Infected by SpySheriff: HELP!

Closed
catladesesperee - 18 Oct 2006 at 21:50
green day Posts 26371 Registration date Friday 30 September 2005 Status Moderator, Security contributor Last activity 27 December 2019 - 19 Oct 2006 at 23:19
Hi!

I'm really desperate: after running HijackThis and SmitfraudFix, I still get the same error messages and it's impossible to connect to the internet.
Below are the 2 reports, and I'm begging all the generous experts to save my ancient PC!
Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 20:29:25, on 18/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\setup\avast05.setup
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.misterbot.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.misterbot.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.misterbot.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.misterbot.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AUTOSE~1.DLL
R3 - URLSearchHook: Misterbot Toolbar - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:\Program Files\Misterbot Toolbar\misterbot.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00029.exe"
O1 - Hosts: ww.contextplus.net
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINNT\Application Data\Prevx\pxbho.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AUTOSE~1.DLL
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINNT\DOWNLO~1\ALTAVI~1.DLL
O3 - Toolbar: Misterbot Toolbar - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:\Program Files\Misterbot Toolbar\misterbot.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Win32 Update] C:\WINNT\system32\win32oleupdate.exe
O4 - HKLM\..\Run: [cc32] C:\WINNT\system32\cc32.exe
O4 - HKLM\..\Run: [Services] C:\iexplorer.exe
O4 - HKLM\..\Run: [Win Update] C:\iexplorer.exe
O4 - HKLM\..\Run: [Windows Security Protocol] sme.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\nefdw.exe
O4 - HKLM\..\Run: [kkmc] C:\WINNT\system32\kkmc.exe
O4 - HKLM\..\Run: [dcps] C:\WINNT\system32\dcps.exe
O4 - HKLM\..\Run: [dcpz] C:\WINNT\system32\dcpz.exe
O4 - HKLM\..\Run: [pcvp] C:\WINNT\system32\pcvp.exe
O4 - HKLM\..\Run: [lcps] C:\WINNT\system32\lcps.exe
O4 - HKLM\..\Run: [NAMED] C:\WINNT\system32\NAMED.exe
O4 - HKLM\..\Run: [MS22] C:\WINNT\system32\MS22.exe
O4 - HKLM\..\Run: [WrS_QULWQUxoK^XR] C:\Program Files\NavNT\vptray.txt:yartpv.exe
O4 - HKLM\..\Run: [MS Domain Name Server Deamon] p.exe
O4 - HKLM\..\Run: [HTTP] C:\WINNT\system32\HTTP.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard19.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [newname] C:\\newname19.exe
O4 - HKLM\..\Run: [Installed] 229
O4 - HKLM\..\Run: [XXMa[SRJU[_K^PUSS_JS[J] C:\iexplorer.txt:rerolpxei.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINNT\system32\expload.exe
O4 - HKLM\..\Run: [BF4P] C:\WINNT\system32\bf4p.exe
O4 - HKLM\..\Run: [Win32 Kernel Update] C:\sxe23.tmp
O4 - HKLM\..\Run: [Windows Configuration GUI] systemconfig32.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINNT\system32\intell321.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINNT\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [termcaps] C:\WINNT\system32\termcaps.exe
O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINNT\system32\win32bootcfg.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINNT\pop06ap2.exe
O4 - HKLM\..\Run: [sndraw32] C:\WINNT\system32\sndraw32.exe
O4 - HKLM\..\Run: [mil.exe] C:\WINNT\system32\mil.exe
O4 - HKLM\..\Run: [94542116.exe] C:\WINNT\system32\94542116.exe
O4 - HKLM\..\Run: [NI.UWFX5V_0001_N57M1412] "C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\XK2W26XB\WinFixer2005ScannerInstallFRA[1].exe" -nag
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [new.exe] C:\WINNT\system32\new.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\win32bootcfg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [Windows Security Protocol] sme.exe
O4 - HKLM\..\RunServices: [WrS_QULWQUxoK^XR] C:\Program Files\NavNT\vptray.txt:yartpv.exe
O4 - HKLM\..\RunServices: [MS Domain Name Server Deamon] p.exe
O4 - HKLM\..\RunServices: [XXMa[SRJU[_K^PUSS_JS[J] C:\iexplorer.txt:rerolpxei.exe
O4 - HKLM\..\RunServices: [Windows Configuration GUI] systemconfig32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\RunServices: [termcaps] C:\WINNT\system32\termcaps.exe
O4 - HKLM\..\RunServices: [sndraw32] C:\WINNT\system32\sndraw32.exe
O4 - HKLM\..\RunServices: [ntdll.dll] C:\WINNT\system32\termcaps.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Fichiers communs\Windows\mc-110-12-0000222.exe
O4 - HKCU\..\Run: [Windows Security Protocol] sme.exe
O4 - HKCU\..\Run: [MS Domain Name Server Deamon] p.exe
O4 - HKCU\..\Run: [Windows Configuration GUI] systemconfig32.exe
O4 - HKCU\..\Run: [termcaps] C:\WINNT\system32\termcaps.exe
O4 - HKCU\..\Run: [sndraw32] C:\WINNT\system32\sndraw32.exe
O4 - HKCU\..\Run: [kuik] C:\PROGRA~1\FICHIE~1\kuik\kuikm.exe
O4 - HKCU\..\Run: [94542116.exe] C:\Documents and Settings\Administrateur\Local Settings\Application Data\94542116.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\WINNT\system32\termcaps.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [Windows Configuration GUI] systemconfig32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Translate - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O9 - Extra button: Misterbot Toolbar - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:\Program Files\Misterbot Toolbar\misterbot.dll
O9 - Extra 'Tools' menuitem: Misterbot Toolbar - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:\Program Files\Misterbot Toolbar\misterbot.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.fr.msn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.fr.msn.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload229a.exe
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (ALTAVISTA) - https://fr.yahoo.com/?p=us
O20 - AppInit_DLLs: C:\WINNT\system32\syst7.dll
O20 - Winlogon Notify: cdscsix3 - cdscsix3.dll (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\irp6l57s1.dll (file missing)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: xptptt - xptptt.dll (file missing)
O21 - SSODL: VMgDJgk - {381D7950-92B7-D3FA-2800-23A065A4BF7A} - C:\WINNT\system32\rz.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: DCOM Server 3337 - {2C1CD3D7-86AC-4068-93BC-A02304BB3337} - C:\WINNT\system32\3337_32.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINNT\system32\kpvmx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Li4\command.exe (file missing)
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InSec(inetsec) (InSec) - Unknown owner - C:\WINNT\system32\inetsec.exe (file missing)
O23 - Service: K4NV - Unknown owner - C:\WINNT\k4nv.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: MsHS64 - Unknown owner - C:\WINNT\MsHS64.exe (file missing)
O23 - Service: netconf32 - Unknown owner - C:\WINNT\netconf32.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINNT\system32\perfont.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)
O23 - Service: Win32Sr - Unknown owner - C:\WINNT\win32ssr.exe (file missing)


