program Files\\EoRezo\\EoEngine.exe\""

"ItsTV"="\"C:\\Program Files\\ItsLabel\\ItsTV.exe\""

"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmpcSys"="C:\\APPS\\SMP\\SmpSys.exe"

"WOOKIT"="\"C:\\PROGRA~1\\Wanadoo\\Shell.exe\" appLaunchClientZone.shl|PARAM= cnx"

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"Orange Desktop Search"="\"C:\\Program Files\\Orange HSS\\Orange Desktop Search\\OrangeDesktopSearch.exe\" /tray"

"MsnMsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe\" /background"

....

Hosts file was reset, If you use a custom hosts file please replace it...

C:\WINDOWS\repair\autoexec.nt missing

C:\WINDOWS\repair\Config.nt missing

~~~~~ End report ~~~~~

voici le rapport de ComboFix :

la maiComboFix 08-10-19.04 - manu 2008-10-21 14:55:15.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.602 [GMT 2:00]

Lancé depuis: C:\temp\ComboFix.exe

.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

D:\Documents and Settings\manu\Application Data\HbTools . . . . impossible à supprimer

D:\Documents and Settings\manu\Application Data\HbTools_Icons . . . . impossible à supprimer

D:\Documents and Settings\marie\Application Data\HbTools . . . . impossible à supprimer

D:\Documents and Settings\marie\Application Data\HbTools_Icons . . . . impossible à supprimer

.

((((((((((((((((((((((((((((( Fichiers créés du 2008-09-21 au 2008-10-21 ))))))))))))))))))))))))))))))))))))

.

2008-10-21 14:37 . 2008-10-21 14:41 <REP> d-------- C:\fixwareout

2008-10-21 13:53 . 2008-10-21 14:15 2,992,910 -ra------ C:\temp\ComboFix.exe

2008-10-21 13:53 . 2008-10-21 13:45 486,449 --a------ C:\temp\Fixwareout.exe

2008-10-21 13:47 . 2008-10-21 13:35 254,604 --a------ C:\clean.cmd

2008-10-21 13:35 . 2008-10-21 13:35 254,604 --a------ C:\temp\clean.cmd

2008-10-21 12:12 . 2008-10-21 12:59 25,085,704 --a------ C:\temp\antivir_workstation_winu_en_h.exe

2008-10-21 10:06 . 2008-10-21 10:06 <REP> d-------- C:\Program Files\Trend Micro

2008-10-21 10:05 . 2008-10-21 10:06 812,344 --a------ C:\temp\hijackthis_hijackthis_2.02_anglais_17891.exe

2008-10-20 20:47 . 2007-01-17 17:31 1,200,490 --a------ C:\temp\wrar37b2.exe

2008-10-20 17:49 . 2008-09-15 17:26 1,846,528 --------- C:\WINDOWS\system32\dllcache\win32k.sys

2008-10-20 17:49 . 2008-09-08 12:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys

2008-10-20 17:48 . 2008-10-20 17:48 8,580,384 --a------ C:\temp\SpywareTerminatorSetup.exe

2008-10-20 17:48 . 2008-08-14 15:23 2,191,232 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-10-20 17:48 . 2008-08-14 15:23 2,147,328 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-10-20 17:48 . 2008-08-14 15:23 2,068,096 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-10-20 17:48 . 2008-08-14 15:23 2,025,984 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2008-10-20 17:47 . 2008-10-20 17:50 <REP> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft

2008-10-20 17:46 . 2008-10-20 17:46 19,153,264 --a------ C:\temp\Lavasoft_Adaware_multi.exe

2008-10-20 17:39 . 2008-10-20 17:47 <REP> d-------- D:\Documents and Settings\manu.117734180318\Application Data\GetRightToGo

2008-10-20 17:38 . 2008-10-20 17:39 361,456 --a------ C:\temp\Download_SpySweeper5-5TrialSetup_FR_now.exe

2008-10-20 16:08 . 2008-10-20 16:08 <REP> d-------- D:\Documents and Settings\LocalService\Application Data\TeamViewer

2008-10-20 15:49 . 2008-10-20 15:52 22,386 --a------ C:\WINDOWS\wininit.ini

2008-10-20 15:29 . 2008-10-21 13:56 <REP> d-------- C:\temp\patricia

2008-10-20 15:18 . 2008-10-20 22:11 <REP> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-10-20 15:18 . 2008-10-20 15:23 <REP> d-------- C:\Program Files\Spybot - Search & Destroy

2008-10-20 14:47 . 2008-10-20 14:47 15,083,520 --a------ C:\temp\spybotsd160.exe

2008-10-20 13:51 . 2008-10-20 23:07 <REP> d-------- C:\Program Files\TeamViewer3

2008-10-20 13:29 . 2008-10-21 13:56 <REP> d-------- C:\temp\photos

2008-10-19 14:37 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg

2008-10-19 14:37 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg

2008-10-19 14:35 . 2008-10-19 14:35 <REP> d-------- D:\Documents and Settings\All Users\Application Data\ESET

2008-10-19 14:35 . 2008-10-19 14:35 <REP> d-------- C:\Program Files\ESET

2008-10-19 14:31 . 2008-10-19 14:43 <REP> d-------- C:\Program Files\JkDefrag

2008-10-19 14:31 . 2008-09-02 15:49 253,952 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.exe

2008-10-19 14:31 . 2008-09-02 15:49 106,496 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.scr

2008-10-19 14:29 . 2008-10-19 14:20 978,187 --a------ C:\temp\JkDefrag_3.36_full.exe

2008-10-19 14:10 . 2008-10-19 14:11 27,582,248 --a------ C:\temp\setupfre.exe

2008-10-19 14:10 . 2008-10-19 14:09 18,895,728 --a------ C:\temp\Install_Messenger.exe

2008-10-19 13:59 . 2008-10-19 13:59 <REP> d-------- C:\WINDOWS\system32\fr

2008-10-19 13:59 . 2008-10-19 13:59 <REP> d-------- C:\WINDOWS\system32\bits

2008-10-19 13:59 . 2008-10-19 13:59 <REP> d-------- C:\WINDOWS\l2schemas

2008-10-19 13:57 . 2008-10-19 13:59 <REP> d-------- C:\WINDOWS\ServicePackFiles

2008-10-19 13:49 . 2008-10-19 13:48 230,776 --a------ C:\temp\aswclear.exe

2008-10-19 13:28 . 2008-10-19 13:28 2 --a------ C:\WINDOWS\msoffice.ini

2008-10-19 13:06 . 2008-10-21 14:57 <REP> d-------- C:\Program Files\ItsLabel

2008-10-19 12:59 . 2008-10-19 13:22 <REP> d-------- C:\Program Files\CCleaner

2008-10-19 12:03 . 2008-10-19 12:03 <REP> d-------- D:\Documents and Settings\manu.117734180318\temp

2008-10-19 12:03 . 2008-10-20 15:32 <REP> d-------- D:\Documents and Settings\manu.117734180318\Application Data\TeamViewer

2008-10-18 09:15 . 2008-10-18 09:15 <REP> d-------- D:\Documents and Settings\manu.117734180318\Application Data\SPAMfighter

2008-09-22 18:20 . 2008-04-14 04:33 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll

2008-09-22 18:19 . 2008-04-14 04:33 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

2008-09-21 21:45 . 2008-06-14 19:33 272,768 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-09-21 21:45 . 2008-06-14 19:33 272,768 --------- C:\WINDOWS\system32\dllcache\bthport.sys

2008-09-21 18:39 . 2008-05-01 16:36 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

2008-09-21 18:39 . 2008-05-08 16:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys

2008-09-21 18:37 . 2008-04-11 21:05 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-21 12:58 --------- d-----w C:\Program Files\Wanadoo

2008-10-21 12:57 --------- d-----w D:\Documents and Settings\manu.117734180318\Application Data\EoRezo

2008-10-21 12:28 --------- d-----w C:\Program Files\GamesBar

2008-10-21 11:56 --------- d-----w C:\Program Files\Lexmark 1200 Series

2008-10-21 11:56 --------- d-----w C:\Program Files\FaxTools

2008-10-19 16:56 --------- d-----w D:\Documents and Settings\All Users\Application Data\WLInstaller

2008-10-19 11:45 --------- d-----w C:\Program Files\EoRezo

2008-10-19 11:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\AOL

2008-10-19 11:29 --------- d-----w C:\Program Files\Fichiers communs\AOL

2008-10-19 11:17 --------- d-----w C:\Program Files\SuperCopier2

2008-10-19 11:14 --------- d-----w C:\Program Files\Railroad Tycoon II

2008-10-19 11:02 --------- d-----w C:\Program Files\Windows Live

2008-10-19 10:49 --------- d-----w C:\Program Files\Google

2008-10-19 10:49 --------- d-----w C:\Program Files\Conduit

2008-10-19 10:49 --------- d-----w C:\Program Files\Binbango

2008-10-19 10:32 --------- d-----w C:\Program Files\Windows Live Toolbar

2008-10-19 10:20 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-10-19 10:14 --------- d-----w C:\Program Files\Gamenext

2008-10-19 10:13 --------- d-----w C:\Program Files\IncrediMail

2008-10-19 10:12 --------- d-----w C:\Program Files\GameSpy Arcade

2008-10-19 10:09 --------- d-----w C:\Program Files\Astonsoft

2008-10-19 10:08 --------- d-----w C:\Program Files\Chevaliers&Camelots

2008-10-18 11:33 --------- d-----w D:\Documents and Settings\All Users\Application Data\GamesBar

2008-09-19 15:52 --------- d-----w C:\Program Files\Orange HSS

