Win32.Tenga / Rapport HiJackThis

[Thanos]

salut sanchou

 

Bon Service Filter ne montre rien de mauvais! Par contre ton rapport avec Silentrunners n'est pas complêt??

 

à la question"Do you want to skip the supplementary searches" as tu répondu "Oui"?

 

escan a trouvé Gator dans un fichier et ne l'a pas éliminé:

 

*Supprime le fichier en gras :

 

C:\Documents and Settings\Nicolas Sanchez\Mes documents\DL à trier\à trier\partage\Téléchargements\internet\getright4.5d build 2.zip

 

-Vide la corbeille.

 

Avast ne détecte des fichiers infectés que dans le dossier "mes documents" ?

 

Je me répète, mais as tu mis Avast à jour et scanné ton pc en mode sans échec?(ca lui facilite le travail car les fichiers à scanner ne sont pas en cours d'utilsation)

[sanchou]

nouveau rapport silent runner :

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Tvs" = "C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" ["TOSHIBA Corporation"]

"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]

"TPNF" = "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" ["COMPAL ELECTRONIC INC."]

"PadTouch" = "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" ["TOSHIBA"]

"TCtryIOHook" = "TCtrlIOHook.exe" ["TOSHIBA"]

"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]

"SmoothView" = "C:\Program Files\TOSHIBA\Utilitaire de zoom TOSHIBA\SmoothView.exe" ["TOSHIBA Corporation"]

"HWSetup" = "C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP" ["TOSHIBA CO.,LTD."]

"SVPWUTIL" = "C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL" ["TOSHIBA"]

"TOSHIBA Accessibility" = "C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" ["TOSHIBA"]

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"EoEngine" = (empty string)

"EoWeather" = (empty string)

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Helper"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"

-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {HKLM...CLSID} = "Portable Media Devices"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{9ED66769-A198-41FE-8615-601691C68846}" = "TouchPad Property Sheet"

-> {HKLM...CLSID} = "TouchPad PropSheet Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\TPprop.dll" ["COMPAL ELECTRONIC INC."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32\(Default) = "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"

-> {HKLM...CLSID} = "dBpShell Class"

\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"

-> {HKLM...CLSID} = "dMCIShell Class"

\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Périphériques Plug and Play universels"

-> {HKLM...CLSID} = "Périphériques Plug and Play universels"

\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {HKLM...CLSID} = "Shell Search Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{1EBC3533-B289-409F-9924-B84B3F0717D2}" = "AceFTP Context Menu Shell Extension"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\FTPEXP~1\ftpcntxt.dll" ["Visicom Media Inc."]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL" ["Patchou"]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

INFECTION WARNING! taskmgr.exe\Debugger = ""C:\Documents and Settings\Nicolas Sanchez\Bureau\procexp.exe"" ["Sysinternals"]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

FTP Expert\(Default) = "{1EBC3533-B289-409F-9924-B84B3F0717D2}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\FTPEXP~1\ftpcntxt.dll" ["Visicom Media Inc."]

tosAACFShlExt\(Default) = "{5a900bf8-09f0-4d1d-bb42-47617ee2eedc}"

-> {HKLM...CLSID} = "ConfigFree"

\InProcServer32\(Default) = "C:\Program Files\TOSHIBA\ConfigFree\CFShlExt.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

FTP Expert\(Default) = "{1EBC3533-B289-409F-9924-B84B3F0717D2}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\FTPEXP~1\ftpcntxt.dll" ["Visicom Media Inc."]

tosAACFShlExt\(Default) = "{5a900bf8-09f0-4d1d-bb42-47617ee2eedc}"

-> {HKLM...CLSID} = "ConfigFree"

\InProcServer32\(Default) = "C:\Program Files\TOSHIBA\ConfigFree\CFShlExt.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Nicolas Sanchez\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

 

 

Startup items in "Nicolas Sanchez" & "All Users" startup folders:

-----------------------------------------------------------------

 

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage

"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" ["Matsushita Electric Industrial Co., Ltd."]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 29

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]

DVD-RAM_Service, DVD-RAM_Service, "C:\WINDOWS\system32\DVDRAMSV.exe" ["Matsushita Electric Industrial Co., Ltd."]

