Trojan infection: infostealer.wowcraft

tondy Posts: 21 Status: Member -  
g!rly Posts: 18462 Status: Contributor -
Hello,
A colleague of mine is infected by a virus and can't manage to remove it.
When we run scans on his computer, we find this:
trojan:infostealer.wowcraft

What can be done?
Thanks for your help

PS: since it's not on my computer, his configuration is Windows XP

18 replies

g!rly Posts: 18462 Status: Contributor 406
 
hi,

here are the details of the trojan:

https://www.broadcom.com/support/security-center

what we are going to do:

Download SDFix (created by AndyManchesta) and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double-click SDFix.exe and choose Install to extract it into a dedicated folder on the Desktop. Restart your computer in Safe Mode following this procedure:
• Restart your computer
• After hearing the computer beep during startup, but before the Windows icon appears, tap the F8 key (one press per second).
• Instead of the normal Windows loading, a menu with various options should appear.
• Choose the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your account.
Follow the list of instructions below:
• Open the SDFix folder that has just been created in the C:\ directory and double-click RunThis.bat to launch the script.
• Press Y to start the cleaning process.
• It will remove the services and registry entries of certain trojans it finds, then ask you to press a key to reboot.
• Press a key to reboot the PC.
• Your system will take longer than usual to reboot because the tool will keep running and deleting files.
• After the Desktop loads, the tool will finish its work and display Finished.
• Press a key to end the script and load your Desktop icons.
• Once the Desktop icons are displayed, the SDFix report will open on screen and will also be saved in the SDFix folder under the name Report.txt.
• Finally, copy/paste the contents of Report.txt into your next reply on the forum

HijackThis:

Download HijackThis here:

-> https://www.zebulon.fr/telechargements/securite/systeme/hijackthis.html

Installation tutorial (pictures):

-> http://pchelpbordeaux.free.fr/tuto.html

Usage tutorial (video):

-> http://pageperso.aol.fr/balltrap34/demohijack.htm

Post the generated report here please...
0
Grimette
 
I'm not really sure whether it worked, since I'm not sure it was the solution to my problem.
Here's my report

SDFix: Version 1.231
Run by Lecuyer on 05/10/2008 at 10:51

Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix

Checking Services:


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files:

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\system32\lphcrdbj0e9m5.exe - Deleted
C:\WINDOWS\system32\yayaARIA.dll - Deleted
C:\WINDOWS\system32\phcrdbj0e9m5.bmp - Deleted
C:\Documents and Settings\Lecuyer\Application Data\Adobe\crc.dat - Deleted
C:\Documents and Settings\Lecuyer\Application Data\Adobe\Player.exe - Deleted
C:\Documents and Settings\Lecuyer\Application Data\Adobe\Player.exe.bak - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt1.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttF5.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttF9.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttE5.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttE9.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt10E.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt133.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttFE.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt100.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttFC.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt102.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt104.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt106.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt2.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt3.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttEB.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttED.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttF3.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttEE.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttF2.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\.ttF0.tmp - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\pwrmgr.exe.bat - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\windfr.exe.bat - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\sft_ver1.1454.0.exe - Deleted
C:\DOCUME~1\Lecuyer\LOCALS~1\Temp\removalfile.bat - Deleted





Removing Temp Files

ADS Check:



Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 11:12:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"D:\\Program Files\\Office12\\OUTLOOK.EXE"="D:\\Program Files\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"D:\\Program Files\\Office12\\GROOVE.EXE"="D:\\Program Files\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"D:\\Program Files\\Office12\\ONENOTE.EXE"="D:\\Program Files\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 19 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Sat 19 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Sat 19 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Sat 19 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Sat 19 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu 24 Jul 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Fri 25 Jan 2008 51,200 ...H. --- "C:\Documents and Settings\All Users\Documents\~WRL2205.tmp"
Thu 29 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Lecuyer\Application Data\U3\temp\Launchpad Removal.exe"
Mon 16 Apr 2007 303,616 A..H. --- "C:\Documents and Settings\Lecuyer\Mes documents\INTRAWEST P2P\P2P du bureau\Releases\FINAL\~WRL0031.tmp"
Mon 16 Apr 2007 306,176 A..H. --- "C:\Documents and Settings\Lecuyer\Mes documents\INTRAWEST P2P\P2P du bureau\Releases\FINAL\~WRL1799.tmp"
Mon 16 Apr 2007 300,544 A..H. --- "C:\Documents and Settings\Lecuyer\Mes documents\INTRAWEST P2P\P2P du bureau\Releases\FINAL\~WRL2998.tmp"
Mon 16 Apr 2007 304,640 A..H. --- "C:\Documents and Settings\Lecuyer\Mes documents\INTRAWEST P2P\P2P du bureau\Releases\References\~WRL0442.tmp"
Mon 16 Apr 2007 305,152 A..H. --- "C:\Documents and Settings\Lecuyer\Mes documents\INTRAWEST P2P\P2P du bureau\Releases\References\~WRL3471.tmp"

Finished!
0
g!rly Posts: 18462 Status: Contributor 406 > Grimette
 
Hi Grimette,

SDFix removed quite a few infections :)

Download HijackThis here:

-> http://www.commentcamarche.net/telecharger/telecharger 159 hijackthis

Installation tutorial: (thanks to Balltrap34 for making it)

-> http://pageperso.aol.fr/balltrap34/Hijenr.gif

Usage tutorial (video): (thanks to Balltrap34 for making it)

-> http://perso.orange.fr/rginformatique/section%20virus/demohijack.htm

Post the generated report here please...

See you
0
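As an added example (not part of the thread and not SDFix's own code), here is a small Python triage helper for the Report.txt format posted above: it parses the "Trojan Files Found" list, the Windows Firewall authorized-application export and the hidden-attribute file list, and answers the questions a helper asks of them. The report embedded in it is a constructed excerpt in the same layout, with a placeholder dropper name.

```python
"""Triage helper for an SDFix Report.txt like the ones pasted in this thread.

Added example, not part of the thread and not SDFix's own code. It pulls out the
three sections a helper reads first: "Trojan Files Found", the Windows Firewall
authorized-application registry export, and "Files with Hidden Attributes".
SAMPLE_REPORT is a constructed excerpt in the same layout; the dropper name in it
is a placeholder, not a real indicator.
"""
import re
from typing import Dict, List

SAMPLE_REPORT = r"""[b]SDFix: Version 1.231 [/b]

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\system32\placeholder_dropper.exe - Deleted

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Files with Hidden Attributes [/b]:

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu 29 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

[b]Finished![/b]
"""

# Section headers as SDFix prints them, once forum BBCode and stray spaces are removed.
SECTION_OF_HEADER = {
    "Trojan Files Found:": "trojans",
    "Authorized Application Key Export:": "firewall",
    "Files with Hidden Attributes:": "hidden",
}
_REG_LINE = re.compile(r'^"(?P<key>.*)"="(?P<val>.*)"$')
_PROFILE = re.compile(r"firewallpolicy\\(\w+)\\", re.IGNORECASE)
_HIDDEN = re.compile(r'^(\w{3} \d{1,2} \w{3} \d{4})\s+([\d,]+)\s+(\S+)\s+---\s+"(.*)"$')

def _normalize(line: str) -> str:
    """Drop the [b]...[/b] tags the forum added and the space SDFix puts before ':'."""
    return re.sub(r"\s+:", ":", re.sub(r"\[/?b\]", "", line)).strip()

def parse_report(text: str) -> Dict[str, List[dict]]:
    out: Dict[str, List[dict]] = {"trojans": [], "firewall": [], "hidden": []}
    section, profile = "other", ""
    for raw in text.splitlines():
        line = _normalize(raw)
        if not line:
            continue
        # A section header ends with ':' and is neither a path nor a registry line.
        if line.endswith(":") and "\\" not in line and not line.startswith(('"', "[")):
            section = SECTION_OF_HEADER.get(line, "other")
        elif section == "trojans" and " - " in line:
            parts = line.split(" - ")  # path, optional note, action
            out["trojans"].append({"path": parts[0], "note": " - ".join(parts[1:-1]),
                                   "action": parts[-1]})
        elif section == "firewall" and line.startswith("["):
            m = _PROFILE.search(line)
            profile = m.group(1).lower() if m else ""
        elif section == "firewall" and (m := _REG_LINE.match(line)):
            key, val = m.group("key"), m.group("val")
            # The value repeats the escaped path, then scope:state:display-name.
            rest = val[len(key) + 1:] if val.startswith(key + ":") else val
            scope, state, name = (rest.split(":", 2) + ["", ""])[:3]
            out["firewall"].append({"profile": profile, "path": key.replace("\\\\", "\\"),
                                    "scope": scope, "enabled": state.lower() == "enabled",
                                    "name": name})
        elif section == "hidden" and (m := _HIDDEN.match(line)):
            out["hidden"].append({"date": m.group(1), "size": int(m.group(2).replace(",", "")),
                                  "attributes": m.group(3), "path": m.group(4)})
    return out

def triage(text: str) -> dict:
    """The questions a helper asks of the report, answered from the parsed sections."""
    r = parse_report(text)
    return {
        "removed": len(r["trojans"]),
        "links_to_malware_sites": [t["path"] for t in r["trojans"] if t["note"]],
        # Programs the firewall lets talk to any remote address, per profile.
        "firewall_open_to_any": sorted(f"{f['profile']}:{f['path']}" for f in r["firewall"]
                                       if f["enabled"] and f["scope"] == "*"),
        # Hidden or system-flagged executables deserve a second look (many are legitimate).
        "hidden_executables": [h["path"] for h in r["hidden"]
                               if h["path"].lower().endswith((".exe", ".dll", ".sys"))],
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(k, v)
```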
tondy Posts: 21 Status: Member 1
 
The procedure is finished; I just ran another scan and still have a virus. BitDefender tells me: "infected with: Generic.PWS.Games.3.F87F1436"

What should I do?

I think I did the steps correctly, though...
0
g!rly Posts: 18462 Status: Contributor 406
 
could you send me the HijackThis report and the SDFix one please
0
tondy Posts: 21 Status: Member 1
 
Here are the reports.... unreadable to me ... lol

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 11:06:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0




SDFix: Version 1.115

Run by Mathieu MENDEGRIS on 28/11/2007 at 11:00

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 11:06:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Sensormatic\\NetworkClient\\Bin\\NetworkClient.exe"="C:\\Program Files\\Sensormatic\\NetworkClient\\Bin\\NetworkClient.exe:*:Enabled:Network Client Application"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:winvnc4.exe"
"C:\\transfert\\Transfert.exe"="C:\\transfert\\Transfert.exe:*:Enabled:Transfert.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Tue 8 Aug 2006 211 A.SHR --- "C:\BOOT.BAK"
Mon 8 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 6 Jun 2007 8 ..SHR --- "C:\WINDOWS\system32\4CACD3FDD8.sys"
Wed 6 Jun 2007 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 25 Jun 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 26 Nov 2007 615,936 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL0002.tmp"
Tue 13 Nov 2007 614,912 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL0003.tmp"
Mon 12 Nov 2007 73,728 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL0005.tmp"
Mon 12 Nov 2007 73,216 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL0679.tmp"
Mon 12 Nov 2007 73,216 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL0717.tmp"
Mon 12 Nov 2007 73,728 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL1951.tmp"
Mon 12 Nov 2007 897,536 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL1968.tmp"
Mon 12 Nov 2007 73,216 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL2671.tmp"
Mon 12 Nov 2007 73,728 ...H. --- "C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\NEWREST_Cubes_Octave\~WRL3956.tmp"

Finished!
0

tondy Posts: 21 Status: Member 1
 
I'm going to eat and will be back...
0
g!rly Posts: 18462 Status: Contributor 406
 
enjoy your meal ;-)

post the HijackThis report

Download HijackThis here:

-> https://www.zebulon.fr/telechargements/securite/systeme/hijackthis.html

Installation tutorial (pictures):

-> http://pchelpbordeaux.free.fr/tuto.html

Usage tutorial (video):

-> http://pageperso.aol.fr/balltrap34/demohijack.htm

Post the generated report here please...

See you
0
tondy Posts: 21 Status: Member 1
 
I'm back, what can I do?
0
tondy Posts: 21 Status: Member 1
 
When I go to HijackThis, do I have to download: "antispyware download?" or the free IE 7 version
0
g!rly Posts: 18462 Status: Contributor 406
 
I don't understand?

click here to download HijackThis: -> https://www.zebulon.fr/telechargements/securite/systeme/hijackthis.html

then install it following the picture tutorial -> http://pchelpbordeaux.free.fr/tuto.html

and here's how to generate a report -> http://pageperso.aol.fr/balltrap34/demohijack.htm

See you
0
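Added example, not part of the thread and not HijackThis code: a Python reviewer for the v2 log format the post above asks for. It splits each entry into its section tag and body and lists the load-point entries a helper verifies first (F2 UserInit values beyond the standard userinit.exe, O20 Winlogon Notify DLLs, O2/O3 entries whose file is missing, O17 NameServer settings); it marks entries for review only and decides nothing about them. SAMPLE_LOG is a constructed excerpt modelled on the log format posted in this thread.

```python
"""Reviewer for HijackThis v2 log entries of the kind posted in this thread.

Added example, not part of the thread and not HijackThis code. It splits each
entry into its section tag and body and lists the entries a helper verifies
first: F2 UserInit values with anything beyond the standard userinit.exe, O20
Winlogon Notify DLLs, O2/O3 entries whose file is missing, and O17 NameServer
settings. It only marks entries for review; deciding what they are is manual.
SAMPLE_LOG is a constructed excerpt modelled on the log format on this page.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A68A3EF8-CDB5-4680-93F9-57F80EFC9563}: NameServer = 192.168.10.1
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
"""

# Every entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE".
_ENTRY = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
STANDARD_USERINIT = "userinit.exe"  # the only program Windows XP lists in UserInit by default


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each entry line; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def userinit_extras(body: str) -> List[str]:
    """Programs listed in a UserInit value besides the standard userinit.exe."""
    _, _, value = body.partition("UserInit=")
    return [p for p in value.split(",") if p and not p.lower().endswith(STANDARD_USERINIT)]


def review_list(text: str) -> Dict[str, List[str]]:
    """Group the entries a helper checks first by the reason they stand out."""
    findings: Dict[str, List[str]] = {}
    for sec, body in parse_entries(text):
        if sec == "F2" and "UserInit=" in body and userinit_extras(body):
            reason = "non-default UserInit entry (runs at every interactive logon)"
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            reason = "Winlogon Notify DLL (loaded into winlogon.exe)"
        elif sec in ("O2", "O3") and body.endswith("(no file)"):
            reason = "browser extension entry whose file is missing (leftover to clean up)"
        elif sec == "O17":
            reason = "DNS NameServer setting (confirm it is the expected resolver)"
        else:
            continue
        findings.setdefault(reason, []).append(f"{sec} - {body}")
    return findings


if __name__ == "__main__":
    for reason, entries in review_list(SAMPLE_LOG).items():
        print(reason)
        for e in entries:
            print("   ", e)
```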
tondy Posts: 21 Status: Member 1
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:02, on 28/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sensormatic\NetworkClient\Bin\NtlxEventHandler.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MATHIE~1\LOCALS~1\Temp\Répertoire temporaire 1 pour HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fourni par Yahoo! France
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Intellex Event Handler.lnk = C:\Program Files\Sensormatic\NetworkClient\Bin\NtlxEventHandler.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A68A3EF8-CDB5-4680-93F9-57F80EFC9563}: NameServer = 192.168.10.1
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
O23 - Service: McAfee Total Protection Agent Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
g!rly (Contributor, 18462 posts)

Hi again,

You have two antivirus programs = that is pointless

Uninstall Avast and keep McAfee

You have no firewall; the Windows one is useless

Install: ZoneAlarm, Vista-compatible

https://www.generation-nt.com/zonealarm-vista-checkpoint-firewall-telecharger-actualite-42256.html

Your Java version is not up to date:

Press the Windows key (the one with the Windows flag, to the right of the space bar) and "e" at the same time -> once in My Computer, click on the C: drive > Program Files > Java, open the Java folder and click on the jre1.5.0_09 folder to open it, then open the bin folder and look for this inside it: jucheck.exe; double-click it and perform the Java update > you want version 1.6.0_03
Once the update is done, go to Add/Remove Programs and remove all the other Java updates; only the one you just installed should remain: 1.6.0_03

then

your infection:

O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll

Download VundoFix.exe (by Atribune) to your Desktop. If it is not Vista-compatible we will do it another way
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to launch it
* Click the Scan for Vundo button
* When the scan is complete, click the Remove Vundo button
* A prompt will ask whether you want to delete the files; click YES
* After clicking "Yes", the Desktop will disappear for a moment while the files are deleted
* You will see a prompt telling you that your PC is going to restart; click OK
* Copy/paste the contents of the report located in C:\vundofix.txt along with a new HijackThis! report in your next reply

Note: VundoFix may run into a file it cannot delete. If so, the tool will run again at the next restart; simply follow the instructions above, starting from "click the Scan for Vundo button".

and post a new HijackThis log,

@+
snake47
 
Thanks for all this information, I just got home. I'll do all that and post the reports...
Thanks again
snake47
 
OK, I did as written in the procedure, but it doesn't find the virus....
So Remove did nothing...
Here is the latest HijackThis report

Logfile of HijackThis v1.99.1
Scan saved at 12:15:14, on 03/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sensormatic\NetworkClient\Bin\NtlxEventHandler.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\DOCUME~1\MATHIE~1\LOCALS~1\Temp\Répertoire temporaire 2 pour hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fourni par Yahoo! France
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Intellex Event Handler.lnk = C:\Program Files\Sensormatic\NetworkClient\Bin\NtlxEventHandler.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A68A3EF8-CDB5-4680-93F9-57F80EFC9563}: NameServer = 192.168.10.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.0.0.358.dll
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
O23 - Service: McAfee Total Protection Agent Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

What should I do now?
g!rly (Contributor, 18462 posts)

Hi snake47,

Download combofix.exe (by sUBs) to your Desktop.

-> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-> Double-click combofix.exe.
-> Press the 1 key (Yes) to start the scan.
-> When the scan is complete, a report will appear. Copy/paste this report in your next reply.

NOTE: The report is also located here: C:\Combofix.txt

@+
snake47
 
Here is the report..... what should I do now?


ComboFix 07-12-02.6 - Mathieu MENDEGRIS 2007-12-03 15:26:36.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.462 [GMT 1:00]
Running from: C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((( Fichiers créés 2007-11-03 to 2007-12-03 ))))))))))))))))))))))))))))))))))))
.

2007-12-03 11:54 . 2007-12-03 11:54 <REP> d-------- C:\VundoFix Backups
2007-12-03 10:15 . 2007-12-03 10:15 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-03 10:15 . 2007-12-03 10:15 <REP> d-------- C:\WINDOWS\LastGood
2007-12-03 10:15 . 2007-12-03 10:15 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-28 10:59 . 2007-11-28 11:00 <REP> d-------- C:\WINDOWS\ERUNT
2007-11-27 17:48 . 2007-11-27 17:48 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-27 17:39 . 2007-11-27 17:39 <REP> d-------- C:\WINDOWS\avxoscan
2007-11-27 14:47 . 2007-12-03 10:24 <REP> d-------- C:\WINDOWS\BDOSCAN8

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 10:07 --------- d-----w C:\Program Files\Dl_cats
2007-11-15 10:55 18,944 ----a-w C:\WINDOWS\system32\fsmgmt.dll
2007-11-14 12:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 16:53 --------- d-----w C:\Program Files\Picasa2
2007-06-06 16:13 8 -csh--r C:\WINDOWS\system32\4CACD3FDD8.sys
2007-06-06 16:13 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 13:31]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 13:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Gadwin PrintScreen 3.5"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2006-07-08 09:57]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 13:00]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 20:42 C:\WINDOWS\SOUNDMAN.EXE]
"SiSPower"="Rundll32.exe" [2004-08-05 13:00 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [2006-05-02 13:11]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2006-05-02 13:27]
"DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 18:40]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 21:47]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 15:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 06:32]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-31 06:16]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 13:00]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
Intellex Event Handler.lnk - C:\Program Files\Sensormatic\NetworkClient\Bin\NtlxEventHandler.exe [2007-03-21 12:37:03]
Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2006-08-08 16:40:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsmgmt]
fsmgmt.dll 2007-11-15 11:55 18944 C:\WINDOWS\system32\fsmgmt.dll

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 myAgtSvc;McAfee Total Protection Agent Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe /ServiceStart
R3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys
R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S0 SiSRaid;SiSRaid;C:\WINDOWS\system32\DRIVERS\SiSRaid.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01b892e8-8245-11dc-aba1-00173167aa9f}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47d714b9-4327-11db-aad8-00173167aa9f}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b868ec90-110b-11dc-ab98-00173167aa9f}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-10-22 04:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 15:27:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 15:28:41
.
--- E O F ---
g!rly (Contributor, 18462 posts)

Hi again,

Run HijackThis, tick and fix the following lines

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll



Copy the text below:

File::
C:\WINDOWS\SYSTEM32\fsmgmt.dll
C:\WINDOWS\system32\secpol.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsmgmt]


Open Notepad and paste the copied text.
(Start\All Programs\Accessories\Notepad.)
Save this file under the name CFScript.txt.

Now drag the CFScript.txt file onto Combofix.exe as shown below:

http://serveur1.archive-host.com/membres/up/1366464061/CFScript.gif

This will relaunch Combofix,


A blue window will appear: at the message that shows up (Type 1 to continue, or 2 to abort), type 1 and confirm.

Wait for the scan to finish. The Desktop will disappear several times: that's normal!

Don't touch anything until the scan is finished.

After the restart, post the contents of the Combofix.txt report along with a HijackThis report.

If there is no restart, post the reports anyway.

then have these analysed

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
F:\UFO.exe

here

http://virusscan.jotti.org/de/

and copy/paste the result here

@+
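The lines g!rly singles out for fixing (an extra UserInit executable, a BHO and O9 buttons whose target no longer exists, downloaded ActiveX controls, a Winlogon Notify DLL that is not one of Windows' own) follow a few recognisable patterns, and the CFScript above simply lists the flagged file and registry key. The Python below is an added example, not code from this thread, HijackThis or ComboFix: it runs those patterns over constructed sample lines modelled on the posted log and drafts the File:: and Registry:: sections of a CFScript in the layout shown above. The Winlogon Notify allow-list, the regular expressions and the sample lines are my own assumptions.

```python
import re
from typing import List, Optional, Tuple

# Winlogon Notify subkeys that ship with Windows XP SP2. This allow-list is an
# assumption a responder maintains for the systems they support, not a list
# taken from the thread or from HijackThis.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# Constructed sample in HijackThis 1.99 format, modelled on the log posted above.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll",
    r"O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
    r"O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.inoculer.com/antivirus/Msie/bitdefender.cab",
    r"O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe",
])

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
O9_RE = re.compile(r"^O9 - .* - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} .*- (?P<url>\S+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# A drive-letter path ending in a binary extension; used when drafting the CFScript.
PATH_RE = re.compile(r"[A-Za-z]:\\[^,]*?\.(?:exe|dll|sys)\b", re.I)


def assess(line: str) -> Optional[str]:
    """Return a short reason if the line deserves a responder's attention, else None."""
    m = USERINIT_RE.match(line)
    if m:
        # UserInit normally lists userinit.exe alone; every extra comma-separated
        # program here is started at each interactive logon.
        extras = [p.strip() for p in m["value"].split(",")
                  if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
        return ("extra UserInit executable(s): " + ", ".join(extras)) if extras else None
    m = BHO_RE.match(line) or O9_RE.match(line)
    if m:
        target = m["target"]
        if "(no file)" in target or "(file missing)" in target:
            return "orphaned entry, its target no longer exists"
        return None
    m = DPF_RE.match(line)
    if m:
        return "ActiveX control downloaded from " + m["url"]
    m = NOTIFY_RE.match(line)
    if m:
        if m["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
            return "unknown Winlogon Notify DLL " + m["dll"] + " (loaded by winlogon.exe)"
        return None
    m = SERVICE_RE.match(line)
    if m and "(file missing)" in m["path"]:
        return "service whose binary is missing"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run assess() over every line of a HijackThis log; returns (line, reason) pairs."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = assess(line)
        if reason:
            findings.append((line, reason))
    return findings


def build_cfscript(findings: List[Tuple[str, str]]) -> str:
    """Draft the File:: and Registry:: sections of a ComboFix CFScript from the
    flagged lines, in the layout shown in the thread; a human reviews the draft."""
    files, keys = [], []
    for line, _ in findings:
        for path in PATH_RE.findall(line):
            if path not in files and not path.lower().endswith("\\userinit.exe"):
                files.append(path)
        m = NOTIFY_RE.match(line)
        if m:
            keys.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                        "\\currentversion\\winlogon\\notify\\" + m["name"] + "]")
    return "\n".join(["File::", *files, "", "Registry::", *keys]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for line, reason in found:
        print(f"{reason}\n    {line}")
    print(build_cfscript(found))
```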
snake47
 
So, everything went through, there was a restart and here are the reports:

ComboFix 07-12-02.6 - Mathieu MENDEGRIS 2007-12-03 18:59:08.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.481 [GMT 1:00]
Running from: C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\pb_PC_infostealer_wowcraft\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mathieu MENDEGRIS\Bureau\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\fsmgmt.dll
C:\WINDOWS\system32\secpol.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\SYSTEM32\fsmgmt.dll

.
((((((((((((((((((((((((((((( Fichiers créés 2007-11-03 to 2007-12-03 ))))))))))))))))))))))))))))))))))))
.

2007-12-03 10:15 . 2007-12-03 10:15 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-03 10:15 . 2007-12-03 10:15 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-28 10:59 . 2007-11-28 11:00 <REP> d-------- C:\WINDOWS\ERUNT
2007-11-27 17:48 . 2007-11-27 17:48 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-27 17:39 . 2007-11-27 17:39 <REP> d-------- C:\WINDOWS\avxoscan
2007-11-27 14:47 . 2007-12-03 16:43 <REP> d-------- C:\WINDOWS\BDOSCAN8

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 10:07 --------- d-----w C:\Program Files\Dl_cats
2007-11-14 12:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 16:53 --------- d-----w C:\Program Files\Picasa2
2007-06-06 16:13 8 -csh--r C:\WINDOWS\system32\4CACD3FDD8.sys
2007-06-06 16:13 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-03_15.28.04,35 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-28 10:05:16 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-03 14:40:55 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-28 10:05:16 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
+ 2007-12-03 14:40:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
- 2007-11-28 10:05:16 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-03 14:40:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 13:31]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 13:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Gadwin PrintScreen 3.5"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2006-07-08 09:57]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 13:00]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 20:42 C:\WINDOWS\SOUNDMAN.EXE]
"SiSPower"="Rundll32.exe" [2004-08-05 13:00 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [2006-05-02 13:11]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2006-05-02 13:27]
"DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 18:40]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 21:47]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 15:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 06:32]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-31 06:16]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 13:00]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17]

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 myAgtSvc;McAfee Total Protection Agent Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe /ServiceStart
R3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys
R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S0 SiSRaid;SiSRaid;C:\WINDOWS\system32\DRIVERS\SiSRaid.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01b892e8-8245-11dc-aba1-00173167aa9f}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47d714b9-4327-11db-aad8-00173167aa9f}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b868ec90-110b-11dc-ab98-00173167aa9f}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-10-22 04:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 19:04:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 19:06:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-03 15:28
.
--- E O F ---

Datei: DLCJtime.dll_
Auslastung: 0% 100%

Status: ERGEBNISLOS (scan dauert an)
Entdeckte Packprogramme: Bitte warten...
Bit9 rapportiert: No threat detected (more info)

A-Squared Keine Viren gefunden
AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Scanning, bitte warten...
BitDefender Scanning, bitte warten...
ClamAV Scanning, bitte warten...
CPsecure Scanning, bitte warten...
Dr.Web Scanning, bitte warten...
F-Prot Antivirus Scanning, bitte warten...
F-Secure Anti-Virus Scanning, bitte warten...
Fortinet Scanning, bitte warten...
Ikarus Scanning, bitte warten...
Kaspersky Anti-Virus Scanning, bitte warten...
NOD32 Scanning, bitte warten...
Norman Virus Control Scanning, bitte warten...
Panda Antivirus Scanning, bitte warten...
Rising Antivirus Scanning, bitte warten...
Sophos Antivirus Scanning, bitte warten...
VirusBuster Scanning, bitte warten...
VBA32 Scanning, bitte warten...


Datei: dlcjmon.exe_
Auslastung: 0% 100%

Status: ERGEBNISLOS (scan dauert an)
Entdeckte Packprogramme: Bitte warten...
Bit9 rapportiert: File not found

A-Squared Keine Viren gefunden
AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Scanning, bitte warten...
AVG Antivirus Scanning, bitte warten...
BitDefender Scanning, bitte warten...
ClamAV Scanning, bitte warten...
CPsecure Scanning, bitte warten...
Dr.Web Scanning, bitte warten...
F-Prot Antivirus Scanning, bitte warten...
F-Secure Anti-Virus Scanning, bitte warten...
Fortinet Scanning, bitte warten...
Ikarus Scanning, bitte warten...
Kaspersky Anti-Virus Scanning, bitte warten...
NOD32 Scanning, bitte warten...
Norman Virus Control Scanning, bitte warten...
Panda Antivirus Scanning, bitte warten...
Rising Antivirus Scanning, bitte warten...
Sophos Antivirus Scanning, bitte warten...
VirusBuster Scanning, bitte warten...
VBA32 Scanning, bitte warten...

For F:\UFO.exe:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Now what?
0
g!rly Posts 18462 Status Contributor 406
 
re,

- With F plugged in, download kill_autorun_vbs.dat

http://www.monwebperso.info/modules.php?name=Downloads&d_op=getit&lid=16

Unzip it, then double-click kill_autorun_vbs.bat
Restart the PC
If there are any observations, report them.

open Notepad and copy-paste the commands in bold:

@echo on
REM Stop Explorer and the Windows Script Host so the autorun files are not held open
taskkill /im explorer.exe /f
taskkill /im wscript.exe
REM Make super-hidden (system + hidden) files visible in Explorer
start reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f
REM Import kill.reg (expected in the same folder as this .bat)
start reg import kill.reg
REM Delete every autorun.* at the root of each drive, including hidden/system copies
del c:\autorun.* /f /q /as
del %SYSTEMROOT%\system32\autorun.* /f /q /as
del d:\autorun.* /f /q /as
del e:\autorun.* /f /q /as
del f:\autorun.* /f /q /as
del g:\autorun.* /f /q /as
del h:\autorun.* /f /q /as
del i:\autorun.* /f /q /as
del j:\autorun.* /f /q /as
del k:\autorun.* /f /q /as
del l:\autorun.* /f /q /as
REM Bring the desktop back
start explorer.exe

close Notepad and save it on the desktop under the name kill_autorun_vbs.bat


go to the desktop, double-click kill_autorun_vbs.bat and let it do its job


- Unplug the external drive F, then download sUBs' Flash_Disinfector tool:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Usage:
Download and save Flash_Disinfector.exe to your desktop.
Double-click Flash_Disinfector.exe to run it.
When the message "Plug in yours flash drive & clic Ok to begin disinfection" appears:
Plug in your USB key and any external USB devices that may have been infected.
Then click Ok.
The desktop icons will disappear until the message "Done!!" appears.
Click "Ok" to bring the desktop back.

Restart the PC
If there are any observations, report them.

and post a new ComboFix log

@+
0
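As an added example, not code from this thread or from any of the tools it names (ComboFix, kill_autorun_vbs, Flash_Disinfector): a small Python triage script for the two things a responder looks at in a case like this one. It reads the MountPoints2 entries out of a ComboFix-style log (the block format shown in the log above) and flags the ones worth a closer look, and it lists the commands an autorun.inf found at a drive root would hand to the shell, which is what the kill_autorun script deletes. The log excerpt and the autorun.inf text inside it are constructed samples modelled on the entries above; the three heuristics (non-standard autorun verb, executable sitting at the root of a drive, launch via RunDLL32 ShellExec_RunDLL) are my own choices, not a rule from the page, so a hit means "review this", not "this is malware".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the shape of the ComboFix log above (not the forum's actual log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01b892e8-8245-11dc-aba1-00173167aa9f}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbbbbbbb-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - C:\Program Files\Vendor\Launcher.exe
"""

# Constructed autorun.inf, modelled on what the registry entries above imply (not a real sample).
SAMPLE_AUTORUN_INF = r"""
[autorun]
; constructed sample
open=UFO.exe
shell\Auto\command=UFO.exe
shell=Auto
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

KEY_RE = re.compile(r"^\[HKEY_[^\]]*?\\mountpoints2\\(\{[0-9a-f\-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)
# An executable directly under a drive root, e.g. F:\UFO.exe (hypothetical heuristic).
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|com|bat|cmd|vbs|scr|pif)\b", re.I)
# Verbs Windows itself writes for autorun-capable media; anything else is unusual.
STANDARD_VERBS = {"autorun", "open", "explore", "find", "play"}


@dataclass
class Finding:
    guid: str
    verb: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_mountpoints2(log_text: str) -> Dict[str, Dict[str, str]]:
    """Return {volume guid: {verb: command}} for every mountpoints2 block in the log."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries[current] = {}
            continue
        if current is None:
            continue
        m = VERB_RE.match(line)
        if m:
            entries[current][m.group(1)] = m.group(2).strip()
        elif not line:
            current = None  # blank line ends the block, as in the ComboFix layout
    return entries


def triage_mountpoints2(log_text: str) -> List[Finding]:
    """Apply the three review heuristics to every cached autorun verb and keep the hits."""
    findings: List[Finding] = []
    for guid, verbs in parse_mountpoints2(log_text).items():
        for verb, command in verbs.items():
            reasons = []
            if verb.lower() not in STANDARD_VERBS:
                reasons.append(f"non-standard autorun verb '{verb}'")
            if "shellexec_rundll" in command.lower():
                reasons.append("launched indirectly via RunDLL32 ShellExec_RunDLL")
            if ROOT_EXE_RE.match(command):
                reasons.append("executable sits at the root of a drive")
            if reasons:
                findings.append(Finding(guid, verb, command, reasons))
    return findings


def autorun_inf_launch_targets(inf_text: str) -> List[str]:
    """List the commands an autorun.inf would run: open=, shellexecute=, shell\\<verb>\\command=."""
    targets: List[str] = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append(value)
    return targets


if __name__ == "__main__":
    for f in triage_mountpoints2(SAMPLE_LOG):
        print(f"{f.guid} {f.verb}: {f.command}\n    " + "; ".join(f.reasons))
    print("autorun.inf would launch:", autorun_inf_launch_targets(SAMPLE_AUTORUN_INF))
```

On the constructed sample the script flags the two `UFO.exe` verbs from the first volume and the root-level `setup.exe` on the second, and leaves the Program Files launcher alone; the point of the volume GUID is that the same value can be matched against the live MountPoints2 key on the machine once the drive is plugged in again, which is how you tell which physical USB device carried the file.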