Redirection vers Gomeo et autres sites

Dynamit -  
Smart91 Messages postés 30146 Statut Contributeur sécurité -
Bonjour,

Voila comme beaucoup de monde je vois, je me fais redirigé vers d'autres pages lorsque je navigue sur Firefox (du style Gomeo, Coll truc, etc...)

Je voulais savoir si quelqu'un sachant résoudre ce problème pouvait me contacter, car je commence a en avoir plus qu'assez !

Merci de votre compréhension et des vos futures réponses.

16 réponses

  1. Smart91 Messages postés 30146 Statut Contributeur sécurité 2 331
     
    Bonjour,

    On va faire une ananlyse de ton PC:
    Télécharge ZHPDiag (de Nicolas Coolman) sur ton bureau
    https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

    Une fois le téléchargement achevé, double clique sur ZHPDiag.exe et suis les instructions.

    /!\Utilisateurs de Vista et Windows 7 : Clique droit sur le logo de ZHPDiag.exe, « exécuter en tant qu'Administrateur »

    N'oublie pas de cocher la case qui permet de mettre un raccourci sur le Bureau.
    - Double clique sur le raccourci ZHPDiag sur ton Bureau pour le lancer.
    (/!\L'outil a créé 2 icônes ZHPDiag et ZHPFix)
    - Clique sur la loupe pour lancer l'analyse.
    - Laisse l'outil travailler, il peut être assez long.
    - Ferme ZHPDiag en fin d'analyse.
    - Pour transmettre le rapport clique sur ce lien : http://www.cijoint.fr/
    - Clique sur Parcourir et cherche le répertoire où est installé ZHPDiag (en général C:\Program Files\ZHPDiag).
    - Sélectionne le fichier ZHPDiag.txt.
    - Clique sur "Cliquez ici pour déposer le fichier".
    - Un lien de cette forme : http://www.cijoint.fr/cjlink.php?file=cj200905/cijSKAP5fU.txt est ajouté dans la page.
    - Copie ce lien dans ta réponse.

    Smart
    "Si tu n'as pas d'ambitions, tu t'installes au bord de la chute" (Kundera)
    0
  2. Dynamit
     
    http://www.cijoint.fr/cjlink.php?file=cj201011/cijpI7IssK.txt

    Voila le lien, ai-je bien effectué les manoeuvres?

    Que faut-il faire ensuite?
    0
  3. Smart91 Messages postés 30146 Statut Contributeur sécurité 2 331
     
    Tu vas faire ceci: (Je te conseille d'imprimer pour bien suivre la procédure)

    Lances ZHPFix depuis le raccourci du Bureau (en mode administrateur si Vista/W7),
    Cliques sur le bouton 'HostFix' situé dans la partie droite de l'écran,
    Cliques sur 'Non' au message qui s'affiche à l'écran,
    Laisses travailler l'outil,
    A la fin du traitement, un rapport s'affiche
    Copie ce rapport et transmets le au helper du forum qui t'assiste.
    Redémarre ta station pour prendre en compte les modifications.

    Ensuite
    * Télécharge sur le bureau RogueKiller (par Tigzy)
    * Quitte tous tes programmes en cours
    * Sous Vista/Seven , clique droit -> lancer en tant qu'administrateur
    * Sinon lance simplement RogueKiller.exe
    * Lorsque demandé, tape 1 et valide
    * Un rapport (RKreport.txt) a dû se créer à côté de l'exécutable, poste le dans ta réponse
    * Si le programme a été bloqué, ne pas hésiter a essayer plusieurs fois.

    ** Si une clé de registre a été détectée, si vous êtes sûr qu'elle appartient au Rogue, passer le mode 2. Si vous ne savez pas, faites vous aider. Dans tous les cas, les processus infectieux a été tué, vous pouvez désinfecter tranquillement
    ** Si le programme demande pour supprimer le proxy, tapez 1 si vous êtes sûr que ce n'est pas vous qui l'avez mis, sinon taper 2

