Spy introuvable, fenètres de Pub IE ...

Spy introuvable, fenètres de Pub IE ... - Sécurité - Windows & Software

Marsh Posté le 31-10-2005 à 10:10:31    

Salut,  
 
j'ai un pc à nettoyer et là je cale un peu. j'ai passé quelques anti-virus, anti-spy, anti-troyen qui ont éliminé quelques petites choses mais malgré tout les nettoyage que j'ai pu faire, je continue à avoir des fenètres IE publicitaire de m**** pour les casino, les voyages etc...
 
et pas moyen de mettre la main sur l'exe qui provoque ça ... une idée?

Reply

Marsh Posté le 31-10-2005 à 10:10:31   

Reply

Marsh Posté le 31-10-2005 à 13:52:23    

Ce n'est pas forcément un *.exe...
 
Télécharger "HijackThis" 1.99.1 sur:
 
http://www.spywareinfo.com/~merijn/downloads.html
 
-Le poser dans un dossier spécialement créé pour lui (par exemple:
C:\HijackThis ).
-Le lancer -> "Scan" -> "Save log"
-Récupérer ce log/texte avec le bloc notes.
-Le copier/coller ici, dans une réponse,sans rien faire d'autre.

Reply

Marsh Posté le 31-10-2005 à 18:25:17    

J'ai le même probleme....
 
Un spy introuvable... j'utilise firefox et aleatoirement, des pops up (under) IE s'ouvrent. ces pop ups ne sont pas liés aux sites que je visite.
 
Dans ma liste de programme en demarrage (msconfig) j'ai des ligne "blanche" sans aucun description.
 
Ce virus semble se reinstaller à chaque demarrage.
 
J'utilise :
-Virus Scan qui ne trouve rien
- spy sweeper qui m'a aidé a enlever pas mal de truc
- ad aware qui m'a aussi un peu aidé
- Advanced Uninstaller PRO 2005  
 
Mais malrgé tout ca le probleme reviens toujours...
 
voic ce qui Hijackthis donne pour moi :
Logfile of HijackThis v1.99.1
Scan saved at 18:19:38, on 31/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\XCSyncML.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bastien\Mes documents\Fichiers Telecharges\Programmes a reinstaller\Hijackthis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.grosbill.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [XCSyncML] C:\WINDOWS\system32\XCSyncML.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.grosbill.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/ [...] insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/ [...] cgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
 
 
Merci de votre aide !!!
 

Reply

Marsh Posté le 31-10-2005 à 20:08:08    

Les lignes blanches ce peuvent être des commandes incomplètes:
O4 - HKCU\..\Run: [LDM] \Program\  
 
Fais ceci pour voir :
télécharge SilentRunners.vbs.
Lance-le et copie/colle le log qu'il produit.


Message édité par acrobaze le 31-10-2005 à 20:08:30
Reply

Marsh Posté le 31-10-2005 à 20:55:51    

Tout d'abord merci de m'aider...  :)  
 
 
Voici ce que silentrunners donne :
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
 
 
Startup items buried in registry:
---------------------------------
 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MessengerPlus3" = ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"NCLaunch" = "C:\WINDOWS\NCLAUNCH.EXe" ["Northern Codeworks"]
"STYLEXP" = "C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide" [empty string]
"Creative Detector" = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R" ["Creative Technology Ltd"]
"LDM" = "\Program\" [file not found]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]
"zBrowser Launcher" = "C:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"MessengerPlus3" = ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"XCSyncML" = "C:\WINDOWS\system32\XCSyncML.exe" ["Extended Systems Inc"]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{33D0B7CC-535E-4CD0-B33A-934372B1AEFD}" = "Wise-FTP Network Places"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\we.dll" ["AceBIT GmbH"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{BF05BB6E-442C-428B-8025-82280B7BC26C}" = "Zen Micro Media Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll" ["Creative Technology Ltd"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
 
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
 
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
 
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
 
 
Active Desktop and Wallpaper:
-----------------------------
 
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
 
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Bastien\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
 
 
Enabled Screen Saver:
---------------------
 
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ss3dfo.scr" [MS]
 
 
Startup items in "Bastien" & "All Users" startup folders:
---------------------------------------------------------
 
C:\Documents and Settings\Bastien\Menu Démarrer\Programmes\Démarrage
"Xfire" -> shortcut to: "C:\Program Files\Xfire\Xfire.exe" ["Xfire Inc."]
 
