salut a tous voila mon soucis
depuis plusieur jour un icone avec l'andicaper vert c'est mi sur mon pc et depuis mes antivirus detecte des truc impossible a supprimer >parreille avec ceux online
voila mon raport hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 12:17:19, on 22/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\s?mbols\n?tepad.exe
C:\Program Files\sony\usbsircs\USBsircs.exe
C:\Program Files\sony\giga pocket\ReserveModule.exe
C:\Program Files\Fichiers communs\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Fichiers communs\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {5A4A7F7B-CCE8-9C60-BB2E-9EABB833E698} - C:\WINDOWS\system32\ouikpg.dll (file missing)
R3 - URLSearchHook: (no name) - {64C432A0-8664-DFE8-3122-8B6A64DE8BC8} - C:\WINDOWS\system32\bdsnem.dll (file missing)
R3 - URLSearchHook: (no name) - {0A487F2A-9BE2-9B34-BB2E-9EABB833E59B} - C:\WINDOWS\system32\xoh.dll (file missing)
R3 - URLSearchHook: (no name) - {0F6C32DB-8C46-84C7-1DD2-81CA9E21B2CA} - C:\WINDOWS\system32\gms.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [Windows Protectot] boxide.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Configuration de la neuf Box] C:\Program Files\neuf telecom\neuf Box\Wizard\QuickAccess.exe
O4 - HKCU\..\Run: [Eree] "C:\WINDOWS\system32\SMBOLS~1\wuauboot.exe" -vt yazr
O4 - HKCU\..\Run: [uiuo] C:\PROGRA~1\FICHIE~1\uiuo\uiuom.exe
O4 - HKCU\..\Run: [Ueevu] C:\WINDOWS\s?mbols\n?tepad.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pilote Remocon.lnk = C:\Program Files\sony\usbsircs\USBsircs.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\sony\giga pocket\ReserveModule.exe
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: show/hide IEB Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - (no file)
O9 - Extra 'Tools' menuitem: IE Booster Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.jcash.biz/l/2899e4a95c [...] d02_13.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/act [...] 2D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 9815592415
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yaz [...] refid=1162
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\mbhtmled.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\rgnd.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2FzcGVy\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Fichiers communs\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Merci d'avance. :-P
surpime ca sur ton log:
C:\WINDOWS\s?mbols\n?tepad.exe
Pour ces lignes, je ne suis pas quasiment sur que tu puisse les suprimer
R3 - URLSearchHook: (no name) - {5A4A7F7B-CCE8-9C60-BB2E-9EABB833E698} - C:\WINDOWS\system32\ouikpg.dll (file missing)
R3 - URLSearchHook: (no name) - {64C432A0-8664-DFE8-3122-8B6A64DE8BC8} - C:\WINDOWS\system32\bdsnem.dll (file missing)
R3 - URLSearchHook: (no name) - {0A487F2A-9BE2-9B34-BB2E-9EABB833E59B} - C:\WINDOWS\system32\xoh.dll (file missing)
continue la supresion de ces lignes:
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O9 - Extra button: show/hide IEB Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - (no file)
O9 - Extra 'Tools' menuitem: IE Booster Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - (no file)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/act [...] 2D2D2D.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yaz [...] refid=1162
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\mbhtmled.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\rgnd.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2FzcGVy\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
Telecharge ewido, fais un scan puis poste le log
@+
Bonjour
Plusieurs infections.
Smitfraudfix n'a pas trouver. On va débroussailler un peu, et on va chercher un fichier caché. Je pense qu'il s'agit d'une nouvelle variante de ce type d'infection.
1 Télécharge
CCleaner.
http://www.filehippo.com/download_ccleaner.html
Installe le dans un répertoire dédié.
Ewido
http://www.ewido.net/en/download/
Tu l'installes et tu le mets à jour.
2 Redémarre en mode sans echec. Attention, tu n'as pas accès à internet dans ce mode, note bien ce que tu as à faire.
Démarre l'ordinateur.
Une fois le chargement du BIOS terminé, il y a un écran noir. Appuye sur la touche F8 jusqu'à l'affichage du menu des options avancées de Windows.
En utilisant les touches du curseur, sélectionne Mode sans échec et appuye sur Entrée.
3 Lance le nettoyage avec CCleaner.
4 Lance Ewido.
Fais un scan en mode complet.
Sauvegardes le rapport.
