christ15

Members
  1. Hello, I didn't see the part about the "wininet.dll" file, but I assume it's fine! Since those steps, I no longer get windows popping up unexpectedly!!!!! Here are the requested reports anyway:

SmitFraudFix v2.225
Rapport fait à 14:59:51,22, 20/09/2007
Executé à partir de C:\Documents and Settings\Moƒ.MABETE\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés
C:\WINDOWS\main_uninstaller.exe supprimé
C:\WINDOWS\msmdev.dll supprimé
Deleting [HKEY_CLASSES_ROOT\CLSID\{2CA133F7-78BB-41CC-ACA3-1954BD222C16}]
C:\WINDOWS\msmhost.dll supprimé
Deleting [HKEY_CLASSES_ROOT\CLSID\{3924E3CF-CDEC-43F6-8AC8-DBE7098BE6FB}]
C:\WINDOWS\nsduo.dll supprimé
C:\DOCUME~1\MO4D9B~1.MAB\Bureau\Error Cleaner.url supprimé
C:\DOCUME~1\MO4D9B~1.MAB\Bureau\Privacy Protector.url supprimé
C:\DOCUME~1\MO4D9B~1.MAB\Bureau\Spyware?Malware Protection.url supprimé
C:\DOCUME~1\MO4D9B~1.MAB\Favoris\Error Cleaner.url supprimé
C:\DOCUME~1\MO4D9B~1.MAB\Favoris\Privacy Protector.url supprimé

»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{83AE4876-79F7-4311-AA15-449E2822EAB3}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83AE4876-79F7-4311-AA15-449E2822EAB3}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS2\Services\Tcpip\..\{83AE4876-79F7-4311-AA15-449E2822EAB3}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252

»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre
Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Logfile of HijackThis v1.99.1
Scan saved at 15:05:26, on 20/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
H:\Nouvelle installation\Antivir\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Trust\DS-4500X Wireless Laser Deskset\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Trust\DS-4500X Wireless Laser Deskset\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1036
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\windows\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

DiagHelp version v1.2 - http://www.malekal.com
excute le 20/09/2007 à 15:20:40,95

Liste des derniers fichies modifies/crees dans windir\system32 et prefetch
C:\WINDOWS\prefetch\CHCP.COM-18156052.pf -->20/09/2007 15:20:06
C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf -->20/09/2007 15:20:05
C:\WINDOWS\prefetch\SETUP.OVR-154CE291.pf -->20/09/2007 15:16:47
C:\WINDOWS\prefetch\ALG.EXE-0F138680.pf -->20/09/2007 15:10:50
C:\WINDOWS\prefetch\SVCHOST.EXE-3530F672.pf -->20/09/2007 15:10:46
C:\WINDOWS\prefetch\IMAPI.EXE-0BF740A4.pf -->20/09/2007 15:10:43
C:\WINDOWS\prefetch\ASHWEBSV.EXE-0548EF0A.pf -->20/09/2007 15:10:43
C:\WINDOWS\prefetch\ASHMAISV.EXE-12E27032.pf -->20/09/2007 15:10:41
C:\WINDOWS\prefetch\WSCNTFY.EXE-1B24F5EB.pf -->20/09/2007 15:10:40
C:\WINDOWS\prefetch\KPF4GUI.EXE-03046928.pf -->20/09/2007
