Mail spam server problem
edennet (Member, 2 posts)
Hello,
I am asking for your help because I have a big problem: one of my clients has a server that appears to be infected with a virus; with Wireshark I spotted some strange DNS frames.
Orange's Abuse team told me that the server is sending spam all day long...
I am posting the HijackThis report in case someone can help me:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:39:31, on 25/01/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrateur.SERVEUR.000\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\ARCserve Backup\DBENG.exe
C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS\casdscsvc.exe
C:\Program Files\CA\ARCserve Backup\jobeng.exe
C:\Program Files\CA\ARCserve Backup\msgeng.exe
C:\Program Files\CA\ARCserve Backup\MgmtSvc\casmgmtsvc.exe
C:\Program Files\CA\SharedComponents\ARCserve Backup\ASPortMapper\Catirpc.exe
C:\Program Files\CA\ARCserve Backup\caserved.exe
C:\Program Files\CA\SharedComponents\Jre\1.4.2_16\bin\java.exe
C:\Program Files\CA\ARCserve Backup\tapeeng.exe
C:\Program Files\CA\ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\SharedComponents\ARCserve Backup\UniAgent\UnivAgent.exe
C:\Program Files\HP\Cissesrv\cissesrv.exe
C:\WINDOWS\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Remote Administrator\Server\era.exe
C:\Program Files\CA\ARCserve Backup\caauthd.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\EIC\Firebird_2_1_3\bin\fbguard.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98Service.exe
C:\Program Files\CA\ARCserve Backup\LQServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\sysdown.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\dllcache\TapiSru.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\system32\winddfonts.exe
C:\WINDOWS\msmsg.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\EIC\Firebird_2_1_3\bin\fbserver.exe
C:\Program Files\CA\ARCserve Backup\LDBServer.exe
C:\Program Files\CA\ARCserve Backup\cdbmergelog.exe
C:\Program Files\CA\ARCserve Backup\Mediasvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CardDetector\ICON225\CardDetector.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Donnees2\Applis\CDWPrg\Exe\CDWServeurTrf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 1.1.1.1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
O4 - HKLM\..\Run: [CardDetector] C:\Program Files\CardDetector\ICON225\CardDetector.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Serveur de liaison des dossiers.lnk = CDWPrg\Exe\CDWServeurTrf.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrateur.serveur.000\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: https://www.eic.fr/
O15 - ESC Trusted Zone: https://www.google.fr/?gws_rd=ssl
O15 - ESC Trusted Zone: https://www.java.com/en/
O15 - ESC Trusted Zone: http://www.suiteexpert.fr
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://fichiers.touslesdrivers.com/fichiers/hardwaredetection/hardwaredetection_3_1_0_4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DOMTP.WANADOO.FR
O17 - HKLM\Software\..\Telephony: DomainName = DOMTP.WANADOO.FR
O17 - HKLM\System\CCS\Services\Tcpip\..\{06C617E4-AA8E-45AA-9AE0-D9E9BF2DA221}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DOMTP.WANADOO.FR
O17 - HKLM\System\CS1\Services\Tcpip\..\{06C617E4-AA8E-45AA-9AE0-D9E9BF2DA221}: NameServer = 127.0.0.1
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\Administrateur.SERVEUR.000\WINDOWS\system32\browseui.dll (file missing)
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Documents and Settings\Administrateur.SERVEUR.000\WINDOWS\system32\browseui.dll (file missing)
O23 - Service: Alert Notification Server - CA, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: CA ARCserve Database Engine (CASDBEngine) - CA - C:\Program Files\CA\ARCserve Backup\DBENG.exe
O23 - Service: Service de détection CA ARCserve (CASDiscovery) - CA - C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS\casdscsvc.exe
O23 - Service: CA ARCserve Job Engine (CASJobEngine) - CA - C:\Program Files\CA\ARCserve Backup\jobeng.exe
O23 - Service: Moteur de messages CA ARCserve Backup (CASMessageEngine) - CA - C:\Program Files\CA\ARCserve Backup\msgeng.exe
O23 - Service: Service de gestion CA ARCserve (CASMgmtSvc) - Unknown owner - C:\Program Files\CA\ARCserve Backup\MgmtSvc\casmgmtsvc.exe
O23 - Service: Mappeur de ports CA ARCserve (CASportmapper) - CA - C:\Program Files\CA\SharedComponents\ARCserve Backup\ASPortMapper\Catirpc.exe
O23 - Service: CA ARCserve Service Controller (CASSvcControlSvr) - CA - C:\Program Files\CA\ARCserve Backup\caserved.exe
O23 - Service: CA ARCserve Tape Engine (CASTapeEngine) - CA - C:\Program Files\CA\ARCserve Backup\tapeeng.exe
O23 - Service: CA ARCserve Domain Server (CASUnivDomainSvr) - CA - C:\Program Files\CA\ARCserve Backup\cadiscovd.exe
O23 - Service: Agent universel CA ARCserve (CASUniversalAgent) - CA - C:\Program Files\CA\SharedComponents\ARCserve Backup\UniAgent\UnivAgent.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: HP Smart Array SAS/SATA Event Notification Service (Cissesrv) - Hewlett-Packard Company - C:\Program Files\HP\Cissesrv\cissesrv.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Serveur DNS (DNS) - Unknown owner - C:\WINDOWS\System32\dns.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: ESET RA HTTP Server (ERA_HTTP_SERVER) - ESET - C:\Program Files\ESET\ESET Remote Administrator\Server\EHttpSrv.exe
O23 - Service: ESET Remote Administrator Server (ERA_SERVER) - ESET - C:\Program Files\ESET\ESET Remote Administrator\Server\era.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Guardian - EIC_3051 (FirebirdGuardianEIC_3051) - Firebird Project - C:\Program Files\EIC\Firebird_2_1_3\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Firebird Server - EIC_3051 (FirebirdServerEIC_3051) - Firebird Project - C:\Program Files\EIC\Firebird_2_1_3\bin\fbserver.exe
O23 - Service: Service Google Update (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Service Google Update (gupdatem) (gupdatem) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe
O23 - Service: Centre de distribution de clés Kerberos (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe
O23 - Service: Event Log Watch (LogWatch) - CA - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Ouverture de session réseau (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Service de réplication de fichiers (NtFrs) - Unknown owner - C:\WINDOWS\system32\ntfrs.exe
O23 - Service: Fournisseur de la prise en charge de sécurité LM NT (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Services IPSEC (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Emplacement protégé (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Fournisseur d'un jeu de stratégie résultant (RSoPProv) - Unknown owner - C:\WINDOWS\system32\RSoPProv.exe
O23 - Service: Gestionnaire de comptes de sécurité (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Service SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe
O23 - Service: Spouleur d'impression (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Hewlett-Packard Company - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephouy (TapiSru) - Unknown owner - C:\WINDOWS\system32\dllcache\TapiSru.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: Gestion de licences Terminal Server (TermServLicensing) - Unknown owner - C:\WINDOWS\system32\lserver.exe
O23 - Service: Service de disque virtuel (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WinddFontRepair (WinddFont) - FOV - C:\WINDOWS\system32\winddfonts.exe
O23 - Service: Windows Event Logger (WLE) - Unknown owner - C:\WINDOWS\msmsg.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
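Before chasing individual processes, a practitioner would triage the O23 (service) entries of a log like the one above mechanically: which service binaries sit in places where Windows services do not normally live, and which publishers the administrator does not recognise. The following Python script is added here and is not part of the original post; it runs those checks over a handful of lines copied from the log above. The heuristics and the list of vendors treated as recognised are assumptions for the example, and a flagged entry is something to verify (file hash, Authenticode signature, install date), not a verdict.

```python
import ntpath
import re

# Layout of a HijackThis O23 line (the "(<service name>)" part is absent on
# some entries, so it is optional in the pattern):
#   O23 - Service: <display name> (<service name>) - <publisher> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)

# Vendors the administrator expects on this particular box. Assumed for the
# example; an entry from any other publisher is "review", not "malicious".
RECOGNISED_VENDORS = {
    "CA", "CA, Inc.", "Computer Associates International Inc.",
    "Hewlett-Packard Company", "ESET", "Google", "TeamViewer GmbH",
    "The Firebird Project", "Firebird Project", "CACE Technologies, Inc.",
}

# Directories where a service image is normally expected to live.
STANDARD_DIRS = ("\\windows\\system32\\", "\\program files\\")

# Sample input: lines copied verbatim from the posted log.
SAMPLE_LOG = [
    r"O23 - Service: Serveur DNS (DNS) - Unknown owner - C:\WINDOWS\System32\dns.exe",
    r"O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe",
    r"O23 - Service: Service Google Update (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe",
    r"O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe",
    r"O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe",
    r"O23 - Service: Telephouy (TapiSru) - Unknown owner - C:\WINDOWS\system32\dllcache\TapiSru.exe",
    r"O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe",
    r"O23 - Service: WinddFontRepair (WinddFont) - FOV - C:\WINDOWS\system32\winddfonts.exe",
    r"O23 - Service: Windows Event Logger (WLE) - Unknown owner - C:\WINDOWS\msmsg.exe",
    r"O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe",
]


def parse_o23(line):
    """Return the fields of an O23 line as a dict, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["name"] = entry["name"] or entry["display"]  # fall back to display name
    return entry


def reasons_for(entry):
    """Heuristic reasons why a service entry deserves a closer look."""
    path = entry["path"].lower()
    parent = ntpath.dirname(path)  # ntpath handles Windows paths on any OS
    owner = entry["owner"]
    reasons = []
    if "\\dllcache\\" in path:
        reasons.append("binary lives in the Windows File Protection dllcache directory")
    if parent.endswith("\\windows"):
        reasons.append("binary sits directly in %SystemRoot% instead of a subdirectory")
    in_standard_dir = any(d in path for d in STANDARD_DIRS)
    if owner == "Unknown owner" and not in_standard_dir:
        reasons.append("no publisher and outside system32 / Program Files")
    if owner != "Unknown owner" and owner not in RECOGNISED_VENDORS:
        reasons.append(f"publisher {owner!r} is not on the recognised list")
    return reasons


def triage_o23(lines):
    """Return [(service name, image path, [reasons])] for entries worth reviewing."""
    flagged = []
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue  # not an O23 line; the whole log can be fed through
        reasons = reasons_for(entry)
        if reasons:
            flagged.append((entry["name"], entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage_o23(SAMPLE_LOG):
        print(f"{name}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Because `parse_o23` returns None for anything that is not an O23 line, the complete HijackThis log can be passed to `triage_o23` as-is. Built-in services that report "Unknown owner" but live under system32 are deliberately not flagged, otherwise every Windows 2003 log would light up; the rules only single out unusual locations and publishers the administrator did not expect.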
3 replies
Hi,
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
You ran HijackThis on the server, but the mails may well be sent by a client workstation on the LAN.
Does this server act as the router?
Because if it doesn't, you won't be able to identify the machine that is sending the SPAM.
See: https://forum.malekal.com/viewtopic.php?t=27238&start=
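The reply above makes the key point: a HijackThis log of the server says nothing about which LAN host is actually opening the SMTP sessions, and you can only attribute them from a capture point that sees the whole LAN (the router, or a mirror port on the switch). As an added example that is not part of the original thread, the following Python script takes a tshark field export and ranks internal hosts by the number of distinct external mail servers they contact on TCP/25, alongside their MX lookups. The capture content, the LAN range 192.168.1.0/24, the host addresses and the tshark command are all assumptions for the example; the command assumed is `tshark -r lan.pcap -Y "(tcp.dstport==25 && tcp.flags.syn==1 && tcp.flags.ack==0) || dns.flags.response==0" -T fields -E separator=/t -e ip.src -e ip.dst -e tcp.dstport -e dns.qry.type -e dns.qry.name`, so each SMTP line is one connection attempt and each DNS line is one query. In the constructed sample the server shows the same MX lookups as the spamming workstation, because a LAN resolver (the posted log shows dns.exe running on this server) forwards client queries upstream; that is one way a clean DNS server can appear to be the origin of odd DNS traffic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal range for the example; adjust to the customer's LAN.
LAN = ip_network("192.168.1.0/24")
MX_QTYPE = "15"  # DNS query type MX, as tshark prints dns.qry.type in field mode

# Constructed tshark export (not a real capture). One packet per line, tab
# separated fields: ip.src  ip.dst  tcp.dstport  dns.qry.type  dns.qry.name
# 192.168.1.57 is the assumed spamming workstation, 192.168.1.10 the server
# (also the LAN resolver, forwarding to 198.51.100.1), 192.168.1.20 a clean host.
SAMPLE_EXPORT = (
    "192.168.1.57\t192.168.1.10\t\t15\texample.net\n"
    "192.168.1.10\t198.51.100.1\t\t15\texample.net\n"
    "192.168.1.57\t203.0.113.5\t25\t\t\n"
    "192.168.1.57\t192.168.1.10\t\t15\texample.org\n"
    "192.168.1.10\t198.51.100.1\t\t15\texample.org\n"
    "192.168.1.57\t203.0.113.6\t25\t\t\n"
    "192.168.1.57\t203.0.113.6\t25\t\t\n"
    "192.168.1.20\t203.0.113.80\t443\t\t\n"
    "192.168.1.57\t192.168.1.10\t\t15\texample.com\n"
    "192.168.1.10\t198.51.100.1\t\t15\texample.com\n"
    "192.168.1.57\t203.0.113.7\t25\t\t\n"
    "192.168.1.57\t192.168.1.10\t\t15\texample.edu\n"
    "192.168.1.10\t198.51.100.1\t\t15\texample.edu\n"
    "192.168.1.57\t203.0.113.8\t25\t\t\n"
    "192.168.1.10\t203.0.113.9\t25\t\t\n"
    "203.0.113.50\t192.168.1.10\t25\t\t\n"
)


def parse_export(export_text, lan=LAN):
    """Aggregate, per internal host: SMTP SYNs, distinct SMTP peers, MX queries."""
    stats = defaultdict(lambda: {"smtp_syns": 0, "smtp_peers": set(), "mx_queries": 0})
    for line in export_text.splitlines():
        if not line.strip():
            continue
        fields = (line.split("\t") + [""] * 5)[:5]  # pad short lines
        src, dst, dport, qtype, _qname = fields
        try:
            src_ip = ip_address(src)
        except ValueError:
            continue  # malformed line, skip it
        if src_ip not in lan:
            continue  # only attribute traffic that originates inside the LAN
        host = stats[src]
        if dport == "25":
            host["smtp_syns"] += 1
            host["smtp_peers"].add(dst)
        if qtype == MX_QTYPE:
            host["mx_queries"] += 1
    return stats


def rank_spam_candidates(export_text, lan=LAN, min_peers=3):
    """Internal hosts opening SMTP sessions to at least min_peers distinct
    servers, most distinct peers first: (host, peers, syns, mx_queries)."""
    rows = []
    for host, s in parse_export(export_text, lan).items():
        peers = len(s["smtp_peers"])
        if peers >= min_peers:
            rows.append((host, peers, s["smtp_syns"], s["mx_queries"]))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    for host, peers, syns, mx in rank_spam_candidates(SAMPLE_EXPORT):
        print(f"{host}: {peers} distinct SMTP peers, {syns} SYNs, {mx} MX queries")
```

Ranking on distinct SMTP peers rather than on MX queries is what separates the workstation from the resolver in front of it: both show four MX lookups, but only the workstation fans out to four different mail servers. A legitimate mail server talking to its one smarthost stays under the threshold. The script is only meaningful if the capture was taken where all LAN egress is visible, which is exactly why the reply asks whether the server is the router.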