
Posted

Hello, my favourite team of computer experts...

As advised on your site, I have: AntiVir, ZoneAlarm, Spybot and Ad-Aware...

I ran AntiVir, Spybot and Ad-Aware in safe mode; they found quite a few things, which I deleted, but I still have those *.exe icons that keep coming back on my desktop, and lots of pop-ups...

PS: since I started trying to set up Wi-Fi, I get the impression I have too many open ports in ZoneAlarm...

Here is my log, taken in normal mode...

Logfile of HijackThis v1.99.1

Scan saved at 00:10:47, on 30/11/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\utilitaires\CLAVIER\KMaestro.exe

C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ntvdm.exe

C:\utilitaires\antivir\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\utilitaires\cle wifi\SiSWLSvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\utilitaires\CLAVIER\WTS_KEY.EXE

C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE

C:\utilitaires\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\pmkji.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [btcMaestro] C:\utilitaires\CLAVIER\KMaestro.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Zone Labs Client] C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Pense-bête.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\utilitaires\acrobat reader\Reader\reader_sl.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\UTILIT~1\office\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\UTILIT~1\office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\n2l80c3uef.dll

O20 - Winlogon Notify: pmkji - C:\WINDOWS\SYSTEM32\pmkji.dll

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\UTILITAIRES\ANTIVIR\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\utilitaires\antivir\AVWUPSRV.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\utilitaires\cle wifi\SiSWLSvc.exe

O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)

Could you analyse this for me, please...

Posted

Hi neothesayan

Nice infection: Vundo + L2M (?)

Do this:

Download SpySweeper (from Webroot) HERE (trial version, 14 days):

  • Click the Free Trial link under the "SpySweeper" heading.
  • Install the program. Once installed, it will launch.
  • You will be offered the option to update it; click Yes.
  • When the updates are installed, click Options on the left.
  • Click the Sweep Options tab.
  • Under What to Sweep, tick the following options:

    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • UNTICK Do not Sweep System Restore Folder.

  • Click Sweep Now on the left.
  • Click Start.
  • When the scan is finished, click Next.
  • Make sure all items are ticked, then click Next.
  • All ticked items will be removed.
  • If Spy Sweeper wants to restart to finish the cleaning: ACCEPT.
  • Click Session Log at the top right, and copy everything in the window.
  • Click the Summary tab, then click Finish.
  • Paste the contents of the "Session Log" in your next reply.

Along with the Spy Sweeper scan report, paste a new HijackThis log taken in normal mode :P
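The helper's read of the first log above (Vundo plus Look2Me, from the O2, O20 and O23 lines) can be mechanised. The script below is an added example, not code from the thread or from HijackThis: it parses the "Oxx - " entries, diffs the two logs posted in this thread, and flags the patterns the helper keys on (dangling registrations, unnamed BHOs, services without a vendor, Winlogon Notify DLLs with generated names). The sample logs are trimmed excerpts of the ones posted here, and the `looks_generated` heuristic is our own construction, not a HijackThis rule.

```python
"""Triage helper for HijackThis v1.99.1 logs: parse the entries, diff two scans
and flag the patterns visible in this thread (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample input: the lines from the two logs posted in the thread that
# matter for triage (first log = before Spy Sweeper, second log = after the reboot).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\pmkji.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\n2l80c3uef.dll
O20 - Winlogon Notify: pmkji - C:\WINDOWS\SYSTEM32\pmkji.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: awvtr - C:\WINDOWS\System32\awvtr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # "O20 - ..." style lines only
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")      # drive-letter paths, no spaces


@dataclass(frozen=True)
class Entry:
    code: str   # HijackThis section, e.g. "O20"
    body: str   # everything after "O20 - "

    @property
    def line(self) -> str:
        return f"{self.code} - {self.body}"

    def image(self) -> str:
        """Last path-like token in the entry (the DLL/EXE it loads), or ''."""
        paths = PATH_RE.findall(self.body)
        return paths[-1] if paths else ""


def parse_log(text: str) -> list:
    """Keep only the 'Rxx/Fxx/Nxx/Oxx - ...' lines; process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def looks_generated(name: str) -> bool:
    """Heuristic (ours, not HijackThis'): a DLL stem that mixes letters and digits
    (n2l80c3uef) or is a short consonant cluster (pmkji, awvtr) is not how vendors
    name Winlogon notification packages (compare WRLogonNTF.dll)."""
    stem = name.rsplit(".", 1)[0]
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    vowels = sum(c in "aeiou" for c in stem.lower())
    return (has_digit and has_alpha) or (len(stem) <= 6 and stem.islower() and vowels <= 1)


def triage(text: str) -> list:
    """Return (entry_line, [reasons]) for each entry worth a second look."""
    findings = []
    for e in parse_log(text):
        reasons = []
        if "(file missing)" in e.body or "(no file)" in e.body:
            reasons.append("dangling registration: target file is gone")
        if e.code == "O2" and e.body.startswith("BHO: (no name)"):
            reasons.append("browser helper object without a name")
        if e.code == "O23" and "Unknown owner" in e.body:
            reasons.append("service with no vendor information")
        if e.code == "O20" and looks_generated(e.image().rsplit("\\", 1)[-1]):
            reasons.append("Winlogon Notify DLL with a machine-generated name")
        if reasons:
            findings.append((e.line, reasons))
    return findings


def diff_logs(before: str, after: str) -> tuple:
    """Entries that disappeared and entries that appeared between two scans."""
    b, a = set(parse_log(before)), set(parse_log(after))
    removed = sorted(x.line for x in b - a)
    added = sorted(x.line for x in a - b)
    return removed, added


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("gone since last scan:", *removed, sep="\n  ")
    print("new since last scan:", *added, sep="\n  ")
    for line, reasons in triage(LOG_AFTER):
        print(line, "\n   ->", "; ".join(reasons))
```

On the second log this flags the dangling awvtr notify entry and the two ownerless, file-missing services, while leaving Webroot's WRNotifier and the NVIDIA service alone.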

Posted (edited)

Sorry for the slow reply, I do need to sleep a bit at night...

Here is the log:

07:14: | End of Session, mercredi 30 novembre 2005 |

********

********

07:14: | Start of Session, mercredi 30 novembre 2005 |

07:14: Spy Sweeper started

07:14: Sweep initiated using definitions version 576

07:14: Starting Memory Sweep

07:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:15: Found Adware: icannnews

07:15: Detected running threat: C:\WINDOWS\system32\n2l80c3uef.dll (ID = 83)

07:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:16: Detected running threat: C:\WINDOWS\system32\ahptif.dll (ID = 83)

07:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:16: Found Adware: virtumonde

07:16: Detected running threat: C:\WINDOWS\system32\awvtr.dll (ID = 77)

07:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:16: Memory Sweep Complete, Elapsed Time: 00:02:31

07:16: Starting Registry Sweep

07:17: Found Adware: command

07:17: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)

07:17: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)

07:17: Registry Sweep Complete, Elapsed Time:00:00:17

07:17: Starting Cookie Sweep

07:17: Found Spy Cookie: weborama cookie

07:17: joe&marj@weborama[2].txt (ID = 3658)

07:17: Cookie Sweep Complete, Elapsed Time: 00:00:00

07:17: Starting File Sweep

07:17: Found Adware: look2me

07:17: appwrap[2].exe (ID = 65722)

07:17: a0039996.exe (ID = 185985)

07:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:17: appwrap[1].exe (ID = 65739)

07:17: Found Adware: targetsaver

07:17: a0039983.exe (ID = 195131)

07:18: a0039999.exe (ID = 65721)

07:18: installer[1].exe (ID = 168558)

07:18: appwrap[1].exe (ID = 65721)

07:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:18: a0039986.exe (ID = 195132)

07:18: Found Adware: dollarrevenue

07:18: a0039995.exe (ID = 193259)

07:18: asappsrv.dll (ID = 144945)

07:18: tsuninst.exe (ID = 193501)

07:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:19: a0039978.com (ID = 65721)

07:19: bw2.com (ID = 65721)

07:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:20: iconu.exe (ID = 65721)

07:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:20: a0039987.dll (ID = 195129)

07:21: a0040993.exe (ID = 65722)

07:21: a0041056.dll (ID = 159)

07:21: icont.exe (ID = 65722)

07:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:22: a0039984.exe (ID = 195130)

07:22: a0039985.exe (ID = 195128)

07:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:23: appwrap[1].exe (ID = 65722)

07:23: Found Adware: apropos

07:23: contextplus[1].exe (ID = 185940)

07:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:25: irnol5531.dll (ID = 159)

07:25: fp4403hqe.dll (ID = 159)

07:25: a0040967.exe (ID = 185940)

07:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:25: command.exe (ID = 144946)

07:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:25: a0041066.exe (ID = 65739)

07:26: appwrap[1].exe (ID = 65739)

07:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:26: tsupdate2[1].ini (ID = 193498)

07:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:26: appwrap[2].exe (ID = 65721)

07:26: a0039997.exe (ID = 193995)

07:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:27: a0040984.dll (ID = 163672)

07:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:30: a0040968.exe (ID = 168558)

07:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:30: a0041027.dll (ID = 159)

07:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:31: mbjet40.dll (ID = 159)

07:31: ahptif.dll (ID = 159)

07:31: ktpml7711.dll (ID = 159)

07:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:32: a0041007.dll (ID = 163672)

07:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:33: a0041063.dll (ID = 159)

07:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:35: smbrccsp.dll (ID = 159)

07:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:35: wjnsrv.dll (ID = 159)

07:35: a0041039.dll (ID = 159)

07:35: a0041006.dll (ID = 163672)

07:35: n2l80c3uef.dll (ID = 159)

07:35: a0041048.dll (ID = 159)

07:35: a0041010.dll (ID = 159)

07:35: igrnonce.dll (ID = 159)

07:35: a0041005.dll (ID = 166754)

07:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:36: a0041018.dll (ID = 159)

07:36: ikq.dll (ID = 159)

07:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:37: a0041008.dll (ID = 163672)

07:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:38: ua65.vbs (ID = 185675)

07:38: File Sweep Complete, Elapsed Time: 00:21:37

07:38: Full Sweep has completed. Elapsed time 00:24:28

07:38: Traces Found: 72

07:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:40: Removal process initiated

07:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:40: Quarantining All Traces: icannnews

07:41: icannnews is in use. It will be removed on reboot.

07:41: C:\WINDOWS\system32\n2l80c3uef.dll is in use. It will be removed on reboot.

07:41: C:\WINDOWS\system32\ahptif.dll is in use. It will be removed on reboot.

07:41: Quarantining All Traces: look2me

07:41: look2me is in use. It will be removed on reboot.

07:41: ahptif.dll is in use. It will be removed on reboot.

07:41: ktpml7711.dll is in use. It will be removed on reboot.

07:41: n2l80c3uef.dll is in use. It will be removed on reboot.

07:41: Quarantining All Traces: virtumonde

07:41: Quarantining All Traces: apropos

07:41: Quarantining All Traces: command

07:41: Quarantining All Traces: dollarrevenue

07:41: Quarantining All Traces: targetsaver

07:41: Quarantining All Traces: weborama cookie

07:41: Warning: Launched explorer.exe

07:41: Warning: Quarantine process could not restart Explorer.

07:42: Preparing to restart your computer. Please wait...

07:42: Removal process completed. Elapsed time 00:01:23

********

07:12: | Start of Session, mercredi 30 novembre 2005 |

07:12: Spy Sweeper started

07:12: Sweep initiated using definitions version 576

07:12: Starting Memory Sweep

07:12: Sweep Canceled

07:12: Memory Sweep Complete, Elapsed Time: 00:00:08

07:12: Traces Found: 0

07:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:14: | End of Session, mercredi 30 novembre 2005 |

********

07:11: | Start of Session, mercredi 30 novembre 2005 |

07:11: Spy Sweeper started

07:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:11: Your spyware definitions have been updated.

07:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

07:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

07:12: | End of Session, mercredi 30 novembre 2005 |

And the HijackThis log:


Logfile of HijackThis v1.99.1

Scan saved at 07:47:32, on 30/11/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\utilitaires\CLAVIER\KMaestro.exe

C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\utilitaires\acrobat reader\Reader\reader_sl.exe

C:\WINDOWS\system32\ntvdm.exe

C:\utilitaires\antivir\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\utilitaires\cle wifi\SiSWLSvc.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\utilitaires\CLAVIER\WTS_KEY.EXE

C:\utilitaires\mozilla\firefox.exe

C:\WINDOWS\System32\wuauclt.exe

C:\utilitaires\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: (no name) - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [btcMaestro] C:\utilitaires\CLAVIER\KMaestro.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Zone Labs Client] C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Pense-bête.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\utilitaires\acrobat reader\Reader\reader_sl.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\UTILIT~1\office\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\UTILIT~1\office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: awvtr - C:\WINDOWS\System32\awvtr.dll (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\UTILITAIRES\ANTIVIR\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\utilitaires\antivir\AVWUPSRV.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\utilitaires\cle wifi\SiSWLSvc.exe

O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)

PS: I still have those executables on my desktop, but before, the icon was a picture and now it is an unknown-file icon... am I speaking Chinese here?

Edited by neothesayan
Posted (edited)

Bonjour,

 

J analyse ton rapport, réponse dans un moment!

 

Re bonjour,

 

Imprime ces instructions ou sauvegarde les dans un fichier texte de façon à pouvoir les consulter en mode sans échec.

 

1/ Télécharge et installe EasyCleaner de Toni Helenius: http://personal.inet.fi/business/toniarts/ecleane.htm

 

2/ Redémarre en mode sans échec.

 

3/ Make sure you have access to all files

Start, My Computer or any other folder, Tools menu, Folder Options, View tab:

Check the box: Show hidden files and folders

Uncheck the box: Hide extensions for known file types

Uncheck the box: Hide protected operating system files

Then Apply

 

4/ In the Start menu > Run > type: Services.msc

 

Look for the services with this exact spelling:

-MS Dns Service (WinNet)

-Plug-n-Play SP2 Fix (sp2pnpfix)

 

Double-click each one and click [Stop], then under:

Startup type --> select Disabled.

 

5/ Run a HijackThis scan again, click "Do a system scan only" and tick the lines below:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/

 

O2 - BHO: (no name) - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - (no file)

 

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Pense-bête.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\utilitaires\acrobat reader\Reader\reader_sl.exe

 

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\UTILIT~1\office\OFFICE11\EXCEL.EXE/3000

 

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\UTILIT~1\office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

 

O20 - Winlogon Notify: awvtr - C:\WINDOWS\System32\awvtr.dll (file missing)

 

O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)

O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)<--- these last 2 lines should no longer appear, since we stopped the services in question!

 

Close all windows except HijackThis and click "Fix Checked".

 

6/ Delete the offending file(s) [if they still exist] using Windows Explorer:

 

-C:\WINDOWS\System32\awvtr.dll

-C:\WINDOWS\system32\pnpsp2fix.exe

-C:\WINDOWS\system32\wincntrl.exe

 

7/ Run EasyCleaner: use the "Unnecessary" and "Registry" functions only. Do not touch the "Duplicates" function.

 

8/ Restart the computer in normal mode and post a new HijackThis log for verification.

 

Edit: restore your start page in your web browser's options

Edited by Jack_Burton
Posted

OK, I followed the procedure you gave me...

 

 

 

Look for the services with this exact spelling:

-MS Dns Service (WinNet)

-Plug-n-Play SP2 Fix (sp2pnpfix)

 

Double-click each one and click [Stop], then under:

Startup type --> select Disabled.

 

they were already disabled

 

 

HijackThis log

 

Logfile of HijackThis v1.99.1

Scan saved at 20:36:02, on 30/11/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\utilitaires\CLAVIER\KMaestro.exe

C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

C:\utilitaires\antivir\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\utilitaires\cle wifi\SiSWLSvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\utilitaires\mozilla\firefox.exe

C:\utilitaires\CLAVIER\WTS_KEY.EXE

C:\utilitaires\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: (no name) - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [btcMaestro] C:\utilitaires\CLAVIER\KMaestro.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Zone Labs Client] C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\UTILITAIRES\ANTIVIR\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\utilitaires\antivir\AVWUPSRV.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\utilitaires\cle wifi\SiSWLSvc.exe

O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)

 

 

there you go

 

if my log looks good to you, I'd still like one or two tips on closing a few ports in ZoneAlarm...

Posted

hi

 

The O23 lines are still present:

 

Go to Start/Run and type cmd

 

Then, in the window that opens, type this:

sc delete Plug-n-Play SP2 Fix

 

sc delete MS Dns Service

 

A message tells you the operation succeeded (try the following names if it doesn't work:

 

sc delete sp2pnpfix and sc delete WinNet)

 

Start HijackThis, "Do a system scan only", and tick the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

 

O2 - BHO: (no name) - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - (no file)

 

O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)

O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)

Close all windows and all programs and click Fix checked

 

-Run EasyCleaner Registry and Unnecessary. Do not touch the Duplicates function. Delete everything it offers.

 

Restart normally and post a new HijackThis log (in normal mode) for verification.

 

Go and run the following online scan and post the report:

 

-Symantec:

Choose virus detection
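As an added example (not code from this thread, from HijackThis or from either helper), here is a small Python triage of the O20/O23 lines that both helpers work through above: it parses the entries, flags those HijackThis marks "(file missing)" or with an unknown owner, and generates the sc delete commands using the service key name, which is what sc.exe identifies a service by (the part in parentheses, as in the fallback sc delete sp2pnpfix / sc delete WinNet). The sample log lines are constructed from this thread's entries.

```python
import re

# Constructed sample, modelled on the O20/O23 lines in this thread (not a real log).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: awvtr - C:\WINDOWS\System32\awvtr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\UTILITAIRES\ANTIVIR\AVGUARD.EXE
O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\utilitaires\cle wifi\SiSWLSvc.exe
"""

# O23 layout: "Service: <display name> (<key name>) - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<key>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# O20 layout: "Winlogon Notify: <name> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
MISSING = "(file missing)"


def parse_entries(log_text):
    """Return one dict per O20/O23 line; other HijackThis sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            entries.append({"kind": "service", **m.groupdict()})
        elif m := O20_RE.match(line):
            entries.append({"kind": "winlogon", "owner": "", **m.groupdict()})
    return entries


def triage(log_text):
    """'orphan': HijackThis reports the binary gone (a leftover registration
    that runs nothing but should still be removed); 'review': unknown vendor."""
    verdicts = []
    for e in parse_entries(log_text):
        if e["path"].endswith(MISSING):
            verdict = "orphan"
        elif e["owner"] == "Unknown owner":
            verdict = "review"
        else:
            verdict = "ok"
        verdicts.append((e["kind"], e["key"], verdict))
    return verdicts


def sc_delete_commands(log_text):
    """Cleanup commands for orphaned services only. sc.exe takes the service
    key name (the part in parentheses), not the display name."""
    return [f"sc delete {key}" for kind, key, verdict in triage(log_text)
            if kind == "service" and verdict == "orphan"]
```

The O20 entries are only flagged, not turned into commands: a Winlogon Notify registration is removed through HijackThis's fix (or the registry), not with sc.exe.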

Posted (edited)

I ran the test:

Virus Status: Safe!

Your computer is free of known threats.

Virus Status: Infected!

Your computer is infected with at least one known threat.

 

 

 

51546 files scanned, 2 file(s) infected on your disk drives.

 

 

C:\WINDOWS\system32\pmkji.dll is infected with Trojan.Vundo

C:\WINDOWS\system32\ssqpp.dll is infected with Trojan.Vundo

 

 

 

 

and the HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 06:55:10, on 01/12/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\utilitaires\antivir\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\utilitaires\cle wifi\SiSWLSvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\TBPanel.exe

C:\utilitaires\CLAVIER\KMaestro.exe

C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

C:\utilitaires\CLAVIER\WTS_KEY.EXE

C:\utilitaires\mozilla\firefox.exe

C:\utilitaires\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [btcMaestro] C:\utilitaires\CLAVIER\KMaestro.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Zone Labs Client] C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\UTILITAIRES\ANTIVIR\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\utilitaires\antivir\AVWUPSRV.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\utilitaires\cle wifi\SiSWLSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

Edited by neothesayan
Posted (edited)

Good evening neothesayan,

 

Your log is clean!

Also fix these lines:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

 

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

 

O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/

 

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

 

they are of no use to you since you're on Firefox

 

 

C:\WINDOWS\system32\pmkji.dll is infected with Trojan.Vundo

C:\WINDOWS\system32\ssqpp.dll is infected with Trojan.Vundo

Hmm, the Symantec scan reports Vundo, yet it doesn't show up in the log :P

Right, here's what you're going to do:

 

 

 

1/ restart in Safe Mode

 

2/ Make sure you have access to all files

Start, My Computer or any other folder, Tools menu, Folder Options, View tab:

Check the box: Show hidden files and folders

Uncheck the box: Hide extensions for known file types

Uncheck the box: Hide protected operating system files

Then Apply

 

3/ Delete the offending file(s) [if they still exist] using Windows Explorer:

 

-C:\WINDOWS\system32\pmkji.dll

-C:\WINDOWS\system32\ssqpp.dll

 

4/ Restart in normal mode, run a new online scan at Symantec and post us the report

Edited by Jack_Burton
Posted (edited)

I deleted both files...

 

impossible to run the Symantec test

Unable to run Virus Detection

 

In order to run Virus Detection you must be using Microsoft Internet Explorer 5.0 or higher with ActiveX and Scripting enabled.

 

To learn more, see our Help.

I did try with Internet Explorer though, since it doesn't seem to work with Mozilla Firefox

 

 

 

 

I'm leaving my HijackThis log just in case....

 

Logfile of HijackThis v1.99.1

Scan saved at 22:06:03, on 01/12/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\utilitaires\antivir\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\utilitaires\cle wifi\SiSWLSvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\TBPanel.exe

C:\utilitaires\CLAVIER\KMaestro.exe

C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\utilitaires\CLAVIER\WTS_KEY.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\utilitaires\mozilla\firefox.exe

C:\utilitaires\hijackthis\hijackthis\HijackThis.exe

 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [btcMaestro] C:\utilitaires\CLAVIER\KMaestro.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Zone Labs Client] C:\utilitaires\zonealarm\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\UTILITAIRES\ANTIVIR\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\utilitaires\antivir\AVWUPSRV.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\utilitaires\cle wifi\SiSWLSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

 

I tried to install the freeplayer since my last post (just so that doesn't skew your analysis)

 

thanks again for racking your brains over the mediocre computer user that I am...

Edited by neothesayan
