je me fais sans cese attaquer par des trojans Résolu/Fermé

Question

Bonjour,je me fais sans cesse des attack d'internet trojans et autres.
j'ai besoin d'aides au secour
voici un log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:06:25, on 08/12/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\WindowsUpdater.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\atievxx.exe
C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\csrss.exe
C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\services.exe
C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\fa\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://account.live.com/ResetPassword.aspx?mkt=FR-FR&ru=https://login.live.com/login.srf%3flc%3d1036%26mkt%3dFR-FR%26lc%3d1036%26vv%3d1600
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsUpdater] WindowsUpdater.exe
O4 - HKLM\..\RunServices: [WindowsUpdater] WindowsUpdater.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: lsass - Unknown owner - C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\csrss.exe
O23 - Service: smss - Unknown owner - C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\services.exe

Sofia37 · Answer

Bonsoir,

est-ce que tu as un pare-feu ?

clownface · Answer

Bonsoir,

ton pc a l'air très infecté
fais une sauvegarde des choses auxquelles tu tiens particulièrement.

et commences par ceci : http://forum.malekal.com/ftopic4192.php

Sofia37 · Answer

Bonsoir clownface,

Je commence a m'inquiéter, j''ais moi-même Avast et d'aprés les forums, c'était un des meilleurs gratuit; Si vous me certifiez que Antivir est mieux, je vais vite suivre vos conseils

facanna20 · Answer

je n'ai pas de pare feux ça ralenti trop mon ordi.
c'est en telechargant cette antivirus que tout va changer j'ai deja changer tellement de fois.

clownface · Answer

il va déjà falloir faire du nettoyage...
y a du travail antivir ne suffira peut etre pas... faudra voir son rapport et un nouvel hijackthis ensuite

Sofia37 · Answer

Merci de ces précieux conseils clownface, grâce a vous je vais me doter d'un meilleur Antivirus qui, en plus, a l'option AntiRookit ce qui est un plus. merci encore.

A+

clownface · Answer

N'hésites pas à poster les rapports dont je t'ai parlé message 6. afin d'etre sure que tout va bien !

facanna20 · Answer

voici les rapport

AntiVir PersonalEdition Classic
Report file date: dimanche 9 décembre 2007  22:32

Scanning for 963523 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (plain)  [5.1.2600]
Username:         SYSTEM
Computer name:    VFG-JQ105N6MOY4

Version information:
BUILD.DAT    : 270           15603 Bytes  19/09/2007 13:32:00
AVSCAN.EXE   : 7.0.6.1      290856 Bytes  23/08/2007 13:16:29
AVSCAN.DLL   : 7.0.6.0       49192 Bytes  16/08/2007 12:23:51
LUKE.DLL     : 7.0.5.3      147496 Bytes  14/08/2007 15:32:47
LUKERES.DLL  : 7.0.6.1       10280 Bytes  21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0    11030528 Bytes  18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.0.0     1640448 Bytes  13/09/2007 14:26:55
ANTIVIR2.VDF : 7.0.1.30    1575424 Bytes  30/11/2007 21:27:31
ANTIVIR3.VDF : 7.0.1.60     112128 Bytes  07/12/2007 21:27:31
AVEWIN32.DLL : 7.6.0.40    3064320 Bytes  09/12/2007 21:27:36
AVWINLL.DLL  : 1.0.0.7       14376 Bytes  26/02/2007 10:36:26
AVPREF.DLL   : 7.0.2.2       25640 Bytes  18/07/2007 07:39:17
AVREP.DLL    : 7.0.0.1      155688 Bytes  16/04/2007 13:16:24
AVPACK32.DLL : 7.3.0.15     360488 Bytes  03/08/2007 08:46:00
AVREG.DLL    : 7.0.1.6       30760 Bytes  18/07/2007 07:17:06
AVARKT.DLL   : 1.0.0.20     278568 Bytes  28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20      86056 Bytes  18/07/2007 07:10:18
NETNT.DLL    : 7.0.0.0        7720 Bytes  08/03/2007 11:09:42
RCIMAGE.DLL  : 7.0.1.30    2342952 Bytes  07/08/2007 12:38:13
RCTEXT.DLL   : 7.0.62.0      86056 Bytes  21/08/2007 12:50:37
SQLITE3.DLL  : 3.3.17.1     339968 Bytes  23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: dimanche 9 décembre 2007  22:32

Starting search for hidden objects.
'21869' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'atievxx.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'WindowsUpdater.exe' - '1' Module(s) have been scanned
  Module is infected -> 'C:\WINDOWS\System32\WindowsUpdater.exe'
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'WindowsUpdater.exe' has been terminated
C:\WINDOWS\System32\WindowsUpdater.exe
      [DETECTION] Contains detection pattern of the worm WORM/SdBot.449536.2
      [INFO]      The file was moved to '47ca5fbe.qua'!

