Major infection!!!

Gwinoo -  
balltrap34 Posts: 16241 Status: Security contributor -
Hello,
Can someone analyse this ActiveScan report? Thanks...

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\WINDOWS\FT*_GEPFAH.EXE
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\newmsrdk
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/SBSoft No disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\inst
Virus:Eicar.Mod No disinfected C:\data1.cab[eicar.html]
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Julie Rivard\Application Data\eumn.exe
Spyware:Spyware/AdClicker No disinfected C:\Documents and Settings\Julie Rivard\Application Data\taskmon.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[aOaamon.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[bkowsewm.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[d8j02i1mg8.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[dLdpmesh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[dn0401dqe.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[donlobby.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[fp4603hse.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[gp4ml3h11.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[gp4ol3h31.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[gppol3731.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[jtru0799e.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[k2pm0c71ef.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[kddgae.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[kidsf.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[ksdusr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[ljpsd11n.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[lmtga11n.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[m046lahs1d46.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mgxml3.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mjls31.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mpcshext.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mrc42u.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[mrjint35.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[nbtapi32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[nplanui2.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[o8660ijse8o60.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[o8lu0i39e8.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[p8n8li5u18.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[ptdgen.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[qrv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[rppwsx.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[rtnd.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[rUsrad.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[sclogcfg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[scrio800.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[serrun.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[skeio.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[suardssp.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[tlappcmp.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[wcnsrv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[wjpui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[wmnsrv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[wqsdmod.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Julie Rivard\Bureau\l2mfix\backup.zip[guard.tmp]
Adware:Adware/IGuard No disinfected C:\Hijackthis\backups\backup-20050427-104532-814.dll
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
Adware:Adware/SBSoft No disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\FT2_0_0_629_GEPFAH.EXE
Adware:Adware/nCase No disinfected C:\WINDOWS\icont.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\iconu.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\MIEXEC~1.EXE
Virus:W32/Sdbot.DEL.worm Disinfected C:\WINDOWS\system32\scvvhost.exe
Virus:Trj/Multidropper.AAR No disinfected C:\winhelp.chm[d_tony1.exe]

18 replies

BmV Posts: 98721 Registration date   Status: Moderator Last activity   4 895
 
Hi.

Lots of trojans/adware/etc.
Not excessively serious, but you need to clean that up with an anti-spyware tool like "Spybot S&D" or PestPatrol ....

See here => http://assiste.free.fr/index.html , "trojans" section

And right after the cleanup => http://sebsauvage.net/safehex.html

Bye
0
Gwinoo
 
Spybot and Ad-Aware... don't see anything?!?
Here is a RAV AntiVirus scan..

Scan started at 2005-05-18 09:14:13

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\crt32_v2.dll - TrojanClicker:Win32/Small.AU -> Infected

Scanned
============================
Objects: 34117
Directories: 2464
Archives: 6728
Size(Kb): 1935149
Infected files: 1

Found
============================
Viruses found: 1
Suspicious files: 0
Disinfected files: 0
Mail files: 292
0
Gwinoo
 
Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:21, on 2005-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe
O16 - DPF: {2FB97B3F-B903-5CB6-4D03-482F29F81485} - http://69.50.182.94/1/rdgCA1735.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

----------------------------------------------------

O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe
O16 - DPF: {2FB97B3F-B903-5CB6-4D03-482F29F81485} - http://69.50.182.94/1/rdgCA1735.exe


These 2 worry me... do you know them?
0
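The two lines Gwinoo singles out are the classic triage signals in a HijackThis log: an autostart (O4) entry whose binary sits in a Temp directory created by a self-extracting archive, and an O16 DPF (ActiveX download) entry pointing at a bare IP address and an .exe rather than a named vendor site and a .cab package. The Python script below, added here as an editorial example and not part of the thread or of HijackThis, encodes those signals as heuristics and runs them over four of the log lines quoted above. The heuristics, the `Finding` class and the function names are this example's own.

```python
"""Triage heuristics for HijackThis O4 (Run keys) and O16 (DPF) lines.

Added example for this thread; not part of HijackThis. The sample lines are
copied from the log posted above, the heuristics are the editor's own.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O16 - DPF: {CLSID} (optional class name) - download URL
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')


@dataclass
class Finding:
    kind: str        # "O4" or "O16"
    name: str        # Run value name, or the CLSID for O16
    target: str      # command line, or download URL
    reasons: list = field(default_factory=list)


def is_bare_ip(host):
    """True when the download host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host or '')
        return True
    except ValueError:
        return False


def executable_path(cmd):
    """First token of a Run command line, honouring a quoted path with spaces."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ''


def check_o4(m):
    path = executable_path(m.group('cmd')).lower()
    reasons = []
    if '\\temp\\' in path:
        reasons.append('autostart binary lives in a Temp directory')
    if '\\rarsfx' in path:
        reasons.append('path is a WinRAR self-extractor staging folder (RarSFX)')
    return Finding('O4', m.group('name'), m.group('cmd'), reasons)


def check_o16(m):
    url = m.group('url')
    parsed = urlparse(url)
    reasons = []
    if is_bare_ip(parsed.hostname):
        reasons.append('download host is a bare IP address, not a named site')
    if parsed.path.lower().endswith('.exe'):
        reasons.append('DPF entry points at an .exe rather than a .cab package')
    if not m.group('desc'):
        reasons.append('no class name registered for the control')
    return Finding('O16', m.group('clsid'), url, reasons)


def triage(log_text):
    """Return only the O4/O16 entries that tripped at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            f = check_o4(m)
        else:
            m = O16_RE.match(line)
            f = check_o16(m) if m else None
        if f and f.reasons:
            findings.append(f)
    return findings


# Four lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe
O16 - DPF: {2FB97B3F-B903-5CB6-4D03-482F29F81485} - http://69.50.182.94/1/rdgCA1735.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind} [{f.name}] {f.target}')
        for r in f.reasons:
            print('   -', r)
```

Run against the sample, only the `bob` entry and the bare-IP DPF entry are reported; the RealPlayer scheduler and the Panda ActiveScan control trip nothing, which matches balltrap34's later verdict that those lines are merely startup clutter rather than infection.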
balltrap34 Posts: 16241 Status: Security contributor 332
 
hi
for the first one use this
http://pageperso.aol.fr/Balltrap34/CleanUp312.exe

and for the O16 entries you can fix them with HijackThis without any worries
0

jeanphicool Posts: 450 Status: Member 30
 
and if need be, visit this site:

http://aplusvirus.free.fr/
0
balltrap34 Posts: 16241 Status: Security contributor 332
 
it's nice to give a link but
if you don't say what to get or what to do it's not much use lol
0
Gwinoo Posts: 21 Status: Member
 
PestPatrol isn't able to delete anything and doesn't find much....
CleanUp, for its part, doesn't delete bob.exe...

Logfile of HijackThis v1.99.1
Scan saved at 11:11:31, on 2005-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe]
0
Anonymous user
 
where did the O23 entries go?
0
Gwinoo Posts: 21 Status: Member
 
Logfile of HijackThis v1.99.1
Scan saved at 11:15:00, on 2005-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
0
Gwinoo Posts: 21 Status: Member
 
So????

Can someone help me?
0
balltrap34 Posts: 16241 Status: Security contributor 332
 
don't be impatient lol
start in safe mode
run HijackThis again, tick and fix this line
O4 - HKLM\..\Run: [bob] C:\DOCUME~1\JULIER~1\LOCALS~1\Temp\RarSFX6\WINDOWS\bob.exe

then search for and delete this
bob.exe
0
Gwinoo Posts: 21 Status: Member
 
Bob.exe seems to be OK...

But my computer is slow and some sites in my favourites no longer display!?!

Could they still be infected???
0
Gwinoo
 
L2Mfix 1.03

Running From:
C:\Documents and Settings\Julie Rivard\Bureau\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrateurs
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Julie Rivard\Bureau\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Julie Rivard\Bureau\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1248 'explorer.exe'
Killing PID 1248 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (104 bytes security) (deflated 2%)
adding: echo.reg (104 bytes security) (deflated 10%)
adding: direct.txt (104 bytes security) (stored 0%)
adding: lo2.txt (104 bytes security) (deflated 73%)
adding: log.txt (104 bytes security) (deflated 79%)
adding: readme.txt (104 bytes security) (deflated 49%)
adding: report.txt (104 bytes security) (deflated 62%)
adding: test.txt (104 bytes security) (stored 0%)
adding: test2.txt (104 bytes security) (stored 0%)
adding: test3.txt (104 bytes security) (stored 0%)
adding: test5.txt (104 bytes security) (stored 0%)
adding: backregs/65A6D3A1-301A-4136-9765-7E12B444C89A.reg (104 bytes security) (deflated 70%)
adding: backregs/D1BC54FF-E6FE-4520-AEB8-7D82C6FFE573.reg (104 bytes security) (deflated 71%)
adding: backregs/shell.reg (104 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
0
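L2Mfix exports the Winlogon\Notify key above because the Look2Me family registers its randomly named DLLs there as logon notification packages, which is how they get reloaded by winlogon at every logon even after the files on disk are removed. The script below, added here as an editorial example (not part of the thread, of HijackThis or of L2Mfix), parses a .reg export of that key, decodes the `hex(2)` REG_EXPAND_SZ values into strings, and reports any subkey absent from a baseline or whose DLL differs from it. The baseline is the nine subkeys present in the clean export posted above and is an assumption about Windows XP SP2, not a universal list; the `EXAMPLE_suspect` entry in the sample export is constructed for the demonstration.

```python
"""Audit a Winlogon\\Notify .reg export for unexpected notification DLLs.

Added example for this thread; not part of L2Mfix or HijackThis.
"""

# Baseline: the subkeys in the clean export posted in the thread (Windows XP SP2).
# Treated as an assumption about that platform, not an authoritative list.
BASELINE = {
    'crypt32chain': 'crypt32.dll',
    'cryptnet': 'cryptnet.dll',
    'cscdll': 'cscdll.dll',
    'sccertprop': 'wlnotify.dll',
    'schedule': 'wlnotify.dll',
    'sclgntfy': 'sclgntfy.dll',
    'senslogn': 'wlnotify.dll',
    'termsrv': 'wlnotify.dll',
    'wlballoon': 'wlnotify.dll',
}

NOTIFY_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify'


def decode_hex2(payload):
    """hex(2) is REG_EXPAND_SZ stored as comma-separated UTF-16LE byte values."""
    raw = bytes.fromhex(''.join(p.strip() for p in payload.split(',') if p.strip()))
    return raw.decode('utf-16-le').rstrip('\x00')


def parse_reg_export(text):
    """Return {subkey_name: {value_name: value}} for every key directly under Winlogon\\Notify."""
    keys = {}
    current = None
    pending = None  # (value name, hex payload so far) while a hex(2) value continues with '\'
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, payload = pending
            payload += line.rstrip('\\')
            if line.endswith('\\'):
                pending = (name, payload)
            else:
                keys[current][name] = decode_hex2(payload)
                pending = None
            continue
        if line.startswith('[') and line.endswith(']'):
            path = line[1:-1]
            if path.lower().startswith(NOTIFY_KEY + '\\'):
                current = path.rsplit('\\', 1)[1]
                keys[current] = {}
            else:
                current = None
            continue
        if current is None or not line.startswith('"') or '"=' not in line:
            continue
        name, _, value = line[1:].partition('"=')
        if value.startswith('hex(2):'):
            payload = value[len('hex(2):'):]
            if payload.endswith('\\'):
                pending = (name, payload[:-1])
            else:
                keys[current][name] = decode_hex2(payload)
        elif value.startswith('dword:'):
            keys[current][name] = int(value[len('dword:'):], 16)
        elif value.startswith('"') and value.endswith('"'):
            # .reg files escape backslashes in string values as '\\'
            keys[current][name] = value[1:-1].replace('\\\\', '\\')
    return keys


def audit_notify(text, baseline=BASELINE):
    """List (subkey, dll, reason) for every Notify package that deviates from the baseline."""
    findings = []
    for subkey, values in parse_reg_export(text).items():
        dll = next((v for k, v in values.items() if k.lower() == 'dllname'), None)
        expected = baseline.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, 'subkey not in baseline'))
        elif dll is None:
            findings.append((subkey, dll, 'no DllName value'))
        elif dll.lower().rsplit('\\', 1)[-1] != expected:
            findings.append((subkey, dll, f'expected {expected}'))
    return findings


# Constructed sample: two genuine entries in the format of the export above,
# plus one made-up EXAMPLE_suspect package to exercise the audit.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\EXAMPLE_suspect]
"DllName"="C:\\WINDOWS\\system32\\EXAMPLE_suspect.dll"
"Logon"="WinlogonLogon"
"Asynchronous"=dword:00000001
'''

if __name__ == '__main__':
    for subkey, dll, reason in audit_notify(SAMPLE_EXPORT):
        print(f'{subkey}: {dll} ({reason})')
```

On the export posted in the thread the audit returns nothing, which is consistent with the L2Mfix run having found no Look2Me package left; on the constructed sample it reports only `EXAMPLE_suspect`. The hex(2) decoding matters because Windows writes REG_EXPAND_SZ values that way, so a grep for `.dll` over the raw export would miss exactly the entries an attacker is most likely to use.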
balltrap34 Posts: 16241 Status: Security contributor 332
 
I didn't ask you for an L2Mfix
you mustn't do just anything, otherwise we won't get anywhere
post me a HijackThis log

--hunting and trap shooting, my true passion
see my personal site in my profile
0
Gwinoo
 
Sorry Balltrap...

Logfile of HijackThis v1.99.1
Scan saved at 18:36:25, on 2005-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
0
balltrap34 Posts: 16241 Status: Security contributor 332
 
run HijackThis again, tick and fix only
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

there's nothing nasty in your log
I had you remove those lines just so those programs don't launch at startup

then do a RAV scan to check
Do the online scan and paste the report here in the thread
use the following online antivirus:
http://www.ravantivirus.com/scan/
Click on "To continue without subscribing click here" and wait a few minutes.

When "Ready" is displayed in "status", tick the "Autoclean" box then click "Scan my PC"
At the end of the scan, copy/paste the report here.
0
gwinoo
 
I forgot to post a report, balltrap?!?!

Sorry, but it didn't find anything... so I think it's resolved!

My computer seems to have recovered its vigour!

Thanks everyone!
0
balltrap34 Posts: 16241 Status: Security contributor 332
 
glad for you
bye
0