spyware: pop-ups under XP... - Security - Windows & Software
Marsh Posted on 15-07-2006 at 18:38:58
Hello,
Download L2mfix (by Shadowwar) from one of these links:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save it to the Desktop
double-click l2mfix.exe.
Click the Install button to extract its contents and follow the prompts,
then open the new l2mfix folder on the Desktop.
Double-click l2mfix.bat and choose option #1, Run Find Log, by typing 1 and then Enter.
The scan will start without showing any indication, then, after a minute or two,
a text file will appear.
Copy the contents of that report ("report.txt") into your next reply.
WARNING!
However, if an error appears when launching option #1, similar to this:
"C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. Choose close to terminate the application."...
then use option #5 or the web link provided in the "l2mfix" folder to resolve this error. Don't run any other options before this problem has been sorted out.
Marsh Posted on 15-07-2006 at 18:41:28
Hello, I saw that you have MessengerPlus! Did you install the sponsor?
Check and fix:
Quote:
Then download KillBox: http://www.bleepingccomputer.com/killbox.php
Copy the following two lines in one go:
Then follow this procedure:
1. Open the KillBox File menu and choose "Paste from clipboard"
2. Then check "Delete on reboot"
3. Click the white cross and accept the reboot
Once you have rebooted, follow this to the letter:
1. Disable System Restore (right-click My Computer/Properties/System Restore tab/check the box "Turn off System Restore on all drives")
2. Empty the contents of the following folders:
3. Clear the cache+cookies+history of every installed browser
4. Reboot and post a new Hijackthis log
EDIT: Sorry bruce, you must have posted while I was writing and I didn't see your message before sending mine... of course I have no objection, and I'll leave you the topic if you want
Marsh Posted on 15-07-2006 at 18:45:02
hi med365,
the 016 lines are not to be fixed.
System disinfection, it's better not to disable it, because if there's a big problem you can't restore.
Med 365, if you have no objection, I'd like to remove look2me first.
Marsh Posted on 15-07-2006 at 18:48:55
thanks a lot to both of you, I'll try it and keep you posted
Marsh Posted on 15-07-2006 at 19:00:53
the bruce lee wrote: Hello,
here's the answer:
L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j6p0lg7m16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EBD2492F-C35C-7F96-6AB2-C4E33F9BCED5}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propriétés du fichier multimédia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de sécurité NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propriétés de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Écran du Panneau de configuration"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de sécurité DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Page de compatibilité"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de données endommagées de l'environnement"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'environnement pour les objets réseau de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'écran ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'environnement de compression de fichiers"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension de l'environnement d'imprimante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extension icône HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de sécurité des imprimantes"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions réseau"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Connexions réseau"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Scanneurs et appareils photo"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Scanneurs et appareils photo"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Scanneurs et appareils photo"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Scanneurs et appareils photo"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Scanneurs et appareils photo"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensions de l'interpréteur de commandes pour l'environnement d'exécution de scripts Windows"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Liaison de données Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tâches planifiées"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barre des tâches et menu Démarrer"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Rechercher"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Exécuter..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Courrier électronique"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Polices"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Outils d'administration"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="État du téléchargement"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau étendu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augmenté"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Bande du navigateur Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Bande de recherche"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Volet intégré de recherche"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Recherche Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitaire des options de l'arborescence du Registre"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Boîte d'entrée de l'adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Saisie semi-automatique Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Liste de saisie semi-automatique MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Liste de saisie semi-automatique personnalisée MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barre de progrès auto-ouvrante"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analyseur de la barre d'adresses"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Liste de saisie semi-automatique de l'historique Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Liste de saisie semi-automatique du dossier Shell Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Conteneur de la liste de saisie semi-automatique multiple Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu Site de bandes"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barre du Bureau"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistance utilisateur"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Paramètres du dossier global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historique"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Image de démarrage de la Suite IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Dossier ActiveX Cache"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Dossier Inscription"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestionnaire d'applications d'environnement"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Énumérateur d'applications installées"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publication d'application Darwin"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extracteur de miniatures de fichier + GDI"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Gestionnaire de miniatures - Informations de résumé (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extracteur de miniatures HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistant Publication de sites Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Commande d'impressions via le Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objet Assistant de publication Shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Assistant Obtenir une identité Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Comptes d'utilisateurs"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Fichier de chaîne"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Raccourci de chaîne"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Dossier Fichiers hors connexion"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Des &personnes..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Périphériques Plug and Play universels"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"="EditPlus Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Dossiers Web"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}"="Messenger Sharing Folders"
"{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}"=""
"{4478F8DB-DE19-411B-8B17-4EB14EB918B5}"=""
"{9E0EC849-B6A1-479F-B270-C4E4015B1C35}"=""
"{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}"=""
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}]
@=""
"IDEx"="ADDR"
[HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}\InprocServer32]
@="C:\\WINDOWS\\system32\\MGnipulate.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}\InprocServer32]
@="C:\\WINDOWS\\system32\\hmpertrm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
browseui.dll Wed 10 May 2006 7:24:34 A.... 1 023 488 999,50 K
cdfview.dll Wed 10 May 2006 7:24:34 A.... 152 064 148,50 K
danim.dll Wed 10 May 2006 7:24:34 A.... 1 056 768 1,01 M
dxtmsft.dll Wed 10 May 2006 7:24:36 A.... 357 888 349,50 K
dxtrans.dll Wed 10 May 2006 7:24:36 A.... 205 312 200,50 K
extmgr.dll Wed 10 May 2006 7:24:36 ..... 55 808 54,50 K
hmpertrm.dll Sat 15 Jul 2006 17:28:00 ..S.R 234 986 229,48 K
iepeers.dll Wed 10 May 2006 7:24:36 A.... 251 392 245,50 K
inseng.dll Wed 10 May 2006 7:24:36 A.... 96 768 94,50 K
irpql5~1.dll Sat 15 Jul 2006 17:28:00 ..S.R 236 561 231,02 K
irr2l5~1.dll Sat 15 Jul 2006 17:04:16 ..S.R 236 281 230,74 K
j6p0lg~1.dll Sat 15 Jul 2006 16:36:18 ..S.R 234 986 229,48 K
jgdw400.dll Thu 1 Jun 2006 20:48:44 A.... 163 840 160,00 K
jgpl400.dll Thu 1 Jun 2006 20:48:44 A.... 27 648 27,00 K
jscript.dll Thu 18 May 2006 7:31:22 A.... 450 560 440,00 K
jsproxy.dll Wed 10 May 2006 7:24:36 A.... 16 384 16,00 K
mshtml.dll Fri 19 May 2006 17:09:50 A.... 3 073 536 2,93 M
mshtmled.dll Wed 10 May 2006 7:24:36 A.... 448 512 438,00 K
msrating.dll Wed 10 May 2006 7:24:36 A.... 146 432 143,00 K
mstime.dll Wed 10 May 2006 7:24:38 A.... 532 480 520,00 K
pngfilt.dll Wed 10 May 2006 7:24:38 A.... 39 424 38,50 K
rasmans.dll Sun 14 May 2006 10:48:16 A.... 181 248 177,00 K
shdocvw.dll Mon 29 May 2006 17:29:14 A.... 1 494 528 1,42 M
shlwapi.dll Wed 10 May 2006 7:24:40 A.... 474 624 463,50 K
sirenacm.dll Fri 16 Jun 2006 14:34:44 A.... 48 936 47,79 K
urlmon.dll Wed 10 May 2006 7:24:40 A.... 615 936 601,50 K
wininet.dll Wed 10 May 2006 7:24:40 A.... 662 528 647,00 K
wmp.dll Sat 29 Apr 2006 6:07:48 A.... 5 533 696 5,28 M
xpsp3res.dll Thu 11 May 2006 10:57:36 A.... 26 624 26,00 K
29 items found: 29 files (4 H/S), 0 directories.
Total of file sizes: 18 079 238 bytes 17,24 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est 9063-B372
Répertoire de C:\WINDOWS\System32
15/07/2006 17:27 234 986 hmpertrm.dll
15/07/2006 17:27 236 561 irpql5751.dll
15/07/2006 17:04 236 281 irr2l59o1.dll
15/07/2006 16:36 234 986 j6p0lg7m16.dll
06/07/2006 21:55 <REP> dllcache
23/09/2004 14:52 <REP> Microsoft
4 fichier(s) 942 814 octets
2 Rép(s) 13 465 387 008 octets libres
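The find log above is what the helpers read to spot Look2Me: a Winlogon\Notify package whose DllName is a full path to a randomly named DLL, CLSIDs in Shell Extensions\Approved with an empty description whose InprocServer32 is a .tmp file, and freshly dated DLLs in system32 carrying the ..S.R attributes. As an added example (my own code, not L2MFix's and not anything posted in the thread), this Python script parses those sections in the .reg layout the log prints and applies exactly those rules to a constructed sample that reuses the entries from the log:

```python
import re
from typing import Dict, List

# Constructed sample in the .reg layout the find log prints; the suspicious
# paths and CLSIDs mirror the ones posted in the thread, the rest is benign.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j6p0lg7m16.dll"
"Logon"="WinLogon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{9E0EC849-B6A1-479F-B270-C4E4015B1C35}"=""
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
'''

# Constructed "Files Found" lines in the log's own column layout.
SAMPLE_FILES = """extmgr.dll Wed 10 May 2006 7:24:36 ..... 55 808 54,50 K
hmpertrm.dll Sat 15 Jul 2006 17:28:00 ..S.R 234 986 229,48 K
jscript.dll Thu 18 May 2006 7:31:22 A.... 450 560 440,00 K
j6p0lg~1.dll Sat 15 Jul 2006 16:36:18 ..S.R 234 986 229,48 K
"""

NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPROVED = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"
FILE_LINE = re.compile(r"^(\S+)\s+(\w{3} \d{1,2} \w{3} \d{4} \d{1,2}:\d{2}:\d{2})\s+([A-Z.]{5})\s")


def decode_value(data: str) -> str:
    """Decode the value encodings the log uses: "string", dword:, hex(2) (UTF-16LE)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data  # e.g. the "=-" deletion markers in the fix log


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # regedit wraps hex data with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = decode_value(data)
    return keys


def registry_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Apply the two registry rules; each finding is one printable string."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in keys.items()}
    # Rule 1: legitimate Notify packages (cscdll, crypt32chain, wlnotify...) name a
    # bare DLL that winlogon resolves from system32; the "Reinstall" package in the
    # log hard-codes a full path to a randomly named DLL loaded into winlogon.exe.
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY.lower() + "\\"):
            dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
            if "\\" in dll or ":" in dll:
                findings.append(f"Notify package {key.split(chr(92))[-1]} loads {dll}")
    # Rule 2: an approved shell extension with an empty description, or whose
    # InprocServer32 is not a .dll (the log's guard.tmp), is the Explorer-side
    # half of the infection that reloads the DLLs after they are deleted.
    for clsid, desc in lower.get(APPROVED.lower(), {}).items():
        server_key = f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32".lower()
        server = lower.get(server_key, {}).get("(Default)", "")
        if clsid.startswith("{") and (desc == "" or (server and not server.lower().endswith(".dll"))):
            findings.append(f"Shell extension {clsid} ({desc!r}) served by {server or 'unknown'}")
    return findings


def file_findings(listing: str) -> List[str]:
    """Flag files whose attribute column carries the System bit (..S.R in the log):
    Windows' own DLLs in the listing show A.... or ....., and System+Read-only on a
    freshly dated, randomly named DLL is how the infection hides its copies."""
    return [f"{m.group(1)} dated {m.group(2)} has attributes {m.group(3)}"
            for m in map(FILE_LINE.match, listing.splitlines()) if m and "S" in m.group(3)]


if __name__ == "__main__":
    for hit in registry_findings(parse_reg(SAMPLE_EXPORT)) + file_findings(SAMPLE_FILES):
        print("SUSPECT:", hit)
```

Run against a real find log, the same functions take the "Winlogon/notify", "Shell Extension key" and "HKEY ROOT CLASSIDS" sections and the "Files Found" block as input; anything they flag is what the helper then asks L2MFix's Run Fix to remove.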
Marsh Posted on 15-07-2006 at 19:34:14
re,
Close all running applications, because this step requires a reboot.
From the l2mfix folder on your Desktop,
double-click l2mfix.bat and choose option #2, Run Fix, by typing 2 and then Enter.
The Desktop icons will disappear (perfectly normal).
L2mfix will carry on with the scan and, when finished, it will be ready to reboot the PC.
Press any key to reboot.
After the reboot, a text file should appear.
Copy/paste the contents of that report into your next reply.
**If the text file (report) doesn't appear after the reboot, double-click the text file ("log.txt") located in the "l2mfix" folder.
Marsh Posted on 15-07-2006 at 19:53:36
here it is after rebooting; note that in my taskbar the "quick launch" toolbar disappears and the pop-ups show up straight away :s
L2mfix 051206
Creating Account.
La commande s'est terminée correctement.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (480)
Killing 'winlogon.exe'
winlogon.exe (600)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (372)
Killing 'rundll32.exe'
rundll32.exe "C:\WINDOWS\system32\hmpertrm.dll",DllGetVersion (1592)
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrateurs ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
1 fichier(s) copié(s).
1 fichier(s) copié(s).
Deleting: C:\WINDOWS\system32\hmpertrm.dll
Successfully Deleted: C:\WINDOWS\system32\hmpertrm.dll
Deleting: C:\WINDOWS\system32\irr2l59o1.dll
Successfully Deleted: C:\WINDOWS\system32\irr2l59o1.dll
msg11?.dll
0 fichier(s) copié(s).
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j6p0lg7m16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\hmpertrm.dll
C:\WINDOWS\system32\irr2l59o1.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}]
@=""
"IDEx"="ADDR"
[HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}\InprocServer32]
@="C:\\WINDOWS\\system32\\MGnipulate.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}\InprocServer32]
@="C:\\WINDOWS\\system32\\hmpertrm.dll"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}"=-
"{4478F8DB-DE19-411B-8B17-4EB14EB918B5}"=-
"{9E0EC849-B6A1-479F-B270-C4E4015B1C35}"=-
"{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}"=-
[-HKEY_CLASSES_ROOT\CLSID\{E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD}]
[-HKEY_CLASSES_ROOT\CLSID\{4478F8DB-DE19-411B-8B17-4EB14EB918B5}]
[-HKEY_CLASSES_ROOT\CLSID\{9E0EC849-B6A1-479F-B270-C4E4015B1C35}]
[-HKEY_CLASSES_ROOT\CLSID\{35285CEF-AD9F-460E-9F73-73BD7FCE1C94}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/hmpertrm.dll (164 bytes security) (deflated 5%)
adding: dlls/irr2l59o1.dll (164 bytes security) (deflated 5%)
adding: backregs/35285CEF-AD9F-460E-9F73-73BD7FCE1C94.reg (212 bytes security) (deflated 70%)
adding: backregs/9E0EC849-B6A1-479F-B270-C4E4015B1C35.reg (212 bytes security) (deflated 70%)
adding: backregs/E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD.reg (212 bytes security) (deflated 69%)
adding: backregs/notibac.reg (164 bytes security) (deflated 63%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Marsh Posted on 15-07-2006 at 20:06:30
and on top of that this bast... adds links to web pages on my desktop, they all point to http://www.zestyfind.com
Marsh Posted on 16-07-2006 at 11:55:07
Hello,
I don't think this report is complete.
Also post a new hijackthis log
Marsh Posted on 16-07-2006 at 18:43:06
Hello,
I have exactly the same pop-up problem, and since the same date as the person who started this topic.
Today I installed FireFox 1.5, and I find that I'm rid of those pop-ups (as long as I don't use IE).
Of course that doesn't amount to eradicating those pop-ups, but it's still a solution...
Otherwise, under IE, when a pop-up opens, I don't close it.
I've noticed that as long as you haven't closed one of those pop-ups, another one won't open. Otherwise you never stop closing them :-(
There you go, if it can help...
See you soon, and good luck ;-)
Strasfrantz
Marsh Posted on 16-07-2006 at 22:05:20
Here's the report, which can only be complete since I did "select all -> copy"
L2mfix 051206
Creating Account.
La commande s'est terminée correctement.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (480)
Killing 'winlogon.exe'
winlogon.exe (600)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (744)
Killing 'rundll32.exe'
rundll32.exe "C:\WINDOWS\system32\guard.tmp",DllGetVersion (3896)
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrateurs ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
1 fichier(s) copi(s).
1 fichier(s) copi(s).
1 fichier(s) copi(s).
1 fichier(s) copi(s).
1 fichier(s) copi(s).
Deleting: C:\WINDOWS\system32\cbrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\cbrtmgr.dll
Deleting: C:\WINDOWS\system32\irpql5751.dll
Successfully Deleted: C:\WINDOWS\system32\irpql5751.dll
Deleting: C:\WINDOWS\system32\nfopenal.dll
Successfully Deleted: C:\WINDOWS\system32\nfopenal.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Deleting: C:\WINDOWS\system32\guard.tmp_tobedeleted
Successfully Deleted: C:\WINDOWS\system32\guard.tmp_tobedeleted
msg11?.dll
0 fichier(s) copi(s).
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DIFx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn0201doe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cbrtmgr.dll
C:\WINDOWS\system32\irpql5751.dll
C:\WINDOWS\system32\nfopenal.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp_tobedeleted
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{C225F23C-BE49-45B8-93F1-007CB5F4998B}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C225F23C-BE49-45B8-93F1-007CB5F4998B}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C225F23C-BE49-45B8-93F1-007CB5F4998B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C225F23C-BE49-45B8-93F1-007CB5F4998B}\InprocServer32]
@="C:\\WINDOWS\\system32\\nfopenal.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{E9B4EC99-0406-4F77-9EF1-091B2B019F77}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E9B4EC99-0406-4F77-9EF1-091B2B019F77}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E9B4EC99-0406-4F77-9EF1-091B2B019F77}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E9B4EC99-0406-4F77-9EF1-091B2B019F77}\InprocServer32]
@="C:\\WINDOWS\\system32\\cbrtmgr.dll"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C225F23C-BE49-45B8-93F1-007CB5F4998B}"=-
"{E9B4EC99-0406-4F77-9EF1-091B2B019F77}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C225F23C-BE49-45B8-93F1-007CB5F4998B}]
[-HKEY_CLASSES_ROOT\CLSID\{E9B4EC99-0406-4F77-9EF1-091B2B019F77}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/cbrtmgr.dll (164 bytes security) (deflated 5%)
adding: dlls/guard.tmp (164 bytes security) (deflated 5%)
adding: dlls/guard.tmp_tobedeleted (164 bytes security) (deflated 5%)
adding: dlls/hmpertrm.dll (164 bytes security) (deflated 5%)
adding: dlls/irpql5751.dll (164 bytes security) (deflated 5%)
adding: dlls/irr2l59o1.dll (164 bytes security) (deflated 5%)
adding: dlls/nfopenal.dll (164 bytes security) (deflated 5%)
adding: backregs/35285CEF-AD9F-460E-9F73-73BD7FCE1C94.reg (212 bytes security) (deflated 70%)
adding: backregs/9E0EC849-B6A1-479F-B270-C4E4015B1C35.reg (212 bytes security) (deflated 70%)
adding: backregs/C225F23C-BE49-45B8-93F1-007CB5F4998B.reg (212 bytes security) (deflated 70%)
adding: backregs/E9B4EC99-0406-4F77-9EF1-091B2B019F77.reg (212 bytes security) (deflated 70%)
adding: backregs/E9BC27B9-477E-48E7-AAD9-9F01C62C1ECD.reg (212 bytes security) (deflated 69%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
and the second one:
Logfile of HijackThis v1.99.1
Scan saved at 22:05:02, on 16/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\wlancfg.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Gestionnaire réseau sans fil.lnk = C:\WINDOWS\wlancfg.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/micros [...] 0274114906
O17 - HKLM\System\CCS\Services\Tcpip\..\{51ECA93A-3218-46DD-BBD7-0DE53ECD7C34}: NameServer = 193.252.19.4,193.252.19.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\dn0201doe.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
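The L2mfix report above exports the whole Winlogon\Notify key. Among the stock Windows XP notification packages (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon), the DIFx entry stands out: it is registered with a full path to a randomly named DLL in system32, and the same DLL appears in the O20 line of the HijackThis log in this post. As an added example (not part of the thread and not code from L2mfix or HijackThis), here is a small Python parser that reads such a regedit export, decodes the hex(2) DllName values, and flags any notification package that is not in the stock set. The known-good table is an assumption built from the stock entries visible in the export above, and the sample export is a constructed excerpt of it.

```python
"""Triage a regedit export of HKLM\\...\\Winlogon\\Notify.

Added example, not from the forum thread or any tool it mentions.
KNOWN_GOOD is an assumption: the stock XP SP2 packages as seen in the
thread's own export. SAMPLE_EXPORT is a constructed excerpt of that export.
"""
import re

# Stock notification packages on XP SP2 (assumption; subkey -> bare DLL name).
KNOWN_GOOD = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]\\]+)\]$", re.I)
VAL_RE = re.compile(r'^"DllName"=(.*)$', re.I)

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DIFx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn0201doe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""


def decode_hex2(value: str) -> str:
    """Decode a REG_EXPAND_SZ exported as hex(2):xx,xx,... (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", value))
    return raw.decode("utf-16-le").rstrip("\x00")


def decode_value(raw: str) -> str:
    """Turn the right-hand side of a .reg line into a plain string."""
    raw = raw.strip()
    if raw.lower().startswith("hex(2):"):
        return decode_hex2(raw[7:])
    if raw.startswith('"') and raw.endswith('"'):
        # regedit escapes backslashes and quotes inside string values
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_notify_export(text: str) -> dict:
    """Return {subkey: dll} for every Notify subkey that declares a DllName."""
    # A trailing backslash means the value continues on the next line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    entries, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):      # some other key: stop attributing values
            current = None
            continue
        v = VAL_RE.match(line)
        if v and current is not None:
            entries[current] = decode_value(v.group(1))
    return entries


def triage(entries: dict) -> list:
    """Return (subkey, dll, reason) for entries that deviate from the stock set."""
    findings = []
    for name, dll in entries.items():
        base = dll.rsplit("\\", 1)[-1].lower()
        expected = KNOWN_GOOD.get(name.lower())
        reasons = []
        if expected is None:
            reasons.append("subkey is not one of the stock XP notification packages")
        elif base != expected:
            reasons.append(f"DLL {base} differs from the expected {expected}")
        if "\\" in dll:
            reasons.append("DllName is a full path; stock packages use a bare file name")
        if reasons:
            findings.append((name, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, dll, why in triage(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{name}: {dll} -> {why}")
```

Run against the constructed excerpt, only DIFx is reported; the two stock entries decode to crypt32.dll and cscdll.dll and pass. Because these DLLs load inside winlogon.exe, a hit here is worth more than a random O4 entry, which is why L2mfix prints the key in full before doing anything else.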
Marsh Posted on 16-07-2006 at 23:17:34
I had the same problem with a pop-up of the "Adulfriendfinder" kind, and also my home page kept opening on "sysprotectionpage" or "systemdoctor"; no way to get rid of it, even after reinstalling IE6 all last week, and then I found a link to a version of SmitfraudFix that I didn't know. I downloaded it and it immediately detected several problems that my version had ignored, and since then everything is back in order.
Here's the link, you can try it; if it works for you too, so much the better.
http://siri.urz.free.fr/Fix/SmitfraudFix.php
With Firefox, on the other hand, no problem at all, nothing seems to get through.
Marsh Posted on 17-07-2006 at 08:43:38
Hello,
Please print these instructions, or paste them into a text file, so you can read them during this fix. Read the note at the bottom carefully before starting.
Download Look2Me-Destroyer.exe (by Atribune) to your Desktop.
*If Look2Me-Destroyer does not relaunch automatically after the minute, reboot and try again.
Marsh Posted on 22-07-2006 at 20:53:04
here is the Look2Me report:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 22/07/2006 20:41:07
Infected! C:\WINDOWS\system32\k8no0i53e8.dll
Infected! C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\cbrtmgr.dll
Infected! C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\hmpertrm.dll
Infected! C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\irpql5751.dll
Infected! C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\irr2l59o1.dll
Infected! C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\nfopenal.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP573\A0206970.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208003.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208004.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208148.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208199.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208222.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208223.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208361.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208373.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208374.dll
Infected! C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208387.dll
Infected! C:\WINDOWS\system32\irnml5511.dll
Infected! C:\WINDOWS\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\k8no0i53e8.dll
C:\WINDOWS\system32\k8no0i53e8.dll Deleted successfully!
Attempting to delete: C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\cbrtmgr.dll
C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\cbrtmgr.dll Deleted successfully!
Attempting to delete: C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\hmpertrm.dll
C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\hmpertrm.dll Deleted successfully!
Attempting to delete: C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\irpql5751.dll
C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\irpql5751.dll Deleted successfully!
Attempting to delete: C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\irr2l59o1.dll
C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\irr2l59o1.dll Deleted successfully!
Attempting to delete: C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\nfopenal.dll
C:\Documents and Settings\zik_man\Bureau\l2mfix\dlls\nfopenal.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP573\A0206970.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP573\A0206970.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208003.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208003.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208004.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208004.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208148.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP574\A0208148.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208199.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208199.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208222.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208222.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208223.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208223.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208361.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208361.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208373.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208373.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208374.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208374.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208387.dll
C:\System Volume Information\_restore{29507B35-29AD-4CD9-9434-B8F747E5B076}\RP575\A0208387.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\irnml5511.dll
C:\WINDOWS\system32\irnml5511.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F729EAC7-B796-46D7-8FE3-DFA2046F55BE}"
HKCR\Clsid\{F729EAC7-B796-46D7-8FE3-DFA2046F55BE}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8B331BD8-671E-49AE-88DB-24508D9B1A9E}"
HKCR\Clsid\{8B331BD8-671E-49AE-88DB-24508D9B1A9E}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrateurs - Succeeded
Marsh Posted on 22-07-2006 at 20:53:47
Logfile of HijackThis v1.99.1
Scan saved at 20:53:25, on 22/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\wlancfg.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
H:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Gestionnaire réseau sans fil.lnk = C:\WINDOWS\wlancfg.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/micros [...] 0274114906
O17 - HKLM\System\CCS\Services\Tcpip\..\{51ECA93A-3218-46DD-BBD7-0DE53ECD7C34}: NameServer = 193.252.19.4,193.252.19.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
Marsh Posted on 22-07-2006 at 22:57:44
Hello,
If, during the procedure below, there are steps you were not able to do, please
continue the procedure to the end and mention them in your next reply.
You have no antivirus and no firewall; they are essential though!
download:
_ Avast, which you can download here: http://www.01net.com/telecharger/w [...] 25899.html
_ its (free) key, to be renewed roughly every 12 months (renewal is free too), which you can get here: http://www.01net.com/telecharger/w [...] 25899.html
a tutorial http://mr.dodo.perso.cegetel.net/tuto04.htm
choose one of these three firewalls:
_ ZoneAlarm, which you can download here http://www.zonelabs.com/store/cont [...] lid=nav_za
_ tutorial for ZoneAlarm here http://forum.telecharger.01net.com [...] ges-1.html
_ Sygate, which you can download here http://www.symantecstore.com/dr/v2 [...] _ID=203890
_ tutorial for Sygate here http://geeksasylum.free.fr/article [...] part01.htm
_ Kerio, which you can download here http://www.inoculer.com/firewall5.php3
- tutorial for Kerio http://www.vulgarisation-informatique.com/kerio.php
Install Avast and the firewall of your choice, then update both.
1/ Download http://www.ewido.net/en/download/ Ewido anti-spyware
Launch Ewido and click the Update button (toolbar, at the top). Under Manual Update click Start update.
You will see this just below once the update is complete: "Update successful"
Close Ewido. Do not run it yet.
2/ boot into Safe Mode http://www.sosordi.net/Faq/Faq.2.html
3/ do this:
Start, Run, services.msc, locate Netbios Helper Service
Double-click it; in the Service status field set it to stopped
in the Startup type field set it to disabled, then
Apply, then OK.
4/ do the same with:
Network DDE Connections
5/ now we delete the service:
Start / Run / cmd
run this command, which is in the quote, without the word quote:
Quote: |
6/ to delete the malicious files we will display all of them by doing this:
Quote: Start, My Computer or any other folder, Tools menu, Folder Options, View tab: |
7/ delete what is in bold:
C:\WINDOWS\system32\ altsvc.exe <== the file
C:\WINDOWS\system32\ service.exe <== the file WATCH THE SYNTAX!
8/ From Safe Mode, launch Ewido and click the Scanner button (on the toolbar) and then click Complete System Scan. The scan will take a while, so be patient.
Ewido will display a list of detected files on the left. At the end of the scan, the tool will apply the "Actions" automatically. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right side.
Click "Save Report", then "Save Report As". This generates a report as a text file. Make sure to save it somewhere safe (on your Desktop, for example).
9/ reboot into normal mode
10/ post the Ewido report along with a new HijackThis log.
good luck, and if you have any question at all, don't hesitate
@+
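The helper's reasoning in the post above (stop and disable the Netbios Helper Service and Network DDE Connections services, then delete altsvc.exe and service.exe) is O23 triage that can be written down as a rule: on a stock XP box, a service with an unknown owner whose binary lives directly under the Windows directory is a red flag. As an added example (not from the thread and not code from HijackThis or any other tool it mentions), here is a Python pass over HijackThis lines that applies that rule together with two others this thread illustrates: an O20 Winlogon Notify DLL outside the stock set (dn0201doe.dll), and an O4 autorun whose executable sits at the drive root (the dfndrad_5.exe and kybrdad_5.exe entries in the original poster's first log). The sample lines are constructed from the thread's own logs; the stock DLL set and the "unknown owner inside C:\WINDOWS" rule are assumptions of this example, not HijackThis logic.

```python
"""Flag suspicious O4 / O20 / O23 lines in a HijackThis v1.99 log.

Added example, not from the forum thread or from HijackThis itself.
STOCK_NOTIFY_DLLS and the triage rules are assumptions chosen to match
what the helpers in this thread singled out by hand.
"""
import re

# Bare file names of the Winlogon notification DLLs that ship with XP SP2 (assumption).
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Constructed from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\dn0201doe.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def first_token(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or the first space-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_hjt(lines) -> list:
    """Return (section, name, target, reason) tuples for lines matching the rules."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, name, cmd = m.groups()
            # HijackThis prints the raw registry string, so "C:\\x.exe" needs unescaping.
            target = first_token(cmd).replace("\\\\", "\\")
            if re.fullmatch(r"[A-Za-z]:\\[^\\]+\.exe", target, re.I):
                findings.append(("O4", name, target, "autorun executable at the drive root"))
            continue
        m = O20_RE.match(line)
        if m:
            name, dll = m.groups()
            if dll.rsplit("\\", 1)[-1].lower() not in STOCK_NOTIFY_DLLS:
                findings.append(("O20", name, dll, "Winlogon notification DLL outside the stock set"))
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            if owner == "Unknown owner" and path.lower().startswith("c:\\windows\\"):
                findings.append(("O23", name, path, "unowned service binary inside the Windows directory"))
    return findings


def suspicious_names(log_text: str) -> list:
    """Convenience wrapper: just the entry names, in log order."""
    return [f[1] for f in triage_hjt(log_text.splitlines())]


if __name__ == "__main__":
    for section, name, target, why in triage_hjt(SAMPLE_LOG.splitlines()):
        print(f"{section} {name}: {target} -> {why}")
```

On the constructed sample this reports defender, keyboard, Installer, Netbios Helper Service and Network DDE Connections (NETDDEC), and nothing else. The O23 rule deliberately lets Netropa NHK Server through even though its owner is unknown: an unsigned vendor binary under Program Files is ordinary on a 2006 XP machine, whereas a generic-sounding service whose executable sits in system32 with no vendor is not, which is exactly the distinction the helper drew.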
Marsh Posted on 15-07-2006 at 17:46:25
Hello,
Since this morning I've had pop-ups opening under XP from time to time, so I scanned my PC with Spybot and removed a few programs, and now Spybot doesn't detect anything abnormal, but the pop-ups are still there :s
I did a scan with HijackThis, here is the result:
Logfile of HijackThis v1.99.1
Scan saved at 17:45:56, on 15/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wlancfg.exe
C:\Program Files\FreshDevices\FreshDownload\fd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy PDF Creator] C:\Program Files\Easy PDF Creator\EasyPDFCreator.exe
O4 - HKLM\..\Run: [RemoveWGA] C:\Documents and Settings\zik_man\Bureau\RemoveWGA.exe -startup
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Gestionnaire réseau sans fil.lnk = C:\WINDOWS\wlancfg.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/ [...] insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/micros [...] 0274114906
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/bina [...] b32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/ [...] cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51ECA93A-3218-46DD-BBD7-0DE53ECD7C34}: NameServer = 193.252.19.4,193.252.19.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\j6p0lg7m16.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
If anyone can help me, many thanks
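As an added illustration (not code from this thread or from HijackThis), here is a small Python reviewer for the HijackThis log format above: it parses the O4 Run, O20 Winlogon Notify and O23 Service lines and flags entries worth a closer look, using three heuristics drawn from this particular log (an .exe launched from the drive root, a Winlogon Notify DLL with a random-looking name, and an "Unknown owner" service running from system32). The sample lines are a constructed subset of the posted log, and the heuristics are my own assumptions rather than anything HijackThis itself does.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (a subset of its lines, not the whole report).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\j6p0lg7m16.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
"""

# Line shapes as they appear in the log (assumed from the posted report).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def image_path(cmd):
    """Executable named by a Run command line (quotes and arguments stripped)."""
    m = re.match(r'"?(?P<p>.+?\.(?:exe|dll))', cmd, re.I)
    return m["p"] if m else cmd

def looks_random(stem):
    """Crude test for machine-generated names: long, alphanumeric, many digits."""
    return len(stem) >= 8 and stem.isalnum() and sum(c.isdigit() for c in stem) >= 3

def review(text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    flagged = []
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            # heuristic 1: an .exe sitting directly in the drive root (C:\\name.exe)
            if re.match(r"^[A-Za-z]:\\+[^\\]+\.exe$", image_path(m["cmd"]), re.I):
                flagged.append((line, "Run entry launches an executable from the drive root"))
        elif m := NOTIFY_RE.match(line):
            # heuristic 2: Winlogon Notify handlers load at logon; random names are unusual
            if looks_random(PureWindowsPath(m["path"]).stem):
                flagged.append((line, "Winlogon Notify DLL with a random-looking name"))
        elif m := SVC_RE.match(line):
            # heuristic 3: a service with no vendor name living in system32
            if m["owner"] == "Unknown owner" and "\\system32\\" in m["path"].lower():
                flagged.append((line, "service with no vendor name running from system32"))
    return flagged

if __name__ == "__main__":
    for line, reason in review(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Flagged lines are candidates for investigation (file properties, timestamps, a second opinion from an AV scan), not an automatic verdict.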