[RESOLU]Win32:Agent-RE [Trj] etC:\WINDOWS\System32\mscl

[bruce lee]

re,

 

je suis désolé mais je n'arrive à avoir que ça.

 

il 'y a que ca ou il y a autre chose mais tu ne peux pas l'avoir (désole d'insister mais j'aimerai etre sur)

[fanouille]

je n'ai que ça, j'ai procédé comme pour les autres log postés

[bruce lee]

re,

 

est ce que pendant la procedure tu as rajouté des choses qui n'etaient pas mentionné comme fixer des lignes 04, faire une connexion manuelle....

 

@+

[fanouille]

je n'ai rien rajouté, d'un seul coup je n'ai eu que ça. Que dois-je faire maintenant?

[bruce lee]

bonjour,

 

instant acces est supprimé et ton log est propre, beau travail

 

as tu encore des problemes avec ton PC?

[fanouille]

Oses-tu me dire que cette merde est partie? En attendant ta réponse j'ai fait une analyse ewido et antivir. Voici les rapports dans l'ordre:

 

---------------------------------------------------------

ewido anti-malware - Rapport de scan

---------------------------------------------------------

 

+ Créé le: 10:30:11, 08/05/2006

+ Somme de contrôle: A379A582

 

+ Résultats du scan:

 

C:\Documents and Settings\C3PO\Cookies\c3po@advertising[1].txt -> TrackingCookie.Advertising : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\c3po@atdmt[2].txt -> TrackingCookie.Atdmt : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\c3po@bluestreak[2].txt -> TrackingCookie.Bluestreak : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\c3po@doubleclick[2].txt -> TrackingCookie.Doubleclick : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\c3po@mediaplex[1].txt -> TrackingCookie.Mediaplex : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\[email protected][1].txt -> TrackingCookie.Casinotropez : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\c3po@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\c3po@weborama[1].txt -> TrackingCookie.Weborama : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\[email protected][2].txt -> TrackingCookie.Smartadserver : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Cookies\c3po@zedo[2].txt -> TrackingCookie.Zedo : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Local Settings\Temp\Cookies\c3po@advertising[1].txt -> TrackingCookie.Advertising : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Local Settings\Temp\Cookies\c3po@atdmt[2].txt -> TrackingCookie.Atdmt : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Local Settings\Temp\Cookies\c3po@doubleclick[2].txt -> TrackingCookie.Doubleclick : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Local Settings\Temp\Cookies\c3po@mediaplex[1].txt -> TrackingCookie.Mediaplex : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Local Settings\Temp\Cookies\c3po@weborama[2].txt -> TrackingCookie.Weborama : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Smartadserver : Nettoyer et sauvegarder

C:\Documents and Settings\C3PO\Local Settings\Temp\ICD2.tmp\egaccess4_1061.dll -> Dialer.InstantAccess.r : Nettoyer et sauvegarder

 

 

::Fin du rapport

 

 

AntiVir PersonalEdition Classic

Report file date: lundi 8 mai 2006 10:32

 

 

Jobname: 'Windows System Directory'

 

Scanning for 370940 virus strains and unwanted programs.

 

Licensed to: AntiVir PersonalEdition Classic

Serial number: 0000149996-WURGE-0001

Platform: Windows XP

Windows version: (plain) [5.1.2600]

Username: C3PO

Computer name: C3PO-3P0G23ZDBF

 

Version informations:

AVSCAN.EXE : 7.0.0.35 540712 21/04/2006 12:47:04

AVSCAN.DLL : 7.0.0.34 41000 05/04/2006 11:03:57

LUKE.DLL : 7.0.0.34 114728 05/04/2006 11:03:58

LUKERES.DLL : 7.0.0.34 25640 05/04/2006 11:03:58

ANTIVIR0.VDF : 6.32.0.60 4323840 02/05/2006 08:29:08

ANTIVIR1.VDF : 6.34.0.209 1930240 02/05/2006 08:29:09

ANTIVIR2.VDF : 6.34.1.1 89600 01/05/2006 17:17:55

ANTIVIR3.VDF : 6.34.1.26 48128 01/05/2006 17:17:55

AVEWIN32.DLL : 7.0.0.8 1171968 21/04/2006 15:40:14

AVPREF.DLL : 6.34.0.0 38440 18/01/2006 12:06:00

AVREP.DLL : 6.34.1.20 2371624 01/05/2006 17:17:56

AVPACK32.DLL : 7.0.0.4 335912 29/03/2006 09:44:25

AVREG.DLL : 6.31.0.90 27688 28/07/2005 10:06:36

NETNT.DLL : 6.32.0.0 6696 27/09/2005 07:56:49

NETNW.DLL : 6.32.0.0 9768 27/09/2005 07:56:49

 

 

Start of the scan: lundi 8 mai 2006 10:32

 

 

Start scanning boot sectors:

 

Boot sector 'C:'

[NOTE] No virus was found!