22 processes with 21 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
      [NOTE]      No virus was found!

Starting to scan the registry.

The registry was scanned ( '20' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
      [WARNING]   The file could not be opened!
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\System Volume Information\_restore{44A52C53-17A1-40D7-B89E-D18D074BC082}\RP2\A0000031.exe
  [0] Archive type: RAR SFX (self extracting)
  --> svchost.exe
      [DETECTION] Is the Trojan horse TR/Servu.HR.2
      [INFO]      The file was moved to '478c602e.qua'!
C:\System Volume Information\_restore{44A52C53-17A1-40D7-B89E-D18D074BC082}\RP2\A0000032.exe
  [0] Archive type: RAR SFX (self extracting)
  --> svchost.exe
      [DETECTION] Is the Trojan horse TR/Servu.HR.2
      [INFO]      The file was moved to '478c603c.qua'!
C:\System Volume Information\_restore{44A52C53-17A1-40D7-B89E-D18D074BC082}\RP3\A0000155.exe
      [DETECTION] Is the Trojan horse TR/Servu.HR.2
      [INFO]      The file was moved to '478c604b.qua'!
C:\System Volume Information\_restore{44A52C53-17A1-40D7-B89E-D18D074BC082}\RP3\A0000239.exe
      [DETECTION] Contains detection pattern of the worm WORM/SdBot.449536.2
      [INFO]      The file was moved to '478c6057.qua'!


End of the scan: dimanche 9 décembre 2007  22:40
Used time: 08:39 min

The scan has been canceled!

    460 Scanning directories
  16942 Files were scanned
      6 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      5 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
  16936 Files not concerned
    252 Archives were scanned
      2 Warnings
      0 Notes
  21869 Objects were scanned with rootkit scan
      0 Hidden objects were found

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46:25, on 09/12/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\atievxx.exe
C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\csrss.exe
C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\services.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32
otepad.exe
C:\Documents and Settings\fa\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://account.live.com/ResetPassword.aspx?mkt=FR-FR&ru=https://login.live.com/login.srf%3flc%3d1036%26mkt%3dFR-FR%26lc%3d1036%26vv%3d1600
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WindowsUpdater] WindowsUpdater.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [WindowsUpdater] WindowsUpdater.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: lsass - Unknown owner - C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\csrss.exe
O23 - Service: smss - Unknown owner - C:\RECYCLER\S-1-5-21-484763869-1614574334-18083462561-100\services.exe

clownface · Answer

effectivement, il en reste....

je te conseille de suivre cette procédure telle qu'elle est décrite (dans l'ordre) : https://www.malekal.com/supprimer-virus-desinfecter-pc/#mozTocId865449
postes ensuite un nouvel hijackthis (conserve les rapports escan, sdfix, combofix.. selon le resultat il se pourrait que je te les demande)

facanna20 · Answer

bonjour oui j'avais arreter le scan sans faire exprès je m'en suis rendu compte alors je l'ai réactiver après le messag et il n'a rien signaler d'autre,j'ai fais tout ce qui etait décrit sur le topic et voici mon nouveau hijackthis : 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:53, on 10/12/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\atievxx.exe
C:\Documents and Settings\fa\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://account.live.com/ResetPassword.aspx?mkt=FR-FR&ru=https://login.live.com/login.srf%3flc%3d1036%26mkt%3dFR-FR%26lc%3d1036%26vv%3d1600
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

clownface · Answer

bonjour,

il semblerait que tout va bien...
tu devrais peut etre faire quelques mises à jour de windows 

et ton pc que dit-il ?

facanna20 · Answer

mon pc a l'air d'aller mieux les mises a jour de windows sont est nécéssaire  parce que j'ai peur quelle ralentise mon pc qui n'est pas tout jeune. un grand merci pour votre aide.

clownface · Answer

tout ce que je peux te dire c'est que tu es mieux protégé si ton systeme est à jour...
après le coté technique par rapport à ta configuration je ne sais pas, tu devais peut etre demander sur le forum windows

facanna20 · Answer

ok merci de votre action a biento

Je me fais sans cese attaquer par des trojans

14 réponses

Discussions similaires

Newsletters