15:10:32 C:\WINDOWS\System32\drivers\fwdrv.err -->20/09/2007 14:57:17 C:\WINDOWS\System32\drivers\avipbb.sys -->18/09/2007 18:13:38 C:\WINDOWS\System32\drivers\aswmon.sys -->06/09/2007 12:05:25 C:\WINDOWS\System32\drivers\aswmon2.sys -->06/09/2007 12:05:10 C:\WINDOWS\System32\drivers\aswRdr.sys -->06/09/2007 12:03:02 C:\WINDOWS\System32\drivers\aswTdi.sys -->06/09/2007 12:02:20 C:\WINDOWS\System32\drivers\aavmker4.sys -->06/09/2007 12:00:53 C:\WINDOWS\System32\tmp.txt -->20/09/2007 15:00:00 C:\WINDOWS\System32\tmp.reg -->20/09/2007 15:00:00 C:\WINDOWS\System32\CONFIG.NT -->14/09/2007 22:30:24 C:\WINDOWS\System32\wpa.dbl -->14/09/2007 22:28:50 C:\WINDOWS\System32\aswBoot.exe -->06/09/2007 12:09:49 C:\WINDOWS\System32\AVASTSS.scr -->06/09/2007 12:00:07 C:\WINDOWS\System32\VCCLSID.exe -->06/09/2007 00:22:23 C:\WINDOWS\System32\Uninstall.ico -->02/09/2007 21:12:57 C:\WINDOWS\System32\pavas.ico -->02/09/2007 21:12:57 C:\WINDOWS\System32\Help.ico -->02/09/2007 21:12:57 C:\WINDOWS\System32\FNTCACHE.DAT -->01/09/2007 12:35:33 C:\WINDOWS\System32\perfh00C.dat -->01/09/2007 07:10:47 C:\WINDOWS\System32\perfh009.dat -->01/09/2007 07:10:47 C:\WINDOWS\System32\perfc00C.dat -->01/09/2007 07:10:47 C:\WINDOWS\System32\perfc009.dat -->01/09/2007 07:10:47 C:\WINDOWS\System32\TZLog.log -->01/09/2007 03:03:11 C:\WINDOWS\System32\PerfStringBackup.INI -->29/08/2007 18:42:56 C:\WINDOWS\System32\nscompat.tlb -->14/08/2007 00:57:25 C:\WINDOWS\System32\amcompat.tlb -->14/08/2007 00:57:25 C:\WINDOWS\System32\jupdate-1.6.0_02-b06.log -->12/08/2007 09:31:43 C:\WINDOWS\System32\ElbyCDIO.dll -->10/08/2007 21:56:53 C:\WINDOWS\System32\wbocx.ocx -->10/08/2007 08:11:00 C:\WINDOWS\System32\wbhelp2.dll -->10/08/2007 08:11:00 C:\WINDOWS\System32\AniGIF.ocx -->10/08/2007 08:11:00 C:\WINDOWS\System32\ati64hlp.stb -->08/08/2007 16:09:24 C:\WINDOWS\wiadebug.log -->20/09/2007 15:10:39 C:\WINDOWS\wiaservc.log -->20/09/2007 15:10:37 C:\WINDOWS.log -->20/09/2007 15:10:28 C:\WINDOWS\WindowsUpdate.log 
-->20/09/2007 15:10:12 C:\WINDOWS\bootstat.dat -->20/09/2007 15:09:07 C:\WINDOWS\dat.txt -->20/09/2007 14:55:39 C:\WINDOWS\NeroDigital.ini -->20/09/2007 09:19:36 C:\WINDOWS\SchedLgU.Txt -->19/09/2007 22:19:21 C:\WINDOWS\rs.txt -->19/09/2007 11:46:24 C:\WINDOWS\win.ini -->18/09/2007 20:56:06 C:\WINDOWS\system.ini -->18/09/2007 20:56:06 C:\WINDOWS\pavsig.txt -->02/09/2007 21:13:04 C:\WINDOWS\mozver.dat -->02/09/2007 19:20:01 C:\WINDOWS\SEA683F28.tmp -->30/08/2007 22:18:14 C:\WINDOWS\Sti_Trace.log -->27/08/2007 15:05:19 MD5 des fichiers sensibles ndis.sys 558635d3af1c7546d26067d5d9b6959e null.sys 73c1e1f395918bc2c6dd67af7591a3ad svchost.exe 1bd6c2f707a275cb7c16fd99fe0f31ca Le volume dans le lecteur C s'appelle C 30 Le numéro de série du volume est 6099-64EE Répertoire de C:\WINDOWS\system32 05/08/2004 14:00 6 144 csrss.exe 1 fichier(s) 6 144 octets 0 Rép(s) 15 134 924 800 octets libres Contenu de Downloaded Program Files Le volume dans le lecteur C s'appelle C 30 Le numéro de série du volume est 6099-64EE Répertoire de C:\WINDOWS\Downloaded Program Files 15/09/2007 23:54 <REP> . 15/09/2007 23:54 <REP> .. 24/08/2006 08:28 141 424 asinst.dll 22/08/2006 09:06 537 asinst.inf 06/08/2007 19:59 65 desktop.ini 22/08/2007 09:46 562 nanoinst.inf 4 fichier(s) 142 588 octets Total des fichiers listés : 4 fichier(s) 142 588 octets 2 Rép(s) 15 134 920 704 octets libres Recherche de rootkit! (Merci S!Ri) Recherche d'infections connues Export des clefs sensibles.. 
