Virus/Trojan: need help

Closed
Jejenet - 25 Sept. 2007 at 15:25
philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009) - 26 Sept. 2007 at 21:35
Hello,

I need your help to eradicate a virus/trojan (or several?) present on my machine (Windows XP, IE 6.0).
On Sunday I left my PC on all day. When I came home in the evening, I found an unsolicited IE page in Turkish on my screen.
I ran AVG Anti-Spyware to check for an intrusion attempt; it detected nothing.
I searched my PC for modifications and, in the afternoon (when I was not there), I noticed some changes to MSN, PCHealth and Prefetch.

I downloaded AntiVir via Malekal and ran a first scan. Here is the report:

AntiVir PersonalEdition Classic
Report file date: lundi 24 septembre 2007 00:56

Scanning for 1079119 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: JEREMY
Computer name: JEREMY

Version information:
BUILD.DAT : 268 15604 Bytes 31/08/2007 13:04:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/09/2007 22:55:31
AVSCAN.DLL : 7.0.6.0 49192 Bytes 23/09/2007 22:55:31
LUKE.DLL : 7.0.5.3 147496 Bytes 23/09/2007 22:55:31
LUKERES.DLL : 7.0.6.1 10280 Bytes 23/09/2007 22:55:31
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 13:08:58
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 10/07/2007 22:55:34
ANTIVIR2.VDF : 6.39.1.120 1918464 Bytes 12/09/2007 22:55:35
ANTIVIR3.VDF : 6.39.1.165 227840 Bytes 23/09/2007 22:55:35
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 23/09/2007 22:55:36
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 09:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 23/09/2007 22:55:31
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 12:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 23/09/2007 22:55:36
AVREG.DLL : 7.0.1.6 30760 Bytes 23/09/2007 22:55:31
AVARKT.DLL : 1.0.0.20 278568 Bytes 23/09/2007 22:55:31
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 23/09/2007 22:55:31
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 10:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 23/09/2007 22:54:58
RCTEXT.DLL : 7.0.62.0 86056 Bytes 23/09/2007 22:54:58
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/09/2007 22:55:31

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: c:\program files\antivir personaledition classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: lundi 24 septembre 2007 00:56

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'icrgnkizljya.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'OCRAWR32.EXE' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ntvdm.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process '.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\.exe'
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'xlash.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process '.exe' has been terminated
C:\WINDOWS\system32\.exe
[DETECTION] Contains detection pattern of the worm WORM/Rbot.Gen
[INFO] WORM/Rbot.Gen:[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<CTFMON.EXE>=sz:.exe
[INFO] WORM/Rbot.Gen:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<SoundMan>=sz:.exe
[INFO] WORM/Rbot.Gen:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<TechWayLayer>=sz:.exe
[INFO] WORM/Rbot.Gen:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES]:<Microsoft>=sz:.exe
[INFO] WORM/Rbot.Gen:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES]:<TechWayLayer>=sz:.exe
[INFO] The file was moved to '475bf050.qua'!

32 processes with 31 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.

The registry was scanned ( '26' files ).


Starting the file scan:

Begin scan in 'C:\' <SYSTEME>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\neoo.exe
[DETECTION] Contains detection pattern of the worm WORM/Rbot.Gen
[INFO] The file was moved to '4765f0a2.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\INFECTED\4765f0a2.qua
[DETECTION] Contains detection pattern of the worm WORM/Rbot.Gen
[INFO] The file was moved to '472cf085.qua'!
C:\WINDOWS\system32\mswinsvcr.exe
[DETECTION] Contains detection pattern of the worm WORM/IrcBot.uxm
[INFO] The file was moved to '476df441.qua'!
C:\WINDOWS\system32\q8b6qYbI.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4758f40e.qua'!
Begin scan in 'D:\' <DATA>


End of the scan: lundi 24 septembre 2007 01:18
Used time: 21:25 min

The scan has been done completely.

3101 Scanning directories
90529 Files were scanned
6 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
5 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
90523 Files not concerned
540 Archives were scanned
2 Warnings
0 Notes

Some viruses or trojans seem to have been detected or quarantined, but problems persist, and the Windows firewall still alerts me on reboot.

Other scans run afterwards, including in safe mode, tell me my PC is still far from clean. Here are the two other reports showing viruses:

AntiVir PersonalEdition Classic
Report file date: lundi 24 septembre 2007 12:20

Scanning for 1079119 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: JEREMY

Version information:
BUILD.DAT : 268 15604 Bytes 31/08/2007 13:04:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/09/2007 22:55:31
AVSCAN.DLL : 7.0.6.0 49192 Bytes 23/09/2007 22:55:31
LUKE.DLL : 7.0.5.3 147496 Bytes 23/09/2007 22:55:31
LUKERES.DLL : 7.0.6.1 10280 Bytes 23/09/2007 22:55:31
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 13:08:58
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 10/07/2007 22:55:34
ANTIVIR2.VDF : 6.39.1.120 1918464 Bytes 12/09/2007 22:55:35
ANTIVIR3.VDF : 6.39.1.165 227840 Bytes 23/09/2007 22:55:35
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 23/09/2007 22:55:36
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 09:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 23/09/2007 22:55:31
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 12:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 23/09/2007 22:55:36
AVREG.DLL : 7.0.1.6 30760 Bytes 23/09/2007 22:55:31
AVARKT.DLL : 1.0.0.20 278568 Bytes 23/09/2007 22:55:31
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 23/09/2007 22:55:31
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 10:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 23/09/2007 22:54:58
RCTEXT.DLL : 7.0.62.0 86056 Bytes 23/09/2007 22:54:58
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/09/2007 22:55:31

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: lundi 24 septembre 2007 12:20

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'OCRAWR32.EXE' - '1' Module(s) have been scanned
Scan process 'icrgnkizljya.exe' - '1' Module(s) have been scanned
Scan process 'ntvdm.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
24 processes with 24 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '21' files ).


Starting the file scan:

Begin scan in 'C:\' <SYSTEME>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{8C16EA5C-C499-4766-A24A-2E01D69CFE5F}\RP282\A0035377.exe
[DETECTION] Contains detection pattern of the worm WORM/Rbot.Gen
[INFO] The file was moved to '472792a0.qua'!
C:\System Volume Information\_restore{8C16EA5C-C499-4766-A24A-2E01D69CFE5F}\RP282\A0035378.exe
[DETECTION] Contains detection pattern of the worm WORM/Rbot.Gen
[INFO] The file was moved to '472792a5.qua'!
C:\System Volume Information\_restore{8C16EA5C-C499-4766-A24A-2E01D69CFE5F}\RP282\A0035379.exe
[DETECTION] Contains detection pattern of the worm WORM/IrcBot.uxm
[INFO] The file was moved to '472792a7.qua'!
C:\System Volume Information\_restore{8C16EA5C-C499-4766-A24A-2E01D69CFE5F}\RP282\A0035380.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '472792ac.qua'!
Begin scan in 'D:\' <DATA>


End of the scan: lundi 24 septembre 2007 12:38
Used time: 18:09 min

The scan has been done completely.

3435 Scanning directories
96188 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
96184 Files not concerned
538 Archives were scanned
2 Warnings
0 Notes

and:

AntiVir PersonalEdition Classic
Report file date: mardi 25 septembre 2007 14:44

Scanning for 848873 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: JEREMY

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/09/2007 22:55:31
AVSCAN.DLL : 7.0.6.0 49192 Bytes 23/09/2007 22:55:31
LUKE.DLL : 7.0.5.3 147496 Bytes 23/09/2007 22:55:31
LUKERES.DLL : 7.0.6.1 10280 Bytes 23/09/2007 22:55:31
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 22:52:14
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 13/09/2007 22:52:14
ANTIVIR2.VDF : 7.0.0.4 174592 Bytes 24/09/2007 22:52:14
ANTIVIR3.VDF : 7.0.0.8 18432 Bytes 24/09/2007 22:52:15
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 23/09/2007 22:55:36
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 09:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 23/09/2007 22:55:31
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 12:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 23/09/2007 22:55:36
AVREG.DLL : 7.0.1.6 30760 Bytes 23/09/2007 22:55:31
AVARKT.DLL : 1.0.0.20 278568 Bytes 23/09/2007 22:55:31
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 23/09/2007 22:55:31
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 10:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 23/09/2007 22:54:58
RCTEXT.DLL : 7.0.62.0 86056 Bytes 23/09/2007 22:54:58
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/09/2007 22:55:31

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: mardi 25 septembre 2007 14:44

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'OCRAWR32.EXE' - '1' Module(s) have been scanned
Scan process 'icrgnkizljya.exe' - '1' Module(s) have been scanned
Scan process 'ntvdm.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
24 processes with 24 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '21' files ).


Starting the file scan:

Begin scan in 'C:\' <SYSTEME>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\xlash.exe
[DETECTION] Is the Trojan horse TR/Dldr.Banload.bpn.131
[INFO] The file was moved to '475a0604.qua'!
Begin scan in 'D:\' <DATA>


End of the scan: mardi 25 septembre 2007 15:01
Used time: 17:34 min

The scan has been done completely.

3452 Scanning directories
98482 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
98481 Files not concerned
545 Archives were scanned
2 Warnings
0 Notes

From there, I am helpless.
What is the procedure to get rid of these intrusions for good???

Thanks in advance for your help.

Jeremy

35 replies

philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009)
25 Sept. 2007 at 22:45
apparently it would still be in the registry

* download ERUNT
http://www.zebulon.fr/articles/base-de-registre-3.php#sauve

as a precaution before tinkering in the registry
if you have a doubt, come back and ask, with a screenshot for example; it is often clearer.

you are going to look manually to delete it

start----------run-------------type regedit then ok

navigate to the keys below and delete if you see your exe

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="C:\\WINDOWS\\system32\\icrgnkizljya.exe:*:Disabled:icrgnkizljya"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="C:\\WINDOWS\\system32\\icrgnkizljya.exe:*:Disabled:icrgnkizljya"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="icrgnkizljya"

[HKEY_USERS\S-1-5-21-842925246-813497703-854245398-1004\Software\Microsoft\OLE]
"TechWayLayer"="icrgnkizljya.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="icrgnkizljya"

0
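The locations philae83 lists above (the Windows Firewall AuthorizedApplications list, the MUICache, a value under Software\Microsoft\OLE) plus the Run/RunServices values from the AntiVir report are exactly what a defender inventories before deleting anything. The script below is an added example, not a tool from this thread: it parses regedit/OAD-style export text (sample entries reconstructed from the posts, plus one constructed benign Adobe Reader autostart for contrast), classifies each value by the kind of location it lives in, and cross-references every executable across those locations.

```python
"""Inventory persistence-related registry values from a regedit-style export.
Added example for this thread, not a tool from it: parses the [KEY] /
"name"="data" text quoted in the posts and classifies each value by location."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample: entries quoted in the thread (the Run value is rebuilt
# from the AntiVir [INFO] line) plus one benign Adobe Reader autostart.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="C:\\WINDOWS\\system32\\icrgnkizljya.exe:*:Disabled:icrgnkizljya"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="icrgnkizljya"
[HKEY_USERS\S-1-5-21-842925246-813497703-854245398-1004\Software\Microsoft\OLE]
"TechWayLayer"="icrgnkizljya.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=".exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
'''


@dataclass
class Finding:
    category: str    # autostart | firewall-exception | mui-cache | other
    key: str
    name: str
    data: str
    program: str     # executable the value points at ('' if none)
    state: str = ''  # Enabled / Disabled, firewall exceptions only
    flags: list = field(default_factory=list)


def _unescape(s: str) -> str:
    """Undo regedit export escaping (backslash-quote, doubled backslash)."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def classify_key(key: str) -> str:
    """Map a registry key path to the kind of persistence location it is."""
    k = key.lower()
    if 'firewallpolicy' in k and 'authorizedapplications' in k:
        return 'firewall-exception'   # Windows Firewall program exceptions
    if re.search(r'\\currentversion\\run(services|once)?$', k):
        return 'autostart'            # Run / RunOnce / RunServices
    if k.endswith('\\muicache'):
        return 'mui-cache'            # shell cache: the program was launched
    return 'other'


def _program_of(category: str, name: str, data: str) -> tuple:
    """Return (program, state) referenced by one value, per location type."""
    if category == 'firewall-exception':
        # data layout: <program path>:<scope>:<Enabled|Disabled>:<display name>
        parts = data.rsplit(':', 3)
        return (parts[0], parts[2]) if len(parts) == 4 else (data, '')
    if category == 'mui-cache':
        return name, ''               # here the value name is the program path
    d = data.strip()
    if d.startswith('"'):             # quoted command line: keep the path only
        d = d[1:d.find('"', 1)]
    else:                             # unquoted: first token (no spaces)
        d = d.split(' ', 1)[0]
    return (d, '') if d.lower().endswith('.exe') else ('', '')


def _basename(path: str) -> str:
    return path.replace('\\', '/').rsplit('/', 1)[-1]


def _flags_for(program: str) -> list:
    flags = []                        # triage hints only, not verdicts
    if program and not _basename(program).rsplit('.', 1)[0]:
        flags.append('no-basename')         # ".exe": extension, no file name
    if '\\windows\\' in program.lower():
        flags.append('under-windows-dir')   # compare against the AV hits
    return flags


def parse_reg_export(text: str) -> list:
    """Parse [KEY] / "name"="data" lines into Finding records."""
    findings, key, category = [], '', 'other'
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, category = m.group(1), classify_key(m.group(1))
            continue
        m = VALUE_RE.match(line)
        if not m or not key:
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        program, state = _program_of(category, name, data)
        findings.append(Finding(category, key, name, data, program, state,
                                _flags_for(program)))
    return findings


def correlate(findings: list) -> dict:
    """Executable file name -> sorted list of location kinds it appears in."""
    seen = defaultdict(set)
    for f in findings:
        if f.program:
            seen[_basename(f.program).lower()].add(f.category)
    return {exe: sorted(kinds) for exe, kinds in seen.items()}
```

Call `parse_reg_export()` on text exported from regedit (or pasted from an OAD report) and compare `correlate()`'s executables against the files AntiVir quarantined; an executable that sits in a firewall exception and in an autostart or MUICache entry but was never installed by the user is what to look at first.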
Yes, I know it is always delicate to touch the keys.

I made the backup with ERUNT.

I found the first one:
Image: http://img146.imageshack.us/img146/2278/keysqg2.jpg (I don't know whether an image can be inserted here; in any case, I didn't manage to.)
Besides, in this subgroup, the last 3 look suspicious to me.
What do you think?
0
philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009)
25 Sept. 2007 at 23:14
yes, that's right, all 3 are to be deleted.

besides, the lone .exe was in your 1st HijackThis report

then do a search with those 2 and OAD
0
Yes, I remembered that too.
Well, I have already deleted the 3 in this 1st subgroup, with the ".exe", the "icrgnkizljya.exe" and "mswinsvcr.exe"

I ran OAD with ".exe". The problem is that it returns just about everything ending in .exe, so the report is veeeeery long.
I also did it with "mswinsvcr.exe"; the report is shorter, I'll give you that one first.
Do you want the analysis with ".exe" too??

25/09/2007 ---- 23:24:48,56

----------------------------------
§§§§§§ [mswinsvcr.exe] §§§§§§
----------------------------------
[X] Registre

-------------- [ ] rapide
-- Fichier --- [ ] disque systeme
------------- [X] complete


********************
[Registre]
********************


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mswinsvcr.exe"="C:\\WINDOWS\\system32\\mswinsvcr.exe:*:Disabled:mswinsvcr"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\mswinsvcr.exe"="mswinsvcr"

[HKEY_USERS\S-1-5-21-842925246-813497703-854245398-1004\Software\ASProtect]
"Microsoft"="mswinsvcr.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\mswinsvcr.exe"="mswinsvcr"

*******************
[Fichier]
*******************



*********************
[Même date]
*********************

Aucun fichier créé à la même date détecté


Outil Aide Diagnostic By !aur3n7 Version 1.1
----------------------------------
§§§§§ Fin Rapport §§§§§
----------------------------------
0

philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009)
25 Sept. 2007 at 23:31
for that one, mswinsvcr.exe
you can do the same, remove it

for the .exe, it will be difficult indeed. There may be a solution; I need to go and look for more information.

I'll keep you posted

0
Well, I'm going back to the trail of "icrgnkizljya.exe" and "mswinsvcr.exe".

You'll tell me about ".exe"
(Otherwise, it is readable, you know! But it is very long and indigestible. And since it is not clearly established either that the ".exe" entries found are the ones we are looking for, we'd better not make a blunder by removing the wrong keys)
0
philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009)
25 Sept. 2007 at 23:43
that's exactly why I don't want the report, I don't want to make you make blunders....

I have asked my question; I think I'll have an answer soon, maybe tomorrow, as it is already late.

0
Well actually, I found some ".exe" while looking at the others.
Here's the recap:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="C:\\WINDOWS\\system32\\icrgnkizljya.exe:*:Disabled:icrgnkizljya"
--> the 1st one, which I sent you as a screenshot; I removed the 3 values.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="C:\\WINDOWS\\system32\\icrgnkizljya.exe:*:Disabled:icrgnkizljya"
--> Not found. Well, not present, rather.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="icrgnkizljya"
--> here, I found the 3 values.

[HKEY_USERS\S-1-5-21-842925246-813497703-854245398-1004\Software\Microsoft\OLE]
"TechWayLayer"="icrgnkizljya.exe"
--> Found.

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\icrgnkizljya.exe"="icrgnkizljya"
--> Not present.

********************
[Registre]
********************


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mswinsvcr.exe"="C:\\WINDOWS\\system32\\mswinsvcr.exe:*:Disabled:mswinsvcr"
--> I found the 2 remaining ones, namely "mswinsvcr.exe" and ".exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\mswinsvcr.exe"="mswinsvcr"
--> Already removed (see above, during my icrgnkizljya search)

[HKEY_USERS\S-1-5-21-842925246-813497703-854245398-1004\Software\ASProtect]
"Microsoft"="mswinsvcr.exe"
--> found.

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\mswinsvcr.exe"="mswinsvcr"
--> not found.


There you go.
0
philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009)
26 Sept. 2007 at 00:05
ok, we're making progress, you've done good work

now try rerunning OAD to see whether anything still comes up (the ones you didn't find, most likely.)

0
Good news, nothing comes up any more for the 2 easily identifiable ones!
(Maybe there were nested keys that acted on others?)

For ".exe", I also reran OAD; I went through the end of the document around [HKEY_USERS\S-1-5-21-842925246-813497703-854245398-1004\Software\etc...] and found nothing there either, but that is less reliable; it may not have been hiding there anyway.
0
philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009)
26 Sept. 2007 at 00:22
ok,

how is the PC behaving now? do you still have problems or not?
0
Well, so far I've never had much trouble browsing, for example, even though it is a bit more comfortable than at the start.
Now, since the beginning, I haven't dared to log in to an email account or even MSN (not reopened since the 1st alert) for fear of being identified or spammed.
Do you want me to retry an AntiVir? or an ActiveScan?
0
philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009)
26 Sept. 2007 at 00:37
you can redo it with antivir
0
hmm... There is a Trojan that reappears. (the other two alerts seem to be reactions to the Panda scan); I put it in quarantine.
Is that operation enough??

AntiVir PersonalEdition Classic
Report file date: mercredi 26 septembre 2007 00:40

Scanning for 848873 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: JEREMY

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/09/2007 22:55:31
AVSCAN.DLL : 7.0.6.0 49192 Bytes 23/09/2007 22:55:31
LUKE.DLL : 7.0.5.3 147496 Bytes 23/09/2007 22:55:31
LUKERES.DLL : 7.0.6.1 10280 Bytes 23/09/2007 22:55:31
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 22:52:14
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 13/09/2007 22:52:14
ANTIVIR2.VDF : 7.0.0.4 174592 Bytes 24/09/2007 22:52:14
ANTIVIR3.VDF : 7.0.0.8 18432 Bytes 24/09/2007 22:52:15
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 23/09/2007 22:55:36
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 09:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 23/09/2007 22:55:31
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 12:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 23/09/2007 22:55:36
AVREG.DLL : 7.0.1.6 30760 Bytes 23/09/2007 22:55:31
AVARKT.DLL : 1.0.0.20 278568 Bytes 23/09/2007 22:55:31
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 23/09/2007 22:55:31
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 10:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 23/09/2007 22:54:58
RCTEXT.DLL : 7.0.62.0 86056 Bytes 23/09/2007 22:54:58
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/09/2007 22:55:31

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: mercredi 26 septembre 2007 00:40

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'HijackThis.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'OCRAWR32.EXE' - '1' Module(s) have been scanned
Scan process 'ntvdm.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
26 processes with 26 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '15' files ).


Starting the file scan:

Begin scan in 'C:\' <SYSTEME>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Panda Security\TotalScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '476491c3.qua'!
C:\System Volume Information\_restore{8C16EA5C-C499-4766-A24A-2E01D69CFE5F}\RP283\A0035398.exe
[DETECTION] Is the Trojan horse TR/Dldr.Banload.bpn.131
[INFO] The file was moved to '472992d2.qua'!
C:\WINDOWS\system32\ActiveScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '47649428.qua'!
Begin scan in 'D:\' <DATA>


End of the scan: mercredi 26 septembre 2007 01:04
Used time: 24:04 min

The scan has been done completely.

3471 Scanning directories
101577 Files were scanned
3 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
3 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
101574 Files not concerned
550 Archives were scanned
2 Warnings
0 Notes
0
philae83 (12837 posts, registered Wednesday 3 January 2007, status: security contributor, last active 8 December 2009)
26 Sept. 2007 at 21:35
good evening,

I'm not early today, sorry

hmm... There is a Trojan that reappears. (the other two alerts seem to be reactions to the Panda scan); I put it in quarantine.
Is that operation enough??


you mean this:

C:\Program Files\Panda Security\TotalScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '476491c3.qua'!
C:\System Volume Information\_restore{8C16EA5C-C499-4766-A24A-2E01D69CFE5F}\RP283\A0035398.exe
[DETECTION] Is the Trojan horse TR/Dldr.Banload.bpn.131
[INFO] The file was moved to '472992d2.qua'!
C:\WINDOWS\system32\ActiveScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '47649428.qua'!
Begin scan in 'D:\' <DATA>


then it's nothing: 2 are due to the scan at Panda, and the other one is in System Restore.
We will be able to fix that

any other questions? any other issues?


0