warning spyware detected on your computer

Section d'analyse de rapports et de désinfection : malwares en tous genre et autres indésirables. Demandes de nettoyage uniquement. Prise en charge restreinte : équipe spécialisée.

Modérateur: Modérateurs

Règles du forum :arrow: Les désinfections sont prises en charge par un groupe spécifique, tout le monde ne peut pas intervenir pour désinfecter les machines (règles).
:arrow: Les procédures sont sur-mesure, ne faites pas la même chose chez vous (explications).
:arrow: Un topic par machine, chacun crée le sien. ;)

warning spyware detected on your computer

Messagepar Asaracino » 17 Juin 2008 13:21

Bonjour à tous,

Comme certains, je viens de récolter le fameux écran bleu "warning spyware detected on your computer" et je n'arrive pas à m'en défaire.

J'ai utilisé Spybot, adware, kaspersky, ss succès..

Aidez-moi svp!

Pour faire gagner du tps, voici le rapport HijackThis!! Merci d'avance

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:52:25, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\LANDesk\LDClient\REG2REG2.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\TGJSERVER\bin\windows\wrapper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0\bin\jucheck.exe
C:\TGJSERVER\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\lphc54vj0eg7e.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\Notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Downloaded Program Files\SiebelAx_Desktop_Integration_19221.exe
C:\Documents and Settings\antonys\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qas-intranet/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\^^^^^.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C657AAF-22D9-5A16-E17D-31457D631863} - C:\WINDOWS\system\tlctw32.dll
O2 - BHO: (no name) - {432D4EBB-3639-42E6-AA21-E887CB3E70E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=LANDESK2:5007 /S=LANDESK2 /I=HTTP://LANDESK2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [Reg2Reg2] C:\Program Files\LANDesk\LDClient\REG2REG2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [Flash Media] C:\WINDOWS\system32\^^^^^.exe
O4 - HKLM\..\Run: [Glock Suite 1.1] C:\WINDOWS\system32\glock32.exe
O4 - HKLM\..\Run: [AudioHQ] C:\WINDOWS\system32\audiohq.exe -noplay
O4 - HKLM\..\Run: [lphc54vj0eg7e] C:\WINDOWS\system32\lphc54vj0eg7e.exe
O4 - HKLM\..\Run: [SMshc34vj0eg7e] C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdsyq.exe] C:\WINDOWS\system32\kdsyq.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickAddress Pro (2).lnk = C:\Program Files\qas\QuickAddress Pro\KEEPPRO.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://qas-intranet/
O15 - Trusted Zone: http://*.aussblweb1 (HKLM)
O15 - Trusted Zone: http://*.bossblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhsblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhweb (HKLM)
O15 - Trusted Zone: http://*.otsblweb1 (HKLM)
O15 - Trusted Zone: http://*.sfosblweb1 (HKLM)
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://gwhsblweb1/sales_enu/19221/apple ... d_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://gwhsblweb1/sales_enu/19221/apple ... ration.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/ ... loader.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gwhsblweb1/sales_enu/19221/apple ... Client.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qas.webex.com/client/T25L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qas.com
O17 - HKLM\Software\..\Telephony: DomainName = qas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qas.com
O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\SYSTEM32\LogCrypt.dll
O20 - Winlogon Notify: upigcfni - piplpip.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt64.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: ProWeb - QAS Ltd - D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
O23 - Service: QuickAddress Pro Web ActiveX Adaptor 4.02 (QAPWWActiveX 4.02) - QAS Ltd. - D:\QAS\ids\proweb4.03\QAPWWSV.EXE
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Test Wrapper Sample Application (testwrapper) - Unknown owner - C:\TGJSERVER\bin\windows\wrapper.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 10563 bytes
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 17 Juin 2008 16:55

Bienvenue sur la section sécurité de libellules. :-D

Ton rapport n'est pas fait avec la version finale de HijackThis, et comporte donc des manques et peut-être des erreurs, utilise la version 2.0.2 et poste un nouveau rapport stp.
Je confirme l'infection toutefois.

Voici un tuto avec les liens nécessaires :
http://www.libellules.ch/poster_log_hijackthis.php
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 17 Juin 2008 17:07

Merci bcq, tiens voici le nouveau rapport:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:06:30, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\TGJSERVER\bin\windows\wrapper.exe
C:\TGJSERVER\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qas.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qas-intranet/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\^^^^^.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {432D4EBB-3639-42E6-AA21-E887CB3E70E8} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=LANDESK2:5007 /S=LANDESK2 /I=HTTP://LANDESK2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [Reg2Reg2] C:\Program Files\LANDesk\LDClient\REG2REG2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [Flash Media] C:\WINDOWS\system32\^^^^^.exe
O4 - HKLM\..\Run: [AudioHQ] C:\WINDOWS\system32\audiohq.exe -noplay
O4 - HKLM\..\Run: [SMshc34vj0eg7e] C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdsyq.exe] C:\WINDOWS\system32\kdsyq.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickAddress Pro (2).lnk = C:\Program Files\qas\QuickAddress Pro\KEEPPRO.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Statistiques de la protection du trafic Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://qas-intranet/
O15 - Trusted Zone: http://*.aussblweb1 (HKLM)
O15 - Trusted Zone: http://*.bossblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhsblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhweb (HKLM)
O15 - Trusted Zone: http://*.otsblweb1 (HKLM)
O15 - Trusted Zone: http://*.sfosblweb1 (HKLM)
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://gwhsblweb1/sales_enu/19221/apple ... d_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://gwhsblweb1/sales_enu/19221/apple ... ration.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/ ... loader.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gwhsblweb1/sales_enu/19221/apple ... Client.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qas.webex.com/client/T25L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qas.com
O17 - HKLM\Software\..\Telephony: DomainName = qas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qas.com
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O20 - Winlogon Notify: upigcfni - piplpip.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: ProWeb - QAS Ltd - D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
O23 - Service: QuickAddress Pro Web ActiveX Adaptor 4.02 (QAPWWActiveX 4.02) - QAS Ltd. - D:\QAS\ids\proweb4.03\QAPWWSV.EXE
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Test Wrapper Sample Application (testwrapper) - Unknown owner - C:\TGJSERVER\bin\windows\wrapper.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 9933 bytes
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 17 Juin 2008 17:09

Ok on y va. :D

Télécharge SDFix (créé par AndyManchesta) et sauvegarde le sur ton Bureau.
***Si le lien ne fonctionne pas, essaie celui-ci : http://download.bleepingcomputer.com/an ... /SDFix.exe ***

Double clique sur SDFix.exe et choisis Install pour l'extraire à la racine de C:\. (cela donne C:\SDfix).

