[Virus] Suis-je infecté?

Tony1234 Messages postés 2 Statut Membre -  
Tony1234 Messages postés 2 Statut Membre -
Salut,
J'ai changé d'antivirus il y a 2 semaine, passant d'AVG à Kaspersky, qui m'a trouvé le Trojan que je cherchais, mais il detecte des "suspicious activity", ce qui ne me plait guère.
Etant encore débutant en informatique, je me tourne vers vos lumières.
Kapersky me dit notamment:

detected: riskware Invader (loader) Running process: C:\WINDOWS\system32\rundll32.exe

02/01/2007 16:51:00 C:\WINDOWS\system32\svchost.exe Attempt to run process as a child of C:\WINDOWS\system32\services.exe (PID: 784).
02/01/2007 16:51:01 C:\WINDOWS\system32\alg.exe Attempt to run process as a child of C:\WINDOWS\system32\services.exe (PID: 784).
02/01/2007 16:51:46 C:\WINDOWS\system32\wuauclt.exe Attempt to run process as a child of C:\WINDOWS\System32\svchost.exe (PID: 1116).
02/01/2007 16:52:11 C:\WINDOWS\system32\rundll32.exe Attempt to run process as a child of C:\WINDOWS\system32\nvsvc32.exe (PID: 1980).
02/01/2007 16:52:15 C:\WINDOWS\system32\userinit.exe Attempt to run process as a child of \\?\C:\WINDOWS\system32\winlogon.exe (PID: 584).
02/01/2007 16:52:15 C:\WINDOWS\explorer.exe Attempt to run process as a child of C:\WINDOWS\system32\userinit.exe (PID: 608).
02/01/2007 16:52:18 C:\WINDOWS\system32\rundll32.exe Attempt to run process as a child of C:\WINDOWS\system32\nwiz.exe (PID: 1728).
02/01/2007 16:52:18 C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\keystone.exe into process.
02/01/2007 16:52:18 C:\WINDOWS\system32\rundll32.exe Action blocked.
02/01/2007 16:52:18 C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\keystone.exe into process.
02/01/2007 16:52:18 C:\WINDOWS\system32\rundll32.exe Action blocked.
02/01/2007 16:52:27 C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\keystone.exe into process.
02/01/2007 16:52:27 C:\WINDOWS\system32\rundll32.exe Action blocked.

cette dernière action étant répétée à de nombreuses reprises.

puis:

02/01/2007 16:52:27 C:\WINDOWS\system32\rundll32.exe Process is trying to inject module C:\WINDOWS\system32\nview.dll into all processes. This behaviour is typical of some malicious programs.
02/01/2007 16:52:27 C:\WINDOWS\system32\rundll32.exe Action blocked.
02/01/2007 16:52:30 C:\WINDOWS\explorer.exe Attempt to load a new or modified module C:\Program Files\MediaKey\VerRes.dll into process.
02/01/2007 16:52:30 C:\WINDOWS\explorer.exe Action blocked.
02/01/2007 16:52:31 C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\keystone.exe into process.
02/01/2007 16:52:31 C:\WINDOWS\system32\rundll32.exe Action blocked.

ensuite:

02/01/2007 16:53:27 C:\Program Files\MSN Messenger\msnmsgr.exe Attempt to load a new or modified module C:\Program Files\MSN Messenger\abssm.dll into process.
02/01/2007 16:53:27 C:\Program Files\MSN Messenger\msnmsgr.exe Action blocked.
02/01/2007 16:53:27 C:\Program Files\MSN Messenger\msnmsgr.exe Attempt to load a new or modified module C:\Program Files\MSN Messenger\abssm.dll into process.
02/01/2007 16:53:27 C:\Program Files\MSN Messenger\msnmsgr.exe Action blocked.
02/01/2007 16:56:09 C:\Program Files\Internet Explorer\iexplore.exe Attempt to load a new or modified module C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\msvcr71.dll into process.
02/01/2007 16:56:09 C:\Program Files\Internet Explorer\iexplore.exe Action blocked.
02/01/2007 16:56:09 C:\Program Files\Internet Explorer\iexplore.exe Attempt to load a new or modified module C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll into process.
02/01/2007 16:56:09 C:\Program Files\Internet Explorer\iexplore.exe Action blocked.
02/01/2007 16:56:09 C:\Program Files\Internet Explorer\iexplore.exe Attempt to load a new or modified module C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll into process.
02/01/2007 16:56:09 C:\Program Files\Internet Explorer\iexplore.exe Action blocked.
02/01/2007 17:05:47 C:\WINDOWS\system32\rundll32.exe Attempt to run process as a child of C:\WINDOWS\System32\svchost.exe (PID: 1116).
02/01/2007 17:06:56 C:\WINDOWS\explorer.exe Attempt to load a new or modified module C:\Documents and Settings\Administrateur\Bureau\securité\a2FreeSetup.exe into process.
02/01/2007 17:06:56 C:\WINDOWS\explorer.exe Action blocked.
02/01/2007 17:07:05 C:\WINDOWS\explorer.exe Attempt to load a new or modified module C:\Documents and Settings\Administrateur\Bureau\securité\a2FreeSetup.exe into process.
02/01/2007 17:07:05 C:\WINDOWS\explorer.exe Action blocked.
02/01/2007 17:07:39 C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\keystone.exe into process.
02/01/2007 17:07:39 C:\WINDOWS\system32\rundll32.exe Action blocked.
02/01/2007 17:07:39 C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\keystone.exe into process.
02/01/2007 17:07:39 C:\WINDOWS\system32\rundll32.exe Action blocked.
02/01/2007 17:07:48 C:\WINDOWS\system32\wuauclt.exe Attempt to run process as a child of C:\WINDOWS\System32\svchost.exe (PID: 1116).

et enfin:

02/01/2007 16:52:19 C:\WINDOWS\system32\dumprep.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KernelFaultCheck %systemroot%\system32\dumprep 0 -k Unicode null-terminated string (with environment variable references) Delete detected
02/01/2007 16:52:19 C:\WINDOWS\system32\dumprep.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KernelFaultCheck %systemroot%\system32\dumprep 0 -k Unicode null-terminated string (with environment variable references) Delete allowed
02/01/2007 16:52:30 C:\WINDOWS\system32\services.exe HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PCANDIS5 ImagePath \??\C:\WINDOWS\system32\PCANDIS5.SYS Unicode null-terminated string (with environment variable references) Create detected
02/01/2007 16:52:30 C:\WINDOWS\system32\services.exe HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PCANDIS5 ImagePath \??\C:\WINDOWS\system32\PCANDIS5.SYS Unicode null-terminated string (with environment variable references) Create blocked
02/01/2007 16:52:30 C:\WINDOWS\system32\services.exe HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PCANDIS5 ImagePath \??\C:\WINDOWS\system32\PCANDIS5.SYS Unicode null-terminated string (with environment variable references) Create detected
02/01/2007 16:52:30 C:\WINDOWS\system32\services.exe HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PCANDIS5 ImagePath \??\C:\WINDOWS\system32\PCANDIS5.SYS Unicode null-terminated string (with environment variable references) Create blocked

ce dernier message étant répété 2 fois par seconde!!

tout cela ne me dit rien qui vaille mais je ne trouve rien avec Kaspersky.

Merci de votre aide!

Configuration: Windows XP
Internet Explorer 7.0

1 réponse

  1. Tony1234 Messages postés 2 Statut Membre
     
    je vous rajoute mon rapport hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 21:29:13, on 02/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
    C:\Program Files\MediaKey\Versato.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MediaKey\MePlayer.exe
    C:\Program Files\MediaKey\OSD.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrateur\Bureau\securité\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Sagem - Utilitaire réseau pour Clé USB Wi-Fi 802.11g.lnk = ?
    O4 - Global Startup: Versato.lnk = C:\Program Files\MediaKey\Versato.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: https://www.france.tv/france-5/
    O15 - Trusted Zone: https://www.pagesjaunes.fr/
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
    O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://charon777.free.fr/plugins/hardwaredetection.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3145BE-B57A-4E86-ACBE-77AA2077239C}: NameServer = 85.255.116.104,85.255.112.229
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9711BC05-AC72-4DCF-921A-0E3D53E221DC}: NameServer = 85.255.116.104,85.255.112.229
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF6F3504-95C4-4B39-BDF4-D329F455885F}: NameServer = 85.255.116.104,85.255.112.229
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.104 85.255.112.229
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.104 85.255.112.229
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.104 85.255.112.229
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    0