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NkvMon.exe" -> shortcut to: "C:\Program Files\Nikon\NkView6\NkvMon.exe" ["Nikon Corporation"]
 
 
Enabled Scheduled Tasks:
------------------------
 
"At10" -> launches: "C:\WINDOWS\system32\wuauclt10.exe" [null data]
"At6" -> launches: "C:\WINDOWS\system32\username.exe" [file not found]
"At8" -> launches: "C:\WINDOWS\system32\smmss.exe" [file not found]
"At9" -> launches: "C:\WINDOWS\system32\wudupdate.exe" [null data]
 
 
Winsock2 Service Provider DLLs:
-------------------------------
 
Namespace Service Providers
 
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
 
Transport Service Providers
 
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
 
 
Toolbars, Explorer Bars, Extensions:
------------------------------------
 
Toolbars
 
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
  -> {CLSID}\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
 
Extensions (Tools menu items, main toolbar menu buttons)
 
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Console Java (Sun)"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]
 
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
 
 
Miscellaneous IE Hijack Points
------------------------------
 
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings" )
 
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.grosbill.com
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/"
 
Missing lines (compared with English-language version):
[Strings]: 2 lines
 
 
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
 
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
StyleXPService, StyleXPService, ""C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"" [empty string]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
 
 
Print Monitors:
---------------
 
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i865\Driver = "CNMLM5m.DLL" ["CANON INC."]
 
 
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 114 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 23 seconds.
---------- (total run time: 189 seconds)


Message édité par babasweb le 31-10-2005 à 21:01:48
Reply

Marsh Posté le 01-11-2005 à 01:31:51    

Bonjour, regardez mon post (Buggy83T) mon pb a le même symptôme que vous et semble avoir été résolu: à l'heure actuelle je n'ai plus eu de popups... mais je veille...
A+

Reply

Marsh Posté le 01-11-2005 à 11:22:42    

je suis désolé mais je n'ai pas compris comment ton probleme a été résolu....
 
petit up pour la forme...

Reply

Marsh Posté le 01-11-2005 à 11:41:48    

Va dans le gestionnaire de tâche et annule tout :

Citation :

Enabled Scheduled Tasks:  
------------------------  
 
"At10" -> launches: "C:\WINDOWS\system32\wuauclt10.exe" [null data]  
"At6" -> launches: "C:\WINDOWS\system32\username.exe" [file not found]  
"At8" -> launches: "C:\WINDOWS\system32\smmss.exe" [file not found]  
"At9" -> launches: "C:\WINDOWS\system32\wudupdate.exe" [null data]


 
Assure-toi que tu as accès aux fichiers cachés.
(explorateur windows->outils->options des dossiers->affichage
""Afficher les fichiers cachés"->coché
"Masquer les extensions.."->décoché)
 
Et supprime ces fichiers : wuauclt10.exe et wudupdate.exe.
(Fais attention : wuauclt10.exe  et non pas wuauclt.exe )
Tiensmoi au courant sur ce que tu auras trouvé.
 
 

Reply

Marsh Posté le 01-11-2005 à 12:07:12    

Merci Acrobaze
 
J'ai bien accès aux fichiers cachés (comme d'hab) ;)
 
Je ne trouve seulement que ceci dans l'ordre :
 
wuapi.dll
wuauclt1.exe
wuauclt.exe
wuaucpl.cpl
wuaucpl.cpl.manifest (caché)
 
wuauclt10.exe et wudupdate.exe sont introuvables (j'ai même lancé un recherche sur mon DD sur ces 2 fichiers...)
 
Aucun de ces "scheduled task" n'est visible dans le gestionnaire de taches non plus...