:!: Imprime ou note ce qui suit, tu n'auras pas accès à internet.

Redémarre ton ordinateur en mode sans échec en suivant la procédure que voici :
  • Redémarre ton ordinateur.
  • Après avoir entendu l'ordinateur biper lors du démarrage, mais avant que l'icône Windows apparaisse, tapote la touche F8 (une pression par seconde suffit).
  • A la place du chargement normal de Windows, un menu avec différentes options devrait apparaître.
  • Choisis la première option, pour exécuter Windows en mode sans échec, puis appuie sur "Entrée".
  • Choisis ton compte.
Suis la liste des instructions ci-dessous :
  • Ouvre le dossier SDFix qui vient d'être créé dans le répertoire C:\ et double clique sur RunThis.bat pour lancer le script.
  • Appuie sur Y pour commencer le nettoyage.
  • SDFix va supprimer les services et les entrées du Registre de certains trojans trouvés puis te demandera d'appuyer sur une touche pour redémarrer.
  • Appuie sur une touche pour redémarrer le PC.
  • Ton système sera plus long pour redémarrer qu'à l'accoutumée car l'outil va continuer à s'exécuter et supprimer des fichiers.
  • Après le chargement du Bureau, l'outil terminera son travail et affichera Finished.
  • Appuie sur une touche pour finir l'exécution du script et charger les icônes de ton Bureau.
  • Les icônes du Bureau affichées, le rapport SDFix s'ouvrira à l'écran et s'enregistrera aussi dans le dossier SDFix sous le nom Report.txt.
  • Enfin, copie/colle le contenu du fichier Report.txt dans ta prochaine réponse sur le forum, avec un nouveau log Hijackthis !

    Si SDfix ne se lance pas (ça arrive!)

    * Démarrer->Exécuter
    * Copie/colle ceci:
    %systemroot%\system32\cmd.exe /K %systemdrive%\SDFix\apps\FixPath.exe

    * Clique sur ok, et valide.
    * Redémarre et essaye de nouveau de lancer SDfix.
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 17 Juin 2008 17:29

En choisissant mode ss echec, je n'arrive pas à valider mon password. Puis-je utiliser une autre option? (Network connection, etc..)
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 17 Juin 2008 17:31

Il le faut en mode sans échec, et dans ton compte habituel.
Peut-être un problème Azerty/Qwerty ou des chiffres genre pavé numérique pas activé, majuscules minuscules, etc...
Ou une erreur de mot de passe. Réessaie, ça doit passer. :-D
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 17 Juin 2008 17:51

Re,

Voilà les 2 rapports que tu m'as demandé:

1/ Report.txt:

SDFix: Version 1.194
Run by Antonys on 17/06/2008 at 18:38

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
runtime
tcpsr
KRX30

Path :
\??\C:\WINDOWS\System32\drivers\runtime.sys
\??\C:\WINDOWS\System32\drivers\tcpsr.sys
\SystemRoot\System32\Drivers\Krx30.sys

runtime - Deleted
tcpsr - Deleted
KRX30 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File


2/ Hijackthislog:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:47:29, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\TGJSERVER\bin\windows\wrapper.exe
C:\TGJSERVER\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\taskmgr.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qas.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qas-intranet/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\^^^^^.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {432D4EBB-3639-42E6-AA21-E887CB3E70E8} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=LANDESK2:5007 /S=LANDESK2 /I=HTTP://LANDESK2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [Reg2Reg2] C:\Program Files\LANDesk\LDClient\REG2REG2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\WINDOWS\system32\audiohq.exe -noplay
O4 - HKLM\..\Run: [SMshc34vj0eg7e] C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdsyq.exe] C:\WINDOWS\system32\kdsyq.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickAddress Pro (2).lnk = C:\Program Files\qas\QuickAddress Pro\KEEPPRO.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Statistiques de la protection du trafic Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://qas-intranet/
O15 - Trusted Zone: http://*.aussblweb1 (HKLM)
O15 - Trusted Zone: http://*.bossblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhsblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhweb (HKLM)
O15 - Trusted Zone: http://*.otsblweb1 (HKLM)
O15 - Trusted Zone: http://*.sfosblweb1 (HKLM)
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://gwhsblweb1/sales_enu/19221/apple ... d_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://gwhsblweb1/sales_enu/19221/apple ... ration.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/ ... loader.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gwhsblweb1/sales_enu/19221/apple ... Client.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qas.webex.com/client/T25L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qas.com
O17 - HKLM\Software\..\Telephony: DomainName = qas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qas.com
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O20 - Winlogon Notify: upigcfni - piplpip.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: ProWeb - QAS Ltd - D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
O23 - Service: QuickAddress Pro Web ActiveX Adaptor 4.02 (QAPWWActiveX 4.02) - QAS Ltd. - D:\QAS\ids\proweb4.03\QAPWWSV.EXE
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Test Wrapper Sample Application (testwrapper) - Unknown owner - C:\TGJSERVER\bin\windows\wrapper.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 9787 bytes
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 17 Juin 2008 22:28

C'est nettement mieux, mais il en reste.

Relance HijackThis, coche cette ligne et fais "fix checked" :
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\^^^^^.exe


Ensuite, on vire à la main ce qui reste :

Télécharge combofix.exe de sUBs et sauvegarde le sur ton bureau (et pas ailleurs).
  • Assure toi que tous les programmes sont fermés avant de commencer.
  • Double-clique combofix.exe afin de l'exécuter.
  • Clique sur "Oui" au message de Limitation de Garantie qui s'affiche.
  • Il est possible que ton parefeu te demande si tu acceptes ou non l'accès de nircmd.cfexe à la zone sûre: accepte.
  • [color="#CC0000"]Ne ferme pas la fenêtre qui vient de s'ouvrir, tu te retrouverais avec un bureau vide.[/color]
  • Lorsque l'analyse sera terminée, un rapport apparaîtra.
  • Copie-colle ce rapport dans ta prochaine réponse.
    Le rapport se trouve dans : C:\Combofix.txt (si jamais).
  • Pour plus d'information et un tuto illustré, voici le seul tuto officiel et autorisé : http://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 18 Juin 2008 09:46

Re,

Merci encore pour ton aide...

Voici le rapport de combofix: (alors?)