2008-09-13 19:06 --------- d-----w C:\Program Files\Fichiers communs\Adobe

2008-09-13 19:00 --------- d-----w D:\Documents and Settings\All Users\Application Data\NOS

2008-09-13 19:00 --------- d-----w C:\Program Files\NOS

2008-09-11 19:51 --------- d-----w C:\Program Files\YesMessenger

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2007-07-16 08:36 47,360 -c--a-w D:\Documents and Settings\manu.117734180318\Application Data\pcouffin.sys

.

((((((((((((((((((((((((((((( snapshot@2008-10-21_14.33.50.23 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-10-21 12:31:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-10-21 12:57:23 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2008-10-21 12:31:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat

+ 2008-10-21 12:57:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat

- 2008-10-21 12:31:28 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-10-21 12:57:23 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmpcSys"="C:\APPS\SMP\SmpSys.exe" [2005-11-17 975360]

"WOOKIT"="C:\PROGRA~1\Wanadoo\Shell.exe" [2004-08-23 122880]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"Orange Desktop Search"="C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" [2007-01-17 4938016]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-28 7573504]

"EoEngine"="C:\Program Files\EoRezo\EoEngine.exe" [2008-04-16 565248]

"ItsTV"="C:\Program Files\ItsLabel\ItsTV.exe" [2007-04-26 2908160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

D:\Documents and Settings\manu.117734180318\Menu D‚marrer\Programmes\D‚marrage\

OFFICE One 6.5.lnk - C:\Program Files\OFFICE One6.5\program\quickstart.exe [2004-03-08 36864]

D:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\

OFFICE One Clock v6.5.lnk - C:\Program Files\OFFICE One6.5\OFFICE One Clock\ooneclockv65.exe [2007-05-24 257536]

OFFICE One Notes v6.5.lnk - C:\Program Files\OFFICE One6.5\OFFICE One Notes\oonotesv65.exe [2007-05-24 559104]

TrayMin220.lnk - C:\Program Files\Philips\Philips SPC220NC Webcam\TrayMin220.exe [2007-09-19 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2006-01-30 08:53 49152 C:\APPS\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= C:\PROGRA~1\FICHIE~1\ULEADS~1\Vio\Dvacm.acm

"msacm.mpegacm"= C:\PROGRA~1\FICHIE~1\ULEADS~1\MPEG\mpegacm.acm

"msacm.ulmp3acm"= C:\PROGRA~1\FICHIE~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avast! Antivirus"=2 (0x2)

"aswUpdSv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%ProgramFiles%\\AOL 9.0\\aol.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\APPS\\skype\\phone\\Skype.exe"=

"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 TeamViewer;TeamViewer 3;C:\Program Files\TeamViewer3\TeamViewer_Service.exe [2008-10-07 185640]

R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2006-04-17 825600]

R3 SPC220NC;Philips SPC220NC Webcam;C:\WINDOWS\system32\DRIVERS\SPC220NC.SYS [2007-01-09 507136]

R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 7040]

S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-10 3584]

S3 getPlus® Helper;getPlus® Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]

S3 jnv4_mib;jnv4_mib;D:\DOCUME~1\MANU~1.117\LOCALS~1\Temp\jnv4_mib.sys [ ]

S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]

.

.

------- Examen supplémentaire -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.lo.st

R0 -: HKLM-Main,Start Page = hxxp://ads.eorezo.com/cgi-bin/advert/getads.cgi?x_format=redirect&x_dp_id=9

R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

O9 -: { - C:\Microgaming\Casino\platinumplay\casinogame.exe C:\Program Files\Messenger\msmsgs.exe

O9 -: {C:\Microgaming\Casino\platinumplay\casinogame.exe - C:\Program Files\Messenger\msmsgs.exe -

O17 -: HKLM\CCS\Interface\{11DA0033-0B53-45D5-8A14-697585EBAA87}: NameServer = 208.67.220.220,208.67.222.222

O17 -: HKLM\CCS\Interface\{15C4B963-9938-46EC-BAEE-17E495C4FB90}: NameServer = 208.67.220.220,208.67.222.222

O17 -: HKLM\CCS\Interface\{67581134-69CB-4559-9A47-3D40B91165C0}: NameServer = 208.67.220.220,208.67.222.222