    Ensuite:
    - Télécharge Malwarebytes
    - Tu auras un tutoriel à ta disposition pour l'installer et l'utiliser correctement.
    - Fais la mise à jour du logiciel, c'est très important (elle se fait normalement à l'installation)
    - Lance une analyse complète en cliquant sur "Exécuter un examen complet"
    - Sélectionne les disques que tu veux analyser et clique sur "Lancer l'examen"
    - L'analyse peut durer un bon moment.....
    - Une fois l'analyse terminée, clique sur "OK" puis sur "Afficher les résultats"
    - Vérifie que tout est bien coché et clique sur "Supprimer la sélection" => et ensuite sur "OK"
    - Un rapport va s'ouvrir dans le bloc note... Fais un copié/collé du rapport dans ta prochaine réponse sur le forum

    * Il se pourrait que certains fichiers devront être supprimés au redémarrage du PC... Fais le en cliquant sur "oui" à la question posée

    Ensuite je voudrais que tu vérifies ces fichiers par un scan en ligne:
    Va sur ce site https://www.virustotal.com/gui/
    - Clique sur parcourir
    - Dans nom du fichier colle ce fichier : C:\Windows\Explorer.exe
    - Clique sur Send File
    - Le Fichier est mis en file d'attente. Attends la fin du scan et poste le lien vers le rapport.
    Et tu fais la même chose pour ces fichiers:
    C:\Windows\System32\Winlogon.exe
    C:\WINDOWS\system32\userinit.exe


    Voilà cela fait plusieurs rapports à poster

    Smart
    "Si tu n'as pas d'ambitions, tu t'installes au bord de la chute" (Kundera)
    0
  4. Dynamit
     
    Voila le rapport après avoir fait le Host fix avec ZHP Fix:

    Rapport de ZHPFix 1.12.3218 par Nicolas Coolman, Update du 16/11/2010
    Fichier d'export Registre :
    Run by Propriétaire at 17/11/2010 14:36:55
    Web site : http://www.premiumorange.com/zeb-help-process/zhpfix.html
    Contact : nicolascoolman@yahoo.fr

    ========== Fichier HOSTS ==========
    127.0.0.1188.165.196.52 l2testauthd.lineage2.com #L2 Harmonie => Domaine Supprimé
    127.0.0.1188.165.196.52 l2authd.lineage2.com #L2 Harmonie => Domaine Supprimé
    Le fichier Hosts est sain

    ========== Récapitulatif ==========
    3 : Fichier HOSTS

    End of the scan
    0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. Dynamit
     
    Le rapport avec Roguekiller:

    RogueKiller V3.0.1 by Tigzy
    contact at www.sur-la-toile.com
    mail: tigzy44<at>hotmail<dot>fr
    Feedback: https://www.luanagames.com/index.fr.html

    Operating System: Windows XP (5.1.2600 Service Pack 3) version 32 bits
    Mode: Scan -- Time : 17/11/2010 14:44:24

    Bad processes:

    Found:

    Finished
    0
  7. i
     
    J'ai fait l'analyse avec Malware, seulement j'ai zappé de copier le rapport... Il est vraiment indispensable?

    Je continuerai les analyses en fin de soirée !

    Merci de m'aider encore!
    0
  8. Smart91 Messages postés 30146 Statut Contributeur sécurité 2 331
     
    "J'ai fait l'analyse avec Malware, seulement j'ai zappé de copier le rapport... Il est vraiment indispensable? "

    Ah OUI, j'ai besoin de savoir quelles infections on été éradiquées
    Le rapport trouve sous l'onglet rapport/log

    Smart
    0
  9. i
     
    Okay, le voila, je lance l'analyse virale en ligne de suite !

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Version de la base de données: 5134

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    17/11/2010 16:00:20
    mbam-log-2010-11-17 (16-00-20).txt

    Type d'examen: Examen complet (C:\|)
    Elément(s) analysé(s): 296792
    Temps écoulé: 1 heure(s), 10 minute(s), 2 seconde(s)

    Processus mémoire infecté(s): 0
    Module(s) mémoire infecté(s): 0
    Clé(s) du Registre infectée(s): 6
    Valeur(s) du Registre infectée(s): 1
    Elément(s) de données du Registre infecté(s): 0
    Dossier(s) infecté(s): 7
    Fichier(s) infecté(s): 24

    Processus mémoire infecté(s):
    (Aucun élément nuisible détecté)

    Module(s) mémoire infecté(s):
    (Aucun élément nuisible détecté)

    Clé(s) du Registre infectée(s):
    HKEY_CLASSES_ROOT\CLSID\{fc0d62c2-9640-4aeb-a5d5-cf25df11fa8c} (PUP.OfferBox) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fc0d62c2-9640-4aeb-a5d5-cf25df11fa8c} (PUP.OfferBox) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc0d62c2-9640-4aeb-a5d5-cf25df11fa8c} (PUP.OfferBox) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{ed85aebe-f834-4088-b5d3-97eb2478a6cd} (PUP.OfferBox) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6612afdd-34ad-4b89-a236-7e6d07c3fdcd} (PUP.OfferBox) -> Quarantined and deleted successfully.