ComboFix 08-06-16.5 - Antonys 2008-06-18 9:13:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.608 [GMT 2:00]
Running from: C:\Documents and Settings\antonys\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Documents and Settings\antonys\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\antonys\Application Data\shc34vj0eg7e
C:\Program Files\shc34vj0eg7e
C:\WINDOWS\system32\blphc54vj0eg7e.scr
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\Jqw17.sys
C:\WINDOWS\system32\phc54vj0eg7e.bmp
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\WLCtrl32.dll

----- BITS: Possible infected sites -----

hxxp://66.246.252.213
hxxp://67.18.114.98
hxxp://208.66.194.241
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EXAMPLE
-------\Legacy_JQW17
-------\Legacy_RUNTIME
-------\Legacy_SMTPDRV
-------\Legacy_TCPSR
-------\Service_Jqw17
-------\Service_Runtime


((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 18:24 . 2008-06-17 18:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-17 18:11 . 2008-06-17 18:40 <DIR> d-------- C:\SDFix
2008-06-17 10:13 . 2008-06-17 11:35 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-17 10:13 . 2008-06-17 11:35 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-17 10:12 . 2008-06-17 10:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-17 10:12 . 2008-06-17 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-16 21:11 . 2008-06-16 21:01 60,928 --a------ C:\WINDOWS\system32\1F75.tmp
2008-06-16 21:01 . 2008-06-16 20:51 60,928 --a------ C:\WINDOWS\system32\1F72.tmp
2008-06-16 20:51 . 2008-06-16 20:41 60,928 --a------ C:\WINDOWS\system32\1F6F.tmp
2008-06-16 19:58 . 2002-11-15 15:34 224,768 --a------ C:\WINDOWS\system32\dsquery.exe
2008-06-16 19:56 . 2008-06-18 09:18 1,154,080 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-16 19:56 . 2008-06-18 09:39 253,984 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-16 19:56 . 2008-06-18 09:18 11,144 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-16 19:56 . 2008-06-18 09:38 3,024 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-16 18:46 . 2008-06-16 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-16 18:12 . 2008-06-16 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-16 16:33 . 2008-06-16 16:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-16 16:33 . 2008-06-16 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 15:56 . 2008-06-16 19:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-16 15:56 . 2008-06-16 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 15:55 . 2008-06-16 15:55 9,722,720 --a------ C:\Program Files\spybotsd152.exe
2008-06-16 15:16 . 2008-06-16 15:16 18,473,000 --a------ C:\Program Files\sdsetup.exe
2008-06-16 14:17 . 2008-06-16 14:17 19,153,264 --a------ C:\Program Files\Lavasoft_Adaware_multi.exe
2008-06-16 14:17 . 2008-06-16 14:17 104 --a------ C:\Recycle Bin.lnk
2008-06-16 14:16 . 2008-06-16 14:16 9,722,720 --a------ C:\spybotsd152.exe
2008-06-16 14:15 . 2008-06-16 14:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 13:15 . 2008-06-16 13:15 586 --a------ C:\idxh2o.exe
2008-06-16 12:28 . 2006-05-22 11:31 586 --a------ C:\PWchange.bat
2008-06-11 18:31 . 2008-06-11 18:31 <DIR> d-------- C:\WINDOWS\htmCache
2008-06-11 10:00 . 2008-06-16 13:29 <DIR> d-------- C:\Mes fichiers
2008-06-06 16:45 . 1998-06-17 18:07 57,344 --a------ C:\WINDOWS\system32\Mfc42loc.dll
2008-06-06 16:26 . 2008-05-18 13:10 4,096,056 --a------ C:\WINDOWS\ExpQAS_Wallpaper8x5.bmp
2008-06-06 16:26 . 2008-05-18 13:12 3,932,216 --a------ C:\WINDOWS\ExpQAS_Wallpaper5x3.bmp
2008-06-06 16:26 . 2008-05-18 13:09 3,686,456 --a------ C:\WINDOWS\ExpQAS_Wallpaper16x9.bmp
2008-06-06 16:26 . 2008-05-18 13:08 3,145,784 --a------ C:\WINDOWS\ExpQAS_Wallpaper4x3.bmp
2008-06-06 16:26 . 2008-05-18 13:08 3,145,784 --a------ C:\WINDOWS\ExpQAS_Wallpaper.bmp
2008-06-03 19:16 . 2008-06-03 19:16 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys
2008-06-03 19:15 . 2008-06-03 19:15 <DIR> d-------- C:\Program Files\DVD X Studios
2008-06-03 19:15 . 2008-06-03 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD X Studios
2008-06-03 17:50 . 2008-06-03 17:50 <DIR> d-------- C:\Documents and Settings\antonys\Application Data\vlc
2008-06-03 17:49 . 2008-06-03 17:49 <DIR> d-------- C:\Program Files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-06-17 08:28 504,320 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-06-16 17:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 17:26 1,232,896 ----a-w C:\Program Files\qabwv010.idb
2008-06-12 17:24 2,953 ----a-w C:\Program Files\qabwv010.ssn
2008-06-11 07:07 --------- d-----w C:\Documents and Settings\antonys\Application Data\AdobeUM
2008-05-22 09:15 2,727 ----a-w C:\Program Files\qabwv009.ssn
2008-05-19 11:04 2,213,888 ----a-w C:\Program Files\qabwv009.idb
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-13 09:33 27,008 ----a-w C:\WINDOWS\system32\drivers\Krx30.sys
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-25 16:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-24 09:18 --------- d-----w C:\Program Files\Experian Ltd
2008-04-24 07:36 202,827 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-10-12 10:10 602,112 ----a-w C:\Program Files\qabwv001.idb
2007-07-25 13:49 3,344 ----a-w C:\Program Files\qabwv001.ssn
2007-05-22 09:29 245,760 ----a-w C:\Program Files\qabwv008.idb
2007-05-22 09:29 2,664 ----a-w C:\Program Files\qabwv008.ssn
2007-03-15 11:23 2,201,600 ----a-w C:\Program Files\qabwv007.idb
2007-03-15 10:54 3,223 ----a-w C:\Program Files\qabwv007.ssn
2007-03-15 07:58 2,111,488 ----a-w C:\Program Files\qabwv006.idb
2007-03-14 18:09 2,571 ----a-w C:\Program Files\qabwv006.ssn
2007-02-28 11:45 1,415,168 ----a-w C:\Program Files\qabwv005.idb
2007-02-28 11:33 2,980 ----a-w C:\Program Files\qabwv005.ssn
2007-02-14 17:36 2,923 ----a-w C:\Program Files\qabwv004.ssn
2007-02-06 13:03 770,048 ----a-w C:\Program Files\qabwv004.idb
2007-01-23 10:36 245,760 ----a-w C:\Program Files\qabwv003.idb
2007-01-23 10:31 2,716 ----a-w C:\Program Files\qabwv003.ssn
2007-01-22 13:58 1,003,520 ----a-w C:\Program Files\qabwv000.idb
2007-01-22 13:54 3,244 ----a-w C:\Program Files\qabwv000.ssn
2007-01-22 13:28 921,600 ----a-w C:\Program Files\qabwv002.idb
2007-01-22 13:23 3,106 ----a-w C:\Program Files\qabwv002.ssn
.

