  HiJack log for Acrobaze & Co :-)

 



n°1940131
raoulpetite
Posted on 25-02-2005 at 17:18:35
 

Hello everyone,

I saw that I apparently have the same problem as Kim... a problem that Acrobaze solved.
So I got ahead of things and created a log with HJT and l2mfix.exe.
Here are the results.
I won't be able to work on the computer in question before Wednesday morning, so the reply is not urgent.
Still, it's the work computer... so I'd like to fix this without side effects... hmm.
Thanks for your help.

See you
 
 
 
 
 

Logfile of HijackThis v1.99.1

Scan saved at 13:38:19, on 22/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
 
C:\WINDOWS\System32\brss01a.exe
 
C:\PROGRA~1\NavNT\DefWatch.exe
 
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
 
C:\PROGRA~1\NavNT\rtvscan.exe
 
C:\WINDOWS\system32\rundll32.exe
 
C:\WINDOWS\Explorer.EXE
 
C:\PROGRA~1\NavNT\vptray.exe
 
C:\Program Files\Spybot\SpybotSD.exe
 
C:\WINDOWS\System32\qttask.exe
 
C:\Program Files\Spybot\TeaTimer.exe
 
C:\WINDOWS\System32\j?vaw.exe
 
C:\Documents and Settings\Thierry BORDERIE\Application Data\bmon.exe
 
C:\Program Files\Commence Workgroup\COMMENCE.exe
 
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
 
C:\program files\microsoft office\Office10\WINWORD.EXE
 
C:\WINDOWS\System32\ctfmon.exe
 
C:\Program Files\EBP\Compta\compta.exe
 
C:\WINDOWS\System32\W32MKDE.EXE
 
C:\Program Files\Acrobat 5.0\Reader\AcroRd32.exe
 
C:\PROGRA~1\WinZip\winzip32.exe
 
C:\DOCUME~1\THIERR~1\LOCALS~1\Temp\HijackThis.exe
 
 
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\THIERR~1\LOCALS~1\Temp\se.dll/sp.html
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
 
O1 - Hosts: 69.20.16.183 ieautosearch
 
O1 - Hosts: 69.20.16.183 auto.search.msn.com
 
O1 - Hosts: 69.20.16.183 search.netscape.com
 
O1 - Hosts: 69.20.16.183 ieautosearch
 
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
 
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
 
O4 - HKLM\..\Run: [Watch] C:\PROGRA~1\Minitel\Watch.exe
 
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
 
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck
 
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
 
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
 
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
 
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
 
O4 - HKCU\..\Run: [Rzqkmjiy] C:\WINDOWS\System32\j?vaw.exe
 
O4 - HKCU\..\Run: [Cld2000.exe] C:\Program Files\Calendrier\Cld2000.exe
 
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
 
O4 - HKCU\..\Run: [Hctt] C:\Documents and Settings\Thierry BORDERIE\Application Data\bmon.exe
 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
 
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
 
O8 - Extra context menu item: Pages liées - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
 
O8 - Extra context menu item: Pages similaires - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
 
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE8616B5-CA44-405A-ACAD-F45D5020C4A4}: NameServer = 200.200.200.2,200.200.200.1
 
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\en82l1lo1.dll
 
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
 
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
 
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
 
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
 
 
 
------------------------------------------------------------
 
L2MFIX find log 1.02b
 
These are the registry keys present
 
**********************************************************************************
 
Winlogon/notify:
 
Windows Registry Editor Version 5.00
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
 
"Asynchronous"=dword:00000000
 
"Impersonate"=dword:00000000
 
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
 
  6c,00,00,00
 
"Logoff"="ChainWlxLogoffEvent"
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
 
"Asynchronous"=dword:00000000
 
"Impersonate"=dword:00000000
 
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
 
  6c,00,6c,00,00,00
 
"Logoff"="CryptnetWlxLogoffEvent"
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
 
"DLLName"="cscdll.dll"
 
"Logon"="WinlogonLogonEvent"
 
"Logoff"="WinlogonLogoffEvent"
 
"ScreenSaver"="WinlogonScreenSaverEvent"
 
"Startup"="WinlogonStartupEvent"
 
"Shutdown"="WinlogonShutdownEvent"
 
"StartShell"="WinlogonStartShellEvent"
 
"Impersonate"=dword:00000000
 
"Asynchronous"=dword:00000001
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
 
"Asynchronous"=dword:00000000
 
"DllName"="C:\\WINDOWS\\system32\\en82l1lo1.dll"
 
"Impersonate"=dword:00000000
 
"Logon"="WinLogon"
 
"Logoff"="WinLogoff"
 
"Shutdown"="WinShutdown"
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
 
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
 
"Logoff"="NavLogoffEvent"
 
"StartShell"="NavStartShellEvent"
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
 
"DLLName"="wlnotify.dll"
 
"Logon"="SCardStartCertProp"
 
"Logoff"="SCardStopCertProp"
 
"Lock"="SCardSuspendCertProp"
 
"Unlock"="SCardResumeCertProp"
 
"Enabled"=dword:00000001
 
"Impersonate"=dword:00000001
 
"Asynchronous"=dword:00000001
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
 
"Asynchronous"=dword:00000000
 
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
 
  6c,00,6c,00,00,00
 
"Impersonate"=dword:00000000
 
"StartShell"="SchedStartShell"
 
"Logoff"="SchedEventLogOff"
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
 
"Logoff"="WLEventLogoff"
 
"Impersonate"=dword:00000000
 
"Asynchronous"=dword:00000001
 
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
 
  6c,00,6c,00,00,00
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
 
"DLLName"="WlNotify.dll"
 
"Lock"="SensLockEvent"
 
"Logon"="SensLogonEvent"
 
"Logoff"="SensLogoffEvent"
 
"Safe"=dword:00000001
 
"MaxWait"=dword:00000258
 
"StartScreenSaver"="SensStartScreenSaverEvent"
 
"StopScreenSaver"="SensStopScreenSaverEvent"
 
"Startup"="SensStartupEvent"
 
"Shutdown"="SensShutdownEvent"
 
"StartShell"="SensStartShellEvent"
 
"PostShell"="SensPostShellEvent"
 
"Disconnect"="SensDisconnectEvent"
 
"Reconnect"="SensReconnectEvent"
 
"Unlock"="SensUnlockEvent"
 
"Impersonate"=dword:00000001
 
"Asynchronous"=dword:00000001
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
 
"Asynchronous"=dword:00000000
 
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
 
  6c,00,6c,00,00,00
 
"Impersonate"=dword:00000000
 
"Logoff"="TSEventLogoff"
 
"Logon"="TSEventLogon"
 
"PostShell"="TSEventPostShell"
 
"Shutdown"="TSEventShutdown"
 
"StartShell"="TSEventStartShell"
 
"Startup"="TSEventStartup"
 
"MaxWait"=dword:00000258
 
"Reconnect"="TSEventReconnect"
 
"Disconnect"="TSEventDisconnect"
 
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
 
"DLLName"="wlnotify.dll"
 
"Logon"="RegisterTicketExpiredNotificationEvent"
 
"Logoff"="UnregisterTicketExpiredNotificationEvent"
 
"Impersonate"=dword:00000001
 
"Asynchronous"=dword:00000001
 
 
 
**********************************************************************************
 
useragent:
 
Windows Registry Editor Version 5.00
 
 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
 
"{954AFE66-29E6-4ABC-BB95-7CEC421A2273}"=""
 
 
 
**********************************************************************************
 
Shell Extension key:
 
Windows Registry Editor Version 5.00
 
 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
 
 
 
**********************************************************************************
 
HKEY ROOT CLASSIDS:
 
Windows Registry Editor Version 5.00
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{9BF0C49A-29E2-44CC-9F5F-345027442B62}]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{9BF0C49A-29E2-44CC-9F5F-345027442B62}\Implemented Categories]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{9BF0C49A-29E2-44CC-9F5F-345027442B62}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{9BF0C49A-29E2-44CC-9F5F-345027442B62}\InprocServer32]
 
@="C:\\WINDOWS\\system32\\mqexcl40.dll"
 
"ThreadingModel"="Apartment"
 
 
 
Windows Registry Editor Version 5.00
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{5023BE11-9F23-4AC0-8458-8BA9603FAF4F}]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{5023BE11-9F23-4AC0-8458-8BA9603FAF4F}\Implemented Categories]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{5023BE11-9F23-4AC0-8458-8BA9603FAF4F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{5023BE11-9F23-4AC0-8458-8BA9603FAF4F}\InprocServer32]
 
@="C:\\WINDOWS\\system32\\ccnsole.dll"
 
"ThreadingModel"="Apartment"
 
 
 
Windows Registry Editor Version 5.00
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{4C19144F-893D-47AB-96C1-8527CDE6EA2B}]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{4C19144F-893D-47AB-96C1-8527CDE6EA2B}\Implemented Categories]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{4C19144F-893D-47AB-96C1-8527CDE6EA2B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
 
@=""
 
 
 
[HKEY_CLASSES_ROOT\CLSID\{4C19144F-893D-47AB-96C1-8527CDE6EA2B}\InprocServer32]
 
@="C:\\WINDOWS\\system32\\guard.tmp"
 
"ThreadingModel"="Apartment"
 
 
 
**********************************************************************************
 
Files Found are not all bad files:
 
 
 
C:\WINDOWS\SYSTEM32\
 
   aelk.dll       Mon Feb 21 2005  10:06:16a  A....         39,936    39.00 K
 
   ccnsole.dll    Tue Feb 22 2005  11:06:56a  A....        231,854   226.42 K
 
   cfmmtb32.dll   Thu Feb 17 2005   8:51:22a  A....        231,474   226.05 K
 
   en82l1~1.dll   Tue Feb 22 2005  11:06:56a  ..S.R        228,840   223.48 K
 
   fhog.dll       Thu Feb 17 2005  10:15:58a  A....         41,472    40.50 K
 
   fmga.dll       Fri Feb 11 2005  11:02:24a  A....         41,472    40.50 K
 
   fp0o03~1.dll   Tue Feb 22 2005  11:07:08a  ..S.R        228,774   223.41 K
 
   gpjul3~1.dll   Thu Feb 17 2005   8:33:44a  ..S.R        231,474   226.05 K
 
   irjml5~1.dll   Thu Feb 17 2005   8:40:46a  ..S.R        228,757   223.39 K
 
   jijm.dll       Tue Feb 22 2005  10:40:30a  A....         39,936    39.00 K
 
   kjdusr.dll     Fri Feb 18 2005   8:51:12a  A....        231,854   226.42 K
 
   kt2ul7~1.dll   Wed Feb  9 2005  11:48:40a  ..S.R        231,257   225.84 K
 
   ldda.dll       Fri Feb 11 2005   9:56:46a  A....         41,472    40.50 K
 
   m882li~1.dll   Tue Feb 22 2005  11:38:42a  ..S.R        230,128   224.73 K
 
   mqexcl40.dll   Tue Feb 22 2005  11:38:42a  A....        228,840   223.48 K
 
   nvj029~1.dll   Wed Feb  9 2005  10:22:46a  ..S.R        231,098   225.68 K
 
   o4nsle~1.dll   Wed Feb  9 2005  10:06:18a  ..S.R        229,077   223.71 K
 
   sporder.dll    Wed Feb  9 2005   9:34:30a  A....          8,464     8.27 K
 
 
 
18 items found:  18 files (8 H/S), 0 directories.
 
   Total of file sizes:  2,976,179 bytes      2.84 M
 
Locate .tmp files:
 
 
 
No matches found.
 
**********************************************************************************
 
Directory Listing of system files:
 
 Le volume dans le lecteur C s'appelle SYSTEM
 Le numéro de série du volume est AC99-E0E3

 Répertoire de C:\WINDOWS\System32

22/02/2005  11:38           230 128 m882lilo18qc.dll
22/02/2005  11:07           228 774 fp0o03d3e.dll
22/02/2005  11:06           228 840 en82l1lo1.dll
17/02/2005  16:11    <REP>          dllcache
17/02/2005  08:40           228 757 irjml5111.dll
17/02/2005  08:33           231 474 gpjul3191.dll
09/02/2005  11:48           231 257 kt2ul7f91.dll
09/02/2005  10:22           231 098 nvj0291mg.dll
09/02/2005  10:06           229 077 o4nsle571h.dll
08/02/2005  15:34           417 792 j?vaw.exe
25/09/2002  11:07    <REP>          Microsoft
               9 fichier(s)        2 257 197 octets
               2 Rép(s)   1 225 080 832 octets libres
 


Message edited by raoulpetite on 26-03-2005 at 10:33:53
 

n°1940211
acrobaze
Posted on 25-02-2005 at 18:27:57

So now:

- Close your applications, there is going to be a reboot.
- Double-click l2mfix.bat and this time choose option 2 (type 2 and Enter). Don't worry if the desktop or the icons disappear for a moment. That's normal.
As before, there will be a text file at the end.

- Copy/paste that text file and a new HijackThis log, to finish.

n°1940379
raoulpetite
Posted on 25-02-2005 at 20:42:39

OK, I'll do it on Wednesday because I don't have the computer. Thanks for the reply.
I'll post it on Wednesday morning.
See you

n°1945247
raoulpetite
Posted on 02-03-2005 at 09:04:58
 

L2Mfix 1.02b
 
Running From:
C:\Documents and Settings\Thierry BORDERIE\Bureau\l2mfix
 
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW  Full access  BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access  BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  CREATEUR PROPRIETAIRE
 
 
 
Setting registry permissions:
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
 
Denying C access for really "Everyone"
 - adding new ACCESS DENY entry
 
 
Registry Permissions set too:
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------    Tout le monde
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW  Full access  BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access  BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  CREATEUR PROPRIETAIRE
 
 
 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\Thierry BORDERIE\Bureau\l2mfix  
System Rebooted!  
 
Running From:
C:\Documents and Settings\Thierry BORDERIE\Bureau\l2mfix
 
killing explorer and rundll32.exe  
 
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 196 'explorer.exe'
 
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
 
Scanning First Pass. Please Wait!
 
First Pass Completed  
 
Second Pass Scanning  
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\ccnsole.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\CFMMTB32.DLL
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\fp0o03d3e.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\gpjul3191.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\hrp4057qe.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\irjml5111.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kjdusr.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kt2ul7f91.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kudda.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\nvj0291mg.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\o4nsle571h.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 fichier(s) copié(s).
deleting: C:\WINDOWS\system32\ccnsole.dll  
Successfully Deleted: C:\WINDOWS\system32\ccnsole.dll
deleting: C:\WINDOWS\system32\CFMMTB32.DLL  
Successfully Deleted: C:\WINDOWS\system32\CFMMTB32.DLL
deleting: C:\WINDOWS\system32\fp0o03d3e.dll  
Successfully Deleted: C:\WINDOWS\system32\fp0o03d3e.dll
deleting: C:\WINDOWS\system32\gpjul3191.dll  
Successfully Deleted: C:\WINDOWS\system32\gpjul3191.dll
deleting: C:\WINDOWS\system32\hrp4057qe.dll  
Successfully Deleted: C:\WINDOWS\system32\hrp4057qe.dll
deleting: C:\WINDOWS\system32\irjml5111.dll  
Successfully Deleted: C:\WINDOWS\system32\irjml5111.dll
deleting: C:\WINDOWS\system32\kjdusr.dll  
Successfully Deleted: C:\WINDOWS\system32\kjdusr.dll
deleting: C:\WINDOWS\system32\kt2ul7f91.dll  
Successfully Deleted: C:\WINDOWS\system32\kt2ul7f91.dll
deleting: C:\WINDOWS\system32\kudda.dll  
Successfully Deleted: C:\WINDOWS\system32\kudda.dll
deleting: C:\WINDOWS\system32\nvj0291mg.dll  
Successfully Deleted: C:\WINDOWS\system32\nvj0291mg.dll
deleting: C:\WINDOWS\system32\o4nsle571h.dll  
Successfully Deleted: C:\WINDOWS\system32\o4nsle571h.dll
deleting: C:\WINDOWS\system32\guard.tmp  
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
 
Desktop.ini sucessfully removed
 
Zipping up files for submission:
  adding: ccnsole.dll (164 bytes security) (deflated 6%)
  adding: CFMMTB32.DLL (164 bytes security) (deflated 6%)
  adding: fp0o03d3e.dll (164 bytes security) (deflated 4%)
  adding: gpjul3191.dll (164 bytes security) (deflated 6%)
  adding: hrp4057qe.dll (164 bytes security) (deflated 4%)
  adding: irjml5111.dll (164 bytes security) (deflated 4%)
  adding: kjdusr.dll (164 bytes security) (deflated 6%)
  adding: kt2ul7f91.dll (164 bytes security) (deflated 5%)
  adding: kudda.dll (164 bytes security) (deflated 5%)
  adding: nvj0291mg.dll (164 bytes security) (deflated 5%)
  adding: o4nsle571h.dll (164 bytes security) (deflated 4%)
  adding: guard.tmp (164 bytes security) (deflated 5%)
  adding: clear.reg (164 bytes security) (deflated 46%)
  adding: echo.reg (164 bytes security) (deflated 9%)
  adding: desktop.ini (164 bytes security) (deflated 15%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 79%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: report.txt (164 bytes security) (deflated 65%)
  adding: test.txt (164 bytes security) (deflated 72%)
  adding: test2.txt (164 bytes security) (deflated 27%)
  adding: test3.txt (164 bytes security) (deflated 27%)
  adding: test5.txt (164 bytes security) (deflated 27%)
  adding: xfind.txt (164 bytes security) (deflated 64%)
  adding: backregs/4C19144F-893D-47AB-96C1-8527CDE6EA2B.reg (164 bytes security) (deflated 70%)
  adding: backregs/5023BE11-9F23-4AC0-8458-8BA9603FAF4F.reg (164 bytes security) (deflated 70%)
  adding: backregs/9BF0C49A-29E2-44CC-9F5F-345027442B62.reg (164 bytes security) (deflated 70%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)
 
Restoring Registry Permissions:  
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
 
Revoking access for really "Everyone"
 
 
Registry permissions set too:
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW  Full access  BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access  BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  CREATEUR PROPRIETAIRE
 
 
Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... failed (GetAccountSid(Administrators)=1332  
 
deleting local copy: ccnsole.dll    
deleting local copy: CFMMTB32.DLL    
deleting local copy: fp0o03d3e.dll    
deleting local copy: gpjul3191.dll    
deleting local copy: hrp4057qe.dll    
deleting local copy: irjml5111.dll    
deleting local copy: kjdusr.dll    
deleting local copy: kt2ul7f91.dll    
deleting local copy: kudda.dll    
deleting local copy: nvj0291mg.dll    
deleting local copy: o4nsle571h.dll    
deleting local copy: guard.tmp    
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
 
The following are the files found:  
****************************************************************************
C:\WINDOWS\system32\ccnsole.dll  
C:\WINDOWS\system32\CFMMTB32.DLL  
C:\WINDOWS\system32\fp0o03d3e.dll  
C:\WINDOWS\system32\gpjul3191.dll  
C:\WINDOWS\system32\hrp4057qe.dll  
C:\WINDOWS\system32\irjml5111.dll  
C:\WINDOWS\system32\kjdusr.dll  
C:\WINDOWS\system32\kt2ul7f91.dll  
C:\WINDOWS\system32\kudda.dll  
C:\WINDOWS\system32\nvj0291mg.dll  
C:\WINDOWS\system32\o4nsle571h.dll  
C:\WINDOWS\system32\guard.tmp  
 
Registry Entries that were Deleted:  
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.  
****************************************************************************
REGEDIT4
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9BF0C49A-29E2-44CC-9F5F-345027442B62}"=-
"{5023BE11-9F23-4AC0-8458-8BA9603FAF4F}"=-
"{4C19144F-893D-47AB-96C1-8527CDE6EA2B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{9BF0C49A-29E2-44CC-9F5F-345027442B62}]
[-HKEY_CLASSES_ROOT\CLSID\{5023BE11-9F23-4AC0-8458-8BA9603FAF4F}]
[-HKEY_CLASSES_ROOT\CLSID\{4C19144F-893D-47AB-96C1-8527CDE6EA2B}]
REGEDIT4
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{954AFE66-29E6-4ABC-BB95-7CEC421A2273}"=-
****************************************************************************
Desktop.ini Contents:  
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{954AFE66-29E6-4ABC-BB95-7CEC421A2273}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
 
 
 
 
 
Logfile of HijackThis v1.99.1
Scan saved at 08:50:43, on 02/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Documents and Settings\Thierry BORDERIE\Application Data\bmon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\THIERR~1\LOCALS~1\Temp\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\THIERR~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [Watch] C:\PROGRA~1\Minitel\Watch.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [Rzqkmjiy] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Cld2000.exe] C:\Program Files\Calendrier\Cld2000.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Hctt] C:\Documents and Settings\Thierry BORDERIE\Application Data\bmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Pages liées - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE8616B5-CA44-405A-ACAD-F45D5020C4A4}: NameServer = 200.200.200.2,200.200.200.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
 

n°1946026
acrobaze
Posted on 02-03-2005 at 19:00:52
 

Well... it's not just Vx2. You'll have to be much more careful not to get reinfected.
 
----------1
 
Download this uninstaller..
 
Run it and reboot.
 
----------2
Download CoolWebShredder (Alone) from:  
http://www.intermute.com/spysubtra [...] nload.html
Update it and leave it on standby on your desktop.  
 
Get the latest version of AdAware SE from:  
http://lavasoft.element5.com/french/support/download/  
Also download the "Language pack" to switch it to French.
Download -> install, update.  
 
-----------3
 
Reboot in safe mode.
 
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\THIERR~1\LOCALS~1\Temp\se.dll/sp.html  
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank  
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank  
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank  
O1 - Hosts: 69.20.16.183 auto.search.msn.com  
O1 - Hosts: 69.20.16.183 search.netscape.com  
O1 - Hosts: 69.20.16.183 ieautosearch  
O1 - Hosts: 69.20.16.183 ieautosearch  
O1 - Hosts: 69.20.16.183 ieautosearch  
 
Run HijackThis. Check these lines and click "Fix checked".
 
Empty these folders:
-C:\documents and settings\<your name>\local settings\temp  
-C:\temp (if present)
-C:\windows\temp
(Don't delete the folders themselves, just all the files inside them.)
 
Still in safe mode:  
-Run CoolWebShredder (Fix->next  
-Run a full Ad-Aware SE scan. Select and delete everything it finds.  
 
----------------4
 
Reboot in normal mode and post a (final?) log.

n°1946079
raoulpetit​e
Posted on 02-03-2005 at 19:32:04
 

OK, I'll do that tomorrow morning, now.
Thanks for your help.

n°1946529
raoulpetit​e
Posted on 03-03-2005 at 09:51:41
 

Logfile of HijackThis v1.99.1
Scan saved at 09:33:17, on 03/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\DOCUME~1\THIERR~1\LOCALS~1\Temp\HijackThis.exe
 
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [Watch] C:\PROGRA~1\Minitel\Watch.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [Cld2000.exe] C:\Program Files\Calendrier\Cld2000.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE8616B5-CA44-405A-ACAD-F45D5020C4A4}: NameServer = 200.200.200.2,200.200.200.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
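
Added example, not part of the original posts: one way to check a cleanup like this is to parse the HijackThis log taken before the fix and the one taken after it, then list which items disappeared and whether any hosts-file redirects remain. The two excerpts are lines copied from the 02/03/2005 and 03/03/2005 logs in this thread; the function names are hypothetical.

```python
import re

# Lines taken from the two HijackThis logs in this thread (02/03 and 03/03/2005).
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 08:50:43, on 02/03/2005
Running processes:
C:\WINDOWS\System32\j?vaw.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\THIERR~1\LOCALS~1\Temp\se.dll/sp.html
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [Rzqkmjiy] C:\WINDOWS\System32\j?vaw.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 09:33:17, on 03/03/2005
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# An item line is "<code> - <detail>", where the code is a letter and a number
# (R1, O1, O4, O20, O23 in this thread). Header and process lines do not match.
ITEM_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<detail>.+?)\s*$")

def parse_items(log_text):
    """Return the set of (code, detail) items found in a HijackThis log."""
    items = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.add((m.group("code"), m.group("detail")))
    return items

def diff_logs(before, after):
    """Items removed by the cleanup, items still present, and newly added items."""
    b, a = parse_items(before), parse_items(after)
    return {"removed": sorted(b - a), "kept": sorted(b & a), "added": sorted(a - b)}

def hosts_redirects(log_text):
    """Map each IP seen in O1 (hosts file) items to the hostnames pinned to it."""
    out = {}
    for code, detail in parse_items(log_text):
        m = re.match(r"Hosts: (\S+) (\S+)$", detail)
        if code == "O1" and m:
            out.setdefault(m.group(1), set()).add(m.group(2))
    return out

if __name__ == "__main__":
    for code, detail in diff_logs(BEFORE, AFTER)["removed"]:
        print("removed:", code, "-", detail)
```

An empty "added" list and an empty `hosts_redirects` result for the later log are what a completed cleanup should show; any item that reappears in a later scan points to a persistence mechanism that was missed.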
 

n°1947211
acrobaze
Posted on 03-03-2005 at 18:58:07
 


It's done! :hello:

n°1947222
raoulpetit​e
Posted on 03-03-2005 at 19:03:56
 

Great.
Once again, THANK YOU for your help.