Liste des fichiers en exception sur le pare-feu XP SP2 "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"="C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe:*:Enabled:Sunbelt Firewall GUI" "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail" "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule" "C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail" "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" Export de la clef SharedTaskScheduler [sharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant" REGEDIT4 [taskmgr.exe] exports des policies REGEDIT4 [system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 Export des clefs sensibles.. Rechercher adresses sensibles dans le fichier HOSTS... catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-20 15:21:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden services & system hive ... 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:7d7fb77c "s2"=dword:d42957b7 "h0"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\Program Files\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:c2,b6,96,c3,55,81,ea,d0,4d,37,c7,fd,bd,87,b9,c3,7a,84,6f,56,cd,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001] "a0"=hex:20,01,00,00,d8,08,06,e3,59,df,46,7e,90,0b,a5,ef,5c,78,25,c1,fe,.. "khjeh"=hex:f3,47,0e,b7,7e,ad,55,87,33,70,78,3f,0d,fd,e3,a3,7e,e8,a8,a0,d2,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40] "khjeh"=hex:dc,94,38,21,2a,3e,2e,95,01,bf,3b,87,9e,e7,ff,31,1c,37,b0,49,b5,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\Program Files\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:c2,b6,96,c3,55,81,ea,d0,4d,37,c7,fd,bd,87,b9,c3,7a,84,6f,56,cd,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001] "a0"=hex:20,01,00,00,d8,08,06,e3,59,df,46,7e,90,0b,a5,ef,5c,78,25,c1,fe,.. "khjeh"=hex:f3,47,0e,b7,7e,ad,55,87,33,70,78,3f,0d,fd,e3,a3,7e,e8,a8,a0,d2,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40] "khjeh"=hex:dc,94,38,21,2a,3e,2e,95,01,bf,3b,87,9e,e7,ff,31,1c,37,b0,49,b5,.. scanning hidden registry entries ... scanning hidden files ... 
scan completed successfully hidden services: 0 hidden files: 0 KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Process list by traversal of KiWaitListHead 4 - System 224 - KBDAP32A.EXE 348 - alg.exe 392 - explorer.exe 852 - avguard.exe 1144 - mouse32a.exe 1148 - atiptaxx.exe 1164 - csrss.exe 1188 - winlogon.exe 1232 - services.exe 1244 - lsass.exe 1300 - ashDisp.exe 1356 - DAP.exe 1408 - svchost.exe 1464 - svchost.exe 1512 - PicasaMediaDete 1556 - svchost.exe 1596 - avgnt.exe 1736 - svchost.exe 1748 - avgas.exe 1840 - ctfmon.exe 1904 - spamihilator.ex 2000 - ashServ.exe 2104 - AM32.exe 2112 - raid_tool.exe 2168 - IMApp.exe 2484 - sched.exe 2528 - guard.exe 2700 - kpf4gui.exe 2752 - cmd.exe 2972 - kpf4ss.exe 3352 - kpf4gui.exe 3560 - ashMaiSv.exe 3604 - ashWebSv.exe Total number of processes = 34 NOTE: Under WinXP, this will not show all processes. KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Driver/Module list by traversal of PsLoadedModuleList 804D7000 - \WINDOWS\system32\ntoskrnl.exe 806EF000 - \WINDOWS\system32\hal.dll F7A2F000 - \WINDOWS\system32\KDCOM.DLL F793F000 - \WINDOWS\system32\BOOTVID.dll F7437000 - sptd.sys F7A31000 - \WINDOWS\System32\Drivers\WMILIB.SYS F741F000 - \WINDOWS\System32\Drivers\SCSIPORT.SYS F73F0000 - ACPI.sys F73DF000 - pci.sys F752F000 - isapnp.sys F7AF7000 - pciide.sys F77AF000 - \WINDOWS\system32\DRIVERS\PCIIDEX.SYS F753F000 - MountMgr.sys F73C0000 - ftdisk.sys F77B7000 - PartMgr.sys F754F000 - VolSnap.sys F73A8000 - atapi.sys F7396000 - viasprid.sys F755F000 - disk.sys F756F000 - \WINDOWS\system32\DRIVERS\CLASSPNP.SYS F7377000 - fltMgr.sys F7365000 - sr.sys F734F000 - PQV2i.sys F757F000 - PxHelp20.sys F7338000 - KSecDD.sys F72AB000 - Ntfs.sys F727E000 - NDIS.sys F77BF000 - sisagp.sys F7263000 - Mup.sys F771F000 - \SystemRoot\system32\DRIVERS\amdk7.sys F7098000 - \SystemRoot\system32\DRIVERS\ati2mtag.sys F7084000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS F772F000 - 
\SystemRoot\system32\DRIVERS\i8042prt.sys F7847000 - \SystemRoot\system32\DRIVERS\mouclass.sys F784F000 - \SystemRoot\system32\DRIVERS\kbdclass.sys F7857000 - \SystemRoot\system32\DRIVERS\fdc.sys F7073000 - \SystemRoot\system32\DRIVERS\serial.sys F722B000 - \SystemRoot\system32\DRIVERS\serenum.sys F705F000 - \SystemRoot\system32\DRIVERS\parport.sys F7227000 - \SystemRoot\system32\DRIVERS\gameenum.sys F7B8B000 - \SystemRoot\system32\drivers\msmpu401.sys F703B000 - \SystemRoot\system32\drivers\portcls.sys F773F000 - \SystemRoot\system32\drivers\drmk.sys F7018000 - \SystemRoot\system32\drivers\ks.sys F785F000 - \SystemRoot\system32\DRIVERS\usbohci.sys F6FF5000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS F774F000 - \SystemRoot\system32\DRIVERS\imapi.sys F7867000 - \SystemRoot\System32\Drivers\ElbyCDFL.sys F7A47000 - \SystemRoot\System32\Drivers\ElbyDelay.sys F775F000 - \SystemRoot\system32\DRIVERS\cdrom.sys F776F000 - \SystemRoot\system32\DRIVERS\redbook.sys F786F000 - \SystemRoot\System32\Drivers\GearAspiWDM.SYS F7877000 - \SystemRoot\system32\DRIVERS\sisnic.sys F777F000 - \SystemRoot\system32\drivers\es1371mp.sys F6FAB000 - \SystemRoot\System32\Drivers\a598lavo.SYS F7BA7000 - \SystemRoot\system32\DRIVERS\audstub.sys F779F000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys F71FB000 - \SystemRoot\system32\DRIVERS\ndistapi.sys F6F94000 - \SystemRoot\system32\DRIVERS\ndiswan.sys F75AF000 - \SystemRoot\system32\DRIVERS\raspppoe.sys F75BF000 - \SystemRoot\system32\DRIVERS\raspptp.sys F78C7000 - \SystemRoot\system32\DRIVERS\TDI.SYS F6F83000 - \SystemRoot\system32\DRIVERS\psched.sys F75CF000 - \SystemRoot\system32\DRIVERS\msgpc.sys F78CF000 - \SystemRoot\system32\DRIVERS\ptilink.sys F78D7000 - \SystemRoot\system32\DRIVERS\raspti.sys F78DF000 - \SystemRoot\system32\DRIVERS\ProtoWall.sys F75DF000 - \SystemRoot\system32\DRIVERS\termdd.sys F7A51000 - \SystemRoot\system32\DRIVERS\swenum.sys F6F4F000 - \SystemRoot\system32\DRIVERS\update.sys F71E7000 - 
\SystemRoot\system32\DRIVERS\mssmbios.sys F75EF000 - \SystemRoot\System32\Drivers\NDProxy.SYS F78EF000 - \SystemRoot\system32\DRIVERS\flpydisk.sys F762F000 - \SystemRoot\system32\DRIVERS\usbhub.sys F7A55000 - \SystemRoot\system32\DRIVERS\USBD.SYS F7A5B000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS F7B60000 - \SystemRoot\System32\Drivers\Null.SYS F7A5D000 - \SystemRoot\System32\Drivers\Beep.SYS F7B61000 - \SystemRoot\System32\DRIVERS\AvgAsCln.sys F78FF000 - \SystemRoot\System32\drivers\vga.sys F7A5F000 - \SystemRoot\System32\Drivers\mnmdd.SYS F7A61000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys B2F97000 - \SystemRoot\system32\drivers\fwdrv.sys F7907000 - \SystemRoot\System32\Drivers\Msfs.SYS F790F000 - \SystemRoot\System32\Drivers\Npfs.SYS F7179000 - \SystemRoot\system32\DRIVERS\rasacd.sys B2F84000 - \SystemRoot\system32\DRIVERS\ipsec.sys B2F2C000 - \SystemRoot\system32\DRIVERS\tcpip.sys F763F000 - \SystemRoot\System32\Drivers\aswTdi.SYS B2F04000 - \SystemRoot\system32\DRIVERS\netbt.sys B2EE2000 - \SystemRoot\System32\drivers\afd.sys F764F000 - \SystemRoot\system32\DRIVERS\netbios.sys F7917000 - \SystemRoot\system32\DRIVERS\ssmdrv.sys B2EB6000 - \SystemRoot\system32\DRIVERS\rdbss.sys F765F000 - \SystemRoot\System32\Drivers\PQIMount.SYS B2DCF000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys B2DBE000 - \SystemRoot\system32\drivers\khips.sys F766F000 - \SystemRoot\System32\Drivers\Fips.SYS B2D9D000 - \SystemRoot\system32\DRIVERS\ipnat.sys F767F000 - \SystemRoot\system32\DRIVERS\wanarp.sys F6E70000 - \SystemRoot\system32\DRIVERS\usbscan.sys F768F000 - \SystemRoot\system32\DRIVERS\avipbb.sys F7A63000 - \??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys F7BBD000 - \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys F792F000 - \SystemRoot\System32\Drivers\Aavmker4.SYS F76CF000 - \SystemRoot\System32\Drivers\Cdfs.SYS B2B7E000 - \SystemRoot\System32\Drivers\dump_atapi.sys F7A71000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS BF800000 - 
\SystemRoot\System32\win32k.sys F77E7000 - \SystemRoot\System32\watchdog.sys B2BFE000 - \SystemRoot\System32\drivers\Dxapi.sys BF9C1000 - \SystemRoot\System32\drivers\dxg.sys F7C69000 - \SystemRoot\System32\drivers\dxgthk.sys BF9D3000 - \SystemRoot\System32\ati2dvag.dll BFA0A000 - \SystemRoot\System32\ati2cqag.dll BFA44000 - \SystemRoot\System32\ati3duag.dll BFC18000 - \SystemRoot\System32\ativvaxx.dll B2A7E000 - \SystemRoot\system32\DRIVERS\ndisuio.sys B28E8000 - \SystemRoot\System32\Drivers\aswMon2.SYS B25DB000 - \SystemRoot\system32\drivers\wdmaud.sys B26B8000 - \SystemRoot\system32\drivers\sysaudio.sys B21F9000 - \SystemRoot\system32\DRIVERS\mrxdav.sys B2056000 - \??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys F7A75000 - \SystemRoot\System32\Drivers\ParVdm.SYS F77EF000 - \SystemRoot\System32\Drivers\ElbyCDIO.sys B1DFB000 - \SystemRoot\system32\DRIVERS\srv.sys F7807000 - \SystemRoot\system32\DRIVERS\secdrv.sys B192A000 - \SystemRoot\System32\Drivers\HTTP.sys B1A93000 - \SystemRoot\System32\Drivers\aswRdr.SYS B1748000 - \SystemRoot\system32\drivers\kmixer.sys F7C71000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys Total number of drivers = 131 Liste des programmes installes Ad-Aware SE Personal Adobe Acrobat 5.0 Adobe Flash Player ActiveX Adobe Reader 8.1.0 - Français ALZip ATI - Utilitaire de désinstallation du logiciel ATI Control Panel ATI Display Driver ATI HydraVision avast! 
Antivirus AVG Anti-Spyware 7.5 Avira AntiVir PersonalEdition Classic CCleaner (remove only) CloneCD CloneDVD2 Correctif pour Windows XP (KB914440) DivX Codec DivX Content Uploader DivX Player DivX Web Player Download Accelerator Plus (DAP) DVD Decrypter (Remove Only) DVD Shrink 3.2 eMule Eraser FinePixViewer Ver.4.3 Free - Kit de connexion FUJIFILM USB Driver Google Earth HijackThis 1.99.1 Hotfix for Windows XP (KB915865) IncrediMail Xe Java 6 Update 2 Java SE Runtime Environment 6 Lecteur Windows Media 11 LiveUpdate 2.0 (Symantec Corporation) Microsoft .NET Framework 1.1 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348) Mise à jour pour Windows XP (KB898461) Mise à jour pour Windows XP (KB904942) Mozilla Firefox (2.0.0.7) Multi Virus Cleaner 2007 Nero 6 Ultra Edition Norton Ghost 9.0 Norton™ Security Scan OpenOffice.org 2.2 Panda ActiveScan Panda NanoScan Picasa 2 ProtoWall 2.0 Beta QuickTime QVGDM Seconde Edition RAW FILE CONVERTER LE Spamihilator Spybot - Search & Destroy 1.4 SpywareBlaster v3.5.1 Sunbelt Personal Firewall TRUST DS-4500X Wireless Laser Deskset_Keyboard TRUST DS-4500X Wireless Laser Deskset_Mouse TuneUp Utilities 2007 USB Scanner VIA Integrated Setup Wizard VIA Integrated Setup Wizard VideoLAN VLC media player 0.8.1 Vista Visual Pack 7.0 WebFldrs XP Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 XoftSpySE Le volume dans le lecteur C s'appelle C 30 Le numéro de série du volume est 6099-64EE Répertoire de C:\Program Files 19/09/2007 21:52 <REP> . 19/09/2007 21:52 <REP> .. 