------- Sigcheck -------

2008-06-17 10:28 504320 50b7f5952fa2b0564596a454121a93e6 C:\WINDOWS\system32\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2002-01-11 22:47 401496]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 11:32 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 11:29 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 11:32 114688]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 11:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56 143360]
"IntelAPMClient"="C:\Program Files\LANDesk\LDClient\amclient.exe" [2005-08-30 08:05 307200]
"LANDeskInventoryClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [2005-11-18 16:54 823296]
"LANDeskVulscanClient"="C:\Program Files\LANDesk\LDClient\vulScan.exe" [2006-01-06 02:00 892928]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2005-08-30 07:55 258048]
"Reg2Reg2"="C:\Program Files\LANDesk\LDClient\REG2REG2.EXE" [2005-12-12 09:47 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-10-17 16:05 77824]
"AudioHQ"="C:\WINDOWS\system32\audiohq.exe" [ ]
"SMshc34vj0eg7e"="C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe" [ ]
"C:\WINDOWS\system32\kdsyq.exe"="C:\WINDOWS\system32\kdsyq.exe" [ ]
"SDFix"="C:\SDFix\RunThis.bat /second" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Firewall Client Connectivity Monitor.LNK - C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE [2005-07-06 13:26:01 52496]
QuickAddress Pro (2).lnk - C:\Program Files\qas\QuickAddress Pro\KEEPPRO.exe [2008-04-14 15:22:43 176192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoStartMenuEjectPC"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoAutoTrayNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\upigcfni]
piplpip.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=\\qas.com\SYSVOL\qas.com\scripts\shutdown_par.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\qas\sysvol\qas.com\scripts\startup_par.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2138838754-819666832-1349916565-16607\Scripts\Logon\0\0]
"Script"=\\qas.com\SysVol\qas.com\scripts\REVISED_login_paris_main.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2138838754-819666832-1349916565-24255\Scripts\Logon\0\0]
"Script"=\\qas.com\SysVol\qas.com\scripts\REVISED_login_lon_main.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2138838754-819666832-1349916565-25650\Scripts\Logon\0\0]
"Script"=\\qas.com\SysVol\qas.com\scripts\REVISED_login_paris_main.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ciO63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iqy86.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Coordialis 2.0 PADI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Coordialis 2.0 PADI.lnk
backup=C:\WINDOWS\pss\Coordialis 2.0 PADI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DialMessenger]
C:\Program Files\DialMessenger\dialmessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\CBA\\pds.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"%windir%\\system32\\msgsys.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk(R) PXE TCP Port
"67:UDP"= 67:UDP:LANDesk(R) PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk(R) Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk(R) Remote Control Agent UDP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R2 CBA8;LANDesk(R) Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe" [2006-01-11 10:32]
R2 ProWeb;ProWeb;D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE [2007-03-23 12:26]
R2 testwrapper;Test Wrapper Sample Application;C:\TGJSERVER\bin\windows\wrapper.exe [2004-10-01 13:24]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2004-04-01 17:48]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-04 00:26]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 12:30]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 19:48]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 19:48]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 19:48]
R3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2004-04-01 17:48]
S0 Iqy86;Iqy86;C:\WINDOWS\system32\Drivers\Iqy86.sys []
S0 Sai18;Sai18;C:\WINDOWS\system32\Drivers\Sai18.sys []
S1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys []
S1 kbd;kbd;C:\WINDOWS\system32\drivers\kbd.sys []
S2 Softmon;LANDesk(R) Software Monitoring Service;"C:\Program Files\LANDesk\LDClient\softmon.exe" []
S3 QAPWWActiveX 4.02;QuickAddress Pro Web ActiveX Adaptor 4.02;D:\QAS\ids\proweb4.03\QAPWWSV.EXE [2003-12-18 13:30]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-07-06 13:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7beab8d5-8217-11dc-9ec9-00166f7929a7}]
\Shell\AutoRun\command - F:\FRA_GUI.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 09:38:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\TGJSERVER\jre\bin\java.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\qas\QuickAddress Pro\QAPROWN.EXE
.
**************************************************************************
.
Completion time: 2008-06-18 9:41:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 07:41:36

Pre-Run: 5,721,276,416 bytes free
Post-Run: 5,654,200,320 bytes free

277 --- E O F --- 2008-02-06 16:01:58
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 18 Juin 2008 12:50

Bien ! :supers:
Poste un nouveau rapport HijackThis stp.
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 24 Juin 2008 09:51

Voilà mon nouveau rapport, mes quelques problèmes subsistent:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49, on 2008-06-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\antonys\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qas.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=LANDESK2:5007 /S=LANDESK2 /I=HTTP://LANDESK2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [Reg2Reg2] C:\Program Files\LANDesk\LDClient\REG2REG2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\WINDOWS\system32\audiohq.exe -noplay
O4 - HKLM\..\Run: [SMshc34vj0eg7e] C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdsyq.exe] C:\WINDOWS\system32\kdsyq.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickAddress Pro (2).lnk = C:\Program Files\qas\QuickAddress Pro\KEEPPRO.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Statistiques de la protection du trafic Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://qas-intranet/
O15 - Trusted Zone: http://*.aussblweb1 (HKLM)
O15 - Trusted Zone: http://*.bossblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhsblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhweb (HKLM)
O15 - Trusted Zone: http://*.otsblweb1 (HKLM)
O15 - Trusted Zone: http://*.sfosblweb1 (HKLM)
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://gwhsblweb1/sales_enu/19221/apple ... d_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://gwhsblweb1/sales_enu/19221/apple ... ration.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/ ... loader.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gwhsblweb1/sales_enu/19221/apple ... Client.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qas.webex.com/client/T25L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qas.com
O17 - HKLM\Software\..\Telephony: DomainName = qas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qas.com
O20 - Winlogon Notify: upigcfni - piplpip.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: ProWeb - QAS Ltd - D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
O23 - Service: QuickAddress Pro Web ActiveX Adaptor 4.02 (QAPWWActiveX 4.02) - QAS Ltd. - D:\QAS\ids\proweb4.03\QAPWWSV.EXE
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - Unknown owner - C:\Program Files\LANDesk\LDClient\softmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Test Wrapper Sample Application (testwrapper) - Unknown owner - C:\TGJSERVER\bin\windows\wrapper.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 8585 bytes
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 24 Juin 2008 09:53