    Valeur(s) du Registre infectée(s):
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\OfferBox\OfferBox.exe (PUP.OfferBox) -> Quarantined and deleted successfully.

    Elément(s) de données du Registre infecté(s):
    (Aucun élément nuisible détecté)

    Dossier(s) infecté(s):
    C:\Program Files\OfferBox (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\chrome (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\chrome\content (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\components (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\res (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Propriétaire\Application Data\OfferBox (PUP.OfferBox) -> Quarantined and deleted successfully.

    Fichier(s) infecté(s):
    C:\Program Files\OfferBox\OfferBoxBHO.dll (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Propriétaire\Bureau\Autre\RenameMe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Propriétaire\Bureau\CoD MW2\RenameMe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Propriétaire\Mes documents\Téléchargements\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Call of Duty 4\crack\rzr-cod4.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    C:\Program Files\Call of Duty 4\Patchs CoD-4\55 hack\EasyAccount.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    C:\Program Files\Call of Duty 4\sinject\CoD 2.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
    C:\Program Files\Ubisoft\Ubisoft Game Launcher\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DFCDBA70-243A-44F3-91DE-C72D39012FA1}\RP9\A0001099.exe (Risktool.Crack) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DFCDBA70-243A-44F3-91DE-C72D39012FA1}\RP9\A0001427.exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\OfferBox.exe (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\OfferBoxChromeExtension.crx (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\OfferBoxEngine.dll (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\OfferBoxLauncher.exe (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\chrome.manifest (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\install.rdf (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\chrome\content\events.js (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\chrome\content\overlay.xul (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.xpt (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\res\Language.xml (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Program Files\OfferBox\res\loader.gif (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Propriétaire\Application Data\OfferBox\config.dat (PUP.OfferBox) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Propriétaire\Application Data\OfferBox\config.xml (PUP.OfferBox) -> Quarantined and deleted successfully.
    0
  10. i
     
