Analyse hijackthis

leblou -  
 gen-hackman -
Bonjour,j'aimerais savoir ci je suis infecté par un cheval de troie ou autres virus et de me dire quoi faire ci je suis infecté merci de votre aides ;)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54:03, on 2009-10-12
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/en-ca?checklang=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.update.microsoft.com/windowsupdate/v6/default.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: avgui.lnk = C:\Program Files\AVG\AVG8\avgui.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5792 bytes
Configuration: Windows XP
Firefox 3.5.3

2 réponses

  1. gen-hackman
     
    salut :

    Desactive ton antivirus le temps de la manip ainsi que ton parefeu si présent

    ▶ Télécharge List&Kill'em et enregistre le sur ton bureau

    Il ne necessite pas d'installation

    ▶double clic (clic droit "executer en tant qu'administrateur" pour Vista) pour lancer le scan

    choisis la langue puis choisis l'option 1 = Mode Recherche

    ▶laisse travailler l'outil

    le rapport va s'afficher , une fois le scan fini

    ▶colle le contenu dans ta prochaine réponse
    0
    1. leblou
       
      List'em by g3n-h@ckm@n 1.0.4.2

      updated on 09.10.2009 ::::: 14.30

      Windows_NT

      Microsoft Windows XP [version 5.1.2600]


      2009-10-12 20:24:00,42

      ======================
      Cles de demarrage "Run"
      ======================
      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "msnmsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe\" /background"
      "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
      "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
      @=""

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
      "Installed"="1"
      @=""

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
      "NoChange"="1"
      "Installed"="1"
      @=""

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
      "Installed"="1"
      @=""

      =====================
      cles additionnelles
      =====================
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "dontdisplaylastusername"=dword:00000000
      "legalnoticecaption"=""
      "legalnoticetext"=""
      "shutdownwithoutlogon"=dword:00000001
      "undockwithoutlogon"=dword:00000001

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
      "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
      "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
      "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
      "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
      "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
      @=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
      @="AcroIEHelperStub"
      "NoExplorer"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
      @="WormRadar.com IESiteBlocker.NavFilter"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}]
      @="XML module"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
      @=""

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
      "NoExplorer"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
      @="JQSIEStartDetectorImpl"
      "NoExplorer"=dword:00000001

      ===============
      Path : C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;;C:\Program Files\QuickTime\QTSystem\
      ===============
      ¤¤¤¤¤¤¤¤¤¤ Fichiers et dossiers presents :

      "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat"
      "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat"
      "C:\program files\WinPCap"
      "C:\WINDOWS\system32\drivers\npf.sys"
      "C:\WINDOWS\system32\Packet.dll"
      "C:\WINDOWS\system32\pthreadVC.dll"
      "C:\WINDOWS\system32\WanPacket.dll"
      "C:\WINDOWS\system32\wpcap.dll"

      ¤¤¤¤¤¤¤¤¤¤ Clés de registre Presentes :

      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb}
      HKCU\SOFTWARE\NordBull
      HKCU\SOFTWARE\XML
      HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF
      HKLM\SYSTEM\ControlSet001\Services\npf
      HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NPF
      HKLM\SYSTEM\ControlSet003\Services\npf
      HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF
      HKLM\SYSTEM\CurrentControlSet\Services\npf

      ¤¤¤¤¤¤¤¤¤¤ C:\WINDOWS\Prefetch :