Reply

Marsh Posté le 01-11-2005 à 12:21:12    

On va faire ça :
Démarrer -> exécuter->tape:   cmd
Dans la boîte qui s'affiche, copie/colle une par une en tapant Entrée à chaque fois:
 
schtasks /delete /tn "At10" /f
Entrée
schtasks /delete /tn "At6" /f
Entée
schtasks /delete /tn "At8" /f
Entrée
schtasks /delete /tn "At9" /f
Entrée
 
Ferme cmd, redémarre, poste un log SilentRunners.

Reply

Marsh Posté le 01-11-2005 à 12:21:12   

Reply

Marsh Posté le 01-11-2005 à 12:28:31    

ca me donne ca
 
'schtasks' n'est pas reconnu en tant que commande interne ou externe. un programme executable ou un fichier de commandes.
 
j'ai essayé avec et sans les espaces dans tes lignes...

Reply

Marsh Posté le 01-11-2005 à 14:47:52    

J'ai lancé Spy Doctor et voici ce qu'il me donne :
 
Scan Results:
scan start: 01/11/2005 14:25:31  
scan stop: 01/11/2005 14:43:18  
scanned items: 123869  
found items: 35  
found and ignored: 0  
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner  
 
 
     
 Infection Name Location Risk  
 AproposMedia Explorer.EXE (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia atiptaxx.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia CTHELPER.EXE (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia iTouch.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia mcvsshld.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia mcagent.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia MsgPlus.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia mcvsescn.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia oasclnt.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia SpySweeper.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia msmsgs.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia Xfire.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia em_exec.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia msnmsgr.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia mcvsftsn.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia firefox.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 AproposMedia eye.exe (C:\WINDOWS\system32\nmemg13n.dll) Medium  
 PeopleOnPage HKCR\Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF} High  
 PeopleOnPage HKCR\Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}## High  
 PeopleOnPage HKCR\Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}\NumMethods High  
 PeopleOnPage HKCR\Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}\NumMethods## High  
 PeopleOnPage HKCR\Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}\ProxyStubClsid32 High  
 PeopleOnPage HKCR\Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}\ProxyStubClsid32## High  
 MediaPass HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} High  
 MediaPass HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\iexplore High  
 NavHelper HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} Info & PUAs  
 NavHelper HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}\iexplore Info & PUAs  
 AproposMedia C:\Documents and Settings\Bastien\Local Settings\Temporary Internet Files\Content.IE5\M9JGL4N6\nonbranded[1].htm Medium  
 Tracking Cookie(s) C:\Documents and Settings\Bastien\Cookies\bastien@rn11[2].txt Medium  
 Advertising C:\Documents and Settings\Bastien\Cookies\bastien@adtech[2].txt Low  
 eXact Advertising C:\Documents and Settings\Bastien\Cookies\bastien@trafficmp[1].txt Elevated  
 Tracking Cookie(s) C:\Documents and Settings\Bastien\Cookies\bastien@sento.122.2o7[1].txt Medium  
 Tracking Cookie(s) C:\Documents and Settings\Bastien\Cookies\bastien@bluestreak[1].txt Medium  
 SearchCentrix C:\WINDOWS\inf\gsim.inf Elevated  
 AproposMedia C:\WINDOWS\system32\nmemg13n.dll Medium  
 
Je n'ai encore rien touché....

Reply

Marsh Posté le 01-11-2005 à 15:04:00    

Pour les tâches...fais une recherche, je ne connais que cette commande.
 
Pour le reste :
Télécharge The registry search tool
Lance-le et ds la boîte, copie/colle : adchannel  
 
Et ici, copie/colle le résultat.
(c'est une simple vérification, il ne supprimera rien.)

Reply

Marsh Posté le 01-11-2005 à 15:37:13    

the registry search tool n'a pas trouvé "adchannel"
 
entre temps j'ai néttoyé avec Spy Doctor et il m'a viré pas mal de trucs...
ca semble s'etre arreté, j'ai rebooté refait une verif spy doctor et il n'a rien trouvé...
 
je vais continuer d'ouvrir l'oeil...  si ca revient je te tiens au courant
 
encore merci de m'aider Acrobaze ;)

Reply

Marsh Posté le 01-11-2005 à 17:14:53    

No problem, je craignais un "rootkit".
 