5 Redémarre normalement
6 Télécharge Silent Runners
http://www.silentrunners.org/Silent%20Runners.zip
Une fois téléchargé,tu le dézippes dans un dossier dédié.
Si tu as une alerte au cours du téléchargement , ou au cours des réparations de ton antivirus,au sujet de ce script,n'en tiend pas compte.
Puis tu double cliques sur ce fichier,il va travailler, patiente jusqu'à l'affichage d'un message.
Un rapport est généré dans le meme dossier, colle le ici avec un nouveau HijackThis et le rapport d'Ewido.
voici le rapport de ewido comme demander
--------------------------------------------------------
ewido anti-malware - Rapport de scan
---------------------------------------------------------
+ Créé le: 19:34:42, 22/05/2006
+ Somme de contrôle: 72D007A7
+ Résultats du scan:
HKU\S-1-5-21-2919669771-4087476683-2282475507-1005\Software\Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6} -> Trojan.Small : Nettoyer et sauvegarder
HKU\S-1-5-21-2919669771-4087476683-2282475507-1005_Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6} -> Trojan.Small : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\Cache\7678B15Fd01/install.exe -> Hijacker.Small : Nettoyer et sauvegarder
:mozilla.10:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Atdmt : Nettoyer et sauvegarder
:mozilla.17:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Hotlog : Nettoyer et sauvegarder
:mozilla.18:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Yadro : Nettoyer et sauvegarder
:mozilla.19:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Spylog : Nettoyer et sauvegarder
:mozilla.20:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Statcounter : Nettoyer et sauvegarder
:mozilla.21:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Statcounter : Nettoyer et sauvegarder
:mozilla.33:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Mediaplex : Nettoyer et sauvegarder
:mozilla.41:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Doubleclick : Nettoyer et sauvegarder
:mozilla.43:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Bluestreak : Nettoyer et sauvegarder
:mozilla.44:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Advertising : Nettoyer et sauvegarder
:mozilla.45:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Advertising : Nettoyer et sauvegarder
:mozilla.46:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Advertising : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@atdmt[2].txt -> TrackingCookie.Atdmt : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@bluestreak[2].txt -> TrackingCookie.Bluestreak : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@mediaplex[1].txt -> TrackingCookie.Mediaplex : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@weborama[2].txt -> TrackingCookie.Weborama : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Mes documents\Ma musique\telechargement\Call of Duty Heat of Battle map pack 2.0.zip/Setup.exe -> Worm.VB.dw : Nettoyer et sauvegarder
C:\drsmartload45a.exe -> Downloader.Adload.bo : Nettoyer et sauvegarder
C:\Program Files\Snowball Wars\OINSetup.exe -> Downloader.PurityScan.cm : Nettoyer et sauvegarder
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Nettoyer et sauvegarder
C:\Program Files\webHancer\Programs\webhdll.dll -> Adware.WebHancer : Nettoyer et sauvegarder
C:\Program Files\webHancer\Programs\whagent.exe -> Adware.WebHancer : Nettoyer et sauvegarder
C:\Program Files\webHancer\Programs\whinstaller.exe -> Adware.WebHancer : Nettoyer et sauvegarder
C:\WINDOWS\drsmartload45a.exe -> Downloader.Adload.bo : Nettoyer et sauvegarder
C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bo : Nettoyer et sauvegarder
C:\WINDOWS\Temp\ddl21.tmp.exe -> Dialer.Agent.z : Nettoyer et sauvegarder
C:\WINDOWS\Temp\ddl4A1.tmp.exe -> Dialer.Agent.z : Nettoyer et sauvegarder
C:\WINDOWS\Temp\ddlDA.tmp.exe -> Dialer.Agent.z : Nettoyer et sauvegarder
C:\WINDOWS\Temp\win279.tmp.exe -> Dropper.Agent.ajc : Nettoyer et sauvegarder
C:\WINDOWS\Temp\win281.tmp.exe -> Dropper.Agent.ajc : Nettoyer et sauvegarder
C:\WINDOWS\Temp\win282.tmp.exe -> Dropper.Agent.ajc : Nettoyer et sauvegarder
::Fin du rapport
et maintenant je ve faire comme il me dis chercheur pca
salut, est ce que ca va mieux? sinon continue la desinfection que chercheur CPA ta dit de faire
Bonsoir
| Citation : ricileprogramatteur a écrit :
|
Je pense que c'est ce qu'il fait
| Citation : et maintenant je ve faire comme il me dis chercheur pca |
Mais le plus gros du nettoyage a été fait par Ewido.