SDFix n'a pas terminé le travail, il va falloir redémarrer la machine, puis poster un nouveau rapport HijackThis pour lui permettre de terminer.
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 24 Juin 2008 10:31

Voilà le nouveau rapport:

file of Trend Micro HijackThis v2.0.2
Scan saved at 11:03, on 2008-06-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\TGJSERVER\bin\windows\wrapper.exe
C:\TGJSERVER\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LANDesk\LDClient\amclient.exe
C:\Program Files\LANDesk\LDClient\vulScan.exe
C:\Program Files\LANDesk\Shared Files\proxyhost.exe
C:\Program Files\LANDesk\LDClient\sdclient.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\antonys\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qas.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=LANDESK2:5007 /S=LANDESK2 /I=HTTP://LANDESK2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [Reg2Reg2] C:\Program Files\LANDesk\LDClient\REG2REG2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\WINDOWS\system32\audiohq.exe -noplay
O4 - HKLM\..\Run: [SMshc34vj0eg7e] C:\Program Files\shc34vj0eg7e\shc34vj0eg7e.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdsyq.exe] C:\WINDOWS\system32\kdsyq.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickAddress Pro (2).lnk = C:\Program Files\qas\QuickAddress Pro\KEEPPRO.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Statistiques de la protection du trafic Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://qas-intranet/
O15 - Trusted Zone: http://*.aussblweb1 (HKLM)
O15 - Trusted Zone: http://*.bossblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhsblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhweb (HKLM)
O15 - Trusted Zone: http://*.otsblweb1 (HKLM)
O15 - Trusted Zone: http://*.sfosblweb1 (HKLM)
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://gwhsblweb1/sales_enu/19221/apple ... d_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://gwhsblweb1/sales_enu/19221/apple ... ration.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/ ... loader.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gwhsblweb1/sales_enu/19221/apple ... Client.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qas.webex.com/client/T25L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qas.com
O17 - HKLM\Software\..\Telephony: DomainName = qas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qas.com
O20 - Winlogon Notify: upigcfni - piplpip.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: ProWeb - QAS Ltd - D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
O23 - Service: QuickAddress Pro Web ActiveX Adaptor 4.02 (QAPWWActiveX 4.02) - QAS Ltd. - D:\QAS\ids\proweb4.03\QAPWWSV.EXE
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - Unknown owner - C:\Program Files\LANDesk\LDClient\softmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Test Wrapper Sample Application (testwrapper) - Unknown owner - C:\TGJSERVER\bin\windows\wrapper.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 9793 bytes

Merci d'avance
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 24 Juin 2008 10:49

Bon, il en reste, on shoote ça. :D
Il va falloir faire plusieurs choses.

Retélécharge ComboFix.exe ici : combofix.exe
Sauvegarde-le sur ton bureau (toujours) et écrase ton ancienne version, celle là est plus récente.

  • Ouvre le bloc notes. Copie-colle ceci dedans :

File::
c:\windows\system32\audiohq.exe
C:\WINDOWS\system32\kdsyq.exe
C:\WINDOWS\system32\1F75.tmp
C:\WINDOWS\system32\1F72.tmp
C:\WINDOWS\system32\1F6F.tmp
C:\WINDOWS\system32\dllcache\winlogon.exe

Folder::
C:\Program Files\shc34vj0eg7e

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AudioHQ"=-
"SMshc34vj0eg7e"=-
"C:\WINDOWS\system32\kdsyq.exe"=-
"SDFix"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\upigcfni]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\upigcfni]


  • Sauvegarde cela comme fichier texte nommé CFScript, sur le bureau.
  • Fais un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe comme sur la capture
Image
  • Une fenêtre bleue va apparaître: au message qui apparaît (Type 1 to continue, or 2 to abort) , tape 1 puis valide.
  • Patiente le temps du scan. Le bureau va disparaître à plusieurs reprises: c'est normal ! Ne touche à rien tant que le scan n'est pas terminé.
  • Une fois le scan achevé, un rapport va s'afficher: poste son contenu.
  • Si le fichier ne s'ouvre pas, il se trouve ici > C:\ComboFix.txt
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 24 Juin 2008 11:27

Voilà le rapport de combofix:

ComboFix 08-06-20.4 - Antonys 2008-06-24 11:59:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.659 [GMT 2:00]
Running from: C:\Documents and Settings\antonys\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\antonys\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\1F6F.tmp
C:\WINDOWS\system32\1F72.tmp
C:\WINDOWS\system32\1F75.tmp
c:\windows\system32\audiohq.exe
C:\WINDOWS\system32\dllcache\winlogon.exe
C:\WINDOWS\system32\kdsyq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\1F6F.tmp
C:\WINDOWS\system32\1F72.tmp
C:\WINDOWS\system32\1F75.tmp
C:\WINDOWS\system32\dllcache\winlogon.exe
C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-17 18:24 . 2008-06-17 18:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-17 18:11 . 2008-06-17 13:12 <DIR> d-------- C:\SDFix
2008-06-17 10:13 . 2008-06-17 11:35 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-17 10:13 . 2008-06-17 11:35 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-17 10:12 . 2008-06-17 10:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-17 10:12 . 2008-06-24 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-16 19:58 . 2002-11-15 17:34 224,768 --a------ C:\WINDOWS\system32\dsquery.exe
2008-06-16 19:56 . 2008-06-24 12:04 1,290,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-16 19:56 . 2008-06-24 12:04 294,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-16 19:56 . 2008-06-24 12:04 12,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-16 19:56 . 2008-06-24 12:04 3,136 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-16 18:46 . 2008-06-16 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-16 18:12 . 2008-06-16 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-16 16:33 . 2008-06-16 16:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-16 16:33 . 2008-06-16 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 15:56 . 2008-06-16 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 15:16 . 2008-06-16 15:16 18,473,000 --a------ C:\Program Files\sdsetup.exe
2008-06-16 14:17 . 2008-06-16 14:17 19,153,264 --a------ C:\Program Files\Lavasoft_Adaware_multi.exe
2008-06-16 14:17 . 2008-06-16 14:17 104 --a------ C:\Recycle Bin.lnk
2008-06-16 14:15 . 2008-06-16 14:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 13:15 . 2008-06-16 13:15 586 --a------ C:\idxh2o.exe
2008-06-11 18:31 . 2008-06-11 18:31 <DIR> d-------- C:\WINDOWS\htmCache
2008-06-11 10:00 . 2008-06-16 13:29 <DIR> d-------- C:\Mes fichiers
2008-06-06 16:45 . 1998-06-17 18:07 57,344 --a------ C:\WINDOWS\system32\Mfc42loc.dll
2008-06-06 16:26 . 2008-05-18 13:10 4,096,056 --a------ C:\WINDOWS\ExpQAS_Wallpaper8x5.bmp
2008-06-06 16:26 . 2008-05-18 13:12 3,932,216 --a------ C:\WINDOWS\ExpQAS_Wallpaper5x3.bmp
2008-06-06 16:26 . 2008-05-18 13:09 3,686,456 --a------ C:\WINDOWS\ExpQAS_Wallpaper16x9.bmp
2008-06-06 16:26 . 2008-05-18 13:08 3,145,784 --a------ C:\WINDOWS\ExpQAS_Wallpaper4x3.bmp
2008-06-06 16:26 . 2008-05-18 13:08 3,145,784 --a------ C:\WINDOWS\ExpQAS_Wallpaper.bmp
2008-06-03 19:16 . 2008-06-03 19:16 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys
2008-06-03 19:15 . 2008-06-03 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD X Studios
2008-06-03 17:50 . 2008-06-03 17:50 <DIR> d-------- C:\Documents and Settings\antonys\Application Data\vlc
2008-06-03 17:49 . 2008-06-03 17:49 <DIR> d-------- C:\Program Files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 09:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-06-24 08:08 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-18 09:34 2,927 ----a-w C:\Program Files\qabwv010.ssn
2008-06-18 08:40 1,232,896 ----a-w C:\Program Files\qabwv010.idb
2008-06-17 08:28 504,320 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-06-16 17:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-11 07:07 --------- d-----w C:\Documents and Settings\antonys\Application Data\AdobeUM
2008-05-22 09:15 2,727 ----a-w C:\Program Files\qabwv009.ssn
2008-05-19 11:04 2,213,888 ----a-w C:\Program Files\qabwv009.idb
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-13 09:33 27,008 ----a-w C:\WINDOWS\system32\drivers\Krx30.sys
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-25 16:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-24 09:18 --------- d-----w C:\Program Files\Experian Ltd
2008-04-24 07:36 202,827 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-10-12 10:10 602,112 ----a-w C:\Program Files\qabwv001.idb
2007-07-25 13:49 3,344 ----a-w C:\Program Files\qabwv001.ssn
2007-05-22 09:29 245,760 ----a-w C:\Program Files\qabwv008.idb
2007-05-22 09:29 2,664 ----a-w C:\Program Files\qabwv008.ssn
2007-03-15 11:23 2,201,600 ----a-w C:\Program Files\qabwv007.idb
2007-03-15 10:54 3,223 ----a-w C:\Program Files\qabwv007.ssn
2007-03-15 07:58 2,111,488 ----a-w C:\Program Files\qabwv006.idb
2007-03-14 18:09 2,571 ----a-w C:\Program Files\qabwv006.ssn
2007-02-28 11:45 1,415,168 ----a-w C:\Program Files\qabwv005.idb
2007-02-28 11:33 2,980 ----a-w C:\Program Files\qabwv005.ssn
2007-02-14 17:36 2,923 ----a-w C:\Program Files\qabwv004.ssn
2007-02-06 13:03 770,048 ----a-w C:\Program Files\qabwv004.idb
2007-01-23 10:36 245,760 ----a-w C:\Program Files\qabwv003.idb
2007-01-23 10:31 2,716 ----a-w C:\Program Files\qabwv003.ssn
2007-01-22 13:58 1,003,520 ----a-w C:\Program Files\qabwv000.idb
2007-01-22 13:54 3,244 ----a-w C:\Program Files\qabwv000.ssn
2007-01-22 13:28 921,600 ----a-w C:\Program Files\qabwv002.idb
2007-01-22 13:23 3,106 ----a-w C:\Program Files\qabwv002.ssn
.

------- Sigcheck -------

2008-06-17 10:28 504320 50b7f5952fa2b0564596a454121a93e6 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-18_ 9.41.15.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-18 07:19:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-24 10:05:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2006-07-25 11:12:01 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-06-24 08:08:41 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2006-07-25 11:12:01 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-06-24 08:08:41 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-07-25 11:12:01 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-06-24 08:08:41 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2006-07-25 11:12:01 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-06-24 08:08:41 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-07-25 11:12:01 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-06-24 08:08:41 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-07-25 11:12:01 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-06-24 08:08:42 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-07-25 11:12:01 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-06-24 08:08:42 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2006-07-25 11:12:01 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-06-24 08:08:42 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-07-25 11:12:01 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-06-24 08:08:41 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-07-25 11:12:01 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-06-24 08:08:41 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-07-25 11:12:01 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-06-24 08:08:42 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-07-25 11:12:01 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-06-24 08:08:41 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-07-25 11:12:01 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-24 08:08:41 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2000-08-31 06:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-06-18 07:22:11 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-24 10:08:06 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-18 07:22:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-24 10:08:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-18 07:22:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-24 10:08:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2002-11-15 13:34:46 218,624 ----a-w C:\WINDOWS\system32\dsget.exe
+ 2002-11-15 15:34:46 218,624 ----a-w C:\WINDOWS\system32\dsget.exe
- 2008-06-18 07:22:47 209,198 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-24 10:08:39 209,206 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-06-16 14:32:51 72,744 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-24 08:11:29 72,744 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-16 14:32:51 441,616 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-24 08:11:29 441,616 ----a-w C:\WINDOWS\system32\perfh009.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2002-01-11 22:47 401496]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 11:32 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 11:29 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 11:32 114688]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 11:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56 143360]
"IntelAPMClient"="C:\Program Files\LANDesk\LDClient\amclient.exe" [2005-08-30 08:05 307200]
"LANDeskInventoryClient"="C:\Program Files\LANDesk\LDClient\LDIScn32.exe" [2005-11-18 16:54 823296]
"LANDeskVulscanClient"="C:\Program Files\LANDesk\LDClient\vulScan.exe" [2006-01-06 02:00 892928]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2005-08-30 07:55 258048]
"Reg2Reg2"="C:\Program Files\LANDesk\LDClient\REG2REG2.EXE" [2005-12-12 09:47 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-10-17 16:05 77824]
"C:\WINDOWS\system32\kdsyq.exe"="C:\WINDOWS\system32\kdsyq.exe" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Firewall Client Connectivity Monitor.LNK - C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE [2005-07-06 13:26:01 52496]
QuickAddress Pro (2).lnk - C:\Program Files\qas\QuickAddress Pro\KEEPPRO.exe [2008-04-14 15:22:43 176192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoStartMenuEjectPC"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoAutoTrayNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=\\qas.com\SYSVOL\qas.com\scripts\shutdown_par.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\qas\sysvol\qas.com\scripts\startup_par.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2138838754-819666832-1349916565-16607\Scripts\Logon\0\0]
"Script"=\\qas.com\SysVol\qas.com\scripts\REVISED_login_paris_main.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2138838754-819666832-1349916565-24255\Scripts\Logon\0\0]
"Script"=\\qas.com\SysVol\qas.com\scripts\REVISED_login_lon_main.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2138838754-819666832-1349916565-25650\Scripts\Logon\0\0]
"Script"=\\qas.com\SysVol\qas.com\scripts\REVISED_login_paris_main.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ciO63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iqy86.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Coordialis 2.0 PADI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Coordialis 2.0 PADI.lnk
backup=C:\WINDOWS\pss\Coordialis 2.0 PADI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DialMessenger]
C:\Program Files\DialMessenger\dialmessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\CBA\\pds.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"%windir%\\system32\\msgsys.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk(R) PXE TCP Port
"67:UDP"= 67:UDP:LANDesk(R) PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk(R) Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk(R) Remote Control Agent UDP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R2 CBA8;LANDesk(R) Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe" [2006-01-11 10:32]
R2 ProWeb;ProWeb;D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE [2007-03-23 12:26]
R2 testwrapper;Test Wrapper Sample Application;C:\TGJSERVER\bin\windows\wrapper.exe [2004-10-01 13:24]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2004-04-01 17:48]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-04 00:26]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 12:30]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 19:48]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 19:48]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 19:48]
R3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2004-04-01 17:48]
S0 Iqy86;Iqy86;C:\WINDOWS\system32\Drivers\Iqy86.sys []
S0 Sai18;Sai18;C:\WINDOWS\system32\Drivers\Sai18.sys []
S1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys []
S1 kbd;kbd;C:\WINDOWS\system32\drivers\kbd.sys []
S2 Softmon;LANDesk(R) Software Monitoring Service;"C:\Program Files\LANDesk\LDClient\softmon.exe" []
S3 QAPWWActiveX 4.02;QuickAddress Pro Web ActiveX Adaptor 4.02;D:\QAS\ids\proweb4.03\QAPWWSV.EXE [2003-12-18 13:30]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-07-06 13:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d74ba08-3d11-11dd-9f3d-545543445200}]
\Shell\AutoRun\command - jfvkcsy.bat
\Shell\explore\Command - jfvkcsy.bat
\Shell\open\Command - jfvkcsy.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7beab8d5-8217-11dc-9ec9-00166f7929a7}]
\Shell\AutoRun\command - F:\FRA_GUI.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 12:09:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\TGJSERVER\jre\bin\java.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\qas\QuickAddress Pro\QAPROWN.EXE
.
**************************************************************************
.
Completion time: 2008-06-24 12:12:36 - machine was rebooted [Antonys]
ComboFix-quarantined-files.txt 2008-06-24 10:12:30
ComboFix2.txt 2008-06-18 07:41:42