Sois vigilent. A+!

Reply

Marsh Posté le 01-11-2005 à 20:07:34    

bon fausse joie.... c'est revenu

Reply

Marsh Posté le 01-11-2005 à 21:01:37    

On va tenter ça, sans garantie :
télécharge ce fichier.
Pose-le sur ton bureau.
 
Redémarre en mode san échec.
 
Dézipe le fichier sur le bureau et lance RunThis.bat. Suis les indications.
 
Quand il a terminé son scan, repars en mode normal, copie/colle le log : log.txt qui se trouvera ds le mm dossier et dis ce qu'il en est des popups.


Message édité par acrobaze le 02-11-2005 à 17:52:16
Reply

Marsh Posté le 01-11-2005 à 23:14:11    

Ok j'ai tout fait !!!
 
alors voici le log obtenu :
Log of AproposFix v1  
 
************  
 
Running from directory:  
C:\Documents and Settings\Bastien\Bureau\aproposfix
 
************  
 
Registry entries found:  
 
[HKEY_LOCAL_MACHINE\Software\CrPioA0sZj7D]
@="fli6978FGGFGGHGEjEX8gDjFGGFVIGpbgWhplG7D78x1MLGw6\\Ax67G1747uy1vH7D7"
"Device"="\\\\.\\zQzEtNyQ"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mspsbfmc.sys"
"DriverName"="MSPrust"
"HideUninstallerName"="C:\\Program Files\\Divemule\\dsqrslvr.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\wowmsutb.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4CA7CB75-518D-411F-8922-003E23C0AD99}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\nmemg13n.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X6d59434-d1f5-39f2-9ab0-97359f00e828}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Divemule\\swpdsldp.exe"
 
************  
 
Removing hidden service:  
Service MSPrust removed.  
 
Removing hidden folder:  
Deletion of folder Divemule succeeded!  
 
Deleting files:  
 
Deletion of file C:\WINDOWS\system32\drivers\mspsbfmc.sys succeeded!  
Deletion of file C:\WINDOWS\system32\devbdgkl.exe succeeded!  
Deletion of file C:\WINDOWS\system32\nmemg13n.dll succeeded!  
Deletion of file C:\WINDOWS\system32\wowmsutb.exe succeeded!  
 
Backing up files:  
Done!  
 
Removing registry entries:  
 
REGEDIT4  
 
[-HKEY_CURRENT_USER\Software\CrPioA0sZj7D]
[-HKEY_LOCAL_MACHINE\Software\CrPioA0sZj7D]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CA7CB75-518D-411F-8922-003E23C0AD99}]
 
Done!  
 
Finished!  
 
 
 
 
et voici le nouveau hijackthis :
Logfile of HijackThis v1.99.1
Scan saved at 23:11:01, on 01/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\XCSyncML.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Xfire\Xfire.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Bastien\Mes documents\Fichiers Telecharges\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.grosbill.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [XCSyncML] C:\WINDOWS\system32\XCSyncML.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.grosbill.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/ [...] insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/ [...] cgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
pour l'instant pas de pop ups...
 
 
 

Reply

Marsh Posté le 02-11-2005 à 17:53:16    

Oki. Tu tiens au courant. c'était donc certainement un rootkit.

Reply

Marsh Posté le 02-11-2005 à 23:19:44    

Ca a l'air efficace, toujours pas de pop up...
 
J'ai redémarré plusieurs fois et toujours rien.
Je surveille encore histoire que le schedule ai été planifié plus tard et je repasserai pour confirmer demain :p
 
encore merci acrobaze, je vais m'epargner un formatage :p
 

Reply

Marsh Posté le 03-11-2005 à 17:29:00    

Ca a bel et bien disparu merci acrobaze !!

Reply

Marsh Posté le 03-11-2005 à 22:13:45    

Well done!
 
A+!

Reply

Marsh Posté le    

Reply

Sujets relatifs:

Leave a Replay

Make sure you enter the(*)required information where indicate.HTML code is not allowed