[Résolu]Activité suspect de svchost !

[Thanos]

salut Zewolf

 

On va jetter un oeil dans le registre pour voir ce qui s'active au démarrage:

 

Vas dans Démarrer\Exécuter et dans le champs tu tapes:

regedit /e C:\run.txt HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Puis tu valides.Ensuite tu vas ici=>

C:\Run.txt

 

et tu copies\colles le fichier texte ici.

 

(merci QC001 )

[Zewolf]

Voilou Charles :

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"

"BDSwitchAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdswitch.exe\""

"BDMCon"="c:\\progra~1\\softwin\\bitdef~1\\bdmcon.exe"

"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""

"BDNewsAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""

"C-Media Mixer"="Mixer.exe /startup"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Disabled]

"nwiz"="nwiz.exe /install"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\not active]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

[Zewolf]

Salut !

 

Comment ce fait-il que bitdefender 9 n'ai pas detecté les virus que ewido a détecté ?

Est-ce que cela veut dire qu'il vaudrai mieux que j'installe ewido plutot que bitdefender ?

 

Merci d'avance!!

[Zewolf]

Je pensais que le problème avait disparu, mais non, il est toujours présent !

 

Quelle est la prochaine étape ?

 

Merci d'avance !

[Thanos]

Salut Zewolf

 

Bon rien n'explique tous ces processus rundll.32 qui se lancent au démarrage!

 

Refais un scan en ligne ici stp:

 

-Panda:

http://www.pandasoftware.com/products/acti...CACHEHINT=Guest

 

Télécharge ceci:

 

Silentrunners :(download latest version of silent runners)

http://www.silentrunners.org/

 

Comment l'utiliser: copie l'intégralité dans un fichier texte:"puis enregistrer sous".(met le dans un dossier)

Dans la fenêtre qui s'ouvre: donne lui le nom silentrunners.vbs,puis dans type de fichier=>tout.

Double clique sur le script vbs,accepte les recherches supplémentaires.Poste le rapport.

[Zewolf]

Voila le rapport de silentrunner Charles Ingals :

 

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

"BDSwitchAgent" = ""C:\progra~1\softwin\bitdef~1\bdswitch.exe"" [null data]

"BDMCon" = "C:\progra~1\softwin\bitdef~1\bdmcon.exe" ["SOFTWIN S.R.L."]

"BDOESRV" = ""C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"" ["SOFTWIN SRL"]

"BDNewsAgent" = ""C:\progra~1\softwin\bitdef~1\bdnagent.exe"" ["SOFTWIN S.R.L"]

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v9"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender9\bdshelxt.dll" [null data]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{00000000-5736-4205-0100-49529abfbdc3}" = "Coffre-fort Steganos 7"

-> {CLSID}\InProcServer32\(Default) = "c:\program files\steganos safe 7\safe7se.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\btneighborhood.dll" ["WIDCOMM, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

 

HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * OODBS" [file not found], [MS], [file not found], [file not found]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

INFECTION WARNING! taskmgr.exe\Debugger = "F:\Mes téléchargements\ProcessExplorerNt\procexp.exe" ["Sysinternals"]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender9\bdshelxt.dll" [null data]

Coffre-fort Steganos 7\(Default) = "{00000000-5736-4205-0100-49529abfbdc3}"

-> {CLSID}\InProcServer32\(Default) = "c:\program files\steganos safe 7\safe7se.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

Coffre-fort Steganos 7\(Default) = "{00000000-5736-4205-0100-49529abfbdc3}"

-> {CLSID}\InProcServer32\(Default) = "c:\program files\steganos safe 7\safe7se.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender9\bdshelxt.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Cell\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "Cell" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\Cell\Menu Démarrer\Programmes\Démarrage

"TribalWeb.net" -> shortcut to: "G:\Program Files XP2\TribalWeb.net\tribalweb.exe -system:startup" ["ShalSoft"]

 

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage

"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["WIDCOMM, Inc."]

 

 

Enabled Scheduled Tasks:

------------------------

 

"Spybot - Search & Destroy - Scheduled Task" -> launches: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK /AUTOFIX /AUTOCLOSE" ["Safer Networking Limited"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}" = "Copernic Agent" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~1.DLL" ["Copernic Technologies Inc."]

 

Explorer Bars

 

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{6F480F82-C3A6-4D35-96F7-B297AD49FBE8}\ = "Résultats de Copernic Agent" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Copernic Agent\CopernicAgentExt.dll" ["Copernic Technologies Inc."]

 

{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}\ = "Copernic Agent" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~1.DLL" ["Copernic Technologies Inc."]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{CCA281CA-C863-46EF-9331-5C8D4460577F}\

"ButtonText" = "@btrez.dll,-4015"

"MenuText" = "@btrez.dll,-4017"

"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

BitDefender Communicator, XCOMM, ""C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]

BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]

BitDefender Scan Server, bdss, ""C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]

BitDefender Virus Shield, VSSERV, ""C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service" ["SOFTWIN S.R.L."]

Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

O&O CleverCache Pro, OOCleverCache, ""C:\Program Files\OO Software\CleverCache\OOCCSVC.exe"" ["O&O Software GmbH"]

Steganos Live Encryption Engine (Version 503) [service], SLEE_503_SERVICE, "C:\WINDOWS\System32\SLEE503.exe" [null data]

Steganos Live Encryption Engine 8.1 [service], SLEE_81_SERVICE, "C:\WINDOWS\System32\SLEE81.exe" [null data]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 215 seconds, including 5 seconds for message boxes)

 

 

J'y ai jeté un coup d'oeil, mais je n'ai pas trouvé de choses suspectes, mais je pense que tu examineras mieux ce rapport que moi !

J'espère que l'on va réussir à trouver la cause de ce problème et d'ailleurs je te remercie beaucoup de m'aider comme tu le fais!

 

Merci d'avance !

[Thanos]

salut zewolf,seb

Refais cette manip,stp:

 

Vas dans Démarrer\Exécuter et dans le champs tu tapes:

regedit /e C:\run.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Puis tu valides.Ensuite tu vas ici=>

 

C:\Run.txt

 

et tu copies\colles le fichier texte ici.

Modifié le 15 novembre 2005 par charles ingals

[Zewolf]

Salut Charles !

Là commande que tu m'as donné ne marchait pas alors j'ai réutilisé celle que tu m'avais donné la première fois !

Voila le rapport :

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"

"BDSwitchAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdswitch.exe\""

"BDMCon"="c:\\progra~1\\softwin\\bitdef~1\\bdmcon.exe"

"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""

"BDNewsAgent"="\"c:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""

"C-Media Mixer"="Mixer.exe /startup"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Disabled]

"nwiz"="nwiz.exe /install"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\not active]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

Merci d'avance !

[Thanos]

salut zewolf

 

Désolé, je me suis planté! :

regedit /e C:\RegKey.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Voilà la bonne commande à taper! puis tu récupères le fichier C:\RegKey.txt et tu le colles là

 

@+ tard

[Zewolf]

C'est trop long je ne peux pas tout mettre !

Je te l'envoi en MP ! Je ne sais pas si tu vas tout voir car c'est extrêmement long!

Modifié le 15 novembre 2005 par Zewolf