PC infected with a trojan

Closed
Monptitcoco Posts 3 Registration date Friday 9 March 2018 Status Member Last activity 9 March 2018 - 9 March 2018 at 13:19
Malekal_morte- Posts 180304 Registration date Wednesday 17 May 2006 Status Moderator, Security contributor Last activity 15 December 2020 - 9 March 2018 at 19:02
Hello, my PC has been infected by a trojan.
Here is my ZHPDiag report:
Can you help me please?
Regards.

https://www.cjoint.com/c/HCjmrgOQDd0
Also, AdwCleaner stops with an error "caught unhandled unknown exception terminating"

3 replies

Malekal_morte- Posts 180304 Registration date Wednesday 17 May 2006 Status Moderator, Security contributor Last activity 15 December 2020 24 660
9 March 2018 at 13:23
Hi,

Download and install MBAM. The free version can clean (be sure to untick the offer of the Premium trial at the end of the installation):

Update MBAM, then run a scan.
At the end of the scan, click "Quarantine" at the bottom right.
Restart the computer if needed, then relaunch Malwarebytes.

Go and get the report in the "Reports" tab.
On the left, "Scan Reports", double-click the scan in the list.
Then at the bottom, "Export text file", save it to the desktop.
Go to https://pjjoint.malekal.com/, click Browse, find the saved Malwarebytes report.
Click "Send". In a new message here in reply, give the pjjoint link so the report can be consulted.


then:


Follow the FRST tutorial. (take the time to read it carefully - everything is well explained there).

Download and run the FRST scan,
Wait for the scan to finish; a message indicates that the analysis is complete.

Three FRST reports will be generated:
  • FRST.txt
  • Shortcut.txt
  • Additionnal.txt


Send these 3 reports to the site https://pjjoint.malekal.com/ to share them.
In return, give the 3 pjjoint links to the reports here in a new reply so that we can consult them.


Monptitcoco Posts 3 Registration date Friday 9 March 2018 Status Member Last activity 9 March 2018
9 March 2018 at 14:11
Monptitcoco Posts 3 Registration date Friday 9 March 2018 Status Member Last activity 9 March 2018
9 March 2018 at 14:38
Malekal_morte- Posts 180304 Registration date Wednesday 17 May 2006 Status Moderator, Security contributor Last activity 15 December 2020 24 660
9 March 2018 at 15:13
Here is the fix to carry out with FRST. You can use this explanatory note with screenshots to help you.

Open Notepad: Windows key + R,
In the "Run" field, type notepad and OK.
Copy/paste the following into it:

CreateRestorePoint:
CloseProcesses:()
2018-03-09 19:43 - 2017-10-02 10:40 - 000000000 ____D C:\Program Files (x86)\Tencent
2018-03-09 19:23 - 2017-08-09 19:59 - 000000000 ____D C:\Users\VULCAN\AppData\Local\ZHP
C:\Program Files (x86)\Tencent
C:\Program Files (x86)\Thunder Network
2018-03-03 13:49 - 2016-10-12 21:57 - 000000000 _RSHD C:\360SANDBOX
2018-02-23 21:44 - 2017-12-09 08:58 - 000000000 ____D C:\Users\VULCAN\AppData\Roaming\Badoo
2017-10-03 22:19 - 2017-10-03 22:19 - 000000000 _____ () C:\Users\VULCAN\AppData\Local\{459E095F-500C-4345-96CA-A22D05E119DE}
C:\Users\VULCAN\AppData\Roaming\baidu
ContextMenuHandlers6-x32: [QQShellExt] -> {53D2405C-48AB-4C8A-8F59-CE0610F13BBC} => C:\Program Files (x86)\Tencent\QQ\ShellExt\QQShellExt.dll -> No File
ContextMenuHandlers6-x32: [UnlockerShellExtension] -> {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => C:\Program Files\Unlocker\UnlockerCOM.dll [2010-07-15] ()
ContextMenuHandlers4: [YunShellExt] -> {6D85624F-305A-491d-8848-C1927AA0D790} => C:\Users\VULCAN\AppData\Roaming\baidu\BaiduNetdisk\YunShellExt64.dll [2017-10-15] ()
HKLM-x32\...\Run: [kwWallpaper] => E:\Program Files (x86)\kuwo\kuwomusic\8.7.2.0_BDS1\bin\KwWallpaper.exe [254448 2017-07-05] ()
HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\...\Run: [Thunder] => C:\Program Files (x86)\Thunder Network\Thunder9\Program\Thunder.exe -silent -StartType:AutoRun
HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\...\Run: [BaiduYunDetect] => "C:\Users\VULCAN\AppData\Roaming\baidu\BaiduNetdisk\YunDetectService.exe"
HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\...\Run: [XMP] => "C:\Users\Public\THUNDE~1\xmp5\V540~1.608\Program\XMP.exe" /embedding /sstartfrom Startup103
R2 XLNXService; C:\Users\VULCAN\AppData\Roaming\XLGameBox\ServicePlatform\XLNX.dll [151488 2017-12-07] (深圳市迅雷网络技术有限公司)
R2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [164184 2017-12-07] (深圳市迅雷网络技术有限公司)
R1 XLGuard; C:\WINDOWS\System32\drivers\XLGuard.sys [36112 2017-11-29] (深圳市迅雷网络技术有限公司)
R2 XLWFP; C:\WINDOWS\System32\drivers\xlwfp.sys [59664 2016-03-29] (深圳市迅雷网络技术有限公司)
S1 bbnetdriver; C:\WINDOWS\System32\drivers\bbnetdriver.sys [126056 2017-02-04] (百度在线网络技术(北京)有限公司)
R1 360Box64; C:\WINDOWS\System32\DRIVERS\360Box64.sys [321616 2015-10-16] (360.cn)
S1 BAPIDRV; C:\WINDOWS\System32\DRIVERS\BAPIDRV64.sys [181328 2015-12-01] (360.cn)
2018-03-09 20:36 - 2018-01-18 08:03 - 000076200 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2018-03-09 19:38 - 2018-03-09 19:44 - 000051321 _____ C:\Users\VULCAN\Desktop\ZHPCleaner.html
2018-03-09 19:38 - 2018-03-09 19:44 - 000025640 _____ C:\Users\VULCAN\Desktop\ZHPCleaner.txt
2018-03-09 19:25 - 2018-03-09 19:28 - 000000919 _____ C:\Users\VULCAN\Desktop\ZHPCleaner.lnk
2018-03-09 08:26 - 2018-03-09 19:48 - 000324740 _____ C:\Users\VULCAN\Desktop\ZHPDiag.html
2018-03-09 08:21 - 2018-03-09 08:22 - 000000909 _____ C:\Users\VULCAN\Desktop\ZHPDiag.lnk
2018-03-06 20:24 - 2018-03-09 21:08 - 000000000 ____D C:\Program Files (x86)\Free
2018-03-03 14:42 - 2018-03-06 20:23 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-02-24 08:05 - 2018-02-24 08:05 - 000000000 ____D C:\Users\VULCAN\AppData\Local\CrashRpt
2018-02-23 07:40 - 2018-02-23 07:40 - 000000222 _____ C:\Users\VULCAN\Desktop\Hunt Showdown.url
2018-02-22 22:11 - 2018-02-22 22:11 - 000159424 _____ (Tencent) C:\ProgramData\8P9KSUkiF.aO6
R2 UPSecurityInputService; C:\WINDOWS\SysWoW64\UPEditNew\UPService.exe [361240 2016-05-07] (中国银联股份有限公司)
C:\ProgramData\kuwodata
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\igame.lnk [2017-08-12]
ShortcutTarget: igame.lnk -> G:\Program Files (x86)\leyoubox\igame.exe (昆山百诺信息科技有限公司)
Startup: C:\Users\VULCAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KwGBDeamon.lnk [2016-10-14]
ShortcutTarget: KwGBDeamon.lnk -> C:\ProgramData\KWGameBox\KwGameBox\bin\KwGBDeamon.exe (酷我科技)
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:


Once the text is pasted into Notepad,
Menu "File" then "Save As",
On the left, go to the Desktop,
In the field at the bottom, file name, enter: fixlist.txt
Click "Save"; this will create fixlist.txt on the Desktop.

Relaunch FRST and click the "Fix" button
A restart may be necessary (not mandatory)
A text file appears; copy/paste its contents here in a new message.

Restart the computer.


2)
Reset/repair the web browsers affected by the problems:


3)
Run a new FRST scan and give the new reports.

Xkazart Posts 3 Registration date Saturday 17 January 2015 Status Member Last activity 9 March 2018
9 March 2018 at 15:57
Xkazart Posts 3 Registration date Saturday 17 January 2015 Status Member Last activity 9 March 2018
9 March 2018 at 15:40
Fix result of Farbar Recovery Scan Tool (x64) Version: 04.03.2018
Ran by VULCAN (09-03-2018 22:25:40) Run:1
Running from C:\Users\VULCAN\Desktop
Loaded Profiles: VULCAN (Available Profiles: VULCAN)
Boot Mode: Normal
==============================================

fixlist content:

CreateRestorePoint:
CloseProcesses:()
2018-03-09 19:43 - 2017-10-02 10:40 - 000000000 ____D C:\Program Files (x86)\Tencent
2018-03-09 19:23 - 2017-08-09 19:59 - 000000000 ____D C:\Users\VULCAN\AppData\Local\ZHP
C:\Program Files (x86)\Tencent
C:\Program Files (x86)\Thunder Network
2018-03-03 13:49 - 2016-10-12 21:57 - 000000000 _RSHD C:\360SANDBOX
2018-02-23 21:44 - 2017-12-09 08:58 - 000000000 ____D C:\Users\VULCAN\AppData\Roaming\Badoo
2017-10-03 22:19 - 2017-10-03 22:19 - 000000000 _____ () C:\Users\VULCAN\AppData\Local\{459E095F-500C-4345-96CA-A22D05E119DE}
C:\Users\VULCAN\AppData\Roaming\baidu
ContextMenuHandlers6-x32: [QQShellExt] -> {53D2405C-48AB-4C8A-8F59-CE0610F13BBC} => C:\Program Files (x86)\Tencent\QQ\ShellExt\QQShellExt.dll -> No File
ContextMenuHandlers6-x32: [UnlockerShellExtension] -> {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => C:\Program Files\Unlocker\UnlockerCOM.dll [2010-07-15] ()
ContextMenuHandlers4: [YunShellExt] -> {6D85624F-305A-491d-8848-C1927AA0D790} => C:\Users\VULCAN\AppData\Roaming\baidu\BaiduNetdisk\YunShellExt64.dll [2017-10-15] ()
HKLM-x32\...\Run: [kwWallpaper] => E:\Program Files (x86)\kuwo\kuwomusic\8.7.2.0_BDS1\bin\KwWallpaper.exe [254448 2017-07-05] ()
HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\...\Run: [Thunder] => C:\Program Files (x86)\Thunder Network\Thunder9\Program\Thunder.exe -silent -StartType:AutoRun
HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\...\Run: [BaiduYunDetect] => "C:\Users\VULCAN\AppData\Roaming\baidu\BaiduNetdisk\YunDetectService.exe"
HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\...\Run: [XMP] => "C:\Users\Public\THUNDE~1\xmp5\V540~1.608\Program\XMP.exe" /embedding /sstartfrom Startup103
R2 XLNXService; C:\Users\VULCAN\AppData\Roaming\XLGameBox\ServicePlatform\XLNX.dll [151488 2017-12-07] (深圳市迅雷网络技术有限公司)
R2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [164184 2017-12-07] (深圳市迅雷网络技术有限公司)
R1 XLGuard; C:\WINDOWS\System32\drivers\XLGuard.sys [36112 2017-11-29] (深圳市迅雷网络技术有限公司)
R2 XLWFP; C:\WINDOWS\System32\drivers\xlwfp.sys [59664 2016-03-29] (深圳市迅雷网络技术有限公司)
S1 bbnetdriver; C:\WINDOWS\System32\drivers\bbnetdriver.sys [126056 2017-02-04] (百度在线网络技术(北京)有限公司)
R1 360Box64; C:\WINDOWS\System32\DRIVERS\360Box64.sys [321616 2015-10-16] (360.cn)
S1 BAPIDRV; C:\WINDOWS\System32\DRIVERS\BAPIDRV64.sys [181328 2015-12-01] (360.cn)
2018-03-09 20:36 - 2018-01-18 08:03 - 000076200 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2018-03-09 19:38 - 2018-03-09 19:44 - 000051321 _____ C:\Users\VULCAN\Desktop\ZHPCleaner.html
2018-03-09 19:38 - 2018-03-09 19:44 - 000025640 _____ C:\Users\VULCAN\Desktop\ZHPCleaner.txt
2018-03-09 19:25 - 2018-03-09 19:28 - 000000919 _____ C:\Users\VULCAN\Desktop\ZHPCleaner.lnk
2018-03-09 08:26 - 2018-03-09 19:48 - 000324740 _____ C:\Users\VULCAN\Desktop\ZHPDiag.html
2018-03-09 08:21 - 2018-03-09 08:22 - 000000909 _____ C:\Users\VULCAN\Desktop\ZHPDiag.lnk
2018-03-06 20:24 - 2018-03-09 21:08 - 000000000 ____D C:\Program Files (x86)\Free
2018-03-03 14:42 - 2018-03-06 20:23 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-02-24 08:05 - 2018-02-24 08:05 - 000000000 ____D C:\Users\VULCAN\AppData\Local\CrashRpt
2018-02-23 07:40 - 2018-02-23 07:40 - 000000222 _____ C:\Users\VULCAN\Desktop\Hunt Showdown.url
2018-02-22 22:11 - 2018-02-22 22:11 - 000159424 _____ (Tencent) C:\ProgramData\8P9KSUkiF.aO6
R2 UPSecurityInputService; C:\WINDOWS\SysWoW64\UPEditNew\UPService.exe [361240 2016-05-07] (中国银联股份有限公司)
C:\ProgramData\kuwodata
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\igame.lnk [2017-08-12]
ShortcutTarget: igame.lnk -> G:\Program Files (x86)\leyoubox\igame.exe (昆山百诺信息科技有限公司)
Startup: C:\Users\VULCAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KwGBDeamon.lnk [2016-10-14]
ShortcutTarget: KwGBDeamon.lnk -> C:\ProgramData\KWGameBox\KwGameBox\bin\KwGBDeamon.exe (酷我科技)
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:


Error: (0) Failed to create a restore point.
Processes closed successfully.
C:\Program Files (x86)\Tencent => moved successfully
C:\Users\VULCAN\AppData\Local\ZHP => moved successfully
"C:\Program Files (x86)\Tencent" => not found
C:\Program Files (x86)\Thunder Network => moved successfully

"C:\360SANDBOX" folder move:

Could not move "C:\360SANDBOX" => Scheduled to move on reboot.

C:\Users\VULCAN\AppData\Roaming\Badoo => moved successfully
C:\Users\VULCAN\AppData\Local\{459E095F-500C-4345-96CA-A22D05E119DE} => moved successfully
C:\Users\VULCAN\AppData\Roaming\baidu => moved successfully
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\QQShellExt" => removed successfully
"HKLM\Software\Wow6432Node\Classes\CLSID\{53D2405C-48AB-4C8A-8F59-CE0610F13BBC}" => removed successfully
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\UnlockerShellExtension" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => not found
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\YunShellExt" => removed successfully
"HKLM\Software\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\kwWallpaper" => removed successfully
"HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Thunder" => removed successfully
"HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\Software\Microsoft\Windows\CurrentVersion\Run\\BaiduYunDetect" => removed successfully
"HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\Software\Microsoft\Windows\CurrentVersion\Run\\XMP" => removed successfully
"HKLM\System\CurrentControlSet\Services\XLNXService" => removed successfully
XLNXService => service removed successfully
"HKLM\System\CurrentControlSet\Services\XLServicePlatform" => removed successfully
XLServicePlatform => service removed successfully
XLGuard => Unable to stop service.
"HKLM\System\CurrentControlSet\Services\XLGuard" => removed successfully
XLGuard => service removed successfully
XLWFP => Unable to stop service.
"HKLM\System\CurrentControlSet\Services\XLWFP" => removed successfully
XLWFP => service removed successfully
"HKLM\System\CurrentControlSet\Services\bbnetdriver" => removed successfully
bbnetdriver => service removed successfully
360Box64 => Unable to stop service.
"HKLM\System\CurrentControlSet\Services\360Box64" => removed successfully
360Box64 => service removed successfully
"HKLM\System\CurrentControlSet\Services\BAPIDRV" => removed successfully
BAPIDRV => service removed successfully
C:\WINDOWS\system32\Drivers\mbae64.sys => moved successfully
C:\Users\VULCAN\Desktop\ZHPCleaner.html => moved successfully
C:\Users\VULCAN\Desktop\ZHPCleaner.txt => moved successfully
C:\Users\VULCAN\Desktop\ZHPCleaner.lnk => moved successfully
C:\Users\VULCAN\Desktop\ZHPDiag.html => moved successfully
C:\Users\VULCAN\Desktop\ZHPDiag.lnk => moved successfully
C:\Program Files (x86)\Free => moved successfully
C:\WINDOWS\system32\Drivers\wd => moved successfully
C:\Users\VULCAN\AppData\Local\CrashRpt => moved successfully
C:\Users\VULCAN\Desktop\Hunt Showdown.url => moved successfully
C:\ProgramData\8P9KSUkiF.aO6 => moved successfully
"HKLM\System\CurrentControlSet\Services\UPSecurityInputService" => removed successfully
UPSecurityInputService => service removed successfully
C:\ProgramData\kuwodata => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\igame.lnk => moved successfully
"G:\Program Files" => not found
C:\Users\VULCAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KwGBDeamon.lnk => moved successfully
C:\ProgramData\KWGameBox\KwGameBox\bin\KwGBDeamon.exe => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= RemoveProxy: =========

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => removed successfully
"HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
"HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-3795826015-3801581077-2544062959-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully


========= End of RemoveProxy: =========


=========== EmptyTemp: ==========

BITS transfer queue => 9723904 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 28395401 B
Java, Flash, Steam htmlcache => 492901489 B
Windows/system/drivers => 2731751 B
Edge => 8674288 B
Chrome => 340392548 B
Firefox => 444957757 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 32121 B
LocalService => 0 B
NetworkService => 378724 B
VULCAN => 1484211612 B

RecycleBin => 0 B
EmptyTemp: => 2.6 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 09-03-2018 22:29:00)

C:\360SANDBOX => Is moved successfully

End of Fixlog 22:29:00

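To check a Fixlog like the one posted above before asking for the follow-up scan, here is an added Python example (not part of FRST, and not from either poster) that classifies each FRST result line and flags what still needs attention; the sample log is a constructed excerpt modelled on the post.

```python
"""Summarise an FRST Fixlog: per fixlist item, was it removed, already gone,
deferred to the next reboot, or did it fail. Added example, not part of FRST."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the Fixlog posted above (same line shapes).
SAMPLE_FIXLOG = r"""
Error: (0) Failed to create a restore point.
Processes closed successfully.
C:\Program Files (x86)\Tencent => moved successfully
"C:\Program Files (x86)\Tencent" => not found
Could not move "C:\360SANDBOX" => Scheduled to move on reboot.
"HKLM\System\CurrentControlSet\Services\XLGuard" => removed successfully
XLGuard => Unable to stop service.
XLGuard => service removed successfully
"G:\Program Files" => not found
C:\360SANDBOX => Is moved successfully
EmptyTemp: => 2.6 GB temporary data Removed.
"""

# One regex per outcome FRST reports; group 1 is the file, key or service name.
OUTCOME_PATTERNS = [
    ("removed", re.compile(r"^(.+?) => (?:moved|removed|service removed|Is moved) successfully$")),
    ("not_found", re.compile(r"^(.+?) => not found$")),
    ("deferred", re.compile(r'^Could not move "(.+?)" => Scheduled to move on reboot\.$')),
    ("failed", re.compile(r"^(.+?) => Unable to stop service\.$")),
]

def parse_fixlog(text):
    """Map each outcome to the items that got it; 'error' holds the Error: lines."""
    summary = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Error:"):
            summary["error"].append(line)
            continue
        for outcome, pattern in OUTCOME_PATTERNS:
            match = pattern.match(line)
            if match:
                summary[outcome].append(match.group(1).strip('"'))
                break
    return dict(summary)

def needs_attention(summary):
    """Items to re-check on the new scan asked for in step 3). A deferred move or an
    unstoppable driver is fine if a later line reports it removed (the driver stays
    loaded until Reboot: runs); a 'not found' is benign only if the path was moved earlier."""
    done = set(summary.get("removed", []))
    return {
        "pending": [p for p in summary.get("deferred", []) if p not in done],
        "stuck": [s for s in summary.get("failed", []) if s not in done],
        "unresolved": [n for n in summary.get("not_found", []) if n not in done],
        "errors": summary.get("error", []),
    }
```

On the sample, the only unresolved item is "G:\Program Files", the truncated ShortcutTarget path from the fixlist, while the deferred C:\360SANDBOX move and the XLGuard driver both show up as completed.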
Malekal_morte- Posts 180304 Registration date Wednesday 17 May 2006 Status Moderator, Security contributor Last activity 15 December 2020 24 660
9 March 2018 at 19:02
OK, go on to 2) and 3)