Pre-Run: 5,621,186,560 bytes free
Post-Run: 5,608,665,088 bytes free

300 --- E O F --- 2008-02-06 16:01:58
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 24 Juin 2008 12:53

Ok, bien ! :supers:

ajoute un rapport Hjt stp. :-D
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 24 Juin 2008 12:57

Et voilà:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55, on 2008-06-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\TGJSERVER\bin\windows\wrapper.exe
C:\TGJSERVER\jre\bin\java.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\antonys\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qas.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=LANDESK2:5007 /S=LANDESK2 /I=HTTP://LANDESK2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [Reg2Reg2] C:\Program Files\LANDesk\LDClient\REG2REG2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdsyq.exe] C:\WINDOWS\system32\kdsyq.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickAddress Pro (2).lnk = C:\Program Files\qas\QuickAddress Pro\KEEPPRO.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Statistiques de la protection du trafic Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://qas-intranet/
O15 - Trusted Zone: http://*.aussblweb1 (HKLM)
O15 - Trusted Zone: http://*.bossblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhsblweb1 (HKLM)
O15 - Trusted Zone: http://*.gwhweb (HKLM)
O15 - Trusted Zone: http://*.otsblweb1 (HKLM)
O15 - Trusted Zone: http://*.sfosblweb1 (HKLM)
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://gwhsblweb1/sales_enu/19221/apple ... d_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://gwhsblweb1/sales_enu/19221/apple ... ration.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.caramail.lycos.fr/app/ ... loader.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://gwhsblweb1/sales_enu/19221/apple ... Client.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qas.webex.com/client/T25L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qas.com
O17 - HKLM\Software\..\Telephony: DomainName = qas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qas.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: ProWeb - QAS Ltd - D:\QAS\WORLDP~1\ProWeb5.17\QASWVDN.EXE
O23 - Service: QuickAddress Pro Web ActiveX Adaptor 4.02 (QAPWWActiveX 4.02) - QAS Ltd. - D:\QAS\ids\proweb4.03\QAPWWSV.EXE
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - Unknown owner - C:\Program Files\LANDesk\LDClient\softmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Test Wrapper Sample Application (testwrapper) - Unknown owner - C:\TGJSERVER\bin\windows\wrapper.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 9294 bytes
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 24 Juin 2008 13:05

Ok, relance hijackThis, coche cette ligne et fais "fix checked" :
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdsyq.exe] C:\WINDOWS\system32\kdsyq.exe


Un test complémentaire pour un petit truc.

  • Clique sur ce lien de navilog1 de IL-MAFIOSO :
    http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe
  • Enregistre le fichier sur ton bureau.
  • Ensuite double clique sur navilog1.exe pour lancer l'installation.
  • Une fois l'installation terminée, le fix s'exécutera automatiquement.
    (Si ce n'est pas le cas, double-clique sur le raccourci Navilog1 présent sur le bureau).
  • Laisse-toi guider. Au menu principal, choisis 1 et valide.
    (ne fais pas le choix 2,3 ou 4 sans accord)
  • Cela dure un moment, attends le message :
    *** Analyse Termine le ..... ***
  • Appuie sur une touche comme demandé, le Bloc-notes va s'ouvrir.
  • Copie-colle l'intégralité du rapport dans ton prochain post. Referme le bloc note.

Note :
Le rapport est aussi sauvegardé à la racine du disque (fixnavi.txt)
Si ton antivirus se plaint de fichiers de Navilog1, dis lui d'ignorer les fichiers.
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Re: warning spyware detected on your computer

Messagepar Asaracino » 24 Juin 2008 13:26

Voilà le rapport (encore merci pour ton aide):

Search Navipromo version 3.5.8 commencé le 2008-06-24 à 14:19:31.42

!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Postez ce rapport sur le forum pour le faire analyser !!!
!!! Ne lancez pas la partie désinfection sans l'avis d'un spécialiste !!!