      ADOBE_UPDATER.EXE-32E1E9B7.pf
      AGENTSVR.EXE-002E45AB.pf
      ALG.EXE-0F138680.pf
      APPLEMOBILEBACKUP.EXE-0C747D1B.pf
      APPLEMOBILEDEVICEHELPER.EXE-26E2CD91.pf
      APPLEMOBILEDEVICESERVICE.EXE-2220AFA1.pf
      AUTOCHK.EXE-2F8C59C3.pf
      AVGAM.EXE-1C82112E.pf
      AVGCMGR.EXE-1D29CBA8.pf
      AVGCSRVX.EXE-2F45B5C7.pf
      AVGEMC.EXE-008A9DEE.pf
      AVGNSX.EXE-3B2A5A79.pf
      AVGRSX.EXE-1893543C.pf
      AVGSCANX.EXE-006AF2EC.pf
      AVGUI.EXE-388E181A.pf
      AVGUPD.EXE-388A6FCA.pf
      AVGWDSVC.EXE-1AC4BEE6.pf
      AVS4YOUSOFTWARENAVIGATOR.EXE-2E4C213B.pf
      AVSVIDEOCONVERTER.EXE-2DA57741.pf
      CALC.EXE-02CD573A.pf
      CCLEANER.EXE-0BCE437C.pf
      CGUARD.EXE-1889187A.pf
      CMD.EXE-087B4001.pf
      CSRSS.EXE-12B63473.pf
      CTFMON.EXE-0E17969B.pf
      CVHELPER.EXE-278151C4.pf
      DEFRAG.EXE-273F131E.pf
      DFRGNTFS.EXE-269967DF.pf
      DIFXINSTALL32.EXE-2C1A388E.pf
      DISTNOTED.EXE-02950815.pf
      DLLHOST.EXE-205D880D.pf
      DRWTSN32.EXE-2B4B52AC.pf
      DWWIN.EXE-30875ADC.pf
      EXPLORER.EXE-082F38A9.pf
      FFMPEG.EXE-09FA24C9.pf
      FIREFOX.EXE-28641590.pf
      FIXCFG.EXE-293DC071.pf
      HELPSVC.EXE-2878DDA2.pf
      HIJACKTHIS.EXE-34A0FC79.pf
      IEXPLORE.EXE-27122324.pf
      IMAPI.EXE-0BF740A4.pf
      IPODSERVICE.EXE-3192DE38.pf
      ITUNES.EXE-1A268432.pf
      ITUNESHELPER.EXE-15823303.pf
      ITUNESPHOTOPROCESSOR.EXE-24970A75.pf
      ITUNESSETUP[1].EXE-01315CBF.pf
      JQS.EXE-1D781F77.pf
      JQSNOTIFY.EXE-24AE4A36.pf
      Layout.ini
      LIMEWIRE.EXE-1944953E.pf
      LOGON.SCR-151EFAEA.pf
      LOGONUI.EXE-0AF22957.pf
      LSASS.EXE-20DB6D1B.pf
      MDCRASHREPORTTOOL.EXE-0292A659.pf
      MDNSRESPONDER.EXE-02F30C6E.pf
      MIRC.EXE-0661EC22.pf
      MIRC635.EXE-1D9C645A.pf
      MIRC635[1].EXE-03CDC7F1.pf
      MIRC635[1].EXE-0A495D81.pf
      MIRC635[1].EXE-2E1B23DC.pf
      MIRC635[1].EXE-3225E378.pf
      MIRC635[1].EXE-34B773D1.pf
      MMC.EXE-1EF9AA05.pf
      MODE.COM-31685BAE.pf
      MSFEEDSSYNC.EXE-25E13438.pf
      MSIEXEC.EXE-2F8A8CAE.pf
      MSNMSGR.EXE-030AB647.pf
      MSPAINT.EXE-11CBB631.pf
      MSVS.EXE-129B5DE4.pf
      NMBGMONITOR.EXE-241A04E8.pf
      NMINDEXSTORESVR.EXE-22A7DEEF.pf
      NOTEPAD.EXE-336351A9.pf
      NTOSBOOT-B00DFAAD.pf
      PHOTOSNAPVIEWER.EXE-2371ED62.pf
      PING.EXE-31216D26.pf
      QTTASK.EXE-342507FB.pf
      REGSVR32.EXE-25EEFE2F.pf
      RUNDLL32.EXE-12E27DD0.pf
      RUNDLL32.EXE-1B245779.pf
      RUNDLL32.EXE-1BC55A4F.pf
      RUNDLL32.EXE-24F837E7.pf
      RUNDLL32.EXE-30702CB1.pf
      RUNDLL32.EXE-31201F94.pf
      RUNDLL32.EXE-32967E11.pf
      RUNDLL32.EXE-447157F3.pf
      RUNDLL32.EXE-451FC2C0.pf
      RUNDLL32.EXE-483801BA.pf
      RUNONCE.EXE-2803F297.pf
      SERVICES.EXE-2F433351.pf
      SETUPADMIN.EXE-00E8C1A1.pf
      SETUP_WM.EXE-3135CBD6.pf
      SHOWTIME.EXE-058E333F.pf
      SMSS.EXE-22F38377.pf
      SOFTWAREUPDATE.EXE-1415D1B8.pf
      SPOOLSV.EXE-282F76A7.pf
      SVCHOST.EXE-3530F672.pf
      SYNCSERVER.EXE-2A76C6C1.pf
      TASKMGR.EXE-20256C55.pf
      TM++.EXE-1D5D5AEF.pf
      TM++.EXE-301453CE.pf
      UNINS000.EXE-05D063A4.pf
      UNINS000.EXE-2ACC00B3.pf
      UNINSTALL.EXE-0D8C4BB0.pf
      UNINSTALL.EXE-1A1A7A8B.pf
      UPDATE.EXE-34169F25.pf
      UPDATE.EXE-3A43BFC4.pf
      UPGRADEDB.EXE-14BA3B8B.pf
      USERINIT.EXE-30B18140.pf
      UTORRENT.EXE-3888D1B0.pf
      UTTB9.TMP.EXE-108ED471.pf
      VERCLSID.EXE-3667BD89.pf
      WEATHEREYE.EXE-08D1DEDD.pf
      WIAACMGR.EXE-212ED878.pf
      WINLOGON.EXE-32C57D49.pf
      WINRAR.EXE-39C6DAD9.pf
      WLCOMM.EXE-04AE9009.pf
      WLLOGINPROXY.EXE-2D4B6027.pf
      WLOOBE.EXE-022B16AF.pf
      WLSCUPLOADER.EXE-07B0EAB3.pf
      WLSETUP-CVR.EXE-1F9CAB8B.pf
      WMIAPSRV.EXE-1E2270A5.pf
      WMIPRVSE.EXE-28F301A9.pf
      WMPLAYER.EXE-18DDEF9C.pf
      WMPLAYER.EXE-18DDEFA2.pf
      WMPLAYER.EXE-18DDEFA3.pf
      WMPLAYER.EXE-18DDEFA4.pf
      WMPLAYER.EXE-18DDEFA5.pf
      WORDPAD.EXE-02314C89.pf
      WUAUCLT.EXE-399A8E72.pf
      _IU14D2N.TMP-076A33A4.pf




      ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
      0
  2. gen-hackman
     
    REDEMARRE EN MODE SANS ECHEC , puis :

    ▶ Relance List&Kill'em comme tu as fait pour l'option 1 (soit en clic droit pour vista),

    mais cette fois-ci :

    ▶ choisis l'option 2 = Mode Destruction

    laisse travailler l'outil

    apres les verifications , un rapport va s'ouvrir.

    ▶ ferme-le.

    un deuxieme rapport va s'ouvrir ,

    ▶ colle son contenu dans ta reponse
    0