O16 -: {029FDBA6-3547-11D7-AA4C-0050BF051A00} - hxxp://s.tf1.fr/mmdia/static/rawflow/clients/5.3.1.0/Rawflow.cab

C:\WINDOWS\Downloaded Program Files\Rawflow.ocx

O16 -: {2D37B9E8-C14C-482C-B1CF-939C5440E179} - hxxp://saint-valentin.en-ville.orange.fr/Ville/mulhouse/php/VTToolkit.ocx

C:\WINDOWS\Downloaded Program Files\VTToolkit.ocx

O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://jeuxenligne.orange.fr/Gameshell/GameHost/1.0/OberonGameHost.cab

C:\WINDOWS\Downloaded Program Files\OberonGameHost_dbg.inf

C:\WINDOWS\Downloaded Program Files\OberonGameHost.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-21 14:57:37

Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès

Fichiers cachés: 0

**************************************************************************

.

--------------------- DLLs chargées dans les processus actifs ---------------------

PROCESSUS: C:\WINDOWS\system32\winlogon.exe

-> C:\Apps\Softex\OmniPass\opxpgina.dll

.

------------------------ Autres processus actifs ------------------------

.

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\ehome\ehrecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\WINDOWS\system32\FTRTSVC.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\APPS\Softex\OmniPass\OmniServ.exe

C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\TeamViewer3\TeamViewer.exe

C:\WINDOWS\system32\dllhost.exe

C:\APPS\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\OFFICE One6.5\program\soffice.exe

C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe

C:\PROGRA~1\Wanadoo\ComComp.exe

C:\PROGRA~1\Wanadoo\Toaster.exe

C:\PROGRA~1\Wanadoo\Inactivity.exe

C:\PROGRA~1\Wanadoo\PollingModule.exe

C:\WINDOWS\system32\ALERTM~1\ALERTM~1.EXE

C:\PROGRA~1\Wanadoo\Watch.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

.

**************************************************************************

.

Heure de fin: 2008-10-21 15:00:13 - La machine a redémarré

ComboFix-quarantined-files.txt 2008-10-21 12:59:38

ComboFix2.txt 2008-10-21 12:34:44

Avant-CF: 17 136 021 504 octets libres

Après-CF: 17,118,482,432 octets libres

240 --- E O F --- 2008-10-20 16:11:37

par avance merci :)

snooky · le 21 octobre 2008

Lance Navilog1 , choisis l'option 1 et poste le rapport créé

http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Coche et fixe toutes les lignes 04 et 016 avec Hijackthis , redémarre le pc et poste un nouveau rapport Hijackthis .

Edit :

Pourquoi avoir installé Antivir de Avira !

Désnstalle Antivir et Spybot avant de poster le rapport Hijackthis .

corbin · le 21 octobre 2008

bonjour,

je viens de supprimer (enfin, j'espère un trojan.win32.shutdowner.asl[issu d'un install_CCleaner.exe et j'ai vu un message montrant que je ne suis pas le seul] et un heur.worm.generic) par KAV;OOPS, j'ai failli me faire enguirlander : snooky m'a répondu sur un autre post où j'évoquai le problème !

je poste un HiJackThis par parano;

après avoir regardé toutes les lignes, il y a deux questions qui se posent à moi (il en existe peut-être d'autres !) :

- pourquoi ai-je trois fois "C:\Windows\System32\rundll32.exe" ?

- qu'est-ce que "O1 - Hosts: ::1 localhost" ?

merci

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:49:10, on 21/10/2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16757)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Palm\Hotsync.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\PopTray\PopTray.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Windows\system32\WTablet\TabUserW.exe

C:\Windows\system32\taskeng.exe

C:\HiJackThis\Eden.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-internet.fr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')

O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll

O9 - Extra button: Statistiques de la protection du trafic Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe

--

End of file - 6165 bytes

snooky · le 21 octobre 2008

Désactive Windows Defender :

http://infomars.fr/forum/index.php?showtopic=1244

Hosts = vise ma signature .