26/08/2007 14:44 <REP> Adobe 14/09/2007 21:29 <REP> Ahead 14/09/2007 22:27 <REP> Ahead(2) 02/07/2007 07:01 <REP> Alwil Software 02/07/2007 08:28 <REP> Ant Movie Catalog 20/09/2007 15:10 <REP> AntiVir PersonalEdition Classic 05/07/2007 14:01 <REP> ATI Technologies 15/09/2007 23:03 <REP> AxBx 19/09/2007 16:10 <REP> CCleaner 05/07/2007 13:53 <REP> C-Media 05/07/2007 14:16 <REP> C-Media Audio 02/07/2007 05:31 <REP> ComPlus Applications 30/08/2007 12:24 <REP> DAEMON Tools 17/08/2007 16:43 <REP> DaemonTools_WhenUSave_Installer 10/08/2007 08:11 <REP> DAP 19/07/2007 22:27 <REP> Disc2Phone 17/08/2007 17:07 <REP> DivX 02/07/2007 08:58 <REP> Dudez 30/08/2007 20:47 <REP> DVD Decrypter 30/08/2007 17:48 <REP> DVD Shrink 02/07/2007 11:04 <REP> Eidos Interactive 30/08/2007 21:53 <REP> Elaborate Bytes 20/09/2007 15:17 <REP> eMule 14/08/2007 00:14 <REP> eoRezo 20/09/2007 14:55 <REP> Eraser 02/07/2007 08:28 <REP> ESTsoft 19/09/2007 16:35 <REP> Fichiers communs 12/08/2007 09:18 <REP> FinePixViewer 08/08/2007 15:46 <REP> Free 08/08/2007 16:10 <REP> Free.fr 06/09/2007 22:17 <REP> Google 19/09/2007 21:52 <REP> Grisoft 08/08/2007 22:07 <REP> IncrediMail 04/08/2007 15:37 <REP> Infinity USB 01/09/2007 12:34 <REP> Internet Explorer 12/08/2007 09:31 <REP> Java 14/08/2007 13:36 <REP> Lavasoft 14/08/2007 00:49 <REP> LClock 01/09/2007 12:33 <REP> messenger 02/07/2007 05:34 <REP> microsoft frontpage 04/08/2007 21:14 <REP> Movie Maker 19/09/2007 14:11 <REP> Mozilla Firefox 19/09/2007 16:30 <REP> MSN 04/08/2007 21:16 <REP> msn gaming zone 04/08/2007 21:14 <REP> NetMeeting 15/09/2007 23:28 <REP> Norton Security Scan 06/08/2007 19:56 <REP> Online Services 10/08/2007 09:51 <REP> Open Office 02/07/2007 08:56 <REP> OpenOffice.org 2.1 10/08/2007 09:54 <REP> OpenOffice.org 2.2 01/09/2007 12:33 <REP> Outlook Express 15/09/2007 23:54 <REP> Panda Security 27/08/2007 15:05 <REP> Picasa2 11/09/2007 21:07 <REP> QuickTime 10/07/2007 15:16 <REP> REGSHAVE 17/07/2007 15:30 <REP> Satsuki Decoder Pack 18/09/2007 
21:55 <REP> scanner 08/08/2007 16:16 <REP> ScannerU 02/07/2007 05:33 <REP> Services en ligne 14/09/2007 23:48 <REP> SlySoft 10/07/2007 15:44 <REP> Sony Ericsson 20/09/2007 15:19 <REP> Spamihilator 12/08/2007 16:33 <REP> Spybot - Search & Destroy 15/09/2007 15:57 <REP> SpywareBlaster 14/08/2007 00:49 <REP> Styler 02/07/2007 12:37 <REP> Sunbelt Software 04/08/2007 15:36 <REP> Swapper 02/07/2007 11:16 <REP> Symantec 02/07/2007 08:30 <REP> ToniArts 02/07/2007 11:24 <REP> Trust 19/09/2007 22:04 <REP> TuneUp Utilities 2007 02/07/2007 06:15 <REP> VIA 05/07/2007 09:33 <REP> VideoLAN 14/08/2007 00:49 <REP> ViOrb 14/08/2007 10:51 <REP> Vista Sidebar 14/08/2007 10:53 <REP> ViStart 14/08/2007 00:49 <REP> VisualTooltip 10/07/2007 18:54 <REP> VSO 01/09/2007 12:32 <REP> Windows Media Connect 2 01/09/2007 15:07 <REP> Windows Media Player 04/08/2007 21:12 <REP> Windows NT 02/07/2007 05:34 <REP> xerox 15/09/2007 23:17 <REP> XoftSpySE 17/07/2007 15:27 <REP> XviD 14/09/2007 21:25 <REP> Yahoo! 02/07/2007 10:54 <REP> Zeb-Utility 0 fichier(s) 0 octets 88 Rép(s) 15 134 838 784 octets libres Le volume dans le lecteur C s'appelle C 30 Le numéro de série du volume est 6099-64EE Répertoire de C:\Program Files\fichiers communs 19/09/2007 16:35 <REP> . 19/09/2007 16:35 <REP> .. 