MySQL, MySQL, ""C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.0\my.ini" MySQL" [null data]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 109 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 5 seconds.

---------- (total run time: 138 seconds)

Pour ce qui est d'avast, il est à jour et a été exécuté en mode sans échec.

J'ai viré le fichier que tu m'as dit et vidé la corbeille.

Nico

[sanchou]

nouveau rapport silent runner :

 

Pour ce qui est d'avast, il est à jour et a été exécuté en mode sans échec.

J'ai viré le fichier que tu m'as dit et vidé la corbeille.

Nico

Personne n'a une idée pour mon pb ???

[Thanos]

salut sanchou

 

Houlàà!! on arrive! Bon ton rapport silentrunners est propre! Pas évident de repérer une infection quelconque!

 

Les symptômes: des alertes de la part d'Avast donc, mais est ce que tu as du mal à lancer tes exécutables??

 

De plus tu dis que ces infections sont repérées dans "Mes documents", est ce que c'est toujours ce répertoire qui est concerné??

 

Un dernier scan si tu as le courage avec SPysweeper:

 

Télécharge SpySweeper (de Webroot) de ce lien (version d'essai de 14 jours) : http://www.webroot.com/fr/land/karangatria...lefr&ac=webroot

• Clique sur "Télécharger la version test".
  
• Installe le programme. Une fois installé, il se lancera.
  
• L'option de le mettre à jour s'affichera; clic Yes.
  
• Lorsque les mises à jour seront installées, clic Options sur la gauche.
  
• Clic sur l'onglet Sweep Options.
  
• Sous What to Sweep, coche les options suivantes:
  • 
    
  • Sweep Memory
    
  • Sweep Registry
    
  • Sweep Cookies
    
  • Sweep All User Accounts
    
  • Enable Direct Disk Sweeping
    
  • Sweep Contents of Compressed Files
    
  • Sweep for Rootkits
    
  • DÉCOCHE Do not Sweep System Restore Folder.
    

  [*]Clic Sweep Now sur la gauche.

  [*]Clic sur Start.

  [*]Quand le scan est terminé, clic sur Next.

  [*]Assure-toi que tous les items sont cochés, puis clic sur Next.

  [*]Tous les items cochés seront éliminés.

  [*]Si Spy Sweeper veut redémarrer pour terminer le nettoyage : ACCEPTE.

  [*]Clic Session Log au haut - à droite, et copie tout ce qu'il y a dans la fenêtre.

  [*]Clic sur l'onglet Summary, puis clic sur Finish.

  [*]Colle le contenu du "Session Log" dans ta prochaine réponse.

[sanchou]

bon ok, je v faire çà ...

Mais çà cmmence à être barbant

C'est tjs comme çà pour se débarasser d'une m...e ???

 

Nico

[Thanos]

Non , ca dépend de la bestiolle! je sais que c'est chiant, mais nécéssaire! T'aspas répondu à ceci:

 

mais est ce que tu as du mal à lancer tes exécutables??

 

De plus tu dis que ces infections sont repérées dans "Mes documents", est ce que c'est toujours ce répertoire qui est concerné??

[sanchou]

Après avoir mi "réparer" dans avast la plupart des fichiers sont considérés comme corrompus ...

J'ai du mal à comprendre ce qui se passe ....

 

mé oui, actuellement, ce n'est que ce rép qui est concerné ....

Nico

[sanchou]

Spysweeper me dit :

"An error has occured in the application"

et il ne veux pas se lacer ....

[Thanos]

Tu as bien droits administrateur?

 

Si ca ne marche toujours pas,essaie de scanner ton pc avec ceci:

 

Malicious Software removal tool from Microsoft

 

As tu des fichiers importants dans "Mes documents" ?Une solution bête et méchante consisterait à en vider le

 

contenu...Dis moi si le tool de Microsoft a trouvé quelque chose

Modifié le 17 mars 2006 par charles ingals

[Mark]

Notre ami reçoit de l'aide en double... sinon en triple ou plus... il pourra nous le dire :

 

http://forum.pcastuces.com/sujet.asp?SUJET_ID=256614&Page=1

 

Je viens de poster là-bas, n'ayant pas remarqué le doublon... J'avertis Philae de ce pas..