algsec.exe: a virus? - Security - Windows & Software
Marsh Posted on 05-06-2006 at 20:43:34
hello,

download the original version of HijackThis: http://www.merijn.org/files/hijackthis.zip

disconnect from the internet and install it.

run it by clicking on "Do a system scan and save a logfile"; at the end of the scan Notepad will open, copy and paste its entire contents.
Marsh Posted on 05-06-2006 at 20:48:55
done:
 
 
Logfile of HijackThis v1.99.1 
Scan saved at 20:48:19, on 05/06/2006 
Platform: Windows XP SP1 (WinNT 5.01.2600) 
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) 
 
Running processes: 
C:\WINDOWS\System32\smss.exe 
C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\svchost.exe 
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe 
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe 
C:\WINDOWS\Explorer.EXE 
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe 
C:\WINDOWS\system32\spoolsv.exe 
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe 
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe 
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe 
C:\WINDOWS\SOUNDMAN.EXE 
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe 
C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe 
C:\WINDOWS\System32\ctfmon.exe 
C:\Program Files\Messenger\msmsgs.exe 
C:\WINDOWS\system32\algsec.exe 
C:\Program Files\ewido anti-malware\ewidoctrl.exe 
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe 
C:\WINDOWS\System32\nvsvc32.exe 
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe 
C:\WINDOWS\system32\ZoneLabs\vsmon.exe 
C:\Program Files\Mozilla Firefox\firefox.exe 
C:\Documents and Settings\tofcc\Bureau\HijackThis.exe 
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.hardware.fr/ 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll 
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll 
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx 
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup 
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install 
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit 
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" 
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe 
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" 
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe 
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE 
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s 
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T 
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe 
O4 - HKLM\..\Run: [A64Tweaker] "C:\Documents and Settings\tofcc\Bureau\\a64tweaker.exe" C:\Documents and Settings\tofcc\Bureau\\startup.a64 
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe 
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background 
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll 
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 9366256200 
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe 
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe 
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe 
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe 
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe 
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe 
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe 
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe 
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe 
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe 
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe 
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe 
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe 
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe 
 
I now also have something called "adv.exe" that wants to connect....
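A triage script for the HijackThis log above, added here as an example (not part of the thread, and not code from HijackThis): it parses the "Running processes" list and the O4/O23 launch points, then flags processes running from the Windows directory that are neither core OS processes nor explained by any launch point. That is exactly how algsec.exe stands out in this log: it is running from system32, yet no O4 or O23 line accounts for it. The sample log lines are a constructed subset of the report above; the core-process allowlist and the C:\WINDOWS root are assumptions.

```python
"""Triage helper for a HijackThis 1.99.1 log (added example, not from the thread).

Cross-references "Running processes" against the O4 (Run keys) and O23
(services) launch points and flags processes that run from the Windows
directory without any visible launch point, which is how algsec.exe stands
out in the log above: running from system32, yet no O4 or O23 line shows it.
"""
import re
from dataclasses import dataclass, field

# Processes the OS starts itself; they never appear as O4/O23 entries.
# Assumption: a minimal Windows XP allowlist, enough for this example.
CORE_OS_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}
WINDOWS_DIR = "c:\\windows\\"  # assumption: %SystemRoot% as in the log above

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

def exe_basename(command: str) -> str:
    """Lower-cased file name of the first .exe in a command line or path.

    Copes with quoted paths, bare names (SOUNDMAN.EXE), rundll32 wrappers and
    the stray quote HijackThis prints on some O23 lines ('...exe" /service').
    """
    m = re.search(r'([^"]*?\.exe)\b', command, re.IGNORECASE)
    path = m.group(1) if m else command.strip().strip('"')
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class HjtLog:
    running: list = field(default_factory=list)        # full paths as listed
    launch_points: dict = field(default_factory=dict)  # exe basename -> origin


def parse_hjt(text: str) -> HjtLog:
    """Collect running processes and O4/O23 launch points from a log."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                log.running.append(line)
            else:                      # a blank line ends the process list
                in_processes = False
            continue
        m = O4_RE.match(line)
        if m:
            log.launch_points[exe_basename(m["cmd"])] = f"O4 {m['hive']} Run [{m['name']}]"
            continue
        m = O23_RE.match(line)
        if m:
            log.launch_points[exe_basename(m["path"])] = f"O23 service {m['display']!r} by {m['vendor']}"
    return log


def unaccounted_windows_processes(log: HjtLog) -> list:
    """Running processes under the Windows directory that are neither core OS
    processes nor explained by an O4/O23 entry: these deserve a closer look."""
    suspects = []
    for path in log.running:
        name = path.rsplit("\\", 1)[-1].lower()
        if not path.lower().startswith(WINDOWS_DIR) or name in CORE_OS_PROCESSES:
            continue
        if name not in log.launch_points:
            suspects.append(path)
    return suspects


# Constructed subset of the HijackThis report posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\algsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for suspect in unaccounted_windows_processes(parse_hjt(SAMPLE_LOG)):
        print("no visible launch point:", suspect)
```

Firefox and HijackThis itself are skipped because they do not run from the Windows directory; a user-launched program there is normal, whereas an unexplained binary in system32 is what a service listing such as Silent Runners' then has to account for.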
Marsh Posted on 05-06-2006 at 20:56:40
re,

this report is clean, do the following:

1/ download Silent Runners: http://www.silentrunners.org/Silent%20Runners.vbs

2/ disconnect from the internet and close all running applications.

3/ run Silent Runners and let it work; when it has finished scanning you will be notified by a message and a new text file will be created; open that text file and paste the whole report.
Marsh Posted on 05-06-2006 at 21:13:31
here it is:

however, Norton no longer wants to switch to Auto-Protect! and I didn't see the end-of-"scan" window, but this text file was on the desktop so I suppose that's it
 
 
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/ 
Operating System: Windows XP 
Output limited to non-default values, except where indicated by "{++}" 
 
 
Startup items buried in registry: 
--------------------------------- 
 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} 
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS] 
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] 
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} 
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS] 
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] 
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS] 
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] 
"SSC_UserPrompt" = "C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"] 
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs LLC"] 
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"] 
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."] 
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] 
"VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"] 
"RivaTuner" = ""C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T" [empty string] 
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] 
"A64Tweaker" = ""C:\Documents and Settings\tofcc\Bureau\\a64tweaker.exe" C:\Documents and Settings\tofcc\Bureau\\startup.a64" [null data] 
 
HKLM\Software\Microsoft\Active Setup\Installed Components\ 
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided) 
                                       \StubPath   = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS] 
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ 
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) 
  -> {HKLM...CLSID} = (no title provided) 
                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"] 
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) 
  -> {HKLM...CLSID} = "SSVHelper Class" 
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] 
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper" 
  -> {HKLM...CLSID} = "CNavExtBho Class" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ 
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration" 
  -> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration" 
                   \InProcServer32\(Default) = "deskpan.dll" [file not found] 
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal" 
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] 
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" 
  -> {HKLM...CLSID} = "DesktopContext Class" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"] 
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" 
  -> {HKLM...CLSID} = "NVIDIA CPL Extension" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"] 
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" 
  -> {HKLM...CLSID} = "Desktop Explorer" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" 
  -> {HKLM...CLSID} = (no title provided) 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" 
  -> {HKLM...CLSID} = "nView Desktop Context Menu" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive" 
  -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension" 
                   \InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"] 
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" 
  -> {HKLM...CLSID} = "WinRAR" 
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ 
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" 
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" 
                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"] 
 
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ 
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" 
  -> {HKLM...CLSID} = "IEContextMenu Class" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 
  -> {HKLM...CLSID} = "WinRAR" 
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
 
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 
  -> {HKLM...CLSID} = "WinRAR" 
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
 
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ 
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" 
  -> {HKLM...CLSID} = "IEContextMenu Class" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 
  -> {HKLM...CLSID} = "WinRAR" 
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
 
 
Active Desktop and Wallpaper: 
----------------------------- 
 
Active Desktop is disabled at this entry: 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState 
 
 
Enabled Scheduled Tasks: 
------------------------ 
 
"Norton AntiVirus - Analyser mon ordinateur - tofcc" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"] 
 
 
Winsock2 Service Provider DLLs: 
------------------------------- 
 
Namespace Service Providers 
 
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 
 
Transport Service Providers 
 
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: 
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 
 
 
Toolbars, Explorer Bars, Extensions: 
------------------------------------ 
 
Toolbars 
 
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ 
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" 
  -> {HKLM...CLSID} = "Norton AntiVirus" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
 
HKLM\Software\Microsoft\Internet Explorer\Toolbar\ 
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" 
  -> {HKLM...CLSID} = "Norton AntiVirus" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
 
Extensions (Tools menu items, main toolbar menu buttons) 
 
HKLM\Software\Microsoft\Internet Explorer\Extensions\ 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ 
"MenuText" = "Console Java (Sun)" 
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}" 
  -> {HKCU...CLSID} = "Java Plug-in" 
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] 
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_07" 
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."] 
 
 
Miscellaneous IE Hijack Points 
------------------------------ 
 
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings" ) 
 
Added lines (compared with English-language version): 
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/" 
 
Missing lines (compared with English-language version): 
[Strings]: 1 line 
 
 
Running Services (Display Name, Service Name, Path {Service DLL}): 
------------------------------------------------------------------ 
 
algsec(algsec), algsec, ""C:\WINDOWS\system32\algsec.exe"" [MS] 
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"] 
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"] 
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"] 
Symantec Core LC, Symantec Core LC, "C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] 
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] 
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"] 
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"] 
 
 
---------- 
+ This report excludes default entries except where indicated. 
+ To see *everywhere* the script checks and *everything* it finds, 
  launch it from a command prompt or a shortcut with the -all parameter. 
+ To search all directories of local fixed drives for DESKTOP.INI 
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars, 
  use the -supp parameter or answer "No" at the first message box. 
---------- (total run time: 51 seconds, including 18 seconds for message boxes)
Marsh Posted on 05-06-2006 at 21:21:43
re,

I have a slight doubt about a file that is apparently bad, but I'd like to be sure:

1/
| Quote: Start, My Computer or any other folder, Tools menu, Folder Options, View tab: |


2/ go here:

C:\WINDOWS\system32\algsec.exe

3/ have algsec.exe analysed on this site http://virusscan.jotti.org/ and post the report, please
Marsh Posted on 05-06-2006 at 21:27:39
I already tried to find algsec (it is indeed the one trying to connect in ZoneAlarm under the name "microsoft operating system") but it doesn't show up, even after unchecking "hidden files" etc..... how do I do it?

however, I think the previous scan wasn't complete, because I ran it again and it took 100 s instead of 50...

I'll post it again just in case:
 
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/ 
Operating System: Windows XP 
Output limited to non-default values, except where indicated by "{++}" 
 
 
Startup items buried in registry: 
--------------------------------- 
 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} 
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS] 
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] 
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} 
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS] 
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] 
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS] 
"ccApp" = ""C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] 
"SSC_UserPrompt" = "C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"] 
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs LLC"] 
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"] 
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."] 
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] 
"VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"] 
"RivaTuner" = ""C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T" [empty string] 
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] 
"A64Tweaker" = ""C:\Documents and Settings\tofcc\Bureau\\a64tweaker.exe" C:\Documents and Settings\tofcc\Bureau\\startup.a64" [null data] 
 
HKLM\Software\Microsoft\Active Setup\Installed Components\ 
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided) 
                                       \StubPath   = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS] 
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ 
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) 
  -> {HKLM...CLSID} = (no title provided) 
                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"] 
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) 
  -> {HKLM...CLSID} = "SSVHelper Class" 
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] 
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper" 
  -> {HKLM...CLSID} = "CNavExtBho Class" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ 
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration" 
  -> {HKLM...CLSID} = "Extension Affichage Panorama du Panneau de configuration" 
                   \InProcServer32\(Default) = "deskpan.dll" [file not found] 
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal" 
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] 
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" 
  -> {HKLM...CLSID} = "DesktopContext Class" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"] 
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" 
  -> {HKLM...CLSID} = "NVIDIA CPL Extension" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"] 
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" 
  -> {HKLM...CLSID} = "Desktop Explorer" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" 
  -> {HKLM...CLSID} = (no title provided) 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" 
  -> {HKLM...CLSID} = "nView Desktop Context Menu" 
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] 
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive" 
  -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension" 
                   \InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"] 
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" 
  -> {HKLM...CLSID} = "WinRAR" 
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ 
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" 
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" 
                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"] 
 
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ 
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" 
  -> {HKLM...CLSID} = "IEContextMenu Class" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 
  -> {HKLM...CLSID} = "WinRAR" 
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
 
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 
  -> {HKLM...CLSID} = "WinRAR" 
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
 
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ 
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" 
  -> {HKLM...CLSID} = "IEContextMenu Class" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 
  -> {HKLM...CLSID} = "WinRAR" 
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
 
 
Active Desktop and Wallpaper: 
----------------------------- 
 
Active Desktop is disabled at this entry: 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState 
 
 
Enabled Scheduled Tasks: 
------------------------ 
 
"Norton AntiVirus - Analyser mon ordinateur - tofcc" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"] 
 
 
Winsock2 Service Provider DLLs: 
------------------------------- 
 
Namespace Service Providers 
 
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 
 
Transport Service Providers 
 
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: 
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 
 
 
Toolbars, Explorer Bars, Extensions: 
------------------------------------ 
 
Toolbars 
 
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ 
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" 
  -> {HKLM...CLSID} = "Norton AntiVirus" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
 
HKLM\Software\Microsoft\Internet Explorer\Toolbar\ 
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" 
  -> {HKLM...CLSID} = "Norton AntiVirus" 
                   \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] 
 
Extensions (Tools menu items, main toolbar menu buttons) 
 
HKLM\Software\Microsoft\Internet Explorer\Extensions\ 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ 
"MenuText" = "Console Java (Sun)" 
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}" 
  -> {HKCU...CLSID} = "Java Plug-in" 
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] 
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_07" 
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."] 
 
 
Miscellaneous IE Hijack Points 
------------------------------ 
 
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings" ) 
 
Added lines (compared with English-language version): 
[Strings]: SAFESITE_VALUE="http://home.microsoft.com/intl/fr/" 
 
Missing lines (compared with English-language version): 
[Strings]: 1 line 
 
 
Running Services (Display Name, Service Name, Path {Service DLL}): 
------------------------------------------------------------------ 
 
algsec(algsec), algsec, ""C:\WINDOWS\system32\algsec.exe"" [MS] 
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"] 
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"] 
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"] 
Symantec Core LC, Symantec Core LC, "C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] 
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] 
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"] 
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"] 
 
 
---------- 
+ This report excludes default entries except where indicated. 
+ To see *everywhere* the script checks and *everything* it finds, 
  launch it from a command prompt or a shortcut with the -all parameter. 
+ The search for DESKTOP.INI DLL launch points on all local fixed drives 
  took 31 seconds. 
+ The search for all Registry CLSIDs containing dormant Explorer Bars 
  took 19 seconds. 
---------- (total run time: 103 seconds) 
 
PS: thanks for helping me
Marsh Posted on 05-06-2006 at 21:29:21
re,
I wrote a reply above yours, read it.

P.S. if this file is a critter, we've found where it's hiding:

| Quote: algsec(algsec), algsec, ""C:\WINDOWS\system32\algsec.exe"" [MS] |
Marsh Posted on 05-06-2006 at 21:30:33
Go there, it's all explained, along with the tools to disinfect yourself:
http://fileinfo.prevx.com/QQf4d821 [...] C.EXE.html
Marsh Posted on 05-06-2006 at 21:32:44
ok, got it; but the virusscan.jotti server is overloaded.... can't.... have to wait.... I really have no luck...
Marsh Posted on 05-06-2006 at 21:33:40
re,

try this one then:

http://www.virustotal.com/flash/index_en.html
Marsh Posted on 05-06-2006 at 21:38:02
no, it's fine; the site is analysing the file right now (and it's finding lots of stuff);

do I do the same with adv.exe?
Marsh Posted on 05-06-2006 at 21:40:18
re,

| Quote: do I do the same with adv.exe? |


no need, that one is definitely a critter
Marsh Posted on 05-06-2006 at 21:41:50
here it is:
 
File: algsec.exe
Status: INFECTED/MALWARE
MD5: c37caa4d919e8243c765af8103e81601
Packers detected: PE_PATCH
Scanner results:
AntiVir: Found Worm/Sdbot.176640.7
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found GenPack:Backdoor.SDBot.A5FA8883
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found W32/SDBot.QW!worm
Kaspersky Anti-Virus: Found nothing
NOD32: Found a variant of IRC/SdBot
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
Marsh Posted on 05-06-2006 at 21:47:26
re,

so it is indeed a critter.

where is adv.exe located? (give the full path)
Marsh Posted on 05-06-2006 at 21:49:43
in windows/temp: I deleted it, but there is also ZLTO7375.TMP and that one refuses to be deleted... and algsec too...
Marsh Posted on 06-06-2006 at 18:04:07
ok, thanks to both of you; my PC seems properly repaired!

I removed Norton 2005 and installed Avast.... did I do the right thing?

before making a Ghost image of my disk just in case, I'm posting another HijackThis report... if you can confirm it's fine... thanks again

by the way, winlogon.exe, isn't that a critter?
 
 
Logfile of HijackThis v1.99.1 
Scan saved at 18:01:30, on 06/06/2006 
Platform: Windows XP SP1 (WinNT 5.01.2600) 
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) 
 
Running processes: 
C:\WINDOWS\System32\smss.exe 
C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\svchost.exe 
C:\WINDOWS\system32\spoolsv.exe 
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 
C:\Program Files\Alwil Software\Avast4\ashServ.exe 
C:\Program Files\ewido anti-malware\ewidoctrl.exe 
C:\WINDOWS\System32\GEARSec.exe 
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe 
C:\WINDOWS\System32\nvsvc32.exe 
C:\WINDOWS\system32\ZoneLabs\vsmon.exe 
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe 
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe 
C:\WINDOWS\Explorer.EXE 
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe 
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe 
C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe 
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 
C:\WINDOWS\System32\ctfmon.exe 
C:\Documents and Settings\tofcc\Bureau\HijackThis.exe 
 
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup 
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit 
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" 
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s 
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T 
O4 - HKLM\..\Run: [A64Tweaker] "C:\Documents and Settings\tofcc\Bureau\\a64tweaker.exe" C:\Documents and Settings\tofcc\Bureau\\startup.a64 
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 9366256200 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe 
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) 
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) 
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe 
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe 
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe 
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe 
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe 
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe 
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Marsh Posted on 06-06-2006 at 18:06:53
Yes, CLEAN


EDIT: You really don't want to move to SP2?
Marsh Posted on 06-06-2006 at 18:23:51
well, I read that it caused bugs or peripheral incompatibilities....
Marsh Posted on 05-06-2006 at 19:25:26
good evening,


while running a benchmark this afternoon, I stopped my firewall and my antivirus but forgot to unplug the ADSL....
result:
at startup, I get a message from ZoneAlarm telling me that "microsoft operating system wants to connect"; I look in ZoneAlarm and it turns out to be algsec.exe...
I saw in the forum that it was a virus, but it's impossible to get rid of it; Norton 2005 doesn't see it and it's impossible to run online scans at Kaspersky, for example....
any help would be welcome!! thank you