SmitFraudFix v2.110

Rapport fait à 21:29:28,05, mer. 18/10/2006
Executé à partir de E:\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB3337}"="DCOM Server 3337"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"


»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

C:\country.exe supprimé
C:\exit supprimé
C:\secure32.html supprimé
C:\uniq supprimé
C:\WINNT\warnhp.html supprimé
C:\WINNT\system32\a.exe supprimé
C:\WINNT\system32\autodisc32.dll supprimé
C:\WINNT\system32\bin29a.log supprimé
C:\WINNT\system32\zlbw.dll supprimé
C:\Program Files\secure32.html supprimé
C:\Program Files\SpySheriff\ supprimé

»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires


»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB3337}"="DCOM Server 3337"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"



»»»»»»»»»»»»»»»»»»»»»»»» Fin

2 replies

green day Posts 26371 Registration date Friday 30 September 2005 Status Moderator, Security contributor Last activity 27 December 2019 2 162
18 Oct 2006 at 21:56
Hi

Whoa: you are very infected!!!

Install a firewall!

Kerio

As a pre-cleaning step

download this:

# Ewido (free):

ewido


tutorial: (thanks to Moe) http://perso.wanadoo.fr/entraide-hijackthis/Ewido/

# CleanUp40 (which removes temporary files + cookies: free)
http://pageperso.aol.fr/Balltrap34/CleanUp40.exe

tutorial: (thanks to Balltrap) http://pageperso.aol.fr/balltrap34/democleanup.htm

then post a new HijackThis log

See you
catladesesperee
19 Oct 2006 at 09:47
Thanks for all these steps, which I followed to the letter!
Here is the HijackThis report. Is there still hope?!!