26/08/2007 14:44 <REP> Adobe 14/09/2007 22:27 <REP> Ahead 05/07/2007 13:58 <REP> InstallShield 02/08/2007 12:28 <REP> Java 02/07/2007 05:50 <REP> Microsoft Shared 02/07/2007 05:32 <REP> MSSoap 24/06/2007 02:13 <REP> ODBC 02/07/2007 05:32 <REP> Services 23/07/2007 17:01 <REP> SolidWorks Shared 24/06/2007 02:13 <REP> SpeechEngines 02/07/2007 11:15 <REP> Symantec Shared 01/09/2007 12:33 <REP> System 10/07/2007 15:45 <REP> Teleca Shared 19/09/2007 16:35 <REP> Wise Installation Wizard 0 fichier(s) 0 octets 16 Rép(s) 15 134 838 784 octets libres Le volume dans le lecteur C s'appelle C 30 Le numéro de série du volume est 6099-64EE Répertoire de C:\Program Files\fichiers communs\Microsoft Shared\Web Folders 06/08/2007 20:08 <REP> . 06/08/2007 20:08 <REP> .. 18/05/2001 15:57 561 209 MSONSEXT.DLL 03/06/1999 12:09 122 937 MSOWS409.DLL 07/03/2001 07:00 127 033 MSOWS40c.DLL 3 fichier(s) 811 179 octets 2 Rép(s) 15 134 838 784 octets libres c:\Documents and Settings\All Users.WINDOWS\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\uninstaller.exe c:\Documents and Settings\Moâ\Application Data\Microsoft\Installer\{BFD080F6-3BF0-40E1-9507-9CA969C35870}\ARPPRODUCTICON.exe c:\Documents and Settings\Moâ\Application Data\Microsoft\Installer\{BFD080F6-3BF0-40E1-9507-9CA969C35870}\NewShortcut1_E659E0EE10E649B7869660F38D0EB174.exe c:\Documents and Settings\Moâ\Application Data\Microsoft\Installer\{BFD080F6-3BF0-40E1-9507-9CA969C35870}\NewShortcut2_8315396A5EA1419DBEC4978284BDF556.exe c:\Documents and Settings\Moâ\Local Settings\Temp\xpinstall.exe c:\Documents and Settings\Moâ\Menu Démarrer\Programmes\Démarrage\Reboot.exe c:\Documents and Settings\Moâ.MABETE\.housecall6.6\getMac.exe c:\Documents and Settings\Moâ.MABETE\.housecall6.6\patch.exe c:\Documents and Settings\Moâ.MABETE\Application Data\Microsoft\Installer\{735D1B9F-A9A4-4FF2-A830-96C150883B97}\_81E4513.exe c:\Documents and Settings\Moâ.MABETE\Application 
Data\Microsoft\Installer\{BF516A44-48E3-4319-BBF6-B4B66E9F76FA}\sbase.exe
c:\Documents and Settings\Moâ.MABETE\Application Data\Microsoft\Installer\{BF516A44-48E3-4319-BBF6-B4B66E9F76FA}\scalc.exe
c:\Documents and Settings\Moâ.MABETE\Application Data\Microsoft\Installer\{BF516A44-48E3-4319-BBF6-B4B66E9F76FA}\sdraw.exe
c:\Documents and Settings\Moâ.MABETE\Application Data\Microsoft\Installer\{BF516A44-48E3-4319-BBF6-B4B66E9F76FA}\simpress.exe
c:\Documents and Settings\Moâ.MABETE\Application Data\Microsoft\Installer\{BF516A44-48E3-4319-BBF6-B4B66E9F76FA}\smath.exe
c:\Documents and Settings\Moâ.MABETE\Application Data\Microsoft\Installer\{BF516A44-48E3-4319-BBF6-B4B66E9F76FA}\soffice.exe
c:\Documents and Settings\Moâ.MABETE\Application Data\Microsoft\Installer\{BF516A44-48E3-4319-BBF6-B4B66E9F76FA}\swriter.exe
c:\Documents and Settings\Moâ.MABETE\Application Data\MSNInstaller\msnauins.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\avgas-setup-7.5.0.50.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\ccsetup200.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\TU2007TrialFR.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\dumphive.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\exit.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\GenericRenosFix.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\HostsChk.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\Process.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\Reboot.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\restart.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\SmiUpdate.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\SrchSTS.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\swreg.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\swsc.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\swxcacls.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\unzip.exe
c:\Documents and Settings\Moâ.MABETE\Bureau\SmitfraudFix\VCCLSID.exe
c:\Documents and Settings\Moâ.MABETE\Local Settings\Application Data\IM\Identities\{E2698E99-FF5C-47B4-B84A-0EA278B38159}\Message Store\Attachments\boules.exe
c:\Documents and Settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition Classic\BACKUP\FAILSAFE\avewin32.dll
c:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\AVG Anti-Spyware 7.5\Downloads\help.dll
c:\Documents and Settings\All Users.WINDOWS\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
c:\Documents and Settings\All Users.WINDOWS\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
c:\Documents and Settings\Moâ.MABETE\Application Data\Mozilla\Firefox\Profiles\ixhh1zyv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