    Voila le rapport pour le fichier explorer.exe

    Antivirus Version Last Update Result
    AhnLab-V3 2010.09.21.01 2010.09.21 Trojan/Win32.Patched
    AntiVir 8.2.4.58 2010.09.21 TR/Spy.1037824.7
    Antiy-AVL 2.0.3.7 2010.09.21 -
    Authentium 5.2.0.5 2010.09.21 -
    Avast 4.8.1351.0 2010.09.21 Win32:Patched-RP
    Avast5 5.0.594.0 2010.09.21 Win32:Patched-RP
    AVG 9.0.0.851 2010.09.21 -
    BitDefender 7.2 2010.09.21 Gen:Trojan.Heur.TP.@q0@bKgooAe
    CAT-QuickHeal 11.00 2010.09.21 -
    ClamAV 0.96.2.0-git 2010.09.21 -
    Comodo 6153 2010.09.21 -
    DrWeb 5.0.2.03300 2010.09.21 Win32.Dat.4
    Emsisoft 5.0.0.37 2010.09.21 Virus.Win32.Patched.RP!IK
    eSafe 7.0.17.0 2010.09.21 Win32.TRSpy
    eTrust-Vet 36.1.7868 2010.09.21 Win32/Patcher.M
    F-Prot 4.6.2.117 2010.09.21 -
    F-Secure 9.0.15370.0 2010.09.21 Gen:Trojan.Heur.TP.@q0@bKgooAe
    Fortinet 4.1.143.0 2010.09.21 W32/Patched.POR!tr
    GData 21 2010.09.21 Gen:Trojan.Heur.TP.@q0@bKgooAe
    Ikarus T3.1.1.88.0 2010.09.21 Virus.Win32.Patched.RP
    Jiangmin 13.0.900 2010.09.21 -
    K7AntiVirus 9.63.2561 2010.09.20 Riskware
    Kaspersky 7.0.0.125 2010.09.21 -
    McAfee 5.400.0.1158 2010.09.21 Artemis!32FEC39137F7
    McAfee-GW-Edition 2010.1C 2010.09.21 Artemis!32FEC39137F7
    Microsoft 1.6201 2010.09.21 -
    NOD32 5467 2010.09.21 -
    Norman 6.06.06 2010.09.21 -
    nProtect 2010-09-21.02 2010.09.21 -
    Panda 10.0.2.7 2010.09.21 Suspicious file
    PCTools 7.0.3.5 2010.09.21 Trojan.Bamital
    Prevx 3.0 2010.09.21 -
    Rising 22.66.00.07 2010.09.21 Trojan.Win32.Generic.5231D3DB
    Sophos 4.57.0 2010.09.21 Troj/Patched-O
    Sunbelt 6904 2010.09.21 Trojan.Win32.Generic!BT
    SUPERAntiSpyware 4.40.0.1006 2010.09.21 -
    Symantec 20101.1.1.7 2010.09.21 Trojan.Bamital!inf
    TheHacker 6.7.0.0.025 2010.09.20 -
    TrendMicro 9.120.0.1004 2010.09.21 -
    TrendMicro-HouseCall 9.120.0.1004 2010.09.21 -
    VBA32 3.12.14.1 2010.09.21 -
    ViRobot 2010.9.8.4031 2010.09.21 -
    VirusBuster 12.65.17.0 2010.09.21 -
    Additional information
    Show all
    MD5 : 32fec39137f78bc536d4a3233bd274bf
    SHA1 : 0886b961d688e900354a11a14892e01e0226095d
    SHA256: 2435b457e7c76d3fce1d76475068c790e879b24873891813db229852a156b9a4
    ssdeep: 12288:5HmcoCUyjtwAvAs4wTCyrPTylvGVa/oXqoJpaz/g/J/v1C:9mftyZwAvN7lrGlvGEoXJa
    z/g/J/t
    File size : 1037824 bytes
    First seen: 2010-09-13 23:25:07
    Last seen : 2010-09-21 15:32:18
    Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    TrID:
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. Tous droits r_serv_s.
    product......: Syst_me d_exploitation Microsoft_ Windows_
    description..: Explorateur Windows
    original name: EXPLORER.EXE
    internal name: explorer
    file version.: 6.00.2900.5512 (xpsp.080413-2105)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEiD: -
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x1A55F
    timedatestamp....: 0x48025C30 (Sun Apr 13 19:17:04 2008)
    machinetype......: 0x14C (Intel I386)

    [[ 4 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x44D20, 0x44E00, 6.39, fa9268c00fbb4453a22a07c0f7d66cad
    .data, 0x46000, 0x1DB4, 0x1800, 1.3, 983f35021232560eaaa99fcbc1b7d359
    .rsrc, 0x48000, 0xB3280, 0xB3400, 6.63, e73694f42fb4ef5e9b8ea017fcf60103
    .reloc, 0xFC000, 0x374C, 0x3800, 6.79, b825e2d06eed705a6581f0c84ea608ea

    [[ 13 import(s) ]]
    advapi32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
    browseui.dll: -, -, -, -
    gdi32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
    kernel32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
    msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
    ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
    ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
    oleaut32.dll: -, -
    shdocvw.dll: -, -, -
    shell32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
    shlwapi.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
    user32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
    uxtheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed
    0
  11. i
     