Logfile of HijackThis v1.99.1
Scan saved at 09:39:02, on 19/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\lexpps.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis Version Française\VERSION TRADUITE ORIGINALE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.misterbot.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: AutoSearchObj Class - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AUTOSE~1.DLL
R3 - URLSearchHook: Misterbot Toolbar - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:\Program Files\Misterbot Toolbar\misterbot.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00029.exe"
O1 - Hosts: ww.contextplus.net
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AUTOSE~1.DLL
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Misterbot Toolbar - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:\Program Files\Misterbot Toolbar\misterbot.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Win32 Update] C:\WINNT\system32\win32oleupdate.exe
O4 - HKLM\..\Run: [cc32] C:\WINNT\system32\cc32.exe
O4 - HKLM\..\Run: [Services] C:\iexplorer.exe
O4 - HKLM\..\Run: [Win Update] C:\iexplorer.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\nefdw.exe
O4 - HKLM\..\Run: [kkmc] C:\WINNT\system32\kkmc.exe
O4 - HKLM\..\Run: [dcps] C:\WINNT\system32\dcps.exe
O4 - HKLM\..\Run: [dcpz] C:\WINNT\system32\dcpz.exe
O4 - HKLM\..\Run: [pcvp] C:\WINNT\system32\pcvp.exe
O4 - HKLM\..\Run: [lcps] C:\WINNT\system32\lcps.exe
O4 - HKLM\..\Run: [NAMED] C:\WINNT\system32\NAMED.exe
O4 - HKLM\..\Run: [MS22] C:\WINNT\system32\MS22.exe
O4 - HKLM\..\Run: [WrS_QULWQUxoK^XR] C:\Program Files\NavNT\vptray.txt:yartpv.exe
O4 - HKLM\..\Run: [MS Domain Name Server Deamon] p.exe
O4 - HKLM\..\Run: [HTTP] C:\WINNT\system32\HTTP.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [Installed] 229
O4 - HKLM\..\Run: [XXMa[SRJU[_K^PUSS_JS[J] C:\iexplorer.txt:rerolpxei.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINNT\system32\expload.exe
O4 - HKLM\..\Run: [BF4P] C:\WINNT\system32\bf4p.exe
O4 - HKLM\..\Run: [Win32 Kernel Update] C:\sxe23.tmp
O4 - HKLM\..\Run: [Windows Configuration GUI] systemconfig32.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINNT\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [termcaps] C:\WINNT\system32\termcaps.exe
O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINNT\system32\win32bootcfg.exe
O4 - HKLM\..\Run: [sndraw32] C:\WINNT\system32\sndraw32.exe
O4 - HKLM\..\Run: [mil.exe] C:\WINNT\system32\mil.exe
O4 - HKLM\..\Run: [94542116.exe] C:\WINNT\system32\94542116.exe
O4 - HKLM\..\Run: [NI.UWFX5V_0001_N57M1412] "C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\XK2W26XB\WinFixer2005ScannerInstallFRA[1].exe" -nag
O4 - HKLM\..\Run: [new.exe] C:\WINNT\system32\new.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\win32bootcfg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [WrS_QULWQUxoK^XR] C:\Program Files\NavNT\vptray.txt:yartpv.exe
O4 - HKLM\..\RunServices: [MS Domain Name Server Deamon] p.exe
O4 - HKLM\..\RunServices: [XXMa[SRJU[_K^PUSS_JS[J] C:\iexplorer.txt:rerolpxei.exe
O4 - HKLM\..\RunServices: [Windows Configuration GUI] systemconfig32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\RunServices: [termcaps] C:\WINNT\system32\termcaps.exe
O4 - HKLM\..\RunServices: [sndraw32] C:\WINNT\system32\sndraw32.exe
O4 - HKLM\..\RunServices: [ntdll.dll] C:\WINNT\system32\termcaps.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS Domain Name Server Deamon] p.exe
O4 - HKCU\..\Run: [Windows Configuration GUI] systemconfig32.exe
O4 - HKCU\..\Run: [termcaps] C:\WINNT\system32\termcaps.exe
O4 - HKCU\..\Run: [sndraw32] C:\WINNT\system32\sndraw32.exe
O4 - HKCU\..\Run: [kuik] C:\PROGRA~1\FICHIE~1\kuik\kuikm.exe
O4 - HKCU\..\Run: [94542116.exe] C:\Documents and Settings\Administrateur\Local Settings\Application Data\94542116.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\WINNT\system32\termcaps.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Li4\command.exe (file missing)
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InSec(inetsec) (InSec) - Unknown owner - C:\WINNT\system32\inetsec.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINNT\system32\perfont.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)
green day Posts 26371 Registration date Friday 30 September 2005 Status Moderator, Security contributor Last activity 27 December 2019 2 162
19 Oct 2006 at 23:19
Hi

OK, please do steps 1/ and 2/ from this link:

virus: preliminary disinfection method (French version)

See you