
Help! [HijackThis log included] - 2nd round!


Logfile of HijackThis v1.99.1
Scan saved at 23:32:11, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\AMADE\Yinstall.exe
C:\dfndrff_e26.exe
C:\kybrdff_e26.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\nwnmff_e26.exe
C:\Program Files\Fichiers communs\{262916F0-0741-1036-1029-030311060021}\Update.exe
C:\Program Files\MSN Messenger\msgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Downloaded Program Files\USDR6V_0001_D18M3107NetInstaller.exe
C:\Documents and Settings\AMADE\Local Settings\Temporary Internet Files\Content.IE5\GTUJK9AZ\HijackThis[1].exe
C:\WINDOWS\TEMP\USDR6V_0001_D18M3107\installer.exe
C:\Program Files\SystemDoctor 2006 Free\sd2006.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qmrvo.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,bixaaeu.exe
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Fichiers communs\{362916F0-0741-1036-1029-030311060021}\MyToolBar.dll
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\AMADE\Yinstall.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e26.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [yuejow] C:\WINDOWS\system32\adaroy.exe reg_run
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [vrlkp] C:\WINDOWS\system32\adaroy.exe reg_run
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/31313...
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: scsiusr4 - C:\WINDOWS\SYSTEM32\scsiusr4.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\d0j0la1m1d.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

Hello,

1/ You have a Look2Me infection; we're going to try this:

Please print these instructions, or paste them into a text file, so you can read them during this fix. Read the three short notes at the bottom carefully before you start.

Download Look2Me-Destroyer.exe to your Desktop.

http://www.atribune.org/ccount/click.php?id=7

* Close all open windows before going on to the next step.
* Double-click Look2Me-Destroyer.exe to launch the tool.
* Tick Run this program as a task
* A message will appear saying: "Look2Me-Destroyer will close and re-open in approximately 10 seconds". Click OK
* It will relaunch after the 10 seconds; then click the Scan for L2M button. The icons on your Desktop will disappear: that is normal.
* When the scan finishes, click the Remove L2M button
* A Done Scanning message will appear; click OK.
* A new message will appear: Done removing infected files! Look2Me-Destroyer will now shutdown your computer; click OK.
* Your PC will now shut down.
* Start your PC normally.
* Paste the report it generated, located at C:\Look2Me-Destroyer.txt, in your next reply.

#If Look2Me-Destroyer does not relaunch automatically after the 10 seconds, reboot and try again.

##If you get a message from your firewall saying the tool is trying to access the internet: allow it.

###If a runtime error '339' message appears: download MSWINSCK.OCX from the link below and put it in the C:\Windows\System32 folder.
http://www.ascentive.com/support/new/images/lib/MSWINSC...

2/ Download Blacklight (from F-Secure); click "I ACCEPT" at the bottom of the page. Save it to your Desktop.

Double-click blbeta.exe and accept the licence; click Scan, then Next

You will see a list of detected files appear. You will also see a report on your Desktop named fsbl.xxxxxxx.log (the xxxxxxx are digits).

Copy and paste the contents of this report in your next reply. Do NOT choose the "Rename" option right away: we need to analyse the report, because legitimate files may be listed, such as wbemtest.exe

You can consult the F-Secure BlackLight tutorial: (thanks to Malekal)

http://www.malekal.com/tutorial_f-secure_BlackLight.htm...

3/ Post a new HijackThis report

===Look2Me report===


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 13/10/2006 09:54:06

Infected! C:\WINDOWS\system32\lv4809hue.dll
Infected! C:\WINDOWS\system32\nptid.dll
Infected! C:\WINDOWS\system32\dfsynth.dll
Infected! C:\WINDOWS\system32\ir2sl5f71.dll
Infected! C:\WINDOWS\system32\nrmssvc.dll
Infected! C:\WINDOWS\system32\oobcconf.dll
Infected! C:\WINDOWS\system32\irpql5751.dll
Infected! C:\WINDOWS\system32\lv4809hue.dll
Infected! C:\WINDOWS\system32\lv6609jse.dll
Infected! C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103236.dll
Infected! C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103237.dll
Infected! C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103241.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\lv4809hue.dll
C:\WINDOWS\system32\lv4809hue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nptid.dll
C:\WINDOWS\system32\nptid.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dfsynth.dll
C:\WINDOWS\system32\dfsynth.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir2sl5f71.dll
C:\WINDOWS\system32\ir2sl5f71.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nrmssvc.dll
C:\WINDOWS\system32\nrmssvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\oobcconf.dll
C:\WINDOWS\system32\oobcconf.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\irpql5751.dll
C:\WINDOWS\system32\irpql5751.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv4809hue.dll
C:\WINDOWS\system32\lv4809hue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv6609jse.dll
C:\WINDOWS\system32\lv6609jse.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103236.dll
C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103236.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103237.dll
C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103237.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103241.dll
C:\System Volume Information\_restore{C3E359B4-5B9E-43A1-9012-2AE776B110AE}\RP355\A0103241.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9071B89F-F15A-4123-B582-E278BF072D03}"
HKCR\Clsid\{9071B89F-F15A-4123-B582-E278BF072D03}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrateurs - Succeeded




===F-Secure report===

10/13/06 10:00:44 [Info]: BlackLight Engine 1.0.47 initialized
10/13/06 10:00:44 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/13/06 10:00:44 [Note]: 7019 4
10/13/06 10:00:44 [Note]: 7005 0
10/13/06 10:00:48 [Note]: 7006 0
10/13/06 10:00:48 [Note]: 7011 1440
10/13/06 10:00:48 [Note]: 7026 0
10/13/06 10:00:48 [Note]: 7026 0
10/13/06 10:00:48 [Note]: 7024 1
10/13/06 10:00:48 [Note]: 7015 1816
10/13/06 10:00:48 [Note]: 7015 5
10/13/06 10:00:48 [Info]: Hidden process: c:\windows\system32\_mzu_stonedrv2.exe
10/13/06 10:00:48 [Note]: FSRAW library version 1.7.1020
10/13/06 10:00:54 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\SCSIUSR4.DLL
10/13/06 10:00:54 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\SCSIPS~1.SYS
10/13/06 10:00:54 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\_MZU_S~1.EXE
10/13/06 10:00:54 [Note]: 7002 0
10/13/06 10:00:54 [Note]: 7003 1
10/13/06 10:02:08 [Note]: 7002 0
10/13/06 10:02:08 [Note]: 7003 1
10/13/06 10:04:51 [Note]: 7007 0



===HijackThis report===


Logfile of HijackThis v1.99.1
Scan saved at 10:05:04, on 13/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\AMADE\Yinstall.exe
C:\Program Files\Fichiers communs\{262916F0-0741-1036-1029-030311060021}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msgr.exe
C:\Documents and Settings\AMADE\Bureau\Virus_Ana\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00016.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\AMADE\Yinstall.exe
O4 - HKLM\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msgr.exe" /background
O4 - HKCU\..\Run: [_mzu_stonedrv2] C:\WINDOWS\system32\_mzu_stonedrv2.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00016.exe"
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/31313...
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: scsiusr4 - C:\WINDOWS\SYSTEM32\scsiusr4.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
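The two HijackThis logs in this thread are a good before/after pair for showing how a practitioner reads such a log by hand: the F2 Shell= and UserInit= lines, the O20 Winlogon Notify entries and the O4 Run keys pointing at the drive root are the persistence mechanisms to look at first, and comparing the two logs shows which of them the Look2Me-Destroyer/BlackLight pass removed and which survived (scsiusr4 is still there in the second log). The script below is an added example written for this page; it is not from the thread, from HijackThis or from either tool. Its sample input is excerpted verbatim from the two logs above; the TRUSTED_HOSTS allowlist, the ODD_LOCATION pattern and the flagging rules are this example's own assumptions, not HijackThis output.

```python
"""Triage for HijackThis v1.99 logs: parse the R/F/O findings, flag the
persistence mechanisms that matter most, and diff a before/after pair to
see what a cleanup actually removed.  Sample lines are excerpted from the
two logs posted in this thread; the rules are this example's heuristics."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code: "R1", "F2", "O4", "O20", ...
    body: str     # everything after the "O4 - " prefix


# Every finding line starts with a section code followed by " - ".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_log(text: str) -> list[Entry]:
    """Return the findings only; the header and process list are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append(Entry(m.group(1), m.group(2)))
    return found


# Hosts accepted in search/start-page (R0/R1) and ActiveX (O16) entries.
# Assumed allowlist for this example; adjust it to your own environment.
TRUSTED_HOSTS = ("microsoft.com", "google.com", "google.fr")


def _host_trusted(body: str) -> bool:
    m = re.search(r"https?://([^/\s]+)", body)
    if m is None:
        return True  # "about:" and local values carry no host
    host = m.group(1).lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


# An .exe sitting directly in the drive root or the profile root is a strong
# signal: installers put binaries under Program Files or %SystemRoot%.
ODD_LOCATION = re.compile(
    r'(?i)"?[a-z]:\\{1,2}(?:documents and settings\\[^\\]+\\)?[^\\"]+\.exe')
USERINIT_OK = re.compile(r"(?i)[a-z]:\\windows\\system32\\userinit\.exe")


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) for each finding that deserves a closer look."""
    flagged = []
    for e in entries:
        why = None
        if e.section == "F2" and "Shell=" in e.body:
            # system.ini Shell= must be exactly explorer.exe; anything appended
            # is launched at every logon alongside the shell.
            tail = e.body.split("Shell=", 1)[1].strip().rstrip(",")
            if tail.lower() != "explorer.exe":
                why = "Shell= hijack: extra binary started with Explorer"
        elif e.section == "F2" and "UserInit=" in e.body:
            tail = e.body.split("UserInit=", 1)[1].strip().rstrip(",")
            if not USERINIT_OK.fullmatch(tail):
                why = "UserInit= hijack: extra binary started before the shell"
        elif e.section == "O20":
            why = "Winlogon Notify / AppInit_DLLs: DLL loaded into winlogon or every process"
        elif e.section == "O4" and "RunServices" in e.body:
            why = "RunServices is a Win9x-era key NT-family Windows ignores; rarely legitimate"
        elif e.section == "O4" and ODD_LOCATION.search(e.body):
            why = "Run key launches an executable from the drive or profile root"
        elif e.section in ("R0", "R1", "O16") and not _host_trusted(e.body):
            why = "points at a host outside the allowlist"
        if why:
            flagged.append((e, why))
    return flagged


def diff_logs(before: list[Entry], after: list[Entry]) -> dict[str, list[Entry]]:
    """Entries the cleanup removed, entries that appeared, entries unchanged."""
    key = lambda e: (e.section, e.body)
    b, a = set(before), set(after)
    return {"removed": sorted(b - a, key=key),
            "added": sorted(a - b, key=key),
            "kept": sorted(a & b, key=key)}


def survivors(before: list[Entry], after: list[Entry]) -> list[tuple[Entry, str]]:
    """Flagged findings the cleanup left untouched: what to work on next."""
    kept = set(diff_logs(before, after)["kept"])
    return [(e, why) for e, why in triage(after) if e in kept]


# Excerpted from the first HijackThis log in this thread (10/10/2006).
BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qmrvo.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,bixaaeu.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: scsiusr4 - C:\WINDOWS\SYSTEM32\scsiusr4.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
"""

# Excerpted from the log posted after Look2Me-Destroyer and BlackLight (13/10/2006).
AFTER = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00016.exe"
O4 - HKLM\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O20 - Winlogon Notify: scsiusr4 - C:\WINDOWS\SYSTEM32\scsiusr4.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:
"""

if __name__ == "__main__":
    b, a = parse_log(BEFORE), parse_log(AFTER)
    for e, why in triage(b):
        print(f"[{e.section}] {why}: {e.body}")
    print("left in place by the cleanup:", [e.body for e, _ in survivors(b, a)])
```

Run against the excerpts, the script flags six of the eight first-log entries (both F2 hijacks, the root-level dfndrff_e26.exe Run key, the matcash ActiveX installer, the scsiusr4 Winlogon Notify DLL and the findthewebsiteyouneed search hijack) and, for the second log, reports that the scsiusr4 entry is the one flagged finding that survived. Note what the heuristics miss: the _mzu_stonedrv2.exe Run entry lives in system32 under an unremarkable path and is not flagged by location, which is exactly why the helper asked for a BlackLight scan, which reported it as a hidden process, rather than relying on the HijackThis log alone.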
