apres un nettoyage avec cclaener, ad-aware, spybot, stinger, anti-troyan5.5, et avast cleaner, tout en etant proteger par zone alarm et ayant ferme les port avec zeb-protect et XP Antispi, j’ai mon anti-virus qui est viruskeeper pro 2006 qui m’alerte d’etre infecte par “edlm.exe” qui ce trouve dans Windows\System32\. Comment puis je m’en debarrasser car etant novice ce n’est pas facile. J’utilise windows XP Pro SP2. Merci de bien vouloire m’aider et bonne chance a ce sit. Comme lu prcedemment dans votre forum voici le fichier hijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 22:35:23, on 22/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\VirusKeeper 2006 Pro\VirusKeeper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Twain_32\SlimU2TA\HotKey.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Antipub\antipub.exe
C:\WINDOWS\system32\MGE\RunSC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MGE\PCtl.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Micro Application\Internet Anonyme 2\CGhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bruno\Bureau\Protections\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - C:\Program Files\Bugnosis\WebBug.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60DF4425-F36F-42D7-AECF-A409EBE4558C} - C:\PROGRA~1\MICROA~1\INTERN~1\tbcghost.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: SimonTools - {CC48EB38-F950-48C0-9F22-D64F829AE3DF} - C:\PROGRA~1\MICROA~1\INTERN~1\tbcghost.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Bugnosis - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - C:\Program Files\Bugnosis\WebBug.dll
O4 - HKLM\…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033
O4 - HKLM\…\Run: [VirusKeeper] C:\Program Files\VirusKeeper 2006 Pro\VirusKeeper.exe
O4 - HKLM\…\Run: [awxDTools] rundll32 C:\PROGRA~1\D-Tools\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\…\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\…\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2TA\HotKey.exe
O4 - HKLM\…\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\…\Run: [SpeedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM\…\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\…\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\…\Run: [SSBkgdUpdate] C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\…\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\…\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\…\Run: [CursorXP] “C:\Program Files\CursorXP\CursorXP.exe” -s
O4 - HKCU\…\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\…\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\…\Run: [CyberGhost2006] “C:\Program Files\Micro Application\Internet Anonyme 2\CGhost.exe” min
O4 - Startup: Anti-Pub.lnk = C:\Program Files\Antipub\antipub.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Traduire à partir de l’anglais - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: SYSTRAN: &Effacer le cache de traduction - C:\Program Files\Systran\Premium\menuClearCache.html
O8 - Extra context menu item: SYSTRAN: &Options - C:\Program Files\Systran\Premium\menuConfigure.html
O8 - Extra context menu item: SYSTRAN: &Traduire - C:\Program Files\Systran\Premium\menuTranslate.html
O8 - Extra context menu item: SYSTRAN: En®istrement - C:\Program Files\Systran\Premium\menuRegister.html
O8 - Extra context menu item: SYSTRAN: Rechercher les &mises à jour - C:\Program Files\Systran\Premium\menuUpdate.html
O8 - Extra context menu item: SYSTRAN: Traduire les &cadres - C:\Program Files\Systran\Premium\menuTranslateAll.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: @sysiecom.dll,-2100 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuTranslate.html
O9 - Extra ‘Tools’ menuitem: @sysiecom.dll,-2102 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuTranslate.html
O9 - Extra button: @sysiecom.dll,-2103 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuTranslateAll.html
O9 - Extra ‘Tools’ menuitem: @sysiecom.dll,-2105 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuTranslateAll.html
O9 - Extra button: @sysiecom.dll,-2115 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuConfigure.html
O9 - Extra ‘Tools’ menuitem: @sysiecom.dll,-2117 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuConfigure.html
O9 - Extra button: (no name) - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuClearCache.html
O9 - Extra ‘Tools’ menuitem: @sysiecom.dll,-2108 - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuClearCache.html
O9 - Extra button: (no name) - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuRegister.html
O9 - Extra ‘Tools’ menuitem: @sysiecom.dll,-2111 - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuRegister.html
O9 - Extra button: (no name) - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuUpdates.html (file missing)
O9 - Extra ‘Tools’ menuitem: @sysiecom.dll,-2114 - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuUpdates.html (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\…\{2A31D54D-AF26-4679-AA64-50F4AC3063BA}: NameServer = 80.10.246.130 80.10.246.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
O23 - Service: ADSLAutoconnect - Unknown owner - C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe" -z (file missing)
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MGE Service module - Unknown owner - C:\WINDOWS\system32\MGE\RunSC.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Onduleur (UPS) - Unknown owner - C:\WINDOWS\System32\ups2.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
ci joint un rapport avec RootKit Revealer:
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls ()
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 15/04/2006 20:38 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 15/04/2006 22:58 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\RootCertExtraction 22/04/2006 22:50 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 15/04/2006 22:59 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Skwat_ADSLAutoconnect\PALETTE\TOT_UP 22/04/2006 22:49 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Skwat_ADSLAutoconnect\PALETTE\TOT_DOWN 22/04/2006 22:49 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Services\d347prt\Cfg\0Jf40 22/04/2006 21:20 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\d347prt\Cfg\0Jf41 15/04/2006 22:16 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\d347prt\Cfg\0Jf42 15/04/2006 22:16 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\d347prt\Cfg\0Jf43 15/04/2006 22:16 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\Vax347s\Config\jdgg40 15/04/2006 23:01 0 bytes Hidden from Windows API.
C:\$AttrDef 15/04/2006 15:23 2.50 KB Hidden from Windows API.
C:\$BadClus 15/04/2006 15:23 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 15/04/2006 15:23 115.04 GB Hidden from Windows API.
C:\$Bitmap 15/04/2006 15:23 3.59 MB Hidden from Windows API.
C:\$Boot 15/04/2006 15:23 8.00 KB Hidden from Windows API.
C:\$Extend 15/04/2006 15:23 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 15/04/2006 15:23 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 15/04/2006 15:23 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 15/04/2006 15:23 0 bytes Hidden from Windows API.
C:\$LogFile 15/04/2006 15:23 64.00 MB Hidden from Windows API.
C:\$MFT 15/04/2006 15:23 143.09 MB Hidden from Windows API.
C:\$MFTMirr 15/04/2006 15:23 4.00 KB Hidden from Windows API.
C:\$Secure 15/04/2006 15:23 0 bytes Hidden from Windows API.
C:\$UpCase 15/04/2006 15:23 128.00 KB Hidden from Windows API.
C:\$Volume 15/04/2006 15:23 0 bytes Hidden from Windows API.