spyware MEDIATICKETS

[cedriquet]

re chercheur

 

voici les log

 

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

"Ibz" = "C:\WINDOWS\ibz.exe" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"WooCnxMon" = "C:\PROGRA~1\Wanadoo\CnxMon.exe" [empty string]

"ccApp" = "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" ["Symantec Corporation"]

"NAV CfgWiz" = "C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]

"ccRegVfy" = "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe" ["Symantec Corporation"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E2CDF40-419B-11D2-A5A1-002018648BA7}" = "AVG Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Grisoft\AVG6\avgse.dll" ["GRISOFT©SOFTWARE s.r.o."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\systr.dll" [file not found]

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]

 

 

Enabled Wallpaper and Active Desktop:

-------------------------------------

 

Active Desktop is disabled.

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\cedric\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "cedric" & "All Users" startup folders:

--------------------------------------------------------

 

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage

"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st800\dslmon.exe /W" [empty string]

 

 

Enabled Scheduled Tasks:

------------------------

 

"Norton AntiVirus - Analyser mon ordinateur" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

-> {CLSID}\(Default) = "Yahoo! Compagnon"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll" ["Yahoo! Inc."]

 

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"

-> {CLSID}\(Default) = "Norton AntiVirus"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

 

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"

-> {CLSID}\(Default) = "MSN"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fr\msntb.dll" [file not found]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

-> {CLSID}\(Default) = "Yahoo! Compagnon"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll" ["Yahoo! Inc."]

 

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"

-> {CLSID}\(Default) = "Norton AntiVirus"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

 

Dormant Explorer Bars in "View, Explorer Bar" menu

 

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\

(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\Wanadoo\audience\audience.dll" [empty string]

 

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\

(Default) = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\Wanadoo\audience\audience.dll" [empty string]

 

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\

(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\Wanadoo\audience\audience.dll" [empty string]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKCU\Software\Microsoft\Internet Explorer\Extensions\

{1462651F-F4BA-4C76-A001-C4284D0FE16E}\

"ButtonText" = "Wanadoo"

"Exec" = "http://www.wanadoo.fr" [file not found]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]

Norton Personal Firewall Accounts Manager, NISUM, "C:\Program Files\Norton Personal Firewall\NISUM.EXE" ["Symantec Corporation"]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Service Norton AntiVirus Auto-Protect, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

Symantec Proxy Service, ccPxySvc, "C:\Program Files\Norton Personal Firewall\ccPxySvc.exe" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

 

 

----------

This report excludes default entries except where indicated.

To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

 

 

 

et pour Hijack ----------

 

Logfile of HijackThis v1.99.1

Scan saved at 01:19:29, on 18/05/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Personal Firewall\NISUM.EXE

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton Personal Firewall\ccPxySvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RUNDLL32.EXE

C:\PROGRA~1\Wanadoo\CnxMon.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\SAGEM\SAGEM F@st800\dslmon.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\WScript.exe

C:\Program Files\Windows NT\Accessoires\WORDPAD.EXE

C:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Compagnon - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: DSLMON.lnk = ?

O16 - DPF: {084DAC27-6FA3-4F55-9005-033F2F102F5C} (ITPPDiagIE Class) - http://downloads.winwise.fr/Common/npwwg.cab

O16 - DPF: {09C21411-B9A2-4DE6-8416-4E3B58577BE0} (France Telecom MDM ActiveX Control) - http://minitelweb.minitel.com/imin_data/ocx/MDM.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe

 

bonne nuit cheucheur , moi aussi dodo

[chercheur]

Bonsoir,

 

Ouvre le Bloc-note et copie-colle les lignes entre --- ci-dessous

 

-----------------------------------------------------------

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-

-----------------------------------------------------------

 

Enregistre ce fichier sur ton bureau (Nom du fichier : "fix.reg" -sans inclure les guillemets- ; Type : Tous les fichiers).

Ferme Internet explorer.

Double-clique sur fix.reg et clique sur Oui lorsqu'on te demande confirmation pour Fusionner.

Lorsque tu reçois un message du bon déroulement, supprime le fichier fix.reg.

 

 

Relance un scan HijackThis [/b]et coche la ligne ci-dessous :

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/

 

Ferme toutes les fenêtres Windows, Internet explorer, Outlook,sauf le logiciel Hijackthis et clique sur « Fix checked »

 

 

Reposte un rapport.

As tu encore des dysfonctionnements ?