steve419 · le 21 octobre 2008

Lance Navilog1 , choisis l'option 1 et poste le rapport créé
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Coche et fixe toutes les lignes 04 et 016 avec Hijackthis , redémarre le pc et poste un nouveau rapport Hijackthis .

Edit :

Pourquoi avoir installé Antivir de Avira !

Désnstalle Antivir et Spybot avant de poster le rapport Hijackthis .

toutes les lignes 04 et 016 ?? il y a des trucs d'office et des composants windows... c'est pas grave ? Je peux te faire confiance :transpi: ?

Parce que ce n'est pas mon pc sur lequel je fais la desinfection donc je voudrai pas me prendre des coups lol

dans tous les cas merci pour ton aide précieuse

ps : j'avais installer entre temps l'antivirus gratuit que j'ai desinstallé ! + desinstaller spybot

steve419 · le 21 octobre 2008

le rapport de navilog1 :

Search Navipromo version 3.6.6 commencé le 21/10/2008 à 15:22:01,68
!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!

!!! Postez ce rapport sur le forum pour le faire analyser !!!

!!! Ne lancez pas la partie désinfection sans l'avis d'un spécialiste !!!

Outil exécuté depuis C:\Program Files\navilog1

Session actuelle : "manu"

Mise à jour le 29.09.2008 à 17h30 par IL-MAFIOSO

Microsoft Windows XP [version 5.1.2600]

Internet Explorer : 7.0.5730.11

Système de fichiers : NTFS

Recherche executé en mode normal

*** Recherche Programmes installés ***

*** Recherche dossiers dans "C:\WINDOWS" ***

*** Recherche dossiers dans "C:\Program Files" ***

*** Recherche dossiers dans "D:\Documents and Settings\All Users\menudm~1\progra~1" ***

*** Recherche dossiers dans "D:\Documents and Settings\All Users\menudm~1" ***

*** Recherche dossiers dans "d:\docume~1\alluse~1\applic~1" ***

*** Recherche dossiers dans "D:\Documents and Settings\manu.117734180318\applic~1" ***

*** Recherche dossiers dans "D:\Documents and Settings\manu.117734180318\locals~1\applic~1" ***

*** Recherche dossiers dans "D:\Documents and Settings\manu.117734180318\menudm~1\progra~1" ***

*** Recherche avec Catchme-rootkit/stealth malware detector par gmer ***

pour + d'infos : http://www.gmer.net

*** Recherche avec GenericNaviSearch ***

!!! Tous ces résultats peuvent révéler des fichiers légitimes !!!

!!! A vérifier impérativement avant toute suppression manuelle !!!

* Recherche dans "C:\WINDOWS\system32" *

Fichiers trouvés :

mehfydp.exe trouvé !

mkjyvdy.exe trouvé !

* Recherche dans "D:\Documents and Settings\manu.117734180318\locals~1\applic~1" *

*** Recherche fichiers ***

*** Recherche clés spécifiques dans le Registre ***

*** Module de Recherche complémentaire ***

(Recherche fichiers spécifiques)

1)Recherche nouveaux fichiers Instant Access :

2)Recherche Heuristique :

* Dans "C:\WINDOWS\system32" :

* Dans "D:\Documents and Settings\manu.117734180318\locals~1\applic~1" :

3)Recherche Certificats :

Certificat Egroup absent !

Certificat Electronic-Group trouvé !

Certificat Montorgueil absent !

Certificat OOO-Favorit trouvé !

Certificat Sunny-Day-Design-Ltd absent !

4)Recherche fichiers connus :

*** Analyse terminée le 21/10/2008 à 15:48:15,17 ***

merci

snooky · le 21 octobre 2008

Lance à nouveau Navilog1 , puis prends l'option 2 pour nettoyer .

+ le nouveau rapport Hijackthis manquant .

PS : inutile de mettre les balises pour les rapports , merci :transpi:

steve419 · le 21 octobre 2008

et la suite après avoir fixé...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:38:14, on 21/10/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\FTRTSVC.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Apps\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TeamViewer3\TeamViewer_Service.exe

C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\Program Files\TeamViewer3\TeamViewer.exe

C:\WINDOWS\system32\dllhost.exe

C:\Apps\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lo.st

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ads.eorezo.com/cgi-bin/advert/getad...t&x_dp_id=9

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup