Trojan.Downloader.Small.CML

[bruce lee]

Bonjour,

 

est ce que on zonealarm fait aussi antivirus?

Si il ne le fais pas reinstalle antivir.

 

1/ Télécharge et installe EasyCleaner de Toni Helenius: http://personal.inet.fi/business/toniarts/ecleane.htm

 

2/ avec hijackthis, tu coches et tu fixes cette ligne:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com

 

3/ Redémarre en mode sans échec.

(au redémarrage de l'ordinateur, une fois le chargement du BIOS terminé, il y a un écran noir qui apparaît rapidement, appuyer sur la touche [F8] ou [F5] jusqu'à l'affichage du menu des options avancées de Windows. Sélectionner "Mode sans échec" et appuyer sur [Entrée].)

 

4/ Execute EasyCleaner: Utilise les fonctions "Inutiles" et "Registre" seulement. Ne touche pas à la fonction "doublons".

 

 

5/ redemarre en mode normal, puis refais un scan en ligne et poste le rapport puis post aussi un

nouveau rapport hijackthis.

 

@+

[gunbee]

bonjour

 

AntiVir PersonalEdition Classic

Report file date: mercredi 12 juillet 2006 17:28

 

Scanning for 453057 virus strains and unwanted programs.

 

Licensed to: AntiVir PersonalEdition Classic

Serial number: 0000149996-WURGE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username:

Computer name: -58A8D3

 

Version informations:

AVSCAN.EXE : 7.0.0.42 376872 12/07/2006 15:25:52

AVSCAN.DLL : 7.0.0.42 53288 12/07/2006 15:25:52

LUKE.DLL : 7.0.0.42 110632 12/07/2006 15:25:55

LUKERES.DLL : 7.0.0.42 25640 12/07/2006 15:25:55

ANTIVIR0.VDF : 6.35.0.1 7371264 12/07/2006 15:25:49

ANTIVIR1.VDF : 6.35.0.168 730112 12/07/2006 15:25:49

ANTIVIR2.VDF : 6.35.0.181 78336 12/07/2006 15:25:49

ANTIVIR3.VDF : 6.35.0.194 22016 12/07/2006 15:25:49

AVEWIN32.DLL : 7.1.0.21 1552896 12/07/2006 15:25:50

AVPREF.DLL : 7.0.0.1 33832 12/07/2006 15:25:51

AVREP.DLL : 6.35.0.154 487464 12/07/2006 15:25:51

AVRPBASE.DLL : 7.0.0.0 1544232 12/07/2006 15:25:52

AVPACK32.DLL : 7.1.0.1 331816 12/07/2006 15:25:51

AVREG.DLL : 6.31.0.90 25128 12/07/2006 15:25:51

NETNT.DLL : 6.32.0.0 6696 12/07/2006 15:25:56

NETNW.DLL : 6.32.0.0 9768 12/07/2006 15:25:56

RCIMAGE.DLL : 7.0.0.71 1642536 12/07/2006 15:26:01

RCTEXT.DLL : 7.0.0.75 77864 12/07/2006 15:26:01

 

Configuration settings for the scan:

Jobname: '%s'.................: Manual Selection

Configuration file............: D:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp

Boot sectors..................: C,D,E

Scan memory...................: 1

Process scan..................: 1

Scan all files................: 2

Scan archives.................: 1

Recursion depth...............: 20

Smart extensions..............: 1

Macro heuristic...............: 1

File heuristic................: -1

Primary action................: 1

Secondary action..............: 0

 

Start of the scan: mercredi 12 juillet 2006 17:28

 

 

The scan over running processes will be started

41 Processes was scanned

 

Start scanning boot sectors:

 

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'D:\'

[NOTE] No virus was found!

Boot sector 'E:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( 25 files ).

 

 

Starting the file scan:

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

[WARNING] The file could not be opened!

C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0237\0192\values

[WARNING] The file could not be opened!

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp

[WARNING] The file could not be opened!

D:\pagefile.sys

[WARNING] The file could not be opened!

D:\Documents and Settings\LocalService\NTUSER.DAT

[WARNING] The file could not be opened!

D:\Documents and Settings\LocalService\ntuser.dat.LOG

[WARNING] The file could not be opened!

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

[WARNING] The file could not be opened!

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

[WARNING] The file could not be opened!

D:\Documents and Settings\NetworkService\NTUSER.DAT

[WARNING] The file could not be opened!

D:\Documents and Settings\NetworkService\ntuser.dat.LOG

[WARNING] The file could not be opened!

D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

[WARNING] The file could not be opened!

D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

[WARNING] The file could not be opened!

D:\Documents and Settings\NTUSER.DAT

[WARNING] The file could not be opened!

D:\Documents and Settings\ntuser.dat.LOG

[WARNING] The file could not be opened!

D:\Documents and Settings\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

[WARNING] The file could not be opened!

D:\Documents and Settings\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

[WARNING] The file could not be opened!

D:\PALM\Flipchart.Express.v5.4.PalmOS.Cracked-BLZPDA\b-fegg54.zip

[0] Archive type: ZIP

--> cracktro.exe

[DETECTION] Contains signature of the Windows virus W32/Zmist

[iNFO] The file was moved to 'ac1a846a.qua'!

D:\WINDOWS\system32\CatRoot2\edb.log

[WARNING] The file could not be opened!

D:\WINDOWS\system32\CatRoot2\tmp.edb

[WARNING] The file could not be opened!

D:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb

[WARNING] The file could not be opened!

D:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\default

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\default.LOG

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\SAM

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\SAM.LOG

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\SECURITY

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\SECURITY.LOG

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\software

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\software.LOG

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\system

[WARNING] The file could not be opened!

D:\WINDOWS\system32\config\system.LOG

[WARNING] The file could not be opened!

D:\WINDOWS\Temp\win112.tmp.exe

[DETECTION] Is the Trojan horse TR/PCK.Klone.G.10

[iNFO] The file was moved to '75e6926d.qua'!

D:\WINDOWS\Temp\win115.tmp.exe

[DETECTION] Is the Trojan horse TR/PCK.Klone.G.10

[iNFO] The file was moved to '75e69270.qua'!

D:\WINDOWS\Temp\ZLT006a0.TMP

[WARNING] The file could not be opened!

D:\WINDOWS\Temp\ZLT006a3.TMP

[WARNING] The file could not be opened!

 

 

End of the scan: mercredi 12 juillet 2006 18:32

Used time: 1:04:01 min

 

The scan has been done completely.

 

9164 Scanning directories

295508 Files were scanned

3 viruses and/or unwanted programs was found

0 files were deleted

0 files were repaired

3 files were moved to quarantine

0 files were renamed

6243 Archives were scanned

32 Warnings

1 Notes

 

Logfile of HijackThis v1.99.1

Scan saved at 18:46:14, on 12/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

D:\Program Files\Launch Manager\LaunchAp.exe

D:\Program Files\Launch Manager\HotkeyApp.exe

D:\Program Files\Launch Manager\OSD.exe

D:\Program Files\Launch Manager\Wbutton.exe

D:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\iTunes\iTunesHelper.exe

c:\Program Files\ewido anti-spyware 4.0\guard.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Tapwave\HOTSYNC.EXE

D:\WINDOWS\system32\ZoneLabs\vsmon.exe

D:\Program Files\iPod\bin\iPodService.exe

D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

D:\Program Files\AntiVir PersonalEdition Classic\sched.exe

D:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe

C:\Program Files\Satsuki Decoder Pack\mpc\mplayerc.exe

C:\Program Files\firefox.exe

C:\Program Files\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.fra.chello.fr/ssi/welcome/welc...home&src=ie

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par chello broadband n.v.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.chello.fr:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [LaunchAp] D:\Program Files\Launch Manager\LaunchAp.exe

O4 - HKLM\..\Run: [HotkeyApp] D:\Program Files\Launch Manager\HotkeyApp.exe

O4 - HKLM\..\Run: [CtrlVol] D:\Program Files\Launch Manager\CtrlVol.exe

O4 - HKLM\..\Run: [LMgrOSD] D:\Program Files\Launch Manager\OSD.exe

O4 - HKLM\..\Run: [Wbutton] "D:\Program Files\Launch Manager\Wbutton.exe"

O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iSUSPM Startup] D:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "D:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Zone Labs Client] "c:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: HotSync Manager.lnk = D:\Program Files\Tapwave\HOTSYNC.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://home.fra.chello.fr/ssi/welcome/welcome.php?url=home&src=ie

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

[bruce lee]

Bonjour,

 

avec hijackthis, coche et fixe cette ligne:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com

 

 

Fais un scan en ligne avec http://webscanner.kaspersky.fr/

 

Sous Démonstration en ligne , on t'explique la marche à suivre , et pour lancer le scan il faut sélectionner Exécuter l'analyse en ligne .Le scan ne marche que sous Internet Explorer.

On va te demander de télécharger un contôle active x, accepte .

Dans le menu Choisissez la cible de l'analyse , sélectionne Poste de travail .

Le scan va commencer.Poste le rapport qui sera généré stp.

 

Si il y a un problème, assure toi que les contrôles active x sont bien configurés dans les options internet comme

 

décrit sur ce lien=> http://www.inoculer.com/activex.php3

 

NOTE: le scan est a faire avec Internet Explorer

 

@+