 

Starting to scan the registry.

 

The registry was scanned ( 13 files ).

 

 

Starting the file scan:

 

C:\WINDOWS\System32\config\default

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\default.LOG

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\SAM

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\SAM.LOG

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\SECURITY

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\SECURITY.LOG

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\software

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\software.LOG

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\system

[WARNING] The file could not be opened!

C:\WINDOWS\System32\config\system.LOG

[WARNING] The file could not be opened!

 

 

End of the scan: lundi 8 mai 2006 10:36

Used time: 04:28 min

 

The scan has been done completely.

 

147 Scanning directories

5711 Files were scanned

0 viruses and/or unwanted programs was found

0 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

9 Archives were scanned

10 Warnings

0 Notes

 

Sinon, des fois, quand je suis sur internet, j'ai des saloperies de fenêtre qui s'ouvrent comme crazy girls (femmes nues) comment faire pour ne plus qu'elles apparaissent.

 

Aussi, j'ai ces messages que se mettent à l'ouverture de windows:

RUNDLL

erreur de chargement EGACCESS_1059dll ou EGACCESS_1071dll. Le module spécifié est introuvable.

De quoi ça vient?

 

Sinon, maintenant que d'après toi mon ordi est propre, que dois-je mettre pour une presque totale sécurité. Sinon, GRAND MERCI BEAUCOUP POUR TA PATIENCE ET TOUT CES CONSEILS. MERCI

[bruce lee]

re,

 

2 bonne nouvelles:

 

pour l'adware il est parti ca c'est sur (ewido ne le montre plus il ne montre que des cookies casiment) pour ce qui est des virus antivir ne trouve rien.

 

1 mauvaise nouvelle (beh oui l'en faut bie une )

 

ton message d'erreur est du a instant access, ca doit etre le processus qui se lance en silence pour le denicher essaye ceci:

 

1/telecharge silent runners http://www.silentrunners.org/Silent%20Runners.vbs

 

2/déconnecte toi du net et ferme toutes les applications en cours.

 

3/lance silent runners laisse le travailler quand il aura finit de scanner tu en sauras averti par un message et un nouveau fichier texte sera crée ouvre ce fichier texte et colle nous la totalité du rapport.

 

@+

[fanouille]

Je suis en train de telecharge silent runners. En plus, je suis en train de faire un scan avast mais que c'est long avast...

 

Sinon, j'avais oublié, des fois quand je suis sur internet, j'ai des messages du service affichage des messages qui dit:

MESSAGE DE SYSTEM ALERT

STOP! WINDOWS REQUIERT IMMEDIATE ATTENTION

windows has found critical systems errors

run registry repair from http:// www.fixwin32.com

failure to act now may lead to data loss and corruption!

 

J'ai souvent des messages de ce type: de quoi ça vient?

Déjà, j'ai un windows xp pro où les mises à jour sont impossible.

Modifié le 8 mai 2006 par fanouille

[bruce lee]

re,

 

oublie avast pour le moment

[fanouille]

Voici le rapport:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"

-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {HKLM...CLSID} = "Portable Media Devices"

\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

 

 

Default executables:

--------------------

 

HKCU\Software\Classes\.bat\(Default) = (value not set)

 

HKCU\Software\Classes\.cmd\(Default) = (value not set)

 

HKCU\Software\Classes\.com\(Default) = (value not set)

 

HKCU\Software\Classes\.exe\(Default) = (value not set)

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\C3PO\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Enabled Scheduled Tasks:

------------------------

 

"FRU Task #Hewlett-Packard#hp psc 1200 series#1089300013" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1089300013"" [empty string]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

-> {HKLM...CLSID} = "Yahoo! Toolbar avec bloqueur de fenêtres pop-up"

\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]

AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 51 seconds, including 9 seconds for message boxes)

 

Sinon, j'ai oublié avast...