(resolu)infecté !!!

[topludo]

j'ai etait infecter par cette salo.... et j'arrive pas a le supprimer j'ai fait le pre nettoiyage mais sa na rien donner sa revien au demarrage le nom exacte de se truc et

Trojan.Downloader.Small.CML (Troj/BckDr-DKG [sophos]

Trojan.Win32.Agent.qt [Kaspersky]

Backdoor.Sualimpo.E [bitDefender]

Trojan.Click.1210 [Dr Web])

 

Type: Cheval de Troie

 

Niveau de menace : Haut

 

Description : Trojan.Downloader.Small.CML will attempt to connect to a pre-determined website and download additional malware. It will also download a list of commands to execute.

 

Conseils : Supprimer

 

 

ps si vous avais des idee HELP me car en plus il veut telecharger d autre saloperie mais sa va sa ces blocker

Modifié le 27 juin 2006 par topludo

[bruce lee]

Bonjour,

 

tes bestioles je pense qu'elles se lancent au demarrage, on va verifier:

 

telecharge la version original de hijackthis http://www.merijn.org/files/hijackthis.zip

 

déconnecte toi du net et installe le.

 

lance le en cliquant sur Do a system scan and save a logfile a la fin du scan le bloc note va s'

ouvrir tu fais un copier coller de tout son contenu.

[topludo]

merci pour la rapiditer voial mon raport

 

Logfile of HijackThis v1.99.1

Scan saved at 18:38 PC LUDO, on 27/06/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avast4\aswUpdSv.exe

C:\Program Files\Avast4\ashServ.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Avast4\ashMaiSv.exe

C:\Program Files\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\WINDOWS\system32\S3tray2.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\eurobarre\erobar.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\ludo\Mes documents\HijackThis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.fr/ie

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = internet ludo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\RunOnce: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /RM /FS /X

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - Startup: Eurobarre.lnk = C:\Program Files\eurobarre\erobar.exe

O8 - Extra context menu item: &Traduire à partir de l'anglais - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Recherche &Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Voir les cookies - C:\WINDOWS\web\showcookies.htm

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab

O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB

O16 - DPF: {29710C4C-4F0F-4A36-8312-CB5614829804} (DriverDetectiveNonMembers.nonmembers) - http://www.drivershq.com/files/cab/nonmemb...etective-nm.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase5059.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148916307074

O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://drivers1.free.fr/telecharger.php?id=2&version=

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

 

 

 

mais perso je n ai rien vu mais bon on sait jamais !

[bruce lee]

re,

 

1/telecharge silent runners http://www.silentrunners.org/Silent%20Runners.vbs

 

2/déconnecte toi du net et ferme toutes les applications en cours.

 

3/lance silent runners laisse le travailler quand il aura finit de scanner tu en sauras averti par un message et un nouveau fichier texte sera crée ouvre ce fichier texte et colle la totalité du rapport.

[topludo]

merci bruce lee pour ton aide voila mon raport

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

"STYLEXP" = "C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide" [empty string]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"avast!" = "C:\PROGRA~1\Avast4\ashDisp.exe" [null data]

"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]

"S3hotkey" = "S3hotkey.exe" ["S3 Graphics, Inc."]

"S3TRAY2" = "S3tray2.exe" ["S3 Graphics, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /RM /FS /X" ["PC Tools Research Pty Ltd"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)

-> {HKLM...CLSID} = "PCTools Site Guard"

\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Helper"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)

-> {HKLM...CLSID} = "PCTools Browser Monitor"

\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

{C333CF63-767F-4831-94AC-E683D962C63C}\(Default) = "TGTSoft Explorer Toolbar Changer"

-> {HKLM...CLSID} = "CoTGT_BHO Class"

\InProcServer32\(Default) = "C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"

-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Mes dossiers de partage"

\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0792.00.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {HKLM...CLSID} = "Shell Search Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{35786D3C-B075-49b9-88DD-029876E11C01}" = "Portable Devices"

-> {HKLM...CLSID} = "Portable Devices"

\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]

"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" = "Portable Devices Menu"

-> {HKLM...CLSID} = "Portable Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

-> {HKLM...CLSID} = "ShellLink for Application References"

\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

-> {HKLM...CLSID} = "Shell Icon Handler for Application References"

\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohev.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {HKLM...CLSID} = "Portable Media Devices"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "0 aswBoot.exe /M:47275bbac" [file not found], [null data], [file not found]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE12\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\ludo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "ludo" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\ludo\Menu Démarrer\Programmes\Démarrage

"Eurobarre" -> shortcut to: "C:\Program Files\eurobarre\erobar.exe" [null data]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 38

%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

 

Explorer Bars

 

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Shell Search Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\

"ButtonText" = "Spyware Doctor"

"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"

-> {HKLM...CLSID} = "PCTools Browser Monitor"

\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

Machine Debug Manager, MDM, ""C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\mdm.exe"" [MS]

PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]

Service d'application d'assistance IPv6, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}

StyleXPService, StyleXPService, ""C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"" [empty string]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 56 seconds, including 16 seconds for message boxes)

[bruce lee]

re,

 

Fais un scan en ligne avec http://webscanner.kaspersky.fr/

 

Sous Démonstration en ligne , on t'explique la marche à suivre , et pour lancer le scan il faut sélectionner Exécuter l'analyse en ligne .Le scan ne marche que sous Internet Explorer.

On va te demander de télécharger un contôle active x, accepte .

Dans le menu Choisissez la cible de l'analyse , sélectionne Poste de travail .

Le scan va commencer.Poste le rapport qui sera généré stp.

 

Si il y a un problème, assure toi que les contrôles active x sont bien configurés dans les options internet comme

 

décrit sur ce lien=> http://www.inoculer.com/activex.php3

[topludo]

ok je fais un scan pas de probleme je donne le rapport apré merci et bonne ap a toi

[topludo]

voila mon raport mais je sais pas comment supprimer ces virus on pourait m eclairé ?

 

 

mardi 27 juin 2006 20:32 PC LUDO

Système d'exploitation : Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Version de Kaspersky On-line Scanner: 5.0.78.0

Dernière mise à jour de la base antivirus Kaspersky : 27/06/2006

Enregistrements dans la base antivirus Kaspersky : 191064

 

 

Paramètres d'analyse

Analyser avec la base antivirus suivante standard

Analyser les archives vrai

Analyser les bases de messagerie. vrai

 

Cible de l'analyse Poste de travail

C:\

D:\

 

Statistiques de l'analyse

Total d'objets analysés : 26315

Nombre de virus trouvés 7

Nombre d'objets infectés 13

Nombre d'objets suspects 0

Durée de l'analyse 01:13:55

 

Nom de l'objet infecté Nom du virus Dernière action

C:\Documents and Settings\ludo\Local Settings\Temporary Internet Files\Content.IE5\K5MZ8TEB\wind32[1].exe/data0002 Infecté: Trojan-Downloader.Win32.PurityScan.cq ignoré

 

C:\Documents and Settings\ludo\Local Settings\Temporary Internet Files\Content.IE5\K5MZ8TEB\wind32[1].exe NSIS: infecté - 1 ignoré

 

C:\Documents and Settings\ludo\Local Settings\Temporary Internet Files\Content.IE5\K5MZ8TEB\wizip32[1].exe Infecté: Trojan-Clicker.Win32.Small.kx ignoré

 

C:\Documents and Settings\ludo\Local Settings\Temporary Internet Files\Content.IE5\KGH7N68F\wizp32[1].exe Infecté: Trojan-Downloader.Win32.IstBar.ff ignoré

 

C:\Documents and Settings\ludo\Local Settings\Temporary Internet Files\Content.IE5\KGH7N68F\wlzip32[1].exe Infecté: Trojan-Downloader.Win32.Obfuscated.a ignoré

 

C:\Documents and Settings\ludo\Mes documents\Icecold Reloaded Msn Freezer Hack.zip/IceCold ReLoaded.exe Infecté: HackTool.Win32.Homac ignoré

 

C:\Documents and Settings\ludo\Mes documents\Icecold Reloaded Msn Freezer Hack.zip ZIP: infecté - 1 ignoré

 

C:\WINDOWS\system32\regperf.exe Infecté: Trojan-Downloader.Win32.Zlob.vr ignoré

 

C:\WINDOWS\system32\winheb32.dll Infecté: Trojan.Win32.Agent.vg ignoré

 

C:\WINDOWS\Temp\mst252.tmp Infecté: Trojan.Win32.Agent.vg ignoré

 

C:\WINDOWS\Temp\mst7E7.tmp Infecté: Trojan.Win32.Agent.vg ignoré

 

C:\WINDOWS\Temp\win14.tmp.exe Infecté: Trojan-Downloader.Win32.Obfuscated.a ignoré

 

C:\WINDOWS\Temp\win1E.tmp.exe Infecté: Trojan-Clicker.Win32.Small.kx ignoré

 

Analyse terminée.

[bruce lee]

re,

 

1/ demarre en mode sans echec http://www.sosordi.net/Faq/Faq.2.html

 

 

2/pour supprimer les fichiers nefastes on va tous les afficher en faisant comme ceci:

 

Démarrer, Poste de travail ou autre dossier, Menu Outils, Option des dossiers, onglet Affichage :

Cocher la case : Afficher les fichiers et dossiers cachés

Décocher la case : Masquer les extensions des fichiers dont le type est connu

Décocher la case : Masquer les fichiers protégés du système d'exploitation

cliquer sur "Appliquer"

cliquer sur le bouton "Appliquer à tous les dossiers" / OK

 

 

3/ supprime ce qui est en gras:

 

C:\WINDOWS\system32\ regperf.exe<== le fichier

C:\WINDOWS\system32\ winheb32.dll <== le fichier

C:\Documents and Settings\ludo\Mes documents\ Icecold Reloaded Msn Freezer Hack.zip <==

tout le dossier

 

rend toi ici et vide le contenu du dossier en gras:

 

C:\WINDOWS\ Temp

 

4/ vide la corbeille

 

 

5/redemarre en mode normal

 

 

6/ lance internet explorer, tu cliques sur outils puis sur options internet... tu vas

dans l'onglet general et dans Fichiers internet temporaires tu cliques sur:

 

supprimer les cookies...

supprimer les fichiers...

 

7/ refais un nouveau scan et post le nouveau rapport.

 

@+

[topludo]

impossible de supprimer C:\WINDOWS\system32\ winheb32.dll comment je peut faire??