    Voila pour le winlogon.exe

    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.17.01 2010.11.17 -
    AntiVir 7.10.14.32 2010.11.17 TR/Bamital.CB
    Antiy-AVL 2.0.3.7 2010.11.17 Trojan/Win32.Small.gen
    Avast 4.8.1351.0 2010.11.17 Win32:Patched-RP
    Avast5 5.0.594.0 2010.11.17 Win32:Patched-RP
    AVG 9.0.0.851 2010.11.17 Win32/Patched
    BitDefender 7.2 2010.11.17 Win32.Loader.T
    CAT-QuickHeal 11.00 2010.11.09 -
    ClamAV 0.96.4.0 2010.11.17 Trojan.Patched-155
    Command 5.2.11.5 2010.11.17 W32/Bamital.A
    Comodo 6749 2010.11.17 TrojWare.Win32.Patched.kl
    DrWeb 5.0.2.03300 2010.11.17 Win32.Dat.4
    Emsisoft 5.0.0.50 2010.11.17 -
    eSafe 7.0.17.0 2010.11.16 -
    eTrust-Vet 36.1.7982 2010.11.17 Win32/Patcher.M
    F-Prot 4.6.2.117 2010.11.17 W32/Bamital.A
    F-Secure 9.0.16160.0 2010.11.17 Win32.Loader.T
    Fortinet 4.2.254.0 2010.11.17 W32/Patched.POR!tr
    GData 21 2010.11.17 Win32.Loader.T
    Ikarus T3.1.1.90.0 2010.11.17 -
    Jiangmin 13.0.900 2010.11.17 -
    K7AntiVirus 9.68.3011 2010.11.17 Virus
    Kaspersky 7.0.0.125 2010.11.17 Trojan.Win32.Patched.kl
    McAfee 5.400.0.1158 2010.11.17 W32/Bamital.a
    McAfee-GW-Edition 2010.1C 2010.11.17 W32/Bamital.a
    Microsoft 1.6402 2010.11.17 Virus:Win32/Bamital.D
    NOD32 5627 2010.11.17 Win32/Bamital.EC
    Norman 6.06.10 2010.11.17 W32/Patched.X
    nProtect 2010-11-17.01 2010.11.17 Trojan-Downloader/W32.Small.512000.B
    Panda 10.0.2.7 2010.11.17 W32/Patched.AC
    PCTools 7.0.3.5 2010.11.17 Trojan.Bamital
    Prevx 3.0 2010.11.17 -
    Rising 22.74.02.03 2010.11.17 Trojan.Win32.Generic.5231CD76
    Sophos 4.59.0 2010.11.17 Troj/Patched-O
    SUPERAntiSpyware 4.40.0.1006 2010.11.17 -
    Symantec 20101.2.0.161 2010.11.17 Trojan.Bamital!inf
    TheHacker 6.7.0.1.086 2010.11.17 -
    TrendMicro 9.120.0.1004 2010.11.17 PTCH_BAMITAL.SM
    TrendMicro-HouseCall 9.120.0.1004 2010.11.17 PTCH_BAMITAL.SM
    VBA32 3.12.14.2 2010.11.17 -
    VIPRE 7333 2010.11.17 Virus.Win32.Bamital.c (v)
    ViRobot 2010.11.17.4153 2010.11.17 Win32.Patched.AF.B
    VirusBuster 12.76.3.0 2010.11.16 Trojan.Bamital.Gen.3
    Additional information
    Show all
    MD5 : f5e4ace7e452d0b8f29594b54917f610
    SHA1 : 242016bd1e6828e4f42caeb18a1e1d281c9dff19
    SHA256: fa1288d4a6c33a511c484c240a5cb96f70d05f74750cdb9c20e4a23e8e3a8210
    ssdeep: 6144:2NZlxEdL5RvGlcHF37newMLao6n3nKHOD13XRnCfOVSePfLtisgZYlg:xdz+lcDKao6nXK
    HsRqOMgxZgp
    File size : 512000 bytes
    First seen: 2010-11-17 17:03:07
    Last seen : 2010-11-17 17:03:07
    TrID:
    Win64 Executable Generic (80.9%)
    Win32 Executable Generic (8.0%)
    Win32 Dynamic Link Library (generic) (7.1%)
    Generic Win/DOS Executable (1.8%)
    DOS Executable Generic (1.8%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. Tous droits r_serv_s.
    product......: Syst_me d_exploitation Microsoft_ Windows_
    description..: Application d_ouverture de session Windows NT
    original name: WINLOGON.EXE
    internal name: winlogon
    file version.: 5.1.2600.5512 (xpsp.080413-2113)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x3E5E1
    timedatestamp....: 0x48027549 (Sun Apr 13 21:04:09 2008)
    machinetype......: 0x14c (I386)

    [[ 3 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x70991, 0x70A00, 6.83, 3434859713a93987a4f40590effa9acf
    .data, 0x72000, 0x4E70, 0x2000, 6.28, 44bd27282514b5e3a27b570106930d8d
    .rsrc, 0x77000, 0xA18C, 0xA200, 3.69, 2de1a63c2a7883cf163c3699bb614883

    [[ 20 import(s) ]]
    ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
    AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
    CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
    GDI32.dll: RemoveFontResourceW, AddFontResourceW
    KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
    msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
    NDdeApi.dll: -, -, -, -
    ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
    PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
    PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
    REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
    RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
    Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
    SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
    USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
    USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
    VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
    WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
    WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
    WS2_32.dll: -, -, getaddrinfo
    ExifTool:
    file metadata
    CharacterSet: Unicode
    CodeSize: 461312
    CompanyName: Microsoft Corporation
    EntryPoint: 0x3e5e1
    FileDescription: Application d'ouverture de session Windows NT
    FileFlagsMask: 0x003f
    FileOS: Windows NT 32-bit
    FileSize: 500 kB
    FileSubtype: 0
    FileType: Win32 EXE
    FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
    FileVersionNumber: 5.1.2600.5512
    ImageVersion: 21315.20512
    InitializedDataSize: 49664
    InternalName: winlogon
    LanguageCode: French
    LegalCopyright: Microsoft Corporation. Tous droits r serv s.
    LinkerVersion: 187.7
    MIMEType: application/octet-stream
    MachineType: Intel 386 or later, and compatibles
    OSVersion: 5.1
    ObjectFileType: Executable application
    OriginalFilename: WINLOGON.EXE
    PEType: PE32
    ProductName: Syst me d'exploitation Microsoft Windows
    ProductVersion: 5.1.2600.5512
    ProductVersionNumber: 5.1.2600.5512
    Subsystem: Windows GUI
    SubsystemVersion: 4.0
    TimeStamp: 2008:04:13 23:04:09+02:00
    UninitializedDataSize: 0
    Warning: Possibly corrupt Version resource
    0
  12. i
     
    Pour le userinit:

    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.17.01 2010.11.17 -
    AntiVir 7.10.14.30 2010.11.17 -
    Antiy-AVL 2.0.3.7 2010.11.17 -
    Avast 4.8.1351.0 2010.11.17 -
    Avast5 5.0.594.0 2010.11.17 -
    AVG 9.0.0.851 2010.11.17 -
    BitDefender 7.2 2010.11.17 -
    CAT-QuickHeal 11.00 2010.11.09 -
    ClamAV 0.96.4.0 2010.11.17 -
    Command 5.2.11.5 2010.11.17 -
    Comodo 6746 2010.11.16 -
    DrWeb 5.0.2.03300 2010.11.17 -
    Emsisoft 5.0.0.50 2010.11.17 -
    eSafe 7.0.17.0 2010.11.16 -
    eTrust-Vet 36.1.7982 2010.11.17 -
    F-Prot 4.6.2.117 2010.11.17 -
    F-Secure 9.0.16160.0 2010.11.17 -
    Fortinet 4.2.254.0 2010.11.17 -
    GData 21 2010.11.17 -
    Ikarus T3.1.1.90.0 2010.11.17 -
    Jiangmin 13.0.900 2010.11.17 -
    K7AntiVirus 9.67.3003 2010.11.17 -
    Kaspersky 7.0.0.125 2010.11.17 -
    McAfee 5.400.0.1158 2010.11.17 -
    McAfee-GW-Edition 2010.1C 2010.11.17 -
    Microsoft 1.6402 2010.11.17 -
    NOD32 5626 2010.11.17 -
    Norman 6.06.10 2010.11.17 -
    nProtect 2010-11-17.01 2010.11.17 -
    PCTools 7.0.3.5 2010.11.17 -
    Prevx 3.0 2010.11.17 -
    Rising 22.74.02.03 2010.11.17 -
    Sophos 4.59.0 2010.11.17 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.17 -
    Symantec 20101.2.0.161 2010.11.17 -
    TheHacker 6.7.0.1.086 2010.11.17 -
    TrendMicro 9.120.0.1004 2010.11.17 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.17 -
    VBA32 3.12.14.2 2010.11.16 -
    VIPRE 7331 2010.11.17 -
    ViRobot 2010.11.17.4153 2010.11.17 -
    VirusBuster 12.76.3.0 2010.11.16 -
    Additional information
    Show all
    MD5 : e74ddb12188c2ff57a78624dbf7332fc
    SHA1 : 37514e0296ac819c1f5b304bd9087ef52c12a652
    SHA256: 22362cab11561d7bbae99bff4a8811fa33920b48f2027e736e1bdccb9b617cbd
    ssdeep: 768:RioJi8jDLIDSAaQFxfftjaLacmkLGKyGo:R/JbDMDSA7FxffJaLaSLGxGo
    File size : 26624 bytes
    First seen: 2009-02-13 09:46:26
    Last seen : 2010-11-17 13:10:25
    Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    TrID:
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. Tous droits r_serv_s.
    product......: Syst_me d_exploitation Microsoft_ Windows_
    description..: Application d_ouverture de session Userinit
    original name: USERINIT.EXE
    internal name: userinit
    file version.: 5.1.2600.5512 (xpsp.080413-2113)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEiD: -
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x54AD
    timedatestamp....: 0x480251A8 (Sun Apr 13 18:32:08 2008)
    machinetype......: 0x14C (Intel I386)