Outil exécuté depuis C:\Program Files\navilog1
Session actuelle : "Antonys"

Mise à jour le 06.06.2008 à 18h00 par IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Internet Explorer : 6.0.2900.2180
Système de fichiers : NTFS

Recherche executé en mode normal

*** Recherche Programmes installés ***


*** Recherche dossiers dans "C:\WINDOWS" ***


*** Recherche dossiers dans "C:\Program Files" ***


*** Recherche dossiers dans "c:\docume~1\alluse~1\applic~1" ***


*** Recherche dossiers dans "c:\docume~1\alluse~1\startm~1\programs" ***


*** Recherche dossiers dans "C:\Documents and Settings\antonys\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\ADMINI~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\antonys\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\CHRIST~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\jamesc\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\jamesc.QAS\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\JAMESC~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\Owen\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\richardo\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\SYSPRE~1\applic~1" ***


*** Recherche dossiers dans "C:\Documents and Settings\antonys\locals~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\antonys\locals~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\jamesc.QAS\locals~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\JAMESC~1\locals~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\Owen\locals~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\richardo\locals~1\applic~1" ***


*** Recherche dossiers dans "C:\DOCUME~1\SYSPRE~1\locals~1\applic~1" ***


*** Recherche dossiers dans "C:\Documents and Settings\antonys\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\ADMINI~1\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\antonys\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\CHRIST~1\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\jamesc\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\jamesc.QAS\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\JAMESC~1\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\Owen\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\richardo\startm~1\programs" ***


*** Recherche dossiers dans "C:\DOCUME~1\SYSPRE~1\startm~1\programs" ***

*** Recherche avec Catchme-rootkit/stealth malware detector par gmer ***
pour + d'infos : http://www.gmer.net

Aucun Fichier trouvé


*** Recherche avec GenericNaviSearch ***
!!! Tous ces résultats peuvent révéler des fichiers légitimes !!!
!!! A vérifier impérativement avant toute suppression manuelle !!!

* Recherche dans "C:\WINDOWS\system32" *

Fichiers suspects :

gsw32.exe trouvé !

* Recherche dans "C:\Documents and Settings\antonys\locals~1\applic~1" *

* Recherche dans "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" *

* Recherche dans "C:\DOCUME~1\antonys\locals~1\applic~1" *

* Recherche dans "C:\DOCUME~1\jamesc.QAS\locals~1\applic~1" *

* Recherche dans "C:\DOCUME~1\JAMESC~1\locals~1\applic~1" *

* Recherche dans "C:\DOCUME~1\Owen\locals~1\applic~1" *

* Recherche dans "C:\DOCUME~1\richardo\locals~1\applic~1" *

* Recherche dans "C:\DOCUME~1\SYSPRE~1\locals~1\applic~1" *



*** Recherche fichiers ***



*** Recherche clés spécifiques dans le Registre ***


*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche nouveaux fichiers Instant Access :


2)Recherche Heuristique :

* Dans "C:\WINDOWS\system32" :


* Dans "C:\Documents and Settings\antonys\locals~1\applic~1" :


* Dans "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" :


* Dans "C:\DOCUME~1\antonys\locals~1\applic~1" :


* Dans "C:\DOCUME~1\jamesc.QAS\locals~1\applic~1" :


* Dans "C:\DOCUME~1\JAMESC~1\locals~1\applic~1" :


* Dans "C:\DOCUME~1\Owen\locals~1\applic~1" :


* Dans "C:\DOCUME~1\richardo\locals~1\applic~1" :


* Dans "C:\DOCUME~1\SYSPRE~1\locals~1\applic~1" :


3)Recherche Certificats :

Certificat Egroup absent !
Certificat Electronic-Group absent !
Certificat OOO-Favorit absent !
Certificat Sunny-Day-Design-Ltd absent !

4)Recherche fichiers connus :



*** Analyse terminée le 2008-06-24 à 14:22:35.50 ***
Asaracino
 
Messages: 27
Inscription: 17 Juin 2008 13:16

Re: warning spyware detected on your computer

Messagepar Falkra » 24 Juin 2008 13:32

Intéressant. Ne lance pas l'option 2 tout de suite, je vais devoir faire remonter un fichier.

Ce fichier est intéressant, pas forcément infectieux :
C:\WINDOWS\system32\gsw32.exe
On va faire 2-3 choses.

:arrow: Rends toi sur ce lien : Virus Total
  • Clique sur le bouton Parcourir...
  • Parcours tes dossiers jusque à ce fichier, si tu le trouves :
    C:\WINDOWS\system32\gsw32.exe
  • Clique sur Envoyer le fichier, et si VirusTotal dit que le fichier a déjà été analysé, clique sur le bouton Reanalyse le fichier maintenant.
  • Laisse le site travailler tant que "Situation actuelle : en cours d'analyse" est affiché.
  • Il est possible que le fichier soit mis en file d'attente en raison d'un grand nombre de demandes d'analyses. Dans ce cas, il te faudra patienter sans réactualiser la page.
  • Lorsque l'analyse est terminée ("Situation actuelle: terminé"), clique sur Formaté (en haut à gauche)
  • Une nouvelle fenêtre de ton navigateur va apparaître
  • Clique alors sur cette image : Image
  • Fais un clic droit sur la page, et choisis Sélectionner tout, puis copier
  • Enfin colle le résultat dans ta prochaine réponse.
    NB : Peu importe le résultat, il est important de me communiquer le résultat de toute l'analyse.
Il est possible que tes outils de sécurité réagissent à l'envoi du fichier, auquel cas il faudra leur faire ignorer les alertes.

Tu auras sans doute besoin d'afficher les fichiers cachés et ceux du système :
http://www.libellules.ch/afficher_fichiers.php

:arrow: Télécharge ici Catchme et mets-le sur ton bureau :
http://files.thespykiller.co.uk/catchme.exe

Double clique sur catchme.exe : une fenêtre noire s'ouvre, on patiente, puis une interface graphique.
Clique sur le bouton "ADD" et va chercher le fichier C:\WINDOWS\system32\gsw32.exe
Clique sur le bouton "ZIP" et un zip sera créé sur le bureau, contenant le fichier.

Confirme moi que le zip est créé, qu'il n'est pas vide et que le fichier gsw32.exe est bien dedans.
Avatar de l’utilisateur
Falkra
Admin libellules.ch
Admin libellules.ch
 
Messages: 25882
Inscription: 30 Jan 2005 13:44
Localisation: 127.0.0.1

Suivante

Retourner vers Désinfections et demandes d'analyse

Qui est en ligne

Utilisateurs parcourant ce forum: Aucun utilisateur enregistré et 0 invités