Slow PC / tracking cookie / virus

Tags:
  • Cookie
  • Security
Latest reply: in Security and viruses
3 September 2007 21:25:10

Good evening:

For a few days now my PC has been slow and my antispyware keeps detecting tracking cookies and sometimes viruses, whereas 2-3 days ago that wasn't the case.

Then there's my ping when I play online games, which is high, whereas it wasn't before!

Applications take a long time to load, etc.
I even bought a 1 GB stick of RAM for this!
I've defragmented and cleaned with CCleaner; still the same.

So I think it's a virus, because whenever I scan I always find some, and the ping during games and the slowness make me suspicious.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:24:43, on 03/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\windows\system32\ctfmon.exe
C:\windows\lclock.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\PROGRA~1\IncrediMail\bin\ImApp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Momo\Bureau\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ustart.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.fr/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.fr/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winlsd.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] lclock.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [LSD_III] %systemroot%\LSD\end.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [LSD_III] %systemroot%\LSD\end.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [LSD_III] %systemroot%\LSD\end.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [LSD_III] %systemroot%\LSD\end.cmd (User 'Default user')
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Bannière - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.ca...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.ca...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPACl...
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab569...
O20 - AppInit_DLLs: C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\windows\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\windows\system32\services.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: DSDM DDE réseau (NetDDEdsdm) - Unknown owner - C:\windows\system32\netdde.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\windows\system32\services.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\windows\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\windows\System32\vssvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7814 bytes


Thanks.


3 September 2007 22:28:49

Hello

Uninstall and delete AskTBar.


Download Combofix.exe (by sUBs) to your Desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe and follow the prompts.
When the scan is complete, a report will appear.

Copy/paste that report into your next reply along with a new HijackThis log.
3 September 2007 22:31:39

The problem is that for a few days now, when I go to Control Panel -> Add or Remove Programs, I no longer see all my programs, and AskTBar isn't there.

So I don't know how to remove it.

Thanks.

EDIT: I tried to remove AskTBar from Internet Explorer; it says an error occurred.
3 September 2007 22:55:41

ComboFix 07-08-30.3 - "Momo" 2007-09-03 22:49:31.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.734 [GMT 2:00]


((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))


2007-09-03 22:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-03 17:43 22,048 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-03 17:43 1,288,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-03 17:43 <REP> d-------- C:\Program Files\Kaspersky Lab
2007-09-03 17:43 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-03 17:39 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2007-09-02 12:49 <REP> d-------- C:\Program Files\xchat
2007-09-01 12:07 <REP> d-------- C:\Program Files\Lavalys
2007-08-31 17:24 <REP> d-------- C:\Program Files\Lavasoft
2007-08-31 17:24 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-31 17:23 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-08-29 23:50 <REP> d-------- C:\Program Files\adslTV
2007-08-29 16:54 534 --a------ C:\WINDOWS\eReg.dat
2007-08-27 23:22 <REP> d-------- C:\Program Files\IncrediMail
2007-08-25 19:05 <REP> d--h----- C:\WINDOWS\PIF
2007-08-24 19:56 2,051 --a------ C:\WINDOWS\system32\sdbackup.reg
2007-08-22 18:53 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-08-20 13:58 <REP> d-------- C:\Program Files\Alcohol Toolbar
2007-08-20 13:58 <REP> d-------- C:\Program Files\Alcohol Soft
2007-08-20 13:47 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-17 17:51 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-17 17:51 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-17 17:50 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-16 01:23 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-16 01:23 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-16 01:23 54,672 --a------ C:\WINDOWS\system32\vsutil_loc040c.dll
2007-08-16 01:23 42,384 --a------ C:\WINDOWS\zllsputility_loc040c.dll
2007-08-16 01:23 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-16 01:23 21,904 --a------ C:\WINDOWS\system32\imsinstall_loc040c.dll
2007-08-16 01:23 17,808 --a------ C:\WINDOWS\system32\imslsp_install_loc040c.dll
2007-08-16 01:23 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-16 01:23 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-16 01:22 <REP> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-16 01:17 <REP> d-------- C:\WINDOWS\Internet Logs
2007-08-15 23:02 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2007-08-15 23:02 <REP> d-------- C:\Program Files\Stardock
2007-08-15 21:46 6,491 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-08-15 21:34 59,577 --a------ C:\WINDOWS\BricoPackUninst.cmd
2007-08-15 21:30 <REP> d-------- C:\WINDOWS\BricoPacks
2007-08-15 01:10 <REP> d-------- C:\DOCUME~1\Momo\APPLIC~1\Media Player Classic
2007-08-14 15:49 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-14 15:49 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-08-14 15:49 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-08-14 15:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-14 15:49 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-14 15:49 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-08-14 15:49 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-14 15:49 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-08-14 15:49 <REP> d-------- C:\Program Files\K-Lite Codec Pack
2007-08-14 15:44 <REP> d-------- C:\Program Files\CCleaner
2007-08-14 00:28 <REP> d-------- C:\Program Files\Sunbelt Software
2007-08-11 14:06 <REP> d-------- C:\DOCUME~1\Momo\OngameNetwork
2007-08-09 23:29 <REP> d-------- C:\DOCUME~1\Momo\APPLIC~1\Ahead
2007-08-09 23:29 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-08-09 23:20 <REP> d-------- C:\Program Files\AskTBar
2007-08-09 18:13 <REP> d---s---- C:\DOCUME~1\Momo\UserData
2007-08-09 13:30 <REP> d-------- C:\WINDOWS\pss
2007-08-08 22:15 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skyline
2007-08-08 13:54 <REP> d-------- C:\DOCUME~1\Momo\APPLIC~1\X-Chat 2
2007-08-07 13:58 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 19:58 <REP> d-------- C:\DOCUME~1\Momo\APPLIC~1\TuneUp Software
2007-08-06 19:58 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-08-04 22:25 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-04 21:14 <REP> d-------- C:\Program Files\Yahoo!
2007-08-04 18:40 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-08-04 11:23 <REP> d-------- C:\DOCUME~1\Momo\APPLIC~1\WinRAR
2007-08-04 02:55 <REP> d-------- C:\Program Files\Steam
2007-08-04 02:18 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-08-04 01:52 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-04 01:45 <REP> d-------- C:\DOCUME~1\Momo\APPLIC~1\vlc
2007-08-04 01:44 <REP> d-------- C:\Program Files\VideoLAN
2007-08-04 01:38 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2007-08-04 01:37 <REP> d-------- C:\Program Files\Fichiers communs\SpeechEngines
2007-08-04 01:37 <REP> d-------- C:\Program Files\Fichiers communs\ODBC
2007-08-04 01:36 <REP> dr------- C:\DOCUME~1\DEFAUL~1\Menu Démarrer
2007-08-04 01:36 <REP> dr------- C:\DOCUME~1\ALLUSE~1\Menu Démarrer
2007-08-04 01:36 <REP> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-08-04 01:36 <REP> d--h----- C:\DOCUME~1\DEFAUL~1\Voisinage réseau
2007-08-04 01:36 <REP> d--h----- C:\DOCUME~1\DEFAUL~1\Voisinage d'impression
2007-08-04 01:36 <REP> d--h----- C:\DOCUME~1\DEFAUL~1\Modèles
2007-08-04 01:36 <REP> d--h----- C:\DOCUME~1\ALLUSE~1\Modèles
2007-08-04 01:36 <REP> d-------- C:\WINDOWS\system32\CatRoot2
2007-08-04 01:36 <REP> d-------- C:\WINDOWS\system32\CatRoot
2007-08-04 01:36 <REP> d-------- C:\DOCUME~1\DEFAUL~1\Mes documents
2007-08-04 01:36 <REP> d-------- C:\DOCUME~1\DEFAUL~1\Favoris
2007-08-04 01:36 <REP> d-------- C:\DOCUME~1\DEFAUL~1\Bureau
2007-08-04 01:36 <REP> d-------- C:\DOCUME~1\ALLUSE~1\Favoris
2007-08-04 01:36 <REP> d-------- C:\DOCUME~1\ALLUSE~1\Bureau
2007-08-04 01:35 <REP> d-------- C:\Drivers
2007-08-04 01:00 <REP> d-------- C:\Program Files\Spider
2007-08-04 00:47 <REP> d-------- C:\Program Files\eMule
2007-08-04 00:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-04 00:23 <REP> d-------- C:\Program Files\Messenger Plus! Live
2007-08-04 00:22 <REP> d-------- C:\DOCUME~1\Momo\Contacts
2007-08-04 00:21 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-04 00:21 <REP> d-------- C:\Program Files\Windows Live
2007-08-04 00:21 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WindowsLiveInstaller
2007-08-04 00:20 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
2007-08-04 00:17 <REP> d-------- C:\Program Files\Winamp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-03 21:36 1820 --ahs---- C:\windows\system32\drivers\fidbox2.idx
2007-09-03 21:36 16700 --ahs---- C:\windows\system32\drivers\fidbox.idx
2007-08-15 21:34 219648 --a------ C:\windows\system32\uxtheme.dll
2007-07-20 00:48 77160 --a------ C:\DSETUP.dll
2007-07-20 00:48 503144 --a------ C:\dxsetup.exe
2007-07-20 00:48 1673576 --a------ C:\dsetup32.dll
2007-07-11 14:37 6272 --a------ C:\windows\system32\drivers\AWRTPD.sys
2007-06-28 12:51 206088 --a------ C:\windows\system32\klogon.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-19 18:09]
"LClock"="lclock.exe" [2004-12-08 18:06 C:\WINDOWS\LClock.exe]
"Steam"="c:\program files\steam\steam.exe" [2007-08-04 03:01]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-05-17 13:11]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-08-21 11:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"LSD_III"=%systemroot%\LSD\end.cmd
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoSMBalloonTip"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-03-05 17:36 140976 C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\windows\system32\DRIVERS\klim5.sys

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-08-07 09:25:16 C:\windows\Tasks\Maintenance en 1 clic.job - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 22:52:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PROCEXP90]


Completion time: 2007-09-03 22:53:54
C:\ComboFix-quarantined-files.txt ... 2007-09-03 22:53

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:55:12, on 03/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\windows\system32\ctfmon.exe
C:\windows\lclock.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\windows\explorer.exe
C:\Documents and Settings\Momo\Bureau\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ustart.org
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.fr/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winlsd.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] lclock.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [LSD_III] %systemroot%\LSD\end.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [LSD_III] %systemroot%\LSD\end.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [LSD_III] %systemroot%\LSD\end.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [LSD_III] %systemroot%\LSD\end.cmd (User 'Default user')
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Bannière - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.ca...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.ca...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPACl...
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab569...
O20 - AppInit_DLLs: C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\windows\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\windows\system32\services.exe
O23 - Service: DSDM DDE réseau (NetDDEdsdm) - Unknown owner - C:\windows\system32\netdde.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\windows\system32\services.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\windows\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\windows\System32\vssvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7184 bytes


I couldn't remove AskTBar.
3 September 2007 23:05:37

Am I infected?
And what do I do now?

Thanks :)
3 September 2007 23:19:43

Re


Not much in this report.


Run HijackThis again and check the lines below:

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

Close all windows (Windows, Internet Explorer, Outlook) except HijackThis and click « Fix checked »


Download OTMoveIt (by Old_Timer) to your Desktop.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt....
Double-click OTMoveIt.exe to launch it.
Copy the list below and paste it into the left-hand pane of OTMoveIt: Paste List of Files/Folders to be moved.

C:\Program Files\AskTBar

Click MoveIt! to start the removal.
The result will appear in the Results pane.
Click Exit to close.

You may be asked to restart the PC to complete the removal. If so, accept with Yes.

Post the report located in C:\_OTMoveIt\MovedFiles.

Download DiagHelp.zip (by Malekal_Morte) to your desktop
http://www.malekal.com/download/DiagHelp.zip
- Right-click the file and choose Extract All
- A new folder, DiagHelp, will be created
- Open it and double-click go.cmd (the .cmd extension may not be shown)
- A window will open; choose option 1
- The analysis will start; it can take a few minutes. Let it run and press a key when asked

WARNING: during the analysis, after the catchme report, you will be asked to press a key to continue the scan; follow the on-screen instructions carefully!

- At the end of the analysis you may be asked to restart the computer... Once the computer has restarted, the report will open in Notepad. It is located at C:\resultat.txt
- Copy/paste the contents of the Notepad window that opens; to do so:
-- In Notepad, click the Edit menu / Select All
-- Again, Edit menu / Copy
-- In a new message here, right-click / Paste
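The helper's advice above (remove the URLSearchHook, BHO and toolbar entries that point at AskTBar or at a file that no longer exists) is the kind of check that can be automated over a HijackThis log before a person decides what to fix. The Python script below is an added example, not part of this thread and not HijackThis's own logic: the three flagging rules (orphan, unnamed, unwanted path) and the `asktbar` folder marker are this example's assumptions, and the lines in `SAMPLE_LOG` are a constructed sample modelled on the entries posted in this thread.

```python
"""Triage a HijackThis v2 log: flag orphaned, unnamed and unwanted-path entries."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v2 line format; paths are modelled on the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str              # HijackThis section code, e.g. "O2"
    kind: str                 # "BHO", "Toolbar", "Service", "HKLM\..\Run", ...
    name: str                 # display name; "(no name)" when the log has none
    clsid: Optional[str]      # GUID of the COM object, if the line carries one
    path: str                 # target file/command (last " - " field, or the O4 command)
    raw: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis entry line; headers, blanks and process paths give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    if section == "O4":
        # Shape: O4 - HKLM\..\Run: [Name] command line
        key, _, cmd = body.partition(": ")
        name = cmd[1:cmd.index("]")] if cmd.startswith("[") and "]" in cmd else ""
        path = cmd[len(name) + 2:].strip() if name else cmd.strip()
        return Entry(section, key, name, None, path, line)
    # Other sections: "Kind: Name - {CLSID} - Path" or "Service: Name - Owner - Path".
    # The path is always the last " - " field, so names containing " - " stay intact.
    fields = body.split(" - ")
    kind, _, name = fields[0].partition(": ")
    path = fields[-1].strip() if len(fields) > 1 else ""
    return Entry(section, kind, name.strip(), clsid.group(0) if clsid else None, path, line)


def triage(log_text: str, unwanted_markers=("asktbar",)) -> List[Entry]:
    """Return the entries worth a second look, each tagged with why.

    The three rules are this example's own heuristics, not HijackThis logic:
      orphan   - the registry entry survives but its file is gone ("(no file)", "(file missing)")
      unnamed  - a URLSearchHook/BHO/Toolbar with no display name
      unwanted - the target path contains one of the unwanted_markers folder names
    """
    flagged: List[Entry] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        low = entry.path.lower()
        if entry.path == "(no file)" or low.endswith("(file missing)"):
            entry.reasons.append("orphan")
        if entry.name == "(no name)" and entry.kind in ("URLSearchHook", "BHO", "Toolbar"):
            entry.reasons.append("unnamed")
        if any(marker in low for marker in unwanted_markers):
            entry.reasons.append("unwanted")
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4}{','.join(e.reasons):<18}{e.name or e.kind:<28}{e.path}")
```

Running the script lists the five flagged entries from the sample: the AskTBar hook and BHO, the two nameless entries whose file is gone, and the Nero service whose executable is missing. The two Java O9 lines the helper also ticked would not be flagged by these rules, since they point at an existing ssv.dll; automated triage only narrows the list, and the person reading the log still decides what to fix.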
3 September 2007 23:25:12

There's just one thing I don't understand: which list do I copy into the pane?

EDIT: never mind, I found it, sorry.
3 September 2007 23:37:52

C:\Program Files\AskTBar\SrchAstt moved successfully.
Folder move failed. C:\Program Files\AskTBar\PopSwatr\History\notallow scheduled to be moved on reboot.
Folder move failed. C:\Program Files\AskTBar\PopSwatr\History\allowed scheduled to be moved on reboot.
C:\Program Files\AskTBar\PopSwatr\History moved successfully.
C:\Program Files\AskTBar\PopSwatr moved successfully.
C:\Program Files\AskTBar\bar\Settings moved successfully.
Folder move failed. C:\Program Files\AskTBar\bar\History\search2 scheduled to be moved on reboot.
C:\Program Files\AskTBar\bar\History moved successfully.
Folder move failed. C:\Program Files\AskTBar\bar\Cache\00C4B433 scheduled to be moved on reboot.
Folder move failed. C:\Program Files\AskTBar\bar\Cache\004020FE scheduled to be moved on reboot.
Folder move failed. C:\Program Files\AskTBar\bar\Cache\00401D83 scheduled to be moved on reboot.
C:\Program Files\AskTBar\bar\Cache moved successfully.
C:\Program Files\AskTBar\bar moved successfully.
C:\Program Files\AskTBar moved successfully.

Created on 09/03/2007 23:25:53

catchme 0.3.1066 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 23:32:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:00,64,0b,fc,b2,c0,84,1b,31,85,dd,cb,82,19,09,dd,c8,f7,dd,ca,e5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:00,64,0b,fc,b2,c0,84,1b,31,85,dd,cb,82,19,09,dd,c8,f7,dd,ca,e5,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

4 September 2007 01:32:26

The DiagHelp report is incomplete.
4 September 2007 02:26:14

Oh yes, I posted the one that was displayed.
OK, I'll run DiagHelp again then.
4 September 2007 02:29:33

DiagHelp version v1.2 - http://www.malekal.com
excute le 04/09/2007 à 2:26:54,81


Liste des derniers fichies modifies/crees dans windir\system32 et prefetch
C:\windows\prefetch\NTOSBOOT-B00DFAAD.pf -->15/08/2007 21:57:26
C:\windows\prefetch\Layout.ini -->14/08/2007 16:49:53
C:\windows\prefetch\WUAUCLT.EXE-399A8E72.pf -->03/08/2007 23:56:38
C:\windows\prefetch\W.EXE-023FC26E.pf -->03/08/2007 23:56:32
C:\windows\prefetch\REGEDIT.EXE-1B606482.pf -->03/08/2007 23:56:32
C:\windows\prefetch\IMAPI.EXE-0BF740A4.pf -->03/08/2007 23:56:31
C:\windows\prefetch\U2.EXE-0C867A1C.pf -->03/08/2007 23:56:29
C:\windows\prefetch\CTFMON.EXE-0E17969B.pf -->03/08/2007 23:56:29
C:\windows\prefetch\CMD.EXE-087B4001.pf -->03/08/2007 23:56:29
C:\windows\prefetch\RUNDLL32.EXE-49F747DB.pf -->03/08/2007 23:56:25

C:\windows\System32\drivers\fidbox.dat -->04/09/2007 02:23:48
C:\windows\System32\drivers\fidbox2.idx -->04/09/2007 01:07:08
C:\windows\System32\drivers\fidbox2.dat -->04/09/2007 01:07:08
C:\windows\System32\drivers\fidbox.idx -->04/09/2007 01:07:08
C:\windows\System32\drivers\klin.dat -->03/09/2007 18:12:20
C:\windows\System32\drivers\klick.dat -->03/09/2007 18:12:20
C:\windows\System32\drivers\sptd.sys -->20/08/2007 13:47:46

C:\windows\System32\wpa.dbl -->03/09/2007 21:48:36
C:\windows\System32\FNTCACHE.DAT -->30/08/2007 14:24:19
C:\windows\System32\sdbackup.reg -->24/08/2007 19:56:03
C:\windows\System32\zllictbl.dat -->16/08/2007 01:25:59
C:\windows\System32\uxtheme.dll -->15/08/2007 21:34:32
C:\windows\System32\nscompat.tlb -->04/08/2007 03:36:01
C:\windows\System32\amcompat.tlb -->04/08/2007 03:36:01
C:\windows\System32\h323log.txt -->04/08/2007 01:40:52
C:\windows\System32\jupdate-1.6.0_02-b06.log -->04/08/2007 00:33:26
C:\windows\System32\PerfStringBackup.INI -->04/08/2007 00:07:14
C:\windows\System32\perfh00C.dat -->04/08/2007 00:07:14
C:\windows\System32\perfh009.dat -->04/08/2007 00:07:14
C:\windows\System32\perfc00C.dat -->04/08/2007 00:07:14
C:\windows\System32\perfc009.dat -->04/08/2007 00:07:14
C:\windows\System32\$winnt$.inf -->03/08/2007 23:54:34
C:\windows\System32\CONFIG.NT -->03/08/2007 23:47:29
C:\windows\System32\WindowsLogon.manifest -->03/08/2007 23:45:46
C:\windows\System32\logonui.exe.manifest -->03/08/2007 23:45:46
C:\windows\System32\wuaucpl.cpl.manifest -->03/08/2007 23:45:37
C:\windows\System32\sapi.cpl.manifest -->03/08/2007 23:45:37
C:\windows\System32\nwc.cpl.manifest -->03/08/2007 23:45:37
C:\windows\System32\ncpa.cpl.manifest -->03/08/2007 23:45:37
C:\windows\System32\cdplayer.exe.manifest -->03/08/2007 23:45:37
C:\windows\System32\emptyregdb.dat -->03/08/2007 23:43:43
C:\windows\System32\swreg.exe -->22/07/2007 18:39:27

C:\windows\WindowsUpdate.log -->04/09/2007 01:14:19
C:\windows\0.log -->04/09/2007 01:08:46
C:\windows\bootstat.dat -->04/09/2007 01:08:06
C:\windows\wmsetup.log -->03/09/2007 21:48:38
C:\windows\setupapi.log -->03/09/2007 17:43:58
C:\windows\setuperr.log -->02/09/2007 13:29:02
C:\windows\setupact.log -->02/09/2007 13:29:02
C:\windows\eReg.dat -->29/08/2007 16:54:09
C:\windows\win.ini -->27/08/2007 23:06:50
C:\windows\WB.ini -->27/08/2007 18:09:07
C:\windows\ALCFDRTM.VER -->17/08/2007 17:54:54
C:\windows\BricoPackUninst.txt -->15/08/2007 21:51:22
C:\windows\BricoPackUninst.cmd -->15/08/2007 21:51:22
C:\windows\BricoPackFoldersDelete.cmd -->15/08/2007 21:51:22
C:\windows\BricoPack Wallpaper.bmp -->15/08/2007 21:51:07


MD5 des fichiers sensibles
tcpip.sys 77c0c5e7d6cfe2052b8cf28b8722f528
ndis.sys 558635d3af1c7546d26067d5d9b6959e
null.sys 73c1e1f395918bc2c6dd67af7591a3ad
svchost.exe 2979b03d5382a602623c0535b16ab9c0


Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est A457-E8CB

Répertoire de C:\windows\system32

19/08/2004 18:09 6 144 csrss.exe
1 fichier(s) 6 144 octets
0 Rép(s) 31 505 014 784 octets libres

Contenu de Downloaded Program Files
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est A457-E8CB

Répertoire de C:\windows\Downloaded Program Files

19/08/2007 03:25 <REP> .
19/08/2007 03:25 <REP> ..
03/08/2007 23:45 65 desktop.ini
10/04/2000 17:12 1 765 fhg.inf
13/04/2007 02:14 382 344 GAME_UNO1.dll
17/01/2007 15:44 316 GAME_UNO1.INF
22/02/2007 23:41 304 544 MessengerStatsPAClient.dll
28/02/2007 14:21 130 472 MineSweeper.dll
11/06/2007 12:21 5 021 swflash.inf
09/09/2005 18:45 1 516 wvc1dmo.inf
19/02/2007 11:26 159 128 ZIntro.ocx
9 fichier(s) 985 171 octets

Total des fichiers listés :
9 fichier(s) 985 171 octets
2 Rép(s) 31 505 010 688 octets libres

Recherche de rootkit! (Merci S!Ri)

Recherche d'infections connues

Export des clefs sensibles..

Liste des fichiers en exception sur le pare-feu XP SP2



Export de la clef SharedTaskScheduler

[SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"



exports des policies
REGEDIT4

[system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001



Export des clefs sensibles..
Rechercher adresses sensibles dans le fichier HOSTS...
catchme 0.3.1066 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 02:28:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:00,64,0b,fc,b2,c0,84,1b,31,85,dd,cb,82,19,09,dd,c8,f7,dd,ca,e5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:00,64,0b,fc,b2,c0,84,1b,31,85,dd,cb,82,19,09,dd,c8,f7,dd,ca,e5,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Process list by traversal of KiWaitListHead

4 - System
260 - avp.exe
296 - guard.exe
444 - StarWindService
868 - csrss.exe
892 - winlogon.exe
936 - services.exe
948 - lsass.exe
1048 - cmd.exe
1080 - svchost.exe
1180 - svchost.exe
1280 - svchost.exe
1316 - svchost.exe
1508 - firefox.exe
1796 - explorer.exe
1932 - jusched.exe
1964 - avp.exe
1972 - ctfmon.exe
1980 - LClock.exe
2004 - alg.exe
2008 - msnmsgr.exe
3280 - usnsvc.exe

Total number of processes = 22
NOTE: Under WinXP, this will not show all processes.

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Driver/Module list by traversal of PsLoadedModuleList

804D7000 - \windows\system32\ntoskrnl.exe
8070E000 - \windows\system32\hal.dll
F7987000 - \windows\system32\KDCOM.DLL
F7897000 - \windows\system32\BOOTVID.dll
F74EC000 - sptd.sys
F7989000 - \windows\System32\Drivers\WMILIB.SYS
F74D4000 - \windows\System32\Drivers\SCSIPORT.SYS
F74A5000 - ACPI.sys
F7494000 - pci.sys
F75F7000 - ohci1394.sys
F7607000 - \windows\system32\DRIVERS\1394BUS.SYS
F7617000 - isapnp.sys
F7A4F000 - pciide.sys
F7707000 - \windows\system32\DRIVERS\PCIIDEX.SYS
F7627000 - MountMgr.sys
F7868000 - ftdisk.sys
F798B000 - dmload.sys
F7842000 - dmio.sys
F770F000 - PartMgr.sys
F7637000 - VolSnap.sys
F782A000 - atapi.sys
F7647000 - disk.sys
F7657000 - \windows\system32\DRIVERS\CLASSPNP.SYS
F7968000 - fltMgr.sys
F7667000 - PxHelp20.sys
BA7E9000 - KSecDD.sys
BA75C000 - Ntfs.sys
BA72F000 - NDIS.sys
F7677000 - sisagp.sys
BA674000 - Mup.sys
BA658000 - kl1.sys
F7717000 - \windows\system32\drivers\TDI.SYS
F76A7000 - \SystemRoot\system32\DRIVERS\nic1394.sys
F7444000 - \SystemRoot\system32\DRIVERS\intelppm.sys
B9CD2000 - \SystemRoot\system32\DRIVERS\nv4_mini.sys
B9CBE000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
F7434000 - \SystemRoot\system32\DRIVERS\cdrom.sys
F7424000 - \SystemRoot\system32\DRIVERS\redbook.sys
B9C9B000 - \SystemRoot\system32\DRIVERS\ks.sys
F7414000 - \SystemRoot\system32\DRIVERS\imapi.sys
B98C3000 - \SystemRoot\system32\drivers\ALCXWDM.SYS
B989F000 - \SystemRoot\system32\drivers\portcls.sys
F7404000 - \SystemRoot\system32\drivers\drmk.sys
F779F000 - \SystemRoot\system32\DRIVERS\usbohci.sys
B987C000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS
F77A7000 - \SystemRoot\system32\DRIVERS\usbehci.sys
F77AF000 - \SystemRoot\system32\DRIVERS\sisnic.sys
B946D000 - \SystemRoot\System32\Drivers\aj9sjgww.SYS
F780F000 - \SystemRoot\system32\DRIVERS\fdc.sys
B945C000 - \SystemRoot\system32\DRIVERS\serial.sys
BA5C0000 - \SystemRoot\system32\DRIVERS\serenum.sys
B9448000 - \SystemRoot\system32\DRIVERS\parport.sys
F7887000 - \SystemRoot\system32\DRIVERS\i8042prt.sys
F7817000 - \SystemRoot\system32\DRIVERS\kbdclass.sys
BA200000 - \SystemRoot\system32\DRIVERS\gameenum.sys
B9528000 - \SystemRoot\system32\drivers\msmpu401.sys
F772F000 - \SystemRoot\system32\DRIVERS\klim5.sys
B9527000 - \SystemRoot\system32\DRIVERS\audstub.sys
BA71F000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys
BA1FC000 - \SystemRoot\system32\DRIVERS\ndistapi.sys
B9369000 - \SystemRoot\system32\DRIVERS\ndiswan.sys
BA70F000 - \SystemRoot\system32\DRIVERS\raspppoe.sys
BA6FF000 - \SystemRoot\system32\DRIVERS\raspptp.sys
B9358000 - \SystemRoot\system32\DRIVERS\psched.sys
BA6EF000 - \SystemRoot\system32\DRIVERS\msgpc.sys
F7737000 - \SystemRoot\system32\DRIVERS\ptilink.sys
F773F000 - \SystemRoot\system32\DRIVERS\raspti.sys
B9327000 - \SystemRoot\system32\DRIVERS\rdpdr.sys
BA6DF000 - \SystemRoot\system32\DRIVERS\termdd.sys
F7747000 - \SystemRoot\system32\DRIVERS\mouclass.sys
F7999000 - \SystemRoot\system32\DRIVERS\swenum.sys
B92F3000 - \SystemRoot\system32\DRIVERS\update.sys
BA1E8000 - \SystemRoot\system32\DRIVERS\mssmbios.sys
BA6CF000 - \SystemRoot\System32\Drivers\NDProxy.SYS
BA6BF000 - \SystemRoot\system32\DRIVERS\usbhub.sys
F799F000 - \SystemRoot\system32\DRIVERS\USBD.SYS
F7757000 - \SystemRoot\system32\DRIVERS\flpydisk.sys
F79A1000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS
B9513000 - \SystemRoot\System32\Drivers\Null.SYS
F79A3000 - \SystemRoot\System32\Drivers\Beep.SYS
B9512000 - \SystemRoot\System32\DRIVERS\AvgAsCln.sys
F7767000 - \SystemRoot\System32\drivers\vga.sys
F79A5000 - \SystemRoot\System32\Drivers\mnmdd.SYS
F79A7000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys
F776F000 - \SystemRoot\System32\Drivers\Msfs.SYS
F7777000 - \SystemRoot\System32\Drivers\Npfs.SYS
BA5E0000 - \SystemRoot\system32\DRIVERS\rasacd.sys
B8148000 - \SystemRoot\system32\DRIVERS\ipsec.sys
B80F0000 - \SystemRoot\system32\DRIVERS\tcpip.sys
B80C8000 - \SystemRoot\system32\DRIVERS\netbt.sys
B80A6000 - \SystemRoot\System32\drivers\afd.sys
BA69F000 - \SystemRoot\system32\DRIVERS\netbios.sys
B807B000 - \SystemRoot\system32\DRIVERS\rdbss.sys
B7FE4000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
B7FA6000 - \??\C:\windows\system32\drivers\klif.sys
B7F85000 - \SystemRoot\system32\DRIVERS\ipnat.sys
F76B7000 - \SystemRoot\system32\DRIVERS\wanarp.sys
F76C7000 - \SystemRoot\System32\Drivers\Fips.SYS
F76D7000 - \SystemRoot\system32\DRIVERS\arp1394.sys
B9501000 - \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
B9394000 - \SystemRoot\system32\DRIVERS\hidusb.sys
F76F7000 - \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
F7797000 - \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
B9390000 - \SystemRoot\system32\DRIVERS\mouhid.sys
F7484000 - \SystemRoot\System32\Drivers\Cdfs.SYS
B7EA5000 - \SystemRoot\System32\Drivers\dump_atapi.sys
F79A9000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS
BF800000 - \SystemRoot\System32\win32k.sys
B81EB000 - \SystemRoot\System32\drivers\Dxapi.sys
F77B7000 - \SystemRoot\System32\watchdog.sys
BF000000 - \SystemRoot\System32\drivers\dxg.sys
F7A8B000 - \SystemRoot\System32\drivers\dxgthk.sys
BF012000 - \SystemRoot\System32\nv4_disp.dll
B5948000 - \SystemRoot\system32\drivers\wdmaud.sys
B6C95000 - \SystemRoot\system32\drivers\sysaudio.sys
F798F000 - \SystemRoot\System32\Drivers\ParVdm.SYS
B5651000 - \SystemRoot\system32\DRIVERS\srv.sys
AF985000 - \SystemRoot\system32\drivers\kmixer.sys
F7AC0000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys

Total number of drivers = 119

Liste des programmes installes

Adobe Flash Player Plugin
adsl TV
Battlefield 1942
EVEREST Ultimate Edition v4.00
HijackThis 2.0.0
IncrediMail Xe
Kaspersky Internet Security 7.0
Kaspersky Internet Security 7.0
XChat 2 (remove only)



Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est A457-E8CB

Répertoire de C:\Program Files

03/09/2007 23:25 <REP> .
03/09/2007 23:25 <REP> ..
30/08/2007 20:12 <REP> adslTV
20/08/2007 13:58 <REP> Alcohol Soft
21/08/2007 03:29 <REP> Alcohol Toolbar
14/08/2007 15:44 <REP> CCleaner
03/08/2007 23:43 <REP> ComPlus Applications
02/09/2007 20:22 <REP> eMule
03/09/2007 22:46 <REP> Fichiers communs
04/08/2007 00:27 <REP> Grisoft
27/08/2007 23:24 <REP> IncrediMail
03/08/2007 23:51 <REP> Internet Explorer
04/08/2007 00:33 <REP> Java
03/09/2007 17:43 <REP> Kaspersky Lab
14/08/2007 15:49 <REP> K-Lite Codec Pack
01/09/2007 12:07 <REP> Lavalys
04/08/2007 00:23 <REP> Messenger Plus! Live
07/08/2007 21:35 <REP> Mozilla Firefox
03/08/2007 23:44 <REP> NetMeeting
03/08/2007 23:52 <REP> Outlook Express
04/08/2007 00:11 <REP> Realtek AC97
03/08/2007 23:45 <REP> Services en ligne
04/08/2007 01:00 <REP> Spider
15/08/2007 23:02 <REP> Stardock
04/09/2007 01:08 <REP> Steam
14/08/2007 00:28 <REP> Sunbelt Software
04/08/2007 01:44 <REP> VideoLAN
04/08/2007 00:20 <REP> Winamp
04/08/2007 00:21 <REP> Windows Live
04/08/2007 03:36 <REP> Windows Media Player
03/08/2007 23:42 <REP> Windows NT
04/08/2007 03:28 <REP> WinRAR
02/09/2007 12:49 <REP> xchat
04/08/2007 21:14 <REP> Yahoo!
0 fichier(s) 0 octets
34 Rép(s) 31 517 286 400 octets libres
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est A457-E8CB

Répertoire de C:\Program Files\fichiers communs

03/09/2007 22:46 <REP> .
03/09/2007 22:46 <REP> ..
29/08/2007 18:12 <REP> Adobe
29/08/2007 16:45 <REP> InstallShield
04/08/2007 00:31 <REP> Java
04/08/2007 00:21 <REP> Microsoft Shared
03/08/2007 23:44 <REP> MSSoap
04/08/2007 01:37 <REP> ODBC
03/08/2007 23:44 <REP> Services
04/08/2007 01:37 <REP> SpeechEngines
03/08/2007 23:44 <REP> System
0 fichier(s) 0 octets
11 Rép(s) 31 517 286 400 octets libres
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est A457-E8CB

Répertoire de C:\Program Files\fichiers communs\Microsoft Shared\Web Folders

03/08/2007 23:56 <REP> .
03/08/2007 23:56 <REP> ..
18/05/2001 15:57 561 209 MSONSEXT.DLL
03/06/1999 12:09 122 937 MSOWS409.DLL
07/03/2001 07:00 127 033 MSOWS40c.DLL
3 fichier(s) 811 179 octets
2 Rép(s) 31 517 282 304 octets libres
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est A457-E8CB

Répertoire de C:\

20/07/2007 00:48 503 144 dxsetup.exe
1 fichier(s) 503 144 octets
0 Rép(s) 31 517 282 304 octets libres




Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est A457-E8CB

Répertoire de C:\

c:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.0.125\French\setup.exe
c:\Documents and Settings\Momo\Bureau\ComboFix.exe
c:\Documents and Settings\Momo\Bureau\HiJackThis_v2.exe
c:\Documents and Settings\Momo\Bureau\kis7.0.0.125fr.exe
c:\Documents and Settings\Momo\Bureau\OTMoveIt.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\catchme.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\diff.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\dumphive.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\FilesInfoCmd.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\find2.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\Fport.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\grep.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\KProcCheck.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\LFiles.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\LISTDLLS.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\md5sums.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\pslist.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\streams.exe
c:\Documents and Settings\Momo\Bureau\DiagHelp\swreg.exe
c:\Documents and Settings\All Users\Application Data\Grisoft\AVG Anti-Spyware 7.5\Downloads\help.dll
c:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll
c:\Documents and Settings\Momo\Application Data\Mozilla\Firefox\Profiles\x0lthjua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
c:\Documents and Settings\Momo\Application Data\Mozilla\Firefox\Profiles\x0lthjua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

****** Fin du rapport DiagHelp
4 September 2007 14:23:34

Re

Not much in this report.

Download clean.zip
http://www.malekal.com/download/clean.zip
Unzip it to your desktop
Double-click clean, which is in the clean folder.
Choose option 1
A report will be generated; paste its entire contents here.
4 Septembre 2007 18:23:44

04/09/2007 a 18:22:50,70

*** Recherche des fichiers dans C:

*** Recherche des fichiers dans C:\windows\

*** Recherche des fichiers dans C:\windows\system32

*** Recherche des fichiers dans C:\Program Files
*** Fin du rapport !
4 September 2007 19:02:27

Nothing in this report.
I have doubts about an infection.

Download Silent Runners
http://www.silentrunners.org/Silent%20Runners.zip

If your antivirus raises an alert about this script while downloading or running it, ignore it.

Once downloaded, unzip it into a dedicated folder.
Then double-click the file; it will work for a while, wait until a message appears.
A report is generated in the same folder; paste it here.
The end should look like this

Quote:
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 104 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 14 seconds.
---------- (total run time: 162 seconds)
4 September 2007 19:20:13

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\windows\system32\ctfmon.exe" [MS]
"LClock" = "lclock.exe" [null data]
"Steam" = ""c:\program files\steam\steam.exe" -silent" ["Valve Corporation"]
"MsnMsgr" = ""C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]
"IncrediMail" = "C:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"BitTorrent" = ""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
4 September 2007 19:48:14

I just ran another scan with Kaspersky; it detected a virus, which I deleted.

Otherwise, do you see anything suspicious in my report?

Thanks.
4 September 2007 21:29:19

The report is incomplete.

Look at what I told you.
It must end with

Quote:
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 104 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 14 seconds.
---------- (total run time: 162 seconds)
4 September 2007 21:49:53

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\windows\system32\ctfmon.exe" [MS]
"LClock" = "lclock.exe" [null data]
"Steam" = ""c:\program files\steam\steam.exe" -silent" ["Valve Corporation"]
"MsnMsgr" = ""C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]
"IncrediMail" = "C:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"BitTorrent" = ""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mes dossiers de partage"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1235.0517.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\windows\system32\Audiodev.dll" [MS]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
-> {HKLM...CLSID} = "DisplayCplExt Class"
\InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" ["Stardock.Net, Inc"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statistiques d’Anti-Virus Internet"
-> {HKLM...CLSID} = "Statistiques d’Anti-Virus Internet"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\windows\System32\uxtuneup.dll" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\windows\system32\klogon.dll" ["Kaspersky Lab"]
<<!>> WBSrv\DLLName = "C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll" ["Stardock Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

"SaveZoneInformation" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"HideZoneInfoOnProperties" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000040
{unrecognized setting}

"NoSMBalloonTip" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Momo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"Maintenance en 1 clic" -> launches: "C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar avec bloqueur de fenêtres pop-up"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar avec bloqueur de fenêtres pop-up"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statistiques d’Anti-Virus Internet"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statistiques d’Anti-Virus Internet"


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*b" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar avec bloqueur de fenêtres pop-up"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
Kaspersky Internet Security 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r" ["Kaspersky Lab"]
StarWind AE Service, StarWindServiceAE, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]
TuneUp Extension de thème, UxTuneUp, "C:\windows\System32\svchost.exe -k netsvcs" {"C:\windows\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


---------- (launch time: 2007-09-04 19:19:37)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 54 seconds, including 6 seconds for message boxes)