    [[ 3 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x520E, 0x5400, 5.95, ff337745ae690578fb9ef2b2b041b87b
    .data, 0x7000, 0x14C, 0x200, 1.86, 0bb948f267e82975313a03d8c0e8a1cf
    .rsrc, 0x8000, 0xD64, 0xE00, 3.64, 73a99b08ab227beece0410fedc594efd
    ThreatExpert:
    https://www.symantec.com?md5=e74ddb12188c2ff57a78624dbf7332fc
    ExifTool:
    file metadata
    CharacterSet: Unicode
    CodeSize: 21504
    CompanyName: Microsoft Corporation
    EntryPoint: 0x54ad
    FileDescription: Application d'ouverture de session Userinit
    FileFlagsMask: 0x003f
    FileOS: Windows NT 32-bit
    FileSize: 26 kB
    FileSubtype: 0
    FileType: Win32 EXE
    FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
    FileVersionNumber: 5.1.2600.5512
    ImageVersion: 5.1
    InitializedDataSize: 4096
    InternalName: userinit
    LanguageCode: French
    LegalCopyright: Microsoft Corporation. Tous droits r serv s.
    LinkerVersion: 7.1
    MIMEType: application/octet-stream
    MachineType: Intel 386 or later, and compatibles
    OSVersion: 5.1
    ObjectFileType: Executable application
    OriginalFilename: USERINIT.EXE
    PEType: PE32
    ProductName: Syst me d'exploitation Microsoft Windows
    ProductVersion: 5.1.2600.5512
    ProductVersionNumber: 5.1.2600.5512
    Subsystem: Windows GUI
    SubsystemVersion: 4.0
    TimeStamp: 2008:04:13 20:32:08+02:00
    UninitializedDataSize: 0
    0
  13. Smart91 Messages postés 30146 Statut Contributeur sécurité 2 331
     
    OK c'est bien ce que je pensais. Tu as une infection batimal.
    Assez difficile à enlever, car elle infecte les fichiers systèmes et même si on replace ces fichiers corrompus par des fichiers sains, elle les réinfecte ensuite.
    Il faut donc pour cela démarrer ton PC avec le CD Windows si tu l'as ou alors en créer un.
    Est-ce que tu as le CD windows ? Est-ce qu tu as un graveur de CD ?

    Mais avant je voudais que tu fasses ceci:
    Lance ZHPdiag et clique sur bouton Jumelles pour lancer ZHPSearch
    - Sélectionner "Trojan.Batimal" dans la liste déroulante située en bas à droite
    - Cliquer sur le bouton "Loupe" pour lancer la recherche
    - En fin de recherche, cliquer sur le bouton "Afficher le rapport"
    - Poster le rapport

    Smart
    0
  14. i
     
    Voila le rapport:

    Rapport de ZHPSearch 1.23.06 par Nicolas Coolman, Update du 14/11/2010
    Run by Propriétaire at 17/11/2010 19:22:46
    Windows XP Home Edition Service Pack 3 (Build 2600)

