Sujet Précédent Sujet Suivant

Entrée HijackThis : japknah.dll

Alain -  
Alain038 Messages postés 25 Statut Membre -
Bonjour,

Connaissez-vous cette dll, qui apparaît en O20 dans ce rapport ?
Il y a eu une grosse infection sur ce PC...

Merci
Alain

Logfile of HijackThis v1.99.1
Scan saved at 11:26:27, on 02/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\FTRTSVC.exe
c:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Controle Parental\bin\optproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\mail.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Wanadoo\TaskBarIcon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mmc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fr.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {104B0A37-AB99-4F06-8032-8BBDC3B77DDB} (Telechargement Control) - http://www.photoweb.fr/moncompte/Account/LogOn?ReturnUrl=%2ftransfert
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: japknah - C:\WINDOWS\SYSTEM32\japknah.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Control Parental (OPTENET_FILTER) - Contrôle Parental - C:\Program Files\Controle Parental\bin\optproxy.exe
O23 - Service: windows mail service - Unknown owner - C:\WINDOWS\mail.exe

65 réponses

Précédent
Réponse 61 / 65
Alain038 Messages postés 25 Statut Membre 1
 
Suite des infos
Bon, alors voilà, analyse avec AntiVir.
Il y a 2 rapports, car la première analyse a été interrompue...

Premier rapport

AntiVir PersonalEdition Classic
Report file date: mercredi 6 février 2008 15:50

Scanning for 1094707 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Tata
Computer name: ACER-DC6C4D74B4

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 14:37:55
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 25/01/2008 14:37:55
ANTIVIR3.VDF : 7.0.2.100 330752 Bytes 06/02/2008 14:37:55
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 06/02/2008 14:37:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 06/02/2008 14:37:56
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: mercredi 6 février 2008 15:50

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
11 processes with 11 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '42' files ).

Starting the file scan:

Begin scan in 'C:\' <ACER>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\upload_moi_ACER-DC6C4D74B4.tar.gz
[0] Archive type: GZ
--> upload_moi.tar
[1] Archive type: TAR (tape archiver)
--> qoobox/Quarantine/C/Documents and Settings/All Users/Application Data/zyhmrwfk.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
--> WINDOWS/System32/12520437l.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
--> WINDOWS/System32/acodep.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '4815c9e0.qua'!
C:\Documents and Settings\Toto\Bureau\catchme.zip
[0] Archive type: ZIP
--> symavc32.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> YIL48.sys
[DETECTION] Contains detection pattern of the worm WORM/Ntech.Z.4
--> fvelