Sujet Précédent Sujet Suivant

Rapport HijackThis... Spyware?

Résolu/Fermé
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009 - 30 avril 2009 à 21:16
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 - 19 mai 2009 à 05:53
Bonjour, j'ai un problèm avec ma vitesse internet de plus avec firefox je n'arrive jamais à accéder à google.ca. J'ai essayer de reinstaller Firefox mais aucun résulta et j'ai aussi quelque doute sur les programmes Java qui essaye de se connecter sur internet. Voici mon rapport HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:10:40, on 2009-04-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\Documents and Settings\HP_Propriétaire\boi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Gestionnaire de securite\Rps.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\HP_Propriétaire\boi.exe \s
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] "C:\Program Files\Bell\Gestionnaire de securite\Rps.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1241110619.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1241110619.exe work (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\1300312.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\1300312.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O21 - SSODL: tFYlokyAofQ - {542161B8-FE8B-CB12-FFF5-98F073A6B3AE} - C:\WINDOWS\system32\xcbv.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Gestionnaire de sécurité Sympatico (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\RpsSecurityAware.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe
A voir également:

19 réponses

Réponse 1 / 19
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 790
1 mai 2009 à 01:24
Bonsoir à tous les deux,


aloutchi, si tu n'es pas capable d'analyser un rapport hijackthis, ne dis pas n'importe quoi !
Tout ça c'est néfaste (et il y a d'autres lignes suspectes) :

O10 - Unknown file in Winsock LSP: c:\windows\system32\1300312.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\1300312.dll
O21 - SSODL: tFYlokyAofQ - {542161B8-FE8B-CB12-FFF5-98F073A6B3AE} - C:\WINDOWS\system32\xcbv.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)



Kimboo

Un seul sujet sur le forum Virus/Sécurité, ça suffit... Choisis celui où tu veux rester, et ferme l'autre.

Si tu restes ici, fais ceci stp :

• Télécharge et installe Malwarebytes' Anti-Malware
• A la fin de l'installation, veille à ce que l'option « mettre a jour Malwarebyte's Anti-Malware » soit cochée
• Lance MBAM et laisse les Mises à jour se télécharger (sinon fais les manuellement au lancement du programme)
• Puis va dans l'onglet "Recherche", coche "Exécuter un examen complet" puis "Rechercher"
• Sélectionne tes disques durs" puis clique sur "Lancer l’examen"
• A la fin du scan, clique sur Afficher les résultats
• Coche tous les éléments détectés puis clique sur Supprimer la sélection
• Enregistre le rapport
• S'il t'est demandé de redémarrer, clique sur Yes

• Poste dans ta prochaine réponse le rapport apparaissant après la suppression stp

4
Réponse 2 / 19
Utilisateur anonyme
30 avril 2009 à 21:19
Aucune infection ;)
0
Réponse 3 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
2 mai 2009 à 07:26
Alors voici mon rapport Malwarebytes':

Malwarebytes' Anti-Malware 1.36
Version de la base de données: 2062
Windows 5.1.2600 Service Pack 3

2009-05-01 07:16:37
mbam-log-2009-05-01 (07-16-21).txt

Type de recherche: Examen complet (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|)
Eléments examinés: 167548
Temps écoulé: 1 hour(s), 3 minute(s), 59 second(s)

Processus mémoire infecté(s): 1
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 1
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 1
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 14

Processus mémoire infecté(s):
C:\Documents and Settings\HP_Propriétaire\boi.exe (Backdoor.Bot) -> No action taken.

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{542161b8-fe8b-cb12-fff5-98f073a6b3ae} (Trojan.Downloader) -> No action taken.

Valeur(s) du Registre infectée(s):
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inetchk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tfylokyaofq (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> No action taken.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\documents and settings\hp_propriétaire\boi.exe -> No action taken.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\Documents and Settings\HP_Propriétaire\boi.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\temp\ms1241110619.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Propriétaire\Local Settings\temp\ms1240859922.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Propriétaire\Local Settings\temp\rsyncini.exe (Trojan.Shutdowner) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CNJQM3GN\inst[1].php (Trojan.Agent) -> No action taken.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0DMWYRNO\inst[1].php (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\ms1240862047.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\ms1240944893.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\ms1241027759.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\qmaks.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\xcbv.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UR11CYO5\inst[1].php (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> No action taken.



Voici aussi mon nouveau rapport HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:24:57, on 2009-05-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Gestionnaire de securite\Rps.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, \s,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] "C:\Program Files\Bell\Gestionnaire de securite\Rps.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\1300312.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\1300312.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de sécurité Sympatico (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\RpsSecurityAware.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: Spouleur d'impression (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe
0
Réponse 4 / 19
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 790
2 mai 2009 à 11:50
MalwareBytes a déjà fait une bonne partie de la désinfection, mais ce n'est pas fini


/!\ A l'attention de ceux qui passent sur ce sujet /!\
Le logiciel qui suit n'est pas à utiliser à la légère et peut faire des dégâts s'il est mal utilisé ! Ne le faites que si un helpeur du forum qui connait bien cet outil vous l'a recommandé.


/!\ Désactive tous tes logiciels de protection /!\

• Télécharge ComboFix (de sUBs) sur ton Bureau.
• Double-clique sur ComboFix.exe afin de le lancer.
• Il va te demander d'installer la console de récupération : accepte.
• Ne touche à rien pendant le scan.
• Lorsque la recherche sera terminée, un rapport apparaîtra. Poste ce rapport (C:\Combofix.txt) dans ta prochaine réponse.

Tutoriel officiel de Combofix : https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix

0

Vous n’avez pas trouvé la réponse que vous recherchez ?

Posez votre question
Réponse 5 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
2 mai 2009 à 21:51
Voici mon rapport ComboFix que j'ai demarer en mode sans échec:

ComboFix 09-05-02.4 - HP_Propriétaire 2009-05-02 15:36.4 - NTFSx86 MINIMAL
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.2.1036.18.503.343 [GMT -4:00]
Lancé depuis: c:\documents and settings\HP_Propriétaire\Bureau\ComboFix.exe
AV: Gestionnaire de sécurité Sympatico Antivirus *On-access scanning disabled* (Updated)
FW: Gestionnaire de sécurité Sympatico Coupe-feu *enabled*
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1300312.dll

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-04-02 au 2009-05-02 ))))))))))))))))))))))))))))))))))))
.

2009-04-30 18:31 . 2009-04-30 18:46 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-28 15:52 . 2009-04-29 00:11 -------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2009-04-27 19:54 . 2009-04-28 03:45 85 ----a-w c:\windows\system\hpsysdrv .DAT
2009-04-27 19:53 . 2009-04-27 19:53 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-27 19:18 . 2009-04-27 19:18 118784 ----a-w c:\windows\system32\sgcaqgj0e33a.dll
2009-04-27 19:18 . 2009-04-27 19:18 80191 ----a-w c:\windows\system32\qgceqgj0e33a .exe
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\documents and settings\All Users\Application Data\Raxco
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\program files\Raxco
2009-04-25 01:09 . 2009-04-25 01:09 -------- d-----w c:\program files\Personal Vault
2009-04-25 01:09 . 2009-04-25 02:18 53192 ----a-w c:\windows\system32\drivers\rp_skt32.sys
2009-04-25 01:08 . 2007-04-19 15:36 48384 ----a-w c:\windows\system32\drivers\rp_pkt32.sys
2009-04-25 01:08 . 2009-04-25 01:08 -------- d-----w c:\program files\Fichiers communs\Authentium
2009-04-25 01:08 . 2009-04-25 01:08 -------- d-----w c:\program files\CA
2009-04-25 01:08 . 2009-04-25 01:13 -------- d-----w c:\program files\Fichiers communs\Scanner
2009-04-25 00:09 . 2009-04-25 00:09 164816 ----a-w c:\windows\Crazi Video Uninstaller.exe
2009-04-25 00:09 . 2009-04-25 00:09 -------- d-----w c:\program files\Fichiers communs\River Past
2009-04-25 00:09 . 2009-04-25 00:09 -------- d-----w c:\program files\River Past
2009-04-24 19:32 . 2009-04-24 19:32 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-04-24 19:32 . 2009-04-24 19:32 -------- d-----w c:\program files\DAEMON Tools Lite
2009-04-21 19:36 . 2009-04-15 20:25 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-21 19:36 . 2009-04-15 20:25 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-04-21 19:36 . 2009-04-15 20:25 129784 ------w c:\windows\system32\pxafs.dll
2009-04-21 19:35 . 2009-04-21 19:36 -------- d-----w c:\program files\Fichiers communs\DivX Shared
2009-04-21 19:35 . 2009-04-21 19:37 -------- d-----w c:\program files\DivX
2009-04-16 07:03 . 2009-04-16 07:03 -------- d-sh--w c:\documents and settings\Default User\IETldCache
2009-04-16 04:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 04:20 . 2009-03-06 14:20 286720 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 04:20 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 04:20 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 04:20 . 2009-02-09 10:53 685568 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 04:20 . 2009-02-09 10:53 735744 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 04:20 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 04:20 . 2009-02-09 10:53 739840 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 04:20 . 2008-12-16 12:31 354304 -c----w c:\windows\system32\dllcache\winhttp.dll
2009-04-16 04:20 . 2008-04-21 21:15 219136 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w c:\windows\system32\DivX.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-04-11 00:33 . 2009-04-24 18:10 -------- d-----w c:\program files\Dofus
2009-04-10 07:32 . 2009-04-10 07:32 -------- d-----w c:\program files\iPod
2009-04-10 07:32 . 2009-04-10 07:33 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 07:32 . 2009-04-10 07:33 -------- d-----w c:\program files\iTunes
2009-04-09 20:49 . 2009-04-25 01:07 -------- d-----w c:\program files\Bell
2009-04-08 20:00 . 2009-04-08 20:00 -------- d-----w c:\program files\Subagames
2009-04-08 19:40 . 2009-04-28 15:51 -------- d-----w c:\program files\Pando Networks

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 19:32 . 2004-11-05 00:52 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-01 21:58 . 2008-12-25 21:56 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-05-01 16:00 . 2009-03-07 01:39 -------- d-----w c:\program files\EternityRO
2009-04-30 19:08 . 2009-01-18 18:18 -------- d-----w c:\program files\DNA
2009-04-25 01:06 . 2004-11-05 03:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 19:27 . 2008-12-26 00:19 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-24 18:29 . 2008-12-29 02:28 142 ----a-w c:\windows\system32\[u]0/u9wutili.sys
2009-04-16 07:22 . 2004-11-05 02:29 514960 ----a-w c:\windows\system32\perfh00C.dat
2009-04-16 07:22 . 2004-11-05 02:29 86478 ----a-w c:\windows\system32\perfc00C.dat
2009-04-15 20:25 . 2004-11-05 03:18 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2004-11-05 03:18 118520 ------w c:\windows\system32\pxinsi64.exe
2009-04-15 20:25 . 2004-07-13 14:03 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-04-10 07:32 . 2008-12-25 21:56 -------- d-----w c:\program files\Fichiers communs\Apple
2009-04-10 07:21 . 2008-12-25 22:11 -------- d-----w c:\program files\Notepad++
2009-04-10 01:54 . 2008-12-29 21:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-08 20:05 . 2009-01-02 02:08 -------- d-----w c:\program files\Common Files
2009-04-06 19:32 . 2008-12-29 21:28 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-29 21:28 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 05:29 . 2009-04-02 05:29 -------- d-----w c:\program files\Xilisoft
2009-03-29 23:53 . 2008-12-25 22:47 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 23:26 . 2008-12-26 00:23 -------- d-----w c:\program files\CDBurnerXP
2009-03-29 23:19 . 2009-03-29 23:19 -------- d-----w c:\program files\Fichiers communs\xing shared
2009-03-29 23:18 . 2004-11-05 03:22 -------- d-----w c:\program files\Fichiers communs\Real
2009-03-29 23:08 . 2008-12-25 19:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-29 23:08 . 2004-11-05 02:05 -------- d-----w c:\program files\Java
2009-03-29 23:02 . 2009-03-29 23:01 -------- d-----w c:\program files\Fichiers communs\Adobe
2009-03-29 03:59 . 2009-03-29 03:59 -------- d-----w c:\program files\Veoh Networks
2009-03-25 19:56 . 2004-11-05 03:56 -------- d-----w c:\program files\Easy Internet signup
2009-03-19 20:32 . 2004-04-06 05:42 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 04:38 . 2009-03-18 04:37 -------- d-----w c:\program files\Safari
2009-03-14 01:03 . 2009-03-14 00:51 -------- d-----w c:\program files\mIRC
2009-03-13 21:38 . 2009-03-13 21:38 -------- d-----w c:\program files\Gravity
2009-03-08 08:34 . 2004-11-05 02:29 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-11-05 02:28 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-11-05 02:28 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-11-05 02:29 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-11-05 02:28 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-11-05 02:28 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-11-05 02:28 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-11-05 02:28 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-11-05 02:28 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2008-12-24 22:28 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:20 . 2004-11-05 02:28 286720 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-18 04:54 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-12-25 21:59 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 20:27 . 2008-12-26 00:29 -------- d-----w c:\program files\Shareaza
2009-03-01 01:06 . 2009-03-01 01:06 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-02-21 21:02 . 2009-02-21 21:02 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-02-17 17:11 . 2009-02-17 17:11 24232 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 13:33 . 2009-02-17 13:33 89256 ----a-w c:\windows\system32\ElbyCDIO.dll
2009-02-10 23:06 . 2004-08-04 07:48 2068096 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 14:05 . 2004-11-05 02:29 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:24 . 2004-11-05 02:28 2191104 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2004-11-05 02:29 113152 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2004-11-05 02:28 735744 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-11-05 02:29 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:53 . 2004-11-05 02:28 739840 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:53 . 2004-11-05 02:28 685568 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 23:52 . 2009-02-06 23:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2008-12-24 22:29 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:58 . 2004-11-05 02:29 56832 ----a-w c:\windows\system32\secur32.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2004-08-05 03:00 14336 1BD6C2F707A275CB7C16FD99FE0F31CA c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 02:34 14336 E4BDF223CD75478BF44567B4D5C2634D c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 02:34 17408 432006FAC7181684AA4793B500814498 c:\windows\system32\svchost.exe

[7] 2004-08-05 03:00 506368 D2DE785AEAB0BB8CA4C14A8A199DBE4E c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 02:34 512000 DD73D6B9F6B4CB630CF35B438B540174 c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 02:34 516096 B00A21F741FE97ACB1ABADC807FEF738 c:\windows\system32\winlogon.exe

[-] 2008-04-14 02:34 1040384 2802CEB675BD478CFDBC1D076518EDCE c:\windows\explorer.exe
[7] 2004-08-05 03:00 1036288 4C33E5B9A6197B6ED215F6CFBA0A2DAA c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 02:34 1037824 F2317622D29F9FF0F88AEECD5F60F0DD c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2009-02-09 11:16 111104 62789101F9C2401ED598AA2CDE7450C0 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-05 03:00 108544 732E0B1ABAACE15D80EC19056B0A2AF9 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 02:34 109056 54CB50058851D95E56EC70D09F70857F c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-09 10:08 111104 9D6BF82FE50D55F20F8E10E0F6653886 c:\windows\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP2GDR\services.exe
[7] 2009-02-09 09:53 111104 51A24094F076961A7FF73E5F7E991D68 c:\windows\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP2QFE\services.exe
[7] 2009-02-09 11:23 111104 C3FB1D70CB88722267949694BA51759E c:\windows\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP3GDR\services.exe
[7] 2009-02-09 11:16 111104 62789101F9C2401ED598AA2CDE7450C0 c:\windows\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP3QFE\services.exe
[-] 2009-02-09 11:23 113152 12CFE1F7C37E6D9A9B522D6E24D0F611 c:\windows\system32\services.exe

[7] 2004-08-05 03:00 13312 9F3744A5C6F49291A7A685040A013399 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 02:34 13312 91E6024D6D4DCDECDB36C43ECF9BBECB c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 02:34 14848 6E46C46311B6A5D56C4245F50F4B7F15 c:\windows\system32\lsass.exe

[7] 2004-08-05 03:00 57856 B4EF928E4FAD79364A80ACBA6D999934 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 02:34 57856 460E4CE148BD07218DA0B6A3D31885A9 c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 02:34 58880 DD54714243A8525F6B9130E766E0356A c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Bell\Gestionnaire de securite\IdxClnR.exe" [2008-03-10 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSA.exe"="c:\program files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 2061816]
"Gestionnaire de sécurité Sympatico"="c:\program files\Bell\Gestionnaire de securite\Rps.exe" [2008-03-10 311024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"-FreedomNeedsReboot"="c:\program files\Bell\Gestionnaire de securite\ZkRunOnceR.exe" [2008-03-10 13552]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-07-29 2551808]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-11-4 45056]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\[u]0/uautocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Propriétaire^Menu Démarrer^Programmes^Démarrage^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\HP_Propriétaire\Menu Démarrer\Programmes\Démarrage\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Propriétaire^Menu Démarrer^Programmes^Démarrage^Xfire.lnk]
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\River Past\\Crazi Video\\CraziVideo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56260:TCP"= 56260:TCP:Pando Media Booster
"56260:UDP"= 56260:UDP:Pando Media Booster
"58121:TCP"= 58121:TCP:Pando Media Booster
"58121:UDP"= 58121:UDP:Pando Media Booster

R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\Personal Vault\VaultClientUpgrade.exe [2008-03-07 53248]
R3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2008-12-19 195752]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-16 2849844]
R3 Radialpoint Security Services;Gestionnaire de sécurité Sympatico;c:\program files\Bell\Gestionnaire de securite\RpsSecurityAware.exe [2008-03-10 67824]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contenu du dossier 'Tâches planifiées'

2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Examen supplémentaire -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Propriétaire\Application Data\Mozilla\Firefox\Profiles\[u]0/uiyl6nys.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 15:40
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(1864)
c:\windows\system32\ieframe.dll
c:\windows\system32\eappprxy.dll
.
Heure de fin: 2009-05-02 15:44 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-05-02 19:44

Avant-CF: 117 828 673 536 octets libres
Après-CF: 118 108 454 912 octets libres

257 --- E O F --- 2009-05-02 07:00


Voici mon nouveau rapport HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:50:50, on 2009-05-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Gestionnaire de securite\Rps.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] "C:\Program Files\Bell\Gestionnaire de securite\Rps.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de sécurité Sympatico (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\RpsSecurityAware.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: Spouleur d'impression (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe
0
Réponse 6 / 19
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 790
3 mai 2009 à 02:18
/!\ ATTENTION /!\ Le script qui suit a été écrit spécialement pour Kimboo, il n'est pas transposable sur un autre ordinateur !

• Télécharge ce dossier Kimboo.zip
• Fais un clic-droit dessus --> Extraire tout --> choisis le Bureau comme destination
• Un autre dossier va apparaitre, prends le fichier CFScript.txt qui se trouve à l'intérieur et place le sur le Bureau.

• Désactive tes logiciels de protection
• Fais un glisser/déposer de ce fichier CFScript.txt sur le fichier Combofix.exe

• Patiente le temps du scan. Le Bureau va disparaître à plusieurs reprises : c'est normal ! Ne touche à rien tant que le scan n'est pas terminé.
• Une fois le scan achevé, un rapport va s'afficher: poste son contenu.
• Si le fichier ne s'ouvre pas, il se trouve ici → C:\ComboFix.txt

0
Réponse 7 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
4 mai 2009 à 04:33
Rapport ComboFix

ComboFix 09-05-03.1 - HP_Propriétaire 2009-05-03 22:21.6 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.2.1036.18.503.230 [GMT -4:00]
Lancé depuis: c:\documents and settings\HP_Propriétaire\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\HP_Propriétaire\Bureau\CFScript.txt
AV: Gestionnaire de sécurité Sympatico Antivirus *On-access scanning disabled* (Updated)
FW: Gestionnaire de sécurité Sympatico Coupe-feu *disabled*

FILE ::
c:\windows\system32\[u]0/u9wutili.sys
c:\windows\system32\GameMon.des
c:\windows\system32\qgceqgj0e33a .exe
c:\windows\system32\sgcaqgj0e33a.dll
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DAEMON Tools Toolbar
c:\windows\system32\[u]0/u9wutili.sys
c:\windows\system32\GameMon.des
c:\windows\system32\qgceqgj0e33a .exe
c:\windows\system32\sgcaqgj0e33a.dll

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npggsvc


((((((((((((((((((((((((((((( Fichiers créés du 2009-04-04 au 2009-05-04 ))))))))))))))))))))))))))))))))))))
.

2009-04-30 18:31 . 2009-04-30 18:46 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-28 15:52 . 2009-04-29 00:11 -------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2009-04-27 19:54 . 2009-04-28 03:45 85 ----a-w c:\windows\system\hpsysdrv .DAT
2009-04-27 19:53 . 2009-04-27 19:53 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\documents and settings\All Users\Application Data\Raxco
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\program files\Raxco
2009-04-25 01:09 . 2009-04-25 01:09 -------- d-----w c:\program files\Personal Vault
2009-04-25 01:09 . 2009-04-25 02:18 53192 ----a-w c:\windows\system32\drivers\rp_skt32.sys
2009-04-25 01:08 . 2007-04-19 15:36 48384 ----a-w c:\windows\system32\drivers\rp_pkt32.sys
2009-04-25 01:08 . 2009-04-25 01:08 -------- d-----w c:\program files\Fichiers communs\Authentium
2009-04-25 01:08 . 2009-04-25 01:08 -------- d-----w c:\program files\CA
2009-04-25 01:08 . 2009-04-25 01:13 -------- d-----w c:\program files\Fichiers communs\Scanner
2009-04-25 00:09 . 2009-04-25 00:09 164816 ----a-w c:\windows\Crazi Video Uninstaller.exe
2009-04-25 00:09 . 2009-04-25 00:09 -------- d-----w c:\program files\Fichiers communs\River Past
2009-04-25 00:09 . 2009-04-25 00:09 -------- d-----w c:\program files\River Past
2009-04-24 19:32 . 2009-04-24 19:32 -------- d-----w c:\program files\DAEMON Tools Lite
2009-04-21 19:36 . 2009-04-15 20:25 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-21 19:36 . 2009-04-15 20:25 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-04-21 19:36 . 2009-04-15 20:25 129784 ------w c:\windows\system32\pxafs.dll
2009-04-21 19:35 . 2009-04-21 19:36 -------- d-----w c:\program files\Fichiers communs\DivX Shared
2009-04-21 19:35 . 2009-04-21 19:37 -------- d-----w c:\program files\DivX
2009-04-16 07:03 . 2009-04-16 07:03 -------- d-sh--w c:\documents and settings\Default User\IETldCache
2009-04-16 04:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 04:20 . 2009-03-06 14:20 286720 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 04:20 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 04:20 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 04:20 . 2009-02-09 10:53 685568 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 04:20 . 2009-02-09 10:53 735744 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 04:20 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 04:20 . 2009-02-09 10:53 739840 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 04:20 . 2008-12-16 12:31 354304 -c----w c:\windows\system32\dllcache\winhttp.dll
2009-04-16 04:20 . 2008-04-21 21:15 219136 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w c:\windows\system32\DivX.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-04-11 00:33 . 2009-04-24 18:10 -------- d-----w c:\program files\Dofus
2009-04-10 07:32 . 2009-04-10 07:32 -------- d-----w c:\program files\iPod
2009-04-10 07:32 . 2009-04-10 07:33 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 07:32 . 2009-04-10 07:33 -------- d-----w c:\program files\iTunes
2009-04-09 20:49 . 2009-04-25 01:07 -------- d-----w c:\program files\Bell
2009-04-08 20:00 . 2009-04-08 20:00 -------- d-----w c:\program files\Subagames
2009-04-08 19:40 . 2009-04-28 15:51 -------- d-----w c:\program files\Pando Networks

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 02:25 . 2004-11-05 00:52 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-01 21:58 . 2008-12-25 21:56 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-05-01 16:00 . 2009-03-07 01:39 -------- d-----w c:\program files\EternityRO
2009-04-30 19:08 . 2009-01-18 18:18 -------- d-----w c:\program files\DNA
2009-04-25 01:06 . 2004-11-05 03:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 19:27 . 2008-12-26 00:19 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-16 07:22 . 2004-11-05 02:29 514960 ----a-w c:\windows\system32\perfh00C.dat
2009-04-16 07:22 . 2004-11-05 02:29 86478 ----a-w c:\windows\system32\perfc00C.dat
2009-04-15 20:25 . 2004-11-05 03:18 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2004-11-05 03:18 118520 ------w c:\windows\system32\pxinsi64.exe
2009-04-15 20:25 . 2004-07-13 14:03 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-04-10 07:32 . 2008-12-25 21:56 -------- d-----w c:\program files\Fichiers communs\Apple
2009-04-10 07:21 . 2008-12-25 22:11 -------- d-----w c:\program files\Notepad++
2009-04-10 01:54 . 2008-12-29 21:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-08 20:05 . 2009-01-02 02:08 -------- d-----w c:\program files\Common Files
2009-04-06 19:32 . 2008-12-29 21:28 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-29 21:28 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 05:29 . 2009-04-02 05:29 -------- d-----w c:\program files\Xilisoft
2009-03-29 23:53 . 2008-12-25 22:47 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 23:26 . 2008-12-26 00:23 -------- d-----w c:\program files\CDBurnerXP
2009-03-29 23:19 . 2009-03-29 23:19 -------- d-----w c:\program files\Fichiers communs\xing shared
2009-03-29 23:18 . 2004-11-05 03:22 -------- d-----w c:\program files\Fichiers communs\Real
2009-03-29 23:08 . 2008-12-25 19:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-29 23:08 . 2004-11-05 02:05 -------- d-----w c:\program files\Java
2009-03-29 23:02 . 2009-03-29 23:01 -------- d-----w c:\program files\Fichiers communs\Adobe
2009-03-29 03:59 . 2009-03-29 03:59 -------- d-----w c:\program files\Veoh Networks
2009-03-25 19:56 . 2004-11-05 03:56 -------- d-----w c:\program files\Easy Internet signup
2009-03-19 20:32 . 2004-04-06 05:42 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 04:38 . 2009-03-18 04:37 -------- d-----w c:\program files\Safari
2009-03-14 01:03 . 2009-03-14 00:51 -------- d-----w c:\program files\mIRC
2009-03-13 21:38 . 2009-03-13 21:38 -------- d-----w c:\program files\Gravity
2009-03-08 08:34 . 2004-11-05 02:29 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-11-05 02:28 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-11-05 02:28 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-11-05 02:29 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-11-05 02:28 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-11-05 02:28 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-11-05 02:28 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-11-05 02:28 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-11-05 02:28 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2008-12-24 22:28 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:20 . 2004-11-05 02:28 286720 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-18 04:54 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-12-25 21:59 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-01 01:06 . 2009-03-01 01:06 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-02-21 21:02 . 2009-02-21 21:02 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-02-17 17:11 . 2009-02-17 17:11 24232 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 13:33 . 2009-02-17 13:33 89256 ----a-w c:\windows\system32\ElbyCDIO.dll
2009-02-10 23:06 . 2004-08-04 07:48 2068096 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 14:05 . 2004-11-05 02:29 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:24 . 2004-11-05 02:28 2191104 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2004-11-05 02:29 113152 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2004-11-05 02:28 735744 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-11-05 02:29 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:53 . 2004-11-05 02:28 739840 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:53 . 2004-11-05 02:28 685568 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 23:52 . 2009-02-06 23:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2008-12-24 22:29 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:58 . 2004-11-05 02:29 56832 ----a-w c:\windows\system32\secur32.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2004-08-05 03:00 14336 1BD6C2F707A275CB7C16FD99FE0F31CA c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 02:34 14336 E4BDF223CD75478BF44567B4D5C2634D c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 02:34 17408 432006FAC7181684AA4793B500814498 c:\windows\system32\svchost.exe

[7] 2004-08-05 03:00 506368 D2DE785AEAB0BB8CA4C14A8A199DBE4E c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 02:34 512000 DD73D6B9F6B4CB630CF35B438B540174 c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 02:34 516096 B00A21F741FE97ACB1ABADC807FEF738 c:\windows\system32\winlogon.exe

[-] 2008-04-14 02:34 1040384 2802CEB675BD478CFDBC1D076518EDCE c:\windows\explorer.exe
[7] 2004-08-05 03:00 1036288 4C33E5B9A6197B6ED215F6CFBA0A2DAA c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 02:34 1037824 F2317622D29F9FF0F88AEECD5F60F0DD c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2009-02-09 11:16 111104 62789101F9C2401ED598AA2CDE7450C0 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-05 03:00 108544 732E0B1ABAACE15D80EC19056B0A2AF9 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 02:34 109056 54CB50058851D95E56EC70D09F70857F c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-09 10:08 111104 9D6BF82FE50D55F20F8E10E0F6653886 c:\windows\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP2GDR\services.exe
[7] 2009-02-09 09:53 111104 51A24094F076961A7FF73E5F7E991D68 c:\windows\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP2QFE\services.exe
[7] 2009-02-09 11:23 111104 C3FB1D70CB88722267949694BA51759E c:\windows\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP3GDR\services.exe
[7] 2009-02-09 11:16 111104 62789101F9C2401ED598AA2CDE7450C0 c:\windows\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP3QFE\services.exe
[-] 2009-02-09 11:23 113152 12CFE1F7C37E6D9A9B522D6E24D0F611 c:\windows\system32\services.exe

[7] 2004-08-05 03:00 13312 9F3744A5C6F49291A7A685040A013399 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 02:34 13312 91E6024D6D4DCDECDB36C43ECF9BBECB c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 02:34 14848 6E46C46311B6A5D56C4245F50F4B7F15 c:\windows\system32\lsass.exe

[7] 2004-08-05 03:00 57856 B4EF928E4FAD79364A80ACBA6D999934 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 02:34 57856 460E4CE148BD07218DA0B6A3D31885A9 c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 02:34 58880 DD54714243A8525F6B9130E766E0356A c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-05-02_19.40.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 02:25 . 2009-05-04 02:25 16384 c:\windows\temp\Perflib_Perfdata_2e8.dat
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Bell\Gestionnaire de securite\IdxClnR.exe" [2008-03-10 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSA.exe"="c:\program files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 2061816]
"Gestionnaire de sécurité Sympatico"="c:\program files\Bell\Gestionnaire de securite\Rps.exe" [2008-03-10 311024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"-FreedomNeedsReboot"="c:\program files\Bell\Gestionnaire de securite\ZkRunOnceR.exe" [2008-03-10 13552]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2009-03-29 198160]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-07-29 2551808]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Bell\Gestionnaire de securite\IdxClnR.exe" [2008-03-10 61168]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-11-4 45056]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\[u]0/uautocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Propriétaire^Menu Démarrer^Programmes^Démarrage^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\HP_Propriétaire\Menu Démarrer\Programmes\Démarrage\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Propriétaire^Menu Démarrer^Programmes^Démarrage^Xfire.lnk]
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\River Past\\Crazi Video\\CraziVideo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56260:TCP"= 56260:TCP:Pando Media Booster
"56260:UDP"= 56260:UDP:Pando Media Booster
"58121:TCP"= 58121:TCP:Pando Media Booster
"58121:UDP"= 58121:UDP:Pando Media Booster

R3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2008-12-19 195752]
R3 Radialpoint Security Services;Gestionnaire de sécurité Sympatico;c:\program files\Bell\Gestionnaire de securite\RpsSecurityAware.exe [2008-03-10 67824]
S2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\Personal Vault\VaultClientUpgrade.exe [2008-03-07 53248]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contenu du dossier 'Tâches planifiées'

2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Examen supplémentaire -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Propriétaire\Application Data\Mozilla\Firefox\Profiles\[u]0/uiyl6nys.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 22:25
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(4036)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\docume~1\HP_PRO~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Bell\Gestionnaire de securite\Fws.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\windows\system32\wscntfy.exe
c:\program files\Bell\Gestionnaire de securite\rpsupdaterR.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Heure de fin: 2009-05-04 22:28 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-05-04 02:28
ComboFix2.txt 2009-05-02 23:05
ComboFix3.txt 2009-05-02 19:44

Avant-CF: 116 639 961 088 octets libres
Après-CF: 116 682 543 104 octets libres

300 --- E O F --- 2009-05-03 07:00


Toujours suivi de mon nouveau rapport HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:32:12, on 2009-05-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Bell\Gestionnaire de securite\RPS.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] "C:\Program Files\Bell\Gestionnaire de securite\Rps.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de sécurité Sympatico (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\RpsSecurityAware.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: Spouleur d'impression (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe
0
Réponse 8 / 19
Lyonnais92 Messages postés 25159 Date d'inscription vendredi 23 juin 2006 Statut Contributeur sécurité Dernière intervention 16 septembre 2016 1 536
4 mai 2009 à 08:21
Bonjour,

je m'incruste 30 sec.


Rends toi sur ce site :

https://www.virustotal.com/gui/

Clique sur parcourir et cherche ce fichier : c:\windows\system32\winlogon.exe

Clique sur Send File.

Un rapport va s'élaborer ligne à ligne.

Attends la fin. Il doit comprendre la taille du fichier envoyé.

Sauvegarde le rapport avec le bloc-note.

Copie le dans ta réponse.

Si VirusTotal indique que le fichier a déjà été analysé, cliquer sur le bouton Reanalyse le fichier maintenant
0
Réponse 9 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
5 mai 2009 à 03:59
Voila le rapport demander de plus après ton rapport j'ai refais un scan avec mon antivirus (Gestionnaire de sécurité sympatico) et il y a 2 fichiers qui sont en quarantaine et même après les avoir supprimer et redémarrer l'ordinateur ils reviennent en quarantaine. Les fichiers sont:
- C:\WINDOWS\SYSTEM32\SERVICES.EXE
- C:\WINDOWS\SYSTEM32\spoolsv.exe


Antivirus Version Dernière mise à jour Résultat
a-squared 4.0.0.101 2009.05.05 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.05.04 Win32/Liger
AntiVir 7.9.0.160 2009.05.04 TR/Patched.AA.716
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.04 W32/Patched.D.gen!Eldorado
Avast 4.8.1335.0 2009.05.04 Win32:Patched-CK
AVG 8.5.0.327 2009.05.04 Win32/PEPatch.AO
BitDefender 7.2 2009.05.04 Trojan.Patched.U
CAT-QuickHeal 10.00 2009.05.04 Trojan.Patched.AA
ClamAV 0.94.1 2009.05.04 Trojan.Agent-5069
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.05 Trojan.Starter.384
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6489 2009.05.05 -
F-Prot 4.4.4.56 2009.05.04 W32/Patched.D.gen!Eldorado
F-Secure 8.0.14470.0 2009.05.04 Trojan.Win32.Patched.aa
Fortinet 3.117.0.0 2009.05.04 W32/Patched.CX
GData 19 2009.05.05 Trojan.Patched.U
Ikarus T3.1.1.49.0 2009.05.05 Trojan.Win32.Patched
K7AntiVirus 7.10.723 2009.05.04 -
Kaspersky 7.0.0.125 2009.05.05 Trojan.Win32.Patched.aa
McAfee 5605 2009.05.04 W32/PEPatcher.c
McAfee+Artemis 5605 2009.05.04 W32/PEPatcher.c
McAfee-GW-Edition 6.7.6 2009.05.04 Trojan.Patched.AA.716
Microsoft 1.4602 2009.05.04 TrojanDownloader:Win32/Donise.C!patched
NOD32 4052 2009.05.04 Win32/TrojanProxy.Agent.NCI
Norman 6.01.05 2009.05.04 W32/Patched.A
nProtect 2009.1.8.0 2009.05.04 Virus/W32.Patched.G
Panda 10.0.0.14 2009.05.04 -
PCTools 4.4.2.0 2009.05.03 Win32.Agent.IMP
Prevx1 3.0 2009.05.05 -
Prevx1 V2 2009.05.05 -
Rising 21.28.04.00 2009.05.04 Trojan.Win32.Patched.aa
Sophos 4.41.0 2009.05.05 W32/Liger-A
Sunbelt 3.2.1858.2 2009.05.04 -
Symantec 1.4.4.12 2009.05.05 Trojan.Patchep!inf
TheHacker 6.3.4.1.318 2009.05.04 W32/PEPatcher.gen
TrendMicro 8.950.0.1092 2009.05.04 PE_PATCHEP.A
VBA32 3.12.10.4 2009.05.04 -
ViRobot 2009.5.4.1719 2009.05.04 Win32.Patched.C
VirusBuster 4.6.5.0 2009.05.04 Win32.Agent.IMP
Information additionnelle
File size: 516096 bytes
MD5...: b00a21f741fe97acb1abadc807fef738
SHA1..: c337129642d30df0ca9bdfb3d7bb1bfcb865688e
SHA256: eaf2f2a04f3dcbc53904ae836acb483272a0785e6a904e796b4e961da09a26c8
SHA512: 93409eefc4dacc14cb03b2ae33e78476aa019db907500bcb09f2616ab5b43da8
3e21d7c4b2c4324d7ee4147e94ddfd3bf72f27f11bac96618ebb535f056160ea
ssdeep: 6144:qNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:Fdz+
lcDKao6nSKHsRqOMgxZg
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x82000
timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x70991 0x70a00 6.82 82b1e7e83279c56e34dc6c6e8c33f81d
.data 0x72000 0x4e70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d
.rsrc 0x77000 0xc000 0xb200 3.49 a16a665aea68fe1c7e91d01de8e72898

( 20 imports )
> ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
> AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
> CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
> GDI32.dll: RemoveFontResourceW, AddFontResourceW
> KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
> msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
> NDdeApi.dll: -, -, -, -
> ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
> PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
> PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
> REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
> RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
> Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
> USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
> USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
> WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
> WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
> WS2_32.dll: -, -, getaddrinfo

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
0
Réponse 10 / 19
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 790
6 mai 2009 à 15:20
Re,


Excuse moi pour le délai de réponse, je ne suis pas venu sur le forum hier.

Tu as un problème : certains fichiers systèmes de ton ordinateur sont infectés... Merci à Lyonnais92 d'avoir mis le doigt sur ce problème :)
As-tu un CD de Windows ?

0
Réponse 11 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
7 mai 2009 à 07:41
oui j'ai le CD de Windows XP Famillial, qui est venu avec mon ordinateur HP. Il est diviser en 8 CDs mais c'est belle et bien des CD Windows. Que dois-je faire avec?
0
Réponse 12 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
10 mai 2009 à 00:12
Quelqu'un peut me dire quoi faire avec les CDs si je peux faire quoi que se soit avec ?
0
Réponse 13 / 19
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 790
10 mai 2009 à 21:01
Ce sont probablement des CD de réinitialisation, et pas des CD d'installation de Windows


On va voir si on peut faire sans... Pour ça, il faudrait que tu analyses à nouveau un fichier sur VirusTotal :

• Rends toi sur le site https://www.virustotal.com/gui/
• Clique sur Parcourir, et navigue jusqu'au fichier suivant et valide : c:\windows\ServicePackFiles\i386\winlogon.exe
• Clique sur "Envoyer le fichier" : s'il a déjà été analysé, demande une nouvelle analyse.
• Fais un copier/coller du rapport sur le forum.

Si tu ne trouves pas le fichier, fais ceci :
• Menu Démarrer --> Panneau de configuration --> Options des dossiers --> Affichage
• Coche "Afficher les fichiers et dossiers cachés", décoche "Masquer les extensions de fichiers connus", décoche "Masquer les fichiers protégés du Système", puis valide.
• Tu pourras à nouveau masquer les fichiers cachés une fois la manipulation terminée, si tu le souhaites.

0
Réponse 14 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
11 mai 2009 à 01:21
Antivirus Version Dernière mise à jour Résultat
a-squared 4.0.0.101 2009.05.10 -
AhnLab-V3 5.0.0.2 2009.05.09 -
AntiVir 7.9.0.166 2009.05.10 -
Antiy-AVL 2.0.3.1 2009.05.08 -
Authentium 5.1.2.4 2009.05.10 -
Avast 4.8.1335.0 2009.05.10 -
AVG 8.5.0.327 2009.05.10 -
BitDefender 7.2 2009.05.11 -
CAT-QuickHeal 10.00 2009.05.09 -
ClamAV 0.94.1 2009.05.10 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.10 -
eSafe 7.0.17.0 2009.05.10 -
eTrust-Vet 31.6.6497 2009.05.08 -
F-Prot 4.4.4.56 2009.05.10 -
F-Secure 8.0.14470.0 2009.05.11 -
Fortinet 3.117.0.0 2009.05.10 -
GData 19 2009.05.11 -
Ikarus T3.1.1.49.0 2009.05.10 -
K7AntiVirus 7.10.729 2009.05.08 -
Kaspersky 7.0.0.125 2009.05.10 -
McAfee 5611 2009.05.10 -
McAfee+Artemis 5611 2009.05.10 -
McAfee-GW-Edition 6.7.6 2009.05.10 -
Microsoft 1.4602 2009.05.10 -
NOD32 4063 2009.05.08 -
Norman 6.01.05 2009.05.08 -
nProtect 2009.1.8.0 2009.05.10 -
Panda 10.0.0.14 2009.05.10 -
PCTools 4.4.2.0 2009.05.07 -
Prevx 3.0 2009.05.11 -
Rising 21.28.62.00 2009.05.10 -
Sophos 4.41.0 2009.05.10 -
Sunbelt 3.2.1858.2 2009.05.09 -
Symantec 1.4.4.12 2009.05.11 -
TheHacker 6.3.4.1.324 2009.05.09 -
TrendMicro 8.950.0.1092 2009.05.08 -
VBA32 3.12.10.4 2009.05.09 -
ViRobot 2009.5.9.1727 2009.05.09 -
VirusBuster 4.6.5.0 2009.05.10 -
Information additionnelle
File size: 512000 bytes
MD5...: dd73d6b9f6b4cb630cf35b438b540174
SHA1..: 2904328b7e27f004042d4f83440c50659d64018b
SHA256: ecef5a07dbc72e99adcb82af4dab143f5a2bad3812ccbfa87ea5e82e29e133fa
SHA512: 4a748522b3b31dc5e7e47aec2456a0ed069b6ca3f05d20b25b5177975b62eaf8
c5fab40aee5b798b0f05250611ba9ee1d2f71d2eb1a64bf1a49484855705a321
ssdeep: 6144:SNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYlg:tdz
+lcDKao6nSKHsRqOMgxZgp
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3e5e1
timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x70991 0x70a00 6.82 82b1e7e83279c56e34dc6c6e8c33f81d
.data 0x72000 0x4e70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d
.rsrc 0x77000 0xa18c 0xa200 3.69 2de1a63c2a7883cf163c3699bb614883

( 20 imports )
> ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
> AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
> CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
> GDI32.dll: RemoveFontResourceW, AddFontResourceW
> KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
> msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
> NDdeApi.dll: -, -, -, -
> ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
> PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
> PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
> REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
> RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
> Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
> USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
> USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
> WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
> WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
> WS2_32.dll: -, -, getaddrinfo

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=dd73d6b9f6b4cb630cf35b438b540174' target='_blank'>http://research.sunbelt-software.com/...
0
Réponse 15 / 19
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 790
11 mai 2009 à 17:12
On va devoir utiliser la console de récupération pour remplacer le fichier winlogon infecté par celui que je viens de te faire analyser.

Mais avant, je voudrais que tu analyses ces trois là avec VirusTotal, pour voir s'ils ne sont pas également infectés...
c:\windows\system32\svchost.exe
c:\windows\explorer.exe
c:\windows\system32\lsass.exe

S'il le faut, on les remplacera aussi par des fichiers sains.

0
Réponse 16 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
13 mai 2009 à 03:24
c:\windows\system32\svchost.exe

Antivirus Version Dernière mise à jour Résultat
a-squared 4.0.0.101 2009.05.13 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.05.12 Win32/Liger
AntiVir 7.9.0.166 2009.05.12 HEUR/Malware
Antiy-AVL 2.0.3.1 2009.05.12 -
Authentium 5.1.2.4 2009.05.13 W32/Patched.D.gen!Eldorado
Avast 4.8.1335.0 2009.05.12 Win32:Patched-CK
AVG 8.5.0.327 2009.05.12 Win32/PEPatch.AO
BitDefender 7.2 2009.05.13 Trojan.Patched.U
CAT-QuickHeal 10.00 2009.05.12 Trojan.Patched.AA
ClamAV 0.94.1 2009.05.13 Trojan.Agent-5069
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.13 Trojan.Starter.384
eSafe 7.0.17.0 2009.05.12 -
eTrust-Vet 31.6.6502 2009.05.12 -
F-Prot 4.4.4.56 2009.05.13 W32/Patched.D.gen!Eldorado
F-Secure 8.0.14470.0 2009.05.13 Trojan.Win32.Patched.aa
Fortinet 3.117.0.0 2009.05.12 W32/Patched.CX
GData 19 2009.05.13 Trojan.Patched.U
Ikarus T3.1.1.49.0 2009.05.13 Trojan.Win32.Patched
K7AntiVirus 7.10.732 2009.05.11 -
Kaspersky 7.0.0.125 2009.05.12 Trojan.Win32.Patched.aa
McAfee 5613 2009.05.12 W32/PEPatcher.c
McAfee+Artemis 5613 2009.05.12 W32/PEPatcher.c
McAfee-GW-Edition 6.7.6 2009.05.12 Heuristic.Malware
Microsoft 1.4602 2009.05.12 TrojanDownloader:Win32/Donise.C!patched
NOD32 4068 2009.05.12 Win32/TrojanProxy.Agent.NCI
Norman 6.01.05 2009.05.12 W32/Patched.A
nProtect 2009.1.8.0 2009.05.13 Virus/W32.Patched.G
Panda 10.0.0.14 2009.05.12 W32/Patchlog.D
PCTools 4.4.2.0 2009.05.07 Win32.Agent.IMP
Prevx 3.0 2009.05.13 -
Rising 21.29.14.00 2009.05.12 Trojan.Win32.Patched.aa
Sophos 4.41.0 2009.05.12 W32/Liger-A
Sunbelt 3.2.1858.2 2009.05.12 -
Symantec 1.4.4.12 2009.05.13 Trojan.Patchep!inf
TheHacker 6.3.4.1.325 2009.05.12 W32/PEPatcher.gen
TrendMicro 8.950.0.1092 2009.05.12 PE_PATCHEP.A
VBA32 3.12.10.5 2009.05.13 -
ViRobot 2009.5.12.1731 2009.05.12 Win32.Patched.C
VirusBuster 4.6.5.0 2009.05.12 Win32.Agent.IMP
Information additionnelle
File size: 17408 bytes
MD5...: 432006fac7181684aa4793b500814498
SHA1..: 91aaf3a910aa2efab880238d0f8d45c3c2930365
SHA256: 2b7147428fcd95f0bf7cba057800fd17d2cb63ff80a556177596139fba5ab000
SHA512: d96f61342342cc1b3743ad29ba9e7f0c4145940533fbdd12873c21059b29788f
dc9067189a9986c31abf853eece04b04d62f153004c4bcb4e24ce29895c971e1
ssdeep: 384:bdi+JmG6yqlCRaJt4RHS5LutGJae7g9VJnpWCNJbW:zcG6xlCRaJKGOA7SHJ
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6000
timedatestamp.....: 0x48025bc0 (Sun Apr 13 19:15:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 48331595af9d9d52b478844a07357653
.data 0x4000 0x210 0x200 1.62 cbd504e46c836e09e8faabdcfbabaec2
.rsrc 0x5000 0x2000 0x1200 1.54 73dc25eb35d0cd8ca20186dd6a344e96

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-







c:\windows\explorer.exe

Antivirus Version Dernière mise à jour Résultat
a-squared 4.0.0.101 2009.05.13 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.05.12 Win32/Liger
AntiVir 7.9.0.166 2009.05.12 TR/Patched.AA.689
Antiy-AVL 2.0.3.1 2009.05.12 Trojan/Win32.Patched
Authentium 5.1.2.4 2009.05.13 W32/Patched.D.gen!Eldorado
Avast 4.8.1335.0 2009.05.12 Win32:Patched-CK
AVG 8.5.0.327 2009.05.12 Win32/PEPatch.AO
BitDefender 7.2 2009.05.13 Trojan.Patched.U
CAT-QuickHeal 10.00 2009.05.12 Trojan.Patched.AA
ClamAV 0.94.1 2009.05.13 Trojan.Agent-5069
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.13 Trojan.Starter.384
eSafe 7.0.17.0 2009.05.12 -
eTrust-Vet 31.6.6502 2009.05.12 -
F-Prot 4.4.4.56 2009.05.13 W32/Patched.D.gen!Eldorado
F-Secure 8.0.14470.0 2009.05.13 Trojan.Win32.Patched.aa
Fortinet 3.117.0.0 2009.05.12 W32/Patched.CX
GData 19 2009.05.13 Trojan.Patched.U
Ikarus T3.1.1.49.0 2009.05.13 Trojan.Win32.Patched
K7AntiVirus 7.10.732 2009.05.11 -
Kaspersky 7.0.0.125 2009.05.12 Trojan.Win32.Patched.aa
McAfee 5613 2009.05.12 W32/PEPatcher.c
McAfee+Artemis 5613 2009.05.12 W32/PEPatcher.c
McAfee-GW-Edition 6.7.6 2009.05.12 Trojan.Patched.AA.689
Microsoft 1.4602 2009.05.12 TrojanDownloader:Win32/Donise.C!patched
NOD32 4068 2009.05.12 Win32/TrojanProxy.Agent.NCI
Norman 6.01.05 2009.05.12 W32/Patched.A
nProtect 2009.1.8.0 2009.05.13 Virus/W32.Patched.G
Panda 10.0.0.14 2009.05.12 W32/PatchLog.gen
PCTools 4.4.2.0 2009.05.07 Win32.Agent.IMP
Prevx 3.0 2009.05.13 -
Rising 21.29.14.00 2009.05.12 Trojan.Win32.Patched.aa
Sophos 4.41.0 2009.05.12 W32/Liger-A
Sunbelt 3.2.1858.2 2009.05.12 -
Symantec 1.4.4.12 2009.05.13 Trojan.Patchep!inf
TheHacker 6.3.4.1.325 2009.05.12 W32/PEPatcher.gen
TrendMicro 8.950.0.1092 2009.05.12 PE_PATCHEP.A
VBA32 3.12.10.5 2009.05.13 -
ViRobot 2009.5.12.1731 2009.05.12 Win32.Patched.C
VirusBuster 4.6.5.0 2009.05.12 Win32.Agent.IMP
Information additionnelle
File size: 1040384 bytes
MD5...: 2802ceb675bd478cfdbc1d076518edce
SHA1..: 7453fa61c8ab831ac875487cd4fbcd4fd1f8a7a2
SHA256: 3e49bc5838a44e1c40ad89b2f1319143c9588ea3564f967f248676463293fdcc
SHA512: 0d3e5f91a5f4259a7019363d067d4e3effdfd2817eb33384971ad0e4101ce8d6
653a290539a282b814369d91ded3507c8c8c7e4fc537950d73f93a9c5c272428
ssdeep: 12288:zHmcoCUyZtwAvAs4wTCyrPT7lvGVa/oXqoJpaz/g/J/v1S:rmfty/wAvN7
lrPlvGEoXJaz/g/J/t
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100000
timedatestamp.....: 0x48025c30 (Sun Apr 13 19:17:04 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44c09 0x44e00 6.38 013207a9f70ec52b78392db51f333ff0
.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 0x48000 0xb3280 0xb3400 6.63 e73694f42fb4ef5e9b8ea017fcf60103
.reloc 0xfc000 0x5000 0x4200 6.32 bc122286e7d50db960ddbd0a23b3b085

( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-







c:\windows\system32\lsass.exe

Antivirus Version Dernière mise à jour Résultat
a-squared 4.0.0.101 2009.05.13 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.05.12 Win32/Liger
AntiVir 7.9.0.166 2009.05.12 HEUR/Malware
Antiy-AVL 2.0.3.1 2009.05.12 -
Authentium 5.1.2.4 2009.05.13 W32/Patched.D.gen!Eldorado
Avast 4.8.1335.0 2009.05.12 Win32:Patched-CK
AVG 8.5.0.327 2009.05.12 Win32/PEPatch.AO
BitDefender 7.2 2009.05.13 Trojan.Patched.U
CAT-QuickHeal 10.00 2009.05.12 Trojan.Patched.AA
ClamAV 0.94.1 2009.05.13 Trojan.Agent-5069
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.13 Trojan.Starter.384
eSafe 7.0.17.0 2009.05.12 -
eTrust-Vet 31.6.6502 2009.05.12 -
F-Prot 4.4.4.56 2009.05.13 W32/Patched.D.gen!Eldorado
F-Secure 8.0.14470.0 2009.05.13 Trojan.Win32.Patched.aa
Fortinet 3.117.0.0 2009.05.12 W32/Patched.CX
GData 19 2009.05.13 Trojan.Patched.U
Ikarus T3.1.1.49.0 2009.05.13 Trojan.Win32.Patched
K7AntiVirus 7.10.732 2009.05.11 -
Kaspersky 7.0.0.125 2009.05.12 Trojan.Win32.Patched.aa
McAfee 5613 2009.05.12 W32/PEPatcher.c
McAfee+Artemis 5613 2009.05.12 W32/PEPatcher.c
McAfee-GW-Edition 6.7.6 2009.05.12 Heuristic.Malware
Microsoft 1.4602 2009.05.12 TrojanDownloader:Win32/Donise.C!patched
NOD32 4068 2009.05.12 Win32/TrojanProxy.Agent.NCI
Norman 6.01.05 2009.05.12 W32/Patched.A
nProtect 2009.1.8.0 2009.05.13 Virus/W32.Patched.G
Panda 10.0.0.14 2009.05.12 W32/PatchLog.gen
PCTools 4.4.2.0 2009.05.07 Win32.Agent.IMP
Prevx 3.0 2009.05.13 -
Rising 21.29.14.00 2009.05.12 Trojan.Win32.Patched.aa
Sophos 4.41.0 2009.05.12 W32/Liger-A
Sunbelt 3.2.1858.2 2009.05.12 -
Symantec 1.4.4.12 2009.05.13 Trojan.Patchep!inf
TheHacker 6.3.4.1.325 2009.05.12 W32/PEPatcher.gen
TrendMicro 8.950.0.1092 2009.05.12 PE_PATCHEP.A
VBA32 3.12.10.5 2009.05.13 -
ViRobot 2009.5.12.1731 2009.05.12 Win32.Patched.C
VirusBuster 4.6.5.0 2009.05.12 Win32.Agent.IMP
Information additionnelle
File size: 14848 bytes
MD5...: 6e46c46311b6a5d56c4245f50f4b7f15
SHA1..: 272f3bcc107f7f6336be1a129fb4ab3efe49e215
SHA256: cbd711adc193e484ebed5681448d0b712c749fc144dd96029bd4b0dcea83f61b
SHA512: 30c61eebd3f99d26f2f5f908b82902d16b6df3dd75d51bfa99fb4df69d50cac5
fd302474abc5da5d60d907f88f661f59899f3d849749e20627407106b7490050
ssdeep: 384:ygHUJZXmtGDWkzLWT4a8WfMptsN0BhgO49:138z4zRfMpy0BF4
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6000
timedatestamp.....: 0x48025186 (Sun Apr 13 18:31:34 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10d0 0x1200 6.01 5501ba358fe3bca3fd6ff8d9d0ddcb45
.data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250
.rsrc 0x4000 0x3000 0x2200 6.46 92743c36eab44cfae94e919ceec96a1b

( 5 imports )
> ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf
> KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery
> ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter
> LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo
> SAMSRV.dll: SamIInitialize, SampUsingDsData

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
0
Réponse 17 / 19
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 790
13 mai 2009 à 20:44
Ok, ils sont tous infectés... Tu as installé la console de récupération quand tu as utilisé Combofix, c'est le moment de l'utiliser ;)

Au démarrage de l'ordinateur, il doit te demander brièvement sur quel système d'exploitation démarrer : choisis « Microsoft Windows Recovery Console » et appuie sur la touche "Entrée"
Patiente pendant qu'elle démarre.


# Tape « del C:\WINDOWS\system32\winlogon.exe » et appuie sur Entrée
# Tape « copy C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\WINDOWS\system32\winlogon.exe » et appuie sur Entrée

# Tape « del C:\WINDOWS\system32\svchost.exe » et appuie sur Entrée
# Tape « copy C:\WINDOWS\ServicePackFiles\i386\svchost.exe C:\WINDOWS\system32\svchost.exe » et appuie sur Entrée

# Tape « del C:\WINDOWS\system32\explorer.exe » et appuie sur Entrée
# Tape « copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\WINDOWS\system32\explorer.exe » et appuie sur Entrée

# Tape « del C:\WINDOWS\system32\lsass.exe » et appuie sur Entrée
# Tape « copy C:\WINDOWS\ServicePackFiles\i386\lsass.exe C:\WINDOWS\system32\lsass.exe » et appuie sur Entrée

# Tape « del C:\WINDOWS\system32\spoolsv.exe » et appuie sur Entrée
# Tape « copy C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe C:\WINDOWS\system32\spoolsv.exe » et appuie sur Entrée

# Tape « del C:\WINDOWS\system32\services.exe » et appuie sur Entrée
# Tape « copy C:\WINDOWS\ServicePackFiles\i386\services.exe C:\WINDOWS\system32\services.exe » et appuie sur Entrée

# Tape « Exit » et appuie sur Entrée.
# L'ordinateur va redémarrer


Tu dois obligatoire avoir une confirmation à chaque fois que tu copies un fichier ("1 fichier copié")


Exemple en image : http://sd-1.archive-host.com/membres/up/7739387536519291/ConsoleRecup.png

0
Réponse 18 / 19
Kimboo Messages postés 49 Date d'inscription jeudi 14 août 2008 Statut Membre Dernière intervention 18 mai 2009
18 mai 2009 à 21:41
Après plusieurs essaies, la console de récupération ne voulait pas démarrer et les problèmes commencer à s'empirer j'ai alors sauvegarder se que je pouvais et j'ai formater mon ordinateur. Merci pour le suivi et pour toute l'aide!
0
Réponse 19 / 19
anthony5151 Messages postés 10573 Date d'inscription vendredi 27 juin 2008 Statut Contributeur sécurité Dernière intervention 2 mars 2015 790
19 mai 2009 à 05:53
Ok, désolé que ça n'ait pas suffit à régler le problème.

Bonne continuation ;)
0

Discussions similaires

Impossible d'afficher le rapport de tableau croisé dynamique sur un rapport
Utilisateur anonyme -
TomH. -

13 réponses
écrire un rapport de travail
asi -
REGINALD -

3 réponses
Trojan alerte
Titou43 -
gen-hackman -

23 réponses
impossible d'afficher le tableau dynamique sur un rapport existant
Pierre -
Adrien71 -

3 réponses
Windows defender: avertissement de sécurité
surfinia -
Tchoumi -

20 réponses