c:\Documents and Settings\Moâ.MABETE\Application Data\Mozilla\Firefox\Profiles\ixhh1zyv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
****** Fin du rapport DiagHelp
On that note, good luck with the analysis, and thanks in advance for the result! @+
  2. Hello, I can see on the site that I'm not the only one being bothered, but I'm taking the liberty of contacting you again because you may have forgotten me!!!! If that's not the case, sorry for the reminder! @+
  3. Thanks for helping me!!! Here is the report:
SmitFraudFix v2.225
Rapport fait à 21:37:19,01, 17/09/2007
Executé à partir de C:\Documents and Settings\Moƒ.MABETE\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode normal
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trust\DS-4500X Wireless Laser Deskset\Keyboard\kbdap32a.EXE
C:\Program Files\Trust\DS-4500X Wireless Laser Deskset\Mouse\mouse32a.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\ScannerU\AM32.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\explorer.exe
C:\windows\system32\spider.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\main_uninstaller.exe PRESENT !
C:\WINDOWS\msmdev.dll PRESENT !
C:\WINDOWS\msmhost.dll PRESENT !
C:\WINDOWS\nsduo.dll PRESENT !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Moƒ.MABETE
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Moƒ.MABETE\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MO4D9B~1.MAB\Favoris
C:\DOCUME~1\MO4D9B~1.MAB\Favoris\Error Cleaner.url PRESENT !
C:\DOCUME~1\MO4D9B~1.MAB\Favoris\Privacy Protector.url PRESENT !
»»»»»»»»»»»»»»»»»»»»»»»» Bureau
C:\DOCUME~1\MO4D9B~1.MAB\Bureau\Error Cleaner.url PRESENT !
C:\DOCUME~1\MO4D9B~1.MAB\Bureau\Privacy Protector.url PRESENT !
C:\DOCUME~1\MO4D9B~1.MAB\Bureau\Spyware?Malware Protection.url PRESENT !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues
»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Carte Fast Ethernet PCI de base SiS 900 - Miniport d'ordonnancement de paquets
DNS Server Search Order: 212.27.54.252
DNS Server Search Order: 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\..\{83AE4876-79F7-4311-AA15-449E2822EAB3}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83AE4876-79F7-4311-AA15-449E2822EAB3}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS2\Services\Tcpip\..\{83AE4876-79F7-4311-AA15-449E2822EAB3}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll
»»»»»»»»»»»»»»»»»»»»»»»» Fin
@+
  4. Good evening everyone, I constantly get windows popping up asking me to download some antivirus software or other! Here is the report, thanks in advance for the help you'll give me! @+
Report:
Logfile of HijackThis v1.99.1
Scan saved at 22:15:19, on 16/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trust\DS-4500X Wireless Laser Deskset\Keyboard\kbdap32a.EXE
C:\Program Files\Trust\DS-4500X Wireless Laser Deskset\Mouse\mouse32a.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\ScannerU\AM32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\windows\system32\spider.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\eMule\emule.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\WINDOWS\explorer.exe
H:\Nouvelle installation\Antivir\hijackthis\HijackThis.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - C:\Program Files\eoRezo\EoAdv\EoRezoBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSVPS System - {ACD85107-9CF9-4C9E-B0B7-39940A0017C0} - C:\WINDOWS\nsduo.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Trust\DS-4500X Wireless Laser Deskset\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Trust\DS-4500X Wireless Laser Deskset\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1036
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msmhost - {3924E3CF-CDEC-43F6-8AC8-DBE7098BE6FB} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {2CA133F7-78BB-41CC-ACA3-1954BD222C16} - C:\WINDOWS\msmdev.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\windows\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
  5. Good evening everyone! Here is my problem: I want to install the driver for my scanner! It's a file that I unzip and inside it I find an .exe, but when I try to run that .exe I get an error message:
SOUS SYTEME WINDOWS 16 BITS
D:\WINDOWS\SYSTEM32\AUTOEXECT.NT
Le fichier système ne convient pas à l'exécution des applications MS-DOS ou Microsoft Windows. Choisissez FERMER pour mettre fin à l'application!
This afternoon I was able to watch a specialist install it successfully and get my scanner working correctly! Any idea what could be blocking this installation on my computer? Thanks in advance for the reply!