Le rapport de Silent Runners me permettra peut être de voir un fichier caché qui génére l'alerte.
Si je le trouve, je le ferais parvenir à S!Ri (le concepteur de SmitfraudFix) pour analyse.
aparament je serais debarasser de ce bordel
voici quand meme le rapport silent runners:
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SuperCopier.exe" = "C:\Program Files\SuperCopier\SuperCopier.exe" ["SFX TEAM"]
"Windows Protectot" = "boxide.exe" [file not found]
"(Default)" = (empty string)
"Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized" ["Sony Ericsson Mobile Communications AB"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"Configuration de la neuf Box" = "C:\Program Files\neuf telecom\neuf Box\Wizard\QuickAccess.exe" [file not found]
"Eree" = ""C:\WINDOWS\system32\SMBOLS~1\wuauboot.exe" -vt ndrv" [null data]
"uiuo" = "C:\PROGRA~1\FICHIE~1\uiuo\uiuom.exe" [file not found]
"Ueevu" = "C:\WINDOWS\s*mbols\n*tepad.exe" (unwritable string) [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Jukebox 2/3/Zen"
-> {HKLM...CLSID} = "NOMAD Jukebox 2/3/Zen"
\InProcServer32\(Default) = "C:\Program Files\Creative\NOMAD Jukebox Zen NX\Creative File Manager 2\CTJBNS.DLL" ["Creative Technology Ltd"]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Gestionnaire de fichiers Sony Ericsson"
-> {HKLM...CLSID} = "Gestionnaire de fichiers Sony Ericsson"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{37FFB441-F0DC-45DC-88AA-00774674185B}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\rgnd.dll" [file not found]
"{1168B12F-AD87-4FC9-B2B9-7AF1A605E32A}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\mbhtmled.dll" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\casper\Mes documents\Mes images\ef2.bmp"
Startup items in "casper" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Lancement rapide d'Adobe Reader" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Pilote Remocon" -> shortcut to: "C:\Program Files\sony\usbsircs\USBsircs.exe" ["Sony Corporation"]
"Timer Recording Manager" -> shortcut to: "C:\Program Files\sony\giga pocket\ReserveModule.exe" ["Sony Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherche"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings" )
Added lines (compared with English-language version):
(unwritable string)
Missing lines (compared with English-language version):
[Version]: 2 lines
[RestoreHomePage]: 1 line
[RestoreHomePage.reg]: 1 line
[RestoreBrowserSettings.reg]: 12 lines
[DeleteTemplates.reg]: 5 lines
[DeleteAutosearch.reg]: 1 line
[Strings]: 1 line
[RestoreBrowserSettings]: 2 lines
[Strings]: 3 lines
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{5A4A7F7B-CCE8-9C60-BB2E-9EABB833E698}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ouikpg.dll" [file not found]
"{64C432A0-8664-DFE8-3122-8B6A64DE8BC8}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\bdsnem.dll" [file not found]
"{0A487F2A-9BE2-9B34-BB2E-9EABB833E59B}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\xoh.dll" [file not found]
"{0F6C32DB-8C46-84C7-1DD2-81CA9E21B2CA}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\gms.dll" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 39 seconds, including 18 seconds for message boxes)
maintenant celui de ewido
---------------------------------------------------------
ewido anti-malware - Rapport de scan
---------------------------------------------------------
+ Créé le: 19:34:42, 22/05/2006
+ Somme de contrôle: 72D007A7
+ Résultats du scan:
HKU\S-1-5-21-2919669771-4087476683-2282475507-1005\Software\Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6} -> Trojan.Small : Nettoyer et sauvegarder
HKU\S-1-5-21-2919669771-4087476683-2282475507-1005_Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6} -> Trojan.Small : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\Cache\7678B15Fd01/install.exe -> Hijacker.Small : Nettoyer et sauvegarder
:mozilla.10:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Atdmt : Nettoyer et sauvegarder
:mozilla.17:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Hotlog : Nettoyer et sauvegarder
:mozilla.18:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Yadro : Nettoyer et sauvegarder
:mozilla.19:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Spylog : Nettoyer et sauvegarder
:mozilla.20:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Statcounter : Nettoyer et sauvegarder
:mozilla.21:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Statcounter : Nettoyer et sauvegarder
:mozilla.33:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Mediaplex : Nettoyer et sauvegarder
:mozilla.41:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Doubleclick : Nettoyer et sauvegarder