    ---\\ Elément(s) de recherche
    - Trojan.Batimal

    ---\\ Liste des Fichiers & Dossiers:
    [MD5.2A7BD330924252A2FD80344FC949BB72] - (.Microsoft Corporation.) 02/03/2006 13:00:00 | ----- | -- C:\Windows\$NtServicePackUninstall$\explorer.exe [1036288] => Fichier sain
    [MD5.32FEC39137F78BC536D4A3233BD274BF] - (.Microsoft Corporation.) 14/04/2008 03:34:03 | ---A- | -- C:\Windows\explorer.exe [1037824] => Fichier inconnu
    [MD5.1F3F0033CCE422BC8757542E9E1E867F] 17/11/2010 07:45:53 | ---A- | -- C:\Windows\Prefetch\EXPLORER.EXE-082F38A9.pf [87434]
    [MD5.F2317622D29F9FF0F88AEECD5F60F0DD] - (.Microsoft Corporation.) 14/04/2008 03:34:03 | ----- | -- C:\Windows\ServicePackFiles\i386\explorer.exe [1037824] => Fichier sain
    [MD5.123EEA158F74D0F67A51DCDF065D1091] - (.Microsoft Corporation.) 02/03/2006 13:00:00 | ----- | -- C:\Windows\$NtServicePackUninstall$\winlogon.exe [506368] => Fichier sain
    [MD5.DD73D6B9F6B4CB630CF35B438B540174] - (.Microsoft Corporation.) 14/04/2008 03:34:28 | ----- | -- C:\Windows\ServicePackFiles\i386\winlogon.exe [512000] => Fichier sain
    [MD5.F5E4ACE7E452D0B8F29594B54917F610] - (.Microsoft Corporation.) 14/04/2008 03:34:28 | ---A- | -- C:\Windows\system32\winlogon.exe [512000] => Fichier inconnu
    [MD5.FB836F9E62D82904C983AD21296A5D9C] - (.Microsoft Corporation.) 14/04/2008 03:33:49 | ---A- | -- C:\Windows\System32\ws2_32.dll [82432] => Fichier inconnu
    [MD5.36A608BF354FCC64AD6C0F2B5E2B8806] - (.Microsoft Corporation.) 14/04/2008 03:33:49 | ---A- | -- C:\Windows\System32\ws2help.dll [19968]

    ---\\ Bilan de la recherche
    Mode de recherche : Fichiers, Dossiers
    Elément(s) trouvé(s) : 9
    Nombre de fichiers analysés : 81174
    Nombre de clés, valeurs ou données analysées : 0
    Mode : Recherche complète
    End of the scan (00mn 22s)

    Il faudrait que je réinstalle Windows pour en finir?.....
    0
  15. Smart91 Messages postés 30146 Statut Contributeur sécurité 2 331
     
    On va éviter le formatage est-ce que tu as le CD Windows ?
    Est-ce que tu as un graveur de CD ?

    Smart
    0
  16. Smart91 Messages postés 30146 Statut Contributeur sécurité 2 331
     
    Relance MBAM et vide la quarantaine puis fais une sauvegarde de tes documents personnels.

    Enuite Grave ce CD : https://forum.malekal.com/viewtopic.php?t=23453&start=
    Tu démarres le PC depuis le cd OTLPE.

    Ensuite fais ceci:
    - Double cliquer sur OTLPE
    - Une fenêtre s'ouvre : Do you wish to load the remote registry ; Cliquez sur YES
    - Une seconde : Do you wish to load remote user profile(s) for scanning[ ; Cliquez sur YES
    - Veillez à ce que la case Automatically Load All Remaining Users soit cochée et appuyez sur OK

    OTL se lance
    Copiez ce texte en gras
    - Coller le texte dans la partie Custom Scans/Files

    --------------------------------------------------
    :files
    C:\Windows\explorer.exe|C:\Windows\$NtServicePackUninstall$\explorer.exe /replace
    C:\Windows\System32\winlogon.exe|C:\Windows\ServicePackFiles\i386\winlogon.exe /replace

    -------------------------------------------------
    - Clique sur Run Fix en haut de la fenêtre
    - Si une fenêtre s'ouvre avec un message : No Fix has been Provided! Do you want to load it from a file ; cliquer sur YES
    - Coller le contenu du rapport dans la réponseNote : La rapport se trouve dans C:\OTL

    Ensuite tu fais un scan avec OTLPE
    Double clique sur OTLPE
    - Copie et colle les lignes en gras ci-dessous dans la partie inférieure d'OTL "Custom Scan"

    -------------------------------------------------------------------------
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    /md5stop

    -------------------------------------------------------------------------
    puis clique sur Run Scan et poste le rapport

    Smart
    "Si tu n'as pas d'ambitions, tu t'installes au bord de la chute" (Kundera)
    0