
Posted

So here is the ComboFix report:

 

ComboFix 08-03-09.4 - EKAdmin 10/03/2008 20:58:33.2 - NTFSx86

Microsoft Windows 2000 Professionnel 5.0.2195.4.1252.1.1033.18.577 [GMT 1:00]

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINNT\system\mside.exe

C:\WINNT\system32\drivers\aswMon.sys

C:\WINNT\system32\msasvc.exe

C:\WINNT\SYSTEM32\srvany.exe

C:\WINNT\system32\wmsv.exe

C:\WINNT\system32\xwvyb.bak1

C:\WINNT\system32\xwvyb.bak2

C:\WINNT\system32\xwvyb.ini2

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\_OTMoveIt

C:\_OTMoveIt\MovedFiles\03102008_114602.log

C:\_OTMoveIt\MovedFiles\03102008_114602.res

C:\_OTMoveIt\MovedFiles\03102008_114602\WINNT\web\RELATED.HTM

C:\SDFix

C:\SDFix\apps\assosfix.reg

C:\SDFix\apps\cliptext.exe

C:\SDFix\apps\download.exe

C:\SDFix\apps\dummy.sys

C:\SDFix\apps\Enable_Command_Prompt.reg

C:\SDFix\apps\ERDNT.E_E

C:\SDFix\apps\ERDNTDOS.LOC

C:\SDFix\apps\ERDNTWIN.LOC

C:\SDFix\apps\ERUNT.EXE

C:\SDFix\apps\ERUNT.LOC

C:\SDFix\apps\fix.reg

C:\SDFix\apps\FixBH.reg

C:\SDFix\apps\FixComponents.reg

C:\SDFix\apps\FIXCU.reg

C:\SDFix\apps\FIXLM.reg

C:\SDFix\apps\FixPath.exe

C:\SDFix\apps\FixRedir.reg

C:\SDFix\apps\FixSchedule.reg

C:\SDFix\apps\FixWebCheck.reg

C:\SDFix\apps\fixXP.reg

C:\SDFix\apps\FixXPsp2.reg

C:\SDFix\apps\grep.exe

C:\SDFix\apps\HPFix.reg

C:\SDFix\apps\HPFix2.reg

C:\SDFix\apps\HPFix3.reg

C:\SDFix\apps\HPFix4.reg

C:\SDFix\apps\HPFix5.reg

C:\SDFix\apps\HPFix6.reg

C:\SDFix\apps\HPFix7.reg

C:\SDFix\apps\isadmin.exe

C:\SDFix\apps\leg2.txt

C:\SDFix\apps\legacy.txt

C:\SDFix\apps\legacybk.txt

C:\SDFix\apps\locate.com

C:\SDFix\apps\LS.exe

C:\SDFix\apps\MD5File.exe

C:\SDFix\apps\MyGcpvFix.reg

C:\SDFix\apps\MyGkFix2.reg

C:\SDFix\apps\Process.exe

C:\SDFix\apps\procs.exe

C:\SDFix\apps\psservice.exe

C:\SDFix\apps\Rem.txt

C:\SDFix\apps\Rem2.txt

C:\SDFix\apps\Replace\regedit.exe

C:\SDFix\apps\Replace\W2K.exe

C:\SDFix\apps\Replace\w2k\beep.sys

C:\SDFix\apps\Replace\w2k\null.sys

C:\SDFix\apps\Replace\XP.exe

C:\SDFix\apps\Replace\xp\beep.sys

C:\SDFix\apps\Replace\xp\null.sys

C:\SDFix\apps\Reset_AppInit_DLLs.reg

C:\SDFix\apps\RestartIt!.exe

C:\SDFix\apps\Restore_SecurityCenter.reg

C:\SDFix\apps\Restore_SharedAccess.reg

C:\SDFix\apps\sc.exe

C:\SDFix\apps\sed.exe

C:\SDFix\apps\SF.exe

C:\SDFix\apps\shutdown.exe

C:\SDFix\apps\srv2.txt

C:\SDFix\apps\srv2bk.txt

C:\SDFix\apps\svc.txt

C:\SDFix\apps\svcbk.txt

C:\SDFix\apps\swreg.exe

C:\SDFix\apps\swsc.exe

C:\SDFix\apps\unzip.exe

C:\SDFix\apps\vfind.exe

C:\SDFix\apps\WINMSG.EXE

C:\SDFix\apps\winsec.reg

C:\SDFix\apps\zip.exe

C:\SDFix\backups\backupreg.zip

C:\SDFix\backups\backups.zip

C:\SDFix\backups\catchme.log

C:\SDFix\backups\HOSTS

C:\SDFix\catchme.exe

C:\SDFix\dummy.sys

C:\SDFix\rapport du 10 mars 12 52.txt

C:\SDFix\Report.txt

C:\SDFix\RunThis.bat

C:\SDFix\SDFIX_ReadMe_Online.url

C:\VundoFix Backups

C:\WINNT\system32\drivers\aswMon.sys

C:\WINNT\system32\xwvyb.bak1

C:\WINNT\system32\xwvyb.bak2

C:\WINNT\system32\xwvyb.ini2

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\LEGACY_ASWMON

-------\LEGACY_EKINST

-------\LEGACY_MSASVC

-------\LEGACY_MSIDE

-------\LEGACY_NDISKIO

-------\LEGACY_WSMV

-------\aswMon

-------\EKInst

-------\MsaSvc

-------\mside

-------\Ndiskio

-------\nvcfsr

-------\nvcoafl5

-------\nvcoarc5

-------\nvcoas

-------\NVCScheduler

-------\wsmv

 

 

((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))

.

 

2008-03-10 12:17 . 08-03-10 12:17 <DIR> d-------- C:\WINNT\ERUNT

2008-03-09 17:57 . 08-03-09 17:57 <DIR> d-------- C:\Program Files\Avira

2008-03-09 17:57 . 08-03-09 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-03-08 13:52 . 08-03-08 13:51 691,545 --a------ C:\WINNT\unins000.exe

2008-03-08 13:52 . 08-03-08 13:52 2,547 --a------ C:\WINNT\unins000.dat

2008-03-05 07:59 . 08-03-10 11:25 <DIR> d-------- C:\Hijackthis

2008-03-04 20:00 . 08-03-05 07:30 <DIR> d-------- C:\Program Files\a-squared Anti-Malware

2008-03-04 19:47 . 08-03-04 19:47 <DIR> d-------- C:\Program Files\ToniArts

2008-03-03 14:07 . 08-03-03 14:07 0 --a------ C:\WINNT\3

2008-03-01 14:21 . 08-03-03 12:33 <DIR> d-------- C:\Program Files\Defenza

2008-03-01 14:21 . 96-08-20 20:37 15,840 --a------ C:\WINNT\system32\Machnm1.exe

2008-03-01 14:21 . 05-09-25 16:37 5,632 --a------ C:\WINNT\system32\Machnm64.sys

2008-03-01 14:21 . 08-03-01 14:21 3,120 --a------ C:\WINNT\system32\118290.54

2008-03-01 14:21 . 08-03-01 14:21 3,120 --a------ C:\WINNT\118294.78

2008-03-01 14:21 . 03-08-13 00:27 2,304 --a------ C:\WINNT\system32\Machnm32.sys

2008-03-01 14:08 . 08-03-01 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue

2008-03-01 13:50 . 08-03-01 14:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue

2008-03-01 13:42 . 08-03-01 13:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ItsLabel

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-08 12:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-03-08 12:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-03-07 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM

2008-03-04 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-04 18:47 --------- d---a-w C:\Program Files\Common Files\InstallShield

2008-01-21 09:59 --------- d-----w C:\Program Files\Trend Micro

2008-01-21 09:51 102,664 ----a-w C:\WINNT\system32\drivers\tmcomm.sys

2003-09-01 08:38 832 ----a-w C:\Program Files\INSTALL.LOG

2002-01-08 19:10 271 ---ha-w C:\Program Files\desktop.ini

2002-01-08 19:10 21,952 ---ha-w C:\Program Files\folder.htt

1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys

.

 

------- Sigcheck -------

 

01-05-08 01:00 7952 1206706a25c5b32652b4f465ede330e9 C:\WINNT\system32\svchost.exe

99-12-07 13:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\dllcache\svchost.exe

 

03-06-19 11:05 181008 3980c28d116d438bbb36fb38526fde1a C:\WINNT\ServicePackFiles\i386\winlogon.exe

05-06-03 11:25 191248 5b5c3a13997c536c1ea1956ac7a41db8 C:\WINNT\system32\WINLOGON.EXE

03-06-19 17:05 181008 3980c28d116d438bbb36fb38526fde1a C:\WINNT\system32\dllcache\WINLOGON.EXE

 

03-06-19 11:05 1694080 541daef38c9c82541690aa7e6f52f654 C:\WINNT\ServicePackFiles\i386\ntkrnlpa.exe

07-03-06 05:03 1717056 12e5366b7d7eac583309cdada766b2e9 C:\WINNT\system32\NTKRNLPA.EXE

 

03-06-19 11:05 1719056 61a2dcfce1abf5340d2128e45b5f52b7 C:\WINNT\ServicePackFiles\i386\ntoskrnl.exe

07-03-06 05:03 1694400 a7ac10f8cea3d5d48e8a38f09462c448 C:\WINNT\system32\NTOSKRNL.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

"E:\"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-03-10 07:06 249896]

"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 C:\WINNT\system32\mobsync.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [01-05-08 01:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 17:05 186640]

 

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\

ieproxychk.bat [2003-11-17 15:47:06 214]

userdata.bat [2001-09-04 21:41:19 251]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Collect Most Frequent Userid.lnk.disabled [2004-04-16 17:13:38 496]

McAfee Desktop Firewall Tray.lnk.disabled [2004-04-16 17:13:38 745]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

"RunLogonScriptSync"= 0 (0x0)

"RunStartupScriptSync"= 1 (0x1)

"SynchronousMachineGroupPolicy"= 1 (0x1)

"SynchronousUserGroupPolicy"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoToolbarCustomize"= 0 (0x0)

"NoBandCustomize"= 0 (0x0)

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"Btn_Back"= 0 (0x0)

"Btn_Forward"= 0 (0x0)

"Btn_Stop"= 0 (0x0)

"Btn_Refresh"= 0 (0x0)

"Btn_Home"= 0 (0x0)

"Btn_Search"= 0 (0x0)

"Btn_History"= 0 (0x0)

"Btn_Favorites"= 0 (0x0)

"Btn_Folders"= 0 (0x0)

"Btn_Fullscreen"= 0 (0x0)

"Btn_Tools"= 0 (0x0)

"Btn_MailNews"= 0 (0x0)

"Btn_Size"= 0 (0x0)

"Btn_Print"= 0 (0x0)

"Btn_Edit"= 0 (0x0)

"Btn_Discussions"= 0 (0x0)

"Btn_Cut"= 0 (0x0)

"Btn_Copy"= 0 (0x0)

"Btn_Paste"= 0 (0x0)

"Btn_Encoding"= 0 (0x0)

"Btn_PrintPreview"= 0 (0x0)

"NoFavoritesMenu"= 0 (0x0)

"NoLogoff"= 0 (0x0)

"EnforceShellExtensionSecurity"= 0 (0x0)

"NoDeletePrinter"= 0 (0x0)

"NoAddPrinter"= 0 (0x0)

"NoPrinterTabs"= 0 (0x0)

"Btn_Media"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]

WcesWlgn.dll 05-11-15 19:44 7168 C:\WINNT\system32\WcesWlgn.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 TivoliAP

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"AGRSMMSG"=AGRSMMSG.exe

"dla"=C:\WINNT\system32\dla\tfswctrl.exe

"lcfep"="C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x

"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

"pdfFactory Dispatcher v1"=C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

"SwdisUsrPCN.patwlc5528"="C:\apps\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\apps\Tivoli\swdis\1\wdusrpcn.env"

"Synchronization Manager"=mobsync.exe /logon

 

R0 avgntmgr;avgntmgr;C:\WINNT\system32\DRIVERS\avgntmgr.sys [07-07-18 14:21 ]

R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys [07-08-09 13:03 ]

R1 TGrab;Tivoli Remote Control Text Grabber;C:\WINNT\system32\drivers\TGrab.sys [03-04-11 09:05 ]

R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [03-01-17 01:32 ]

R2 MouEx2;Tivoli Remote Control Pointer Filter;C:\WINNT\system32\drivers\MouEx2.sys [03-04-11 09:05 ]

R2 TME10RC;Tivoli Remote Control Service;C:\WINNT\RCSERV.EXE [03-04-11 09:05 ]

R3 Eqnmirdd;Eqnmirdd;C:\WINNT\system32\DRIVERS\Eqnmirdd.sys [03-04-11 09:05 ]

R3 fhlppppoe;PPPOE/ADSL miniport;C:\WINNT\system32\DRIVERS\fhlpppoe.sys [02-11-21 16:35 ]

R3 KeyEx2;Tivoli Remote Control Keyboard Filter;C:\WINNT\system32\drivers\KeyEx2.sys [03-04-11 09:05 ]

R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys [02-07-16 09:07 ]

S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINNT\system32\DRIVERS\ipsecw2k.sys []

S2 lcfd;Tivoli Endpoint;"C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE" []

S3 Eacfilt;Eacfilt Miniport;C:\WINNT\system32\DRIVERS\eacfilt.sys []

S3 FireProx;%pgpnetMP_Desc%;C:\WINNT\system32\DRIVERS\fireprox.sys []

S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINNT\system32\DRIVERS\ipsecw2k.sys []

S3 nvcoaft5;nvcoaft5;C:\VIRUSfighter\Nvc\bin\nvcoaft5.sys []

S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys [05-10-25 09:02 ]

 

.

Contents of the 'Scheduled Tasks' folder

"2007-06-15 18:02:40 C:\WINNT\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2006-09-11 06:40:49 C:\WINNT\Tasks\BMMTask.job"

- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE

"2008-03-03 11:29:38 C:\WINNT\Tasks\Uniblue SpyEraser Nag.job"

- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

"2008-03-01 13:09:32 C:\WINNT\Tasks\Uniblue SpyEraser.job"

- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-10 21:03:36

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

"E:\\"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

.

------------------------ Other Running Processes ------------------------

.

C:\WINNT\System32\ibmpmsvc.exe

C:\Program Files\a-squared Anti-Malware\a2service.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

.

**************************************************************************

.

Completion time: 2008-03-10 21:05:46 - machine was rebooted

ComboFix-quarantined-files.txt 2008-03-10 20:05:41

ComboFix2.txt 2008-03-10 13:48:45

 

and here is the HJT log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:07:30, on 10/03/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\a-squared Anti-Malware\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\RCSERV.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINNT\explorer.exe

C:\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kodak.com:81/proxy.pac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [E:\] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - .DEFAULT Startup: ieproxychk.bat (User 'Default user')

O4 - .DEFAULT Startup: userdata.bat (User 'Default user')

O4 - .DEFAULT User Startup: ieproxychk.bat (User 'Default user')

O4 - .DEFAULT User Startup: userdata.bat (User 'Default user')

O4 - Global Startup: Collect Most Frequent Userid.lnk.disabled

O4 - Global Startup: McAfee Desktop Firewall Tray.lnk.disabled

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O14 - IERESET.INF: START_PAGE_URL=http://home.kodak.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fr.kodak.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fr.kodak.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fr.kodak.com

O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe

O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe

O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Norman ZANDA - Unknown owner - C:\VIRUSfighter\Npm\Bin\Zanda.exe (file missing)

O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINNT\RCSERV.EXE

 

--

End of file - 5874 bytes

 

Thanks for shedding some light, in the dark...

Posted

I forgot one!

Open Notepad [Run -> notepad] and copy/paste the contents of the box below:

Driver::
nvcoaft5

Folder::
C:\VIRUSfighter

* Go to the top of the page and click the "File" menu; a list appears =>

* Choose "Save As" and select "Desktop"

* In the "File name" field at the bottom of the window, enter the following name: CFScript, as a .txt file

* Click the "Save" button to the right of the "File name" field

* Close Notepad.

* Drag and drop this CFScript.txt file onto the ComboFix.exe file, as shown in the screenshot

(screenshot: CFScript.gif)

* A blue window will appear; follow the instructions, you're used to it by now :P

* Wait while the scan runs. The desktop will disappear several times: that's normal!

Don't touch anything until the scan is finished.

* Once the scan is finished, a report will appear: post its contents.

* If the file doesn't appear, it is located here > C:\ComboFix.txt

* Run a Kaspersky online scan with IE

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

* Click Accept

* A yellow bar will ask whether you accept installing Kavwebscan_Unicode.cab; install the ActiveX.

* Click "Accept" once more

* The update databases will install; wait a moment

* Click Next.

* Click My Computer; the scan starts. Wait for the scan to finish without closing the window, otherwise it will stop.

tutorial >> http://forum.pcastuces.com/tuto_scan_antiv...y-f25s37641.htm

post the report along with a new HJT report

Posted

Hello,

 

here is the ComboFix report:

 

ComboFix 08-03-09.4 - EKAdmin 11/03/2008 9:43:58.3 - NTFSx86

Microsoft Windows 2000 Professionnel 5.0.2195.4.1252.1.1033.18.529 [GMT 1:00]

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))

.

 

2008-03-10 12:17 . 08-03-10 12:17 <DIR> d-------- C:\WINNT\ERUNT

2008-03-09 17:57 . 08-03-09 17:57 <DIR> d-------- C:\Program Files\Avira

2008-03-09 17:57 . 08-03-09 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-03-08 13:52 . 08-03-08 13:51 691,545 --a------ C:\WINNT\unins000.exe

2008-03-08 13:52 . 08-03-08 13:52 2,547 --a------ C:\WINNT\unins000.dat

2008-03-05 07:59 . 08-03-10 21:07 <DIR> d-------- C:\Hijackthis

2008-03-04 20:00 . 08-03-05 07:30 <DIR> d-------- C:\Program Files\a-squared Anti-Malware

2008-03-04 19:47 . 08-03-04 19:47 <DIR> d-------- C:\Program Files\ToniArts

2008-03-03 14:07 . 08-03-03 14:07 0 --a------ C:\WINNT\3

2008-03-01 14:21 . 08-03-03 12:33 <DIR> d-------- C:\Program Files\Defenza

2008-03-01 14:21 . 96-08-20 20:37 15,840 --a------ C:\WINNT\system32\Machnm1.exe

2008-03-01 14:21 . 05-09-25 16:37 5,632 --a------ C:\WINNT\system32\Machnm64.sys

2008-03-01 14:21 . 08-03-01 14:21 3,120 --a------ C:\WINNT\system32\118290.54

2008-03-01 14:21 . 08-03-01 14:21 3,120 --a------ C:\WINNT\118294.78

2008-03-01 14:21 . 03-08-13 00:27 2,304 --a------ C:\WINNT\system32\Machnm32.sys

2008-03-01 14:08 . 08-03-01 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue

2008-03-01 13:50 . 08-03-01 14:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue

2008-03-01 13:42 . 08-03-01 13:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ItsLabel

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-08 12:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-03-08 12:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-03-07 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM

2008-03-04 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-04 18:47 --------- d---a-w C:\Program Files\Common Files\InstallShield

2008-01-21 09:59 --------- d-----w C:\Program Files\Trend Micro

2008-01-21 09:51 102,664 ----a-w C:\WINNT\system32\drivers\tmcomm.sys

2003-09-01 08:38 832 ----a-w C:\Program Files\INSTALL.LOG

2002-01-08 19:10 271 ---ha-w C:\Program Files\desktop.ini

2002-01-08 19:10 21,952 ---ha-w C:\Program Files\folder.htt

1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys

.

 

------- Sigcheck -------

 

01-05-08 01:00 7952 1206706a25c5b32652b4f465ede330e9 C:\WINNT\system32\svchost.exe

99-12-07 13:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\dllcache\svchost.exe

 

03-06-19 11:05 181008 3980c28d116d438bbb36fb38526fde1a C:\WINNT\ServicePackFiles\i386\winlogon.exe

05-06-03 11:25 191248 5b5c3a13997c536c1ea1956ac7a41db8 C:\WINNT\system32\WINLOGON.EXE

03-06-19 17:05 181008 3980c28d116d438bbb36fb38526fde1a C:\WINNT\system32\dllcache\WINLOGON.EXE

 

03-06-19 11:05 1694080 541daef38c9c82541690aa7e6f52f654 C:\WINNT\ServicePackFiles\i386\ntkrnlpa.exe

07-03-06 05:03 1717056 12e5366b7d7eac583309cdada766b2e9 C:\WINNT\system32\NTKRNLPA.EXE

 

03-06-19 11:05 1719056 61a2dcfce1abf5340d2128e45b5f52b7 C:\WINNT\ServicePackFiles\i386\ntoskrnl.exe

07-03-06 05:03 1694400 a7ac10f8cea3d5d48e8a38f09462c448 C:\WINNT\system32\NTOSKRNL.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

"E:\"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-03-10 07:06 249896]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [01-05-08 01:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 17:05 186640]

 

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\

ieproxychk.bat [2003-11-17 15:47:06 214]

userdata.bat [2001-09-04 21:41:19 251]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Collect Most Frequent Userid.lnk.disabled [2004-04-16 17:13:38 496]

McAfee Desktop Firewall Tray.lnk.disabled [2004-04-16 17:13:38 745]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

"RunLogonScriptSync"= 0 (0x0)

"RunStartupScriptSync"= 1 (0x1)

"SynchronousMachineGroupPolicy"= 1 (0x1)

"SynchronousUserGroupPolicy"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoToolbarCustomize"= 0 (0x0)

"NoBandCustomize"= 0 (0x0)

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"Btn_Back"= 0 (0x0)

"Btn_Forward"= 0 (0x0)

"Btn_Stop"= 0 (0x0)

"Btn_Refresh"= 0 (0x0)

"Btn_Home"= 0 (0x0)

"Btn_Search"= 0 (0x0)

"Btn_History"= 0 (0x0)

"Btn_Favorites"= 0 (0x0)

"Btn_Folders"= 0 (0x0)

"Btn_Fullscreen"= 0 (0x0)

"Btn_Tools"= 0 (0x0)

"Btn_MailNews"= 0 (0x0)

"Btn_Size"= 0 (0x0)

"Btn_Print"= 0 (0x0)

"Btn_Edit"= 0 (0x0)

"Btn_Discussions"= 0 (0x0)

"Btn_Cut"= 0 (0x0)

"Btn_Copy"= 0 (0x0)

"Btn_Paste"= 0 (0x0)

"Btn_Encoding"= 0 (0x0)

"Btn_PrintPreview"= 0 (0x0)

"NoFavoritesMenu"= 0 (0x0)

"NoLogoff"= 0 (0x0)

"EnforceShellExtensionSecurity"= 0 (0x0)

"NoDeletePrinter"= 0 (0x0)

"NoAddPrinter"= 0 (0x0)

"NoPrinterTabs"= 0 (0x0)

"Btn_Media"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]

WcesWlgn.dll 05-11-15 19:44 7168 C:\WINNT\system32\WcesWlgn.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 TivoliAP

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"AGRSMMSG"=AGRSMMSG.exe

"dla"=C:\WINNT\system32\dla\tfswctrl.exe

"lcfep"="C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x

"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

"pdfFactory Dispatcher v1"=C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

"SwdisUsrPCN.patwlc5528"="C:\apps\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\apps\Tivoli\swdis\1\wdusrpcn.env"

"Synchronization Manager"=mobsync.exe /logon

 

R0 avgntmgr;avgntmgr;C:\WINNT\system32\DRIVERS\avgntmgr.sys [07-07-18 14:21 ]

R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys [07-08-09 13:03 ]

R1 TGrab;Tivoli Remote Control Text Grabber;C:\WINNT\system32\drivers\TGrab.sys [03-04-11 09:05 ]

R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [03-01-17 01:32 ]

R2 MouEx2;Tivoli Remote Control Pointer Filter;C:\WINNT\system32\drivers\MouEx2.sys [03-04-11 09:05 ]

R3 Eqnmirdd;Eqnmirdd;C:\WINNT\system32\DRIVERS\Eqnmirdd.sys [03-04-11 09:05 ]

R3 fhlppppoe;PPPOE/ADSL miniport;C:\WINNT\system32\DRIVERS\fhlpppoe.sys [02-11-21 16:35 ]

R3 KeyEx2;Tivoli Remote Control Keyboard Filter;C:\WINNT\system32\drivers\KeyEx2.sys [03-04-11 09:05 ]

R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys [02-07-16 09:07 ]

S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINNT\system32\DRIVERS\ipsecw2k.sys []

S2 lcfd;Tivoli Endpoint;"C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE" []

S3 Eacfilt;Eacfilt Miniport;C:\WINNT\system32\DRIVERS\eacfilt.sys []

S3 FireProx;%pgpnetMP_Desc%;C:\WINNT\system32\DRIVERS\fireprox.sys []

S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINNT\system32\DRIVERS\ipsecw2k.sys []

S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys [05-10-25 09:02 ]

 

.

Contents of the 'Scheduled Tasks' folder

"2007-06-15 18:02:40 C:\WINNT\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2006-09-11 06:40:49 C:\WINNT\Tasks\BMMTask.job"

- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE

"2008-03-03 11:29:38 C:\WINNT\Tasks\Uniblue SpyEraser Nag.job"

- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

"2008-03-01 13:09:32 C:\WINNT\Tasks\Uniblue SpyEraser.job"

- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-11 09:50:04

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

"E:\\"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

.

------------------------ Other Running Processes ------------------------

.

C:\WINNT\System32\ibmpmsvc.exe

C:\Program Files\a-squared Anti-Malware\a2service.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\RCSERV.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

.

**************************************************************************

.

Completion time: 2008-03-11 9:52:06 - machine was rebooted

ComboFix-quarantined-files.txt 2008-03-11 08:52:02

ComboFix2.txt 2008-03-10 20:05:46

ComboFix3.txt 2008-03-10 13:48:45

 

 

here is the Kaspersky one:

 

Tuesday, March 11, 2008 2:33:04 PM

Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 11/03/2008

Kaspersky Anti-Virus database records: 623475

Scan Settings

Scan using the following antivirus database extended

Scan Archives true

Scan Mail Bases true

Scan Target My Computer

C:\

D:\

E:\

Scan Statistics

Total number of scanned objects 64387

Number of viruses found 0

Number of infected objects 0

Number of suspicious objects 0

Duration of the scan process 04:10:05

 

Infected Object Name Virus Name Last Action

C:\DATA\USERS\P15750\KODAK.doc Object is locked skipped

C:\DATA\USERS\P15750\LABORATOIRE E.doc Object is locked skipped

C:\DATA\USERS\P15750\~WRL0003.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\cert8.db Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\history.dat Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\key3.db Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\parent.lock Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\sue4fut3.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\Netlogon.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\security\logs\scepol.log Object is locked skipped

C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped

C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped

C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped

C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped

C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

Scan process completed.

 

And finally the HJT:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:35:59, on 11/03/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\a-squared Anti-Malware\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\RCSERV.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINNT\explorer.exe

C:\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kodak.com:81/proxy.pac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [E:\] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - .DEFAULT Startup: ieproxychk.bat (User 'Default user')

O4 - .DEFAULT Startup: userdata.bat (User 'Default user')

O4 - .DEFAULT User Startup: ieproxychk.bat (User 'Default user')

O4 - .DEFAULT User Startup: userdata.bat (User 'Default user')

O4 - Global Startup: Collect Most Frequent Userid.lnk.disabled

O4 - Global Startup: McAfee Desktop Firewall Tray.lnk.disabled

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O14 - IERESET.INF: START_PAGE_URL=http://home.kodak.com

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fr.kodak.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fr.kodak.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fr.kodak.com

O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe

O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe

O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Norman ZANDA - Unknown owner - C:\VIRUSfighter\Npm\Bin\Zanda.exe (file missing)

O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINNT\RCSERV.EXE

 

--

End of file - 6013 bytes

 

Are we done now, or are there still a few bits of junk lying around here and there?

Posted

it's all clean.

• uninstall Kaspersky Online via Add/Remove Programs, then copy/paste the line below into Run and confirm it to uninstall ComboFix:

 

ComboFix /u

 

• this service remains to be removed:

 

O23 - Service: Norman ZANDA - Unknown owner - C:\VIRUSfighter\Npm\Bin\Zanda.exe (file missing)

 

but I don't see the line with CF, we'll do it manually ;o)

Run---regedit, do you have this value in bold?? if so, delete the bold value ONLY!!

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norman ZANDA

 

is your antivirus/firewall McAfee??? I see traces of it, is that what you use??

Posted

I found Zanda but not in bold.

Do I delete it anyway?

For McAfee, the answer is no.

It was installed, I removed it and put Avira on as you told me.

Posted

I found Zanda but not in bold.

Do I delete it anyway?

right-click on it, "export", save it under the name plop, for example, on your desktop.

Go to your desktop, right-click on plop.reg, "edit", copy/paste the contents here.

 

For McAfee, the answer is no.

It was installed, I removed it and put Avira on as you told me.

Is your FB really in router mode?? please confirm it for me.

We'll have to get rid of the McAfee leftovers.

• Download and run the McAfee removal tool

1. Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe

2. Click Save and save the file to a folder on your computer.

3. Go to the folder where the file was saved.

4. Double-click MCPR.exe.

5. Click Run. A command window appears, then closes automatically. Wait for the second command window to appear. (Do not double-click MCPR.exe a second time.) The program will start the cleanup.

6. Wait for the process to finish, which may take a few minutes. The following message will appear in the command window:

 

L'ordinateur doit être redémarré pour conclure la désinstallation. Souhaitez-vous redémarrer maintenant ? [o.n]

7. Type O (or Y if the interface offers [y.n] as the choice) on your keyboard.

8. Wait for your computer to restart.

All McAfee products have now been removed from your computer.

• post me a new HJT report

Posted

"plop", like the frog? Hihihihi....

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norman ZANDA]

"Type"=dword:00000110

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,56,00,49,00,52,00,55,00,53,00,66,00,\

69,00,67,00,68,00,74,00,65,00,72,00,5c,00,4e,00,70,00,6d,00,5c,00,42,00,69,\

00,6e,00,5c,00,5a,00,61,00,6e,00,64,00,61,00,2e,00,65,00,78,00,65,00,22,00,\

00,00

"DisplayName"="Norman ZANDA"

"ObjectName"="LocalSystem"

"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00

"DependOnGroup"=hex(7):00,00

"Group"="NDIS"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norman ZANDA\Security]

"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\

00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\

00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\

05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\

20,00,00,00,20,02,00,00,c1,9f,a0,11,00,00,18,00,8d,01,02,00,01,01,00,00,00,\

00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\

00,05,20,00,00,00,23,02,00,00,c1,9f,a0,11,01,01,00,00,00,00,00,05,12,00,00,\

00,01,01,00,00,00,00,00,05,12,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norman ZANDA\Enum]

"0"="Root\\LEGACY_NORMAN_ZANDA\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

 

The FB is in router mode.

the HJT:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:30:09, on 11/03/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\a-squared Anti-Malware\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\RCSERV.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kodak.com:81/proxy.pac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [E:\] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - .DEFAULT Startup: ieproxychk.bat (User 'Default user')

O4 - .DEFAULT Startup: userdata.bat (User 'Default user')

O4 - .DEFAULT User Startup: ieproxychk.bat (User 'Default user')

O4 - .DEFAULT User Startup: userdata.bat (User 'Default user')

O4 - Global Startup: Collect Most Frequent Userid.lnk.disabled

O4 - Global Startup: McAfee Desktop Firewall Tray.lnk.disabled

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O14 - IERESET.INF: START_PAGE_URL=http://home.kodak.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fr.kodak.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fr.kodak.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fr.kodak.com

O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe

O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe

O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Norman ZANDA - Unknown owner - C:\VIRUSfighter\Npm\Bin\Zanda.exe (file missing)

O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINNT\RCSERV.EXE

 

--

End of file - 5913 bytes

McAfee is still there.

A message appeared during the removal; basically it said that not everything could be uninstalled... Can we carry on with these leftovers? I understand it's not very "clean" but I don't see how to remove them...

Zanda too, for that matter.

Can we "fix" them with HJT?

Posted

• you can delete that registry value you exported ^^

• for McAfee it's annoying, it's not clean, I don't like that.

Norman Zanda will disappear if you do what I just said above: you can delete that registry value you exported ^^

relaunch HJT, tick and Fix checked:

O4 - Global Startup: McAfee Desktop Firewall Tray.lnk.disabled

• open Notepad [Run--notepad] and copy/paste the contents of the box below:

 

rem stop and remove the three leftover McAfee services (the names from the O23 lines)
sc stop McAfeeFramework
sc delete McAfeeFramework
sc stop McTaskManager
sc delete McTaskManager
sc stop AlertManager
sc delete AlertManager
rem delete the files left under "Program Files\Network Associates"
rem (the folder name must be quoted, otherwise del looks for "Network" and "Associates")
cd c:\
cd "Program Files"
del /q /f /s "Network Associates"
exit

 

[*]Go to the top of the page and click the "File" menu, a list appears=>

[*]Choose "Save As" and choose "Desktop"

[*]In the "File name" field at the bottom of the page give the following name: plop.bat, file type "All files" << very important!! to get a .bat, icon with a cogwheel

[*]Click the "Save" button to the right of the "File name" field

[*]Quit Notepad.

*double-click plop.bat

*post a new HJT report
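As an added example (not code posted by anyone in this thread), the Python below decodes the plop.reg export above (a hex(2) value is REG_EXPAND_SZ stored as UTF-16LE) and lists the HJT O23 services flagged "(file missing)", which is how the Norman ZANDA and Tivoli leftovers can be checked offline before any `sc delete`. The two sample inputs are copied from the logs in this thread; the function names are my own.

```python
"""Added example (not code from the thread): decode the exported .reg of the
'Norman ZANDA' service and list HJT O23 services flagged '(file missing)'."""
import re

# Constructed sample: the service key as exported to plop.reg above (the
# 'Security' value is omitted; bare 'hex:' values are decoded as raw bytes).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norman ZANDA]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,56,00,49,00,52,00,55,00,53,00,66,00,\
  69,00,67,00,68,00,74,00,65,00,72,00,5c,00,4e,00,70,00,6d,00,5c,00,42,00,69,\
  00,6e,00,5c,00,5a,00,61,00,6e,00,64,00,61,00,2e,00,65,00,78,00,65,00,22,00,\
  00,00
"DisplayName"="Norman ZANDA"
"ObjectName"="LocalSystem"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Group"="NDIS"
'''

# Constructed sample: three O23 lines taken from the HijackThis log above.
HJT_LOG = r'''O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE (file missing)
O23 - Service: Norman ZANDA - Unknown owner - C:\VIRUSfighter\Npm\Bin\Zanda.exe (file missing)
'''

SERVICES_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'


def _logical_lines(text):
    """Join physical lines ending in '\\' (continuations of hex(...) values)."""
    out = []
    for line in text.splitlines():
        if out and out[-1].endswith('\\'):
            out[-1] = out[-1][:-1] + line.strip()
        else:
            out.append(line.rstrip())
    return out


def _decode_value(raw):
    """Turn the text after '=' on a .reg line into a Python value."""
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])      # unescape \" and \\
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if not m:
        raise ValueError('unsupported .reg value: ' + raw)
    kind = int(m.group(1) or 3)                # bare 'hex:' is REG_BINARY
    data = bytes.fromhex(m.group(2).replace(',', ''))
    if kind in (1, 2):                         # REG_SZ / REG_EXPAND_SZ: UTF-16LE
        return data.decode('utf-16-le').rstrip('\x00')
    if kind == 7:                              # REG_MULTI_SZ: NUL-separated list
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a 'Regedit 5.00' export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, raw = line.partition('=')
        keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def service_image_path(keys, service):
    """ImagePath of a service key, with the surrounding quotes removed."""
    return keys[SERVICES_KEY + '\\' + service]['ImagePath'].strip('"')


def missing_file_services(hjt_log):
    """[(display_name, path)] for O23 lines whose binary HJT could not find.
    HJT separates the fields with ' - ', which is ambiguous when a name or
    path itself contains ' - '; the sample lines avoid that case."""
    found = []
    for line in hjt_log.splitlines():
        if not line.startswith('O23 - Service: '):
            continue
        display, _, rest = line[len('O23 - Service: '):].partition(' - ')
        _owner, _, path = rest.partition(' - ')
        if path.endswith(' (file missing)'):
            found.append((display, path[:-len(' (file missing)')]))
    return found
```

Running `service_image_path(parse_reg_export(REG_EXPORT), 'Norman ZANDA')` gives the same `C:\VIRUSfighter\Npm\Bin\Zanda.exe` that HJT reports as missing, which confirms the exported key is the stale service entry and nothing else.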

Posted (edited)

And here is the latest HJT

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:55:31, on 11/03/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\a-squared Anti-Malware\a2service.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\RCSERV.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kodak.com:81/proxy.pac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [E:\] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - .DEFAULT Startup: ieproxychk.bat (User 'Default user')

O4 - .DEFAULT Startup: userdata.bat (User 'Default user')

O4 - .DEFAULT User Startup: ieproxychk.bat (User 'Default user')

O4 - .DEFAULT User Startup: userdata.bat (User 'Default user')

O4 - Global Startup: Collect Most Frequent Userid.lnk.disabled

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un favori mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O14 - IERESET.INF: START_PAGE_URL=http://home.kodak.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fr.kodak.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fr.kodak.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fr.kodak.com

O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe

O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe

O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Norman ZANDA - Unknown owner - C:\VIRUSfighter\Npm\Bin\Zanda.exe (file missing)

O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINNT\RCSERV.EXE

 

--

End of file - 5803 bytes

 

I must have messed up on Zanda, I did export the .reg but I just realised I hadn't emptied the Recycle Bin.

For the McAfee ones, some remain... What do we do?

Edited by Digger