:mozilla.43:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Bluestreak : Nettoyer et sauvegarder
:mozilla.44:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Advertising : Nettoyer et sauvegarder
:mozilla.45:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Advertising : Nettoyer et sauvegarder
:mozilla.46:C:\Documents and Settings\casper\Application Data\Mozilla\Firefox\Profiles\cr36t6rk.default\cookies.txt -> TrackingCookie.Advertising : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@atdmt[2].txt -> TrackingCookie.Atdmt : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@bluestreak[2].txt -> TrackingCookie.Bluestreak : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@mediaplex[1].txt -> TrackingCookie.Mediaplex : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@weborama[2].txt -> TrackingCookie.Weborama : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Cookies\casper@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Nettoyer et sauvegarder
C:\Documents and Settings\casper\Mes documents\Ma musique\telechargement\Call of Duty Heat of Battle map pack 2.0.zip/Setup.exe -> Worm.VB.dw : Nettoyer et sauvegarder
C:\drsmartload45a.exe -> Downloader.Adload.bo : Nettoyer et sauvegarder
C:\Program Files\Snowball Wars\OINSetup.exe -> Downloader.PurityScan.cm : Nettoyer et sauvegarder
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Nettoyer et sauvegarder
C:\Program Files\webHancer\Programs\webhdll.dll -> Adware.WebHancer : Nettoyer et sauvegarder
C:\Program Files\webHancer\Programs\whagent.exe -> Adware.WebHancer : Nettoyer et sauvegarder
C:\Program Files\webHancer\Programs\whinstaller.exe -> Adware.WebHancer : Nettoyer et sauvegarder
C:\WINDOWS\drsmartload45a.exe -> Downloader.Adload.bo : Nettoyer et sauvegarder
C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bo : Nettoyer et sauvegarder
C:\WINDOWS\Temp\ddl21.tmp.exe -> Dialer.Agent.z : Nettoyer et sauvegarder
C:\WINDOWS\Temp\ddl4A1.tmp.exe -> Dialer.Agent.z : Nettoyer et sauvegarder
C:\WINDOWS\Temp\ddlDA.tmp.exe -> Dialer.Agent.z : Nettoyer et sauvegarder
C:\WINDOWS\Temp\win279.tmp.exe -> Dropper.Agent.ajc : Nettoyer et sauvegarder
C:\WINDOWS\Temp\win281.tmp.exe -> Dropper.Agent.ajc : Nettoyer et sauvegarder
C:\WINDOWS\Temp\win282.tmp.exe -> Dropper.Agent.ajc : Nettoyer et sauvegarder
::Fin du rapport
et enfin le dernier rapport hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 12:17:19, on 22/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\s?mbols\n?tepad.exe
C:\Program Files\sony\usbsircs\USBsircs.exe
C:\Program Files\sony\giga pocket\ReserveModule.exe
C:\Program Files\Fichiers communs\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Fichiers communs\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {5A4A7F7B-CCE8-9C60-BB2E-9EABB833E698} - C:\WINDOWS\system32\ouikpg.dll (file missing)
R3 - URLSearchHook: (no name) - {64C432A0-8664-DFE8-3122-8B6A64DE8BC8} - C:\WINDOWS\system32\bdsnem.dll (file missing)
R3 - URLSearchHook: (no name) - {0A487F2A-9BE2-9B34-BB2E-9EABB833E59B} - C:\WINDOWS\system32\xoh.dll (file missing)
R3 - URLSearchHook: (no name) - {0F6C32DB-8C46-84C7-1DD2-81CA9E21B2CA} - C:\WINDOWS\system32\gms.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [Windows Protectot] boxide.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Configuration de la neuf Box] C:\Program Files\neuf telecom\neuf Box\Wizard\QuickAccess.exe
O4 - HKCU\..\Run: [Eree] "C:\WINDOWS\system32\SMBOLS~1\wuauboot.exe" -vt yazr
O4 - HKCU\..\Run: [uiuo] C:\PROGRA~1\FICHIE~1\uiuo\uiuom.exe
O4 - HKCU\..\Run: [Ueevu] C:\WINDOWS\s?mbols\n?tepad.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pilote Remocon.lnk = C:\Program Files\sony\usbsircs\USBsircs.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\sony\giga pocket\ReserveModule.exe
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: show/hide IEB Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - (no file)
O9 - Extra 'Tools' menuitem: IE Booster Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.jcash.biz/l/2899e4a95c [...] d02_13.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/act [...] 2D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 9815592415
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yaz [...] refid=1162
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\mbhtmled.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\rgnd.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2FzcGVy\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Fichiers communs\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Et si tout est resolu esque quelqu'un peut m'expliquer clairement ce que sont ces merdes qui sont arriver sur mon pc
vous pouvez m'eclairer la dessus?
Merci
ca doit venir d'une toolbar que ta installer et aussi des sites malveillant!
@+
Bonjour,
- Désinstalle via ajout/suppression de programme
webHancer
0/ Dans la liste des services, cherche et sélectionne
"Command Service" / double clique sur la ligne
/ vérifie dans Chemin d'accès des fichiers exécutables qu'il
s'agit bien de "C:\WINDOWS\Y2FzcGVy\command.exe" / dans Type de démarrage,
sélectionne Désactiver / valide la modification.
Refait la même manip. mais avec "Network Monitor"
"C:\Program Files\Network Monitor\netmon.exe"
1/ Redémarre en mode sans échec (Pour cela : démarrer le PC en tapotant sur la touche F8 du clavier jusqu'à ce que le menu des options avancées de Windows apparaisse puis avec les touches fléchées du clavier, sélectionner Mode sans échec puis appuyer sur la touche Entrée...)
Attention tu n'as pas accès à Internet dans ce mode donc note ou imprime les consignes qui suivent.
2/ Lance HijackThis
puis --> Do a system scan only
coche les lignes indiquées ci-dessous
puis --> Fix checked
puis oui à la question de confirmation
R3 - URLSearchHook: (no name) - {5A4A7F7B-CCE8-9C60-BB2E-9EABB833E698} - C:\WINDOWS\system32\ouikpg.dll (file missing)
R3 - URLSearchHook: (no name) - {64C432A0-8664-DFE8-3122-8B6A64DE8BC8} - C:\WINDOWS\system32\bdsnem.dll (file missing)
R3 - URLSearchHook: (no name) - {0A487F2A-9BE2-9B34-BB2E-9EABB833E59B} - C:\WINDOWS\system32\xoh.dll (file missing)
R3 - URLSearchHook: (no name) - {0F6C32DB-8C46-84C7-1DD2-81CA9E21B2CA} - C:\WINDOWS\system32\gms.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [Windows Protectot] boxide.exe
O4 - HKCU\..\Run: [Eree] "C:\WINDOWS\system32\SMBOLS~1\wuauboot.exe" -vt yazr
O4 - HKCU\..\Run: [uiuo] C:\PROGRA~1\FICHIE~1\uiuo\uiuom.exe
O4 - HKCU\..\Run: [Ueevu] C:\WINDOWS\s?mbols\n?tepad.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: show/hide IEB Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - (no file)
O9 - Extra 'Tools' menuitem: IE Booster Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.jcash.biz/l/2899e4a95c [...] d02_13.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/act [...] 2D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 9815592415
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yaz [...] refid=1162
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\mbhtmled.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\rgnd.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2FzcGVy\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
3/ Assure-toi que tu as accès aux fichiers cachés.
(Démarrer->Poste de travail->Outils->Options des dossiers...->Affichage
"Afficher les fichiers et dossiers cachés" ->coché
"Masquer les extensions des fichiers dont le type est connu" ->décoché
"Masquer les fichiers protégés du système d'exploitation" ->décoché)
3/ ensuite supprime les fichiers et/ou dossiers suivants si présents :
C:\Program Files\webHancer
boxide.exe
C:\WINDOWS\system32\SMBOLS~1\wuauboot.exe
C:\PROGRA~1\FICHIE~1\uiuo\uiuom.exe
C:\WINDOWS\s?mbols\n?tepad.exe
4/ Lance CCleaner puis bouton Analyse ensuite Bouton Lancer le Nettoyage
5/ Lance ewido (Scan complet du système) et supprime tout ce qu'il trouve. Sauvegarde le rapport sur le bureau.
6/ Redémarre normalement et poste le rapport Ewido et un nouveau rapport HijackThis.
7/ Fait une analyse en ligne chez Kaspersky et poste le rapport :
http://webscanner.kaspersky.fr/
Il y a 2054 utilisateurs connus et inconnus. Pour voir la liste des connectés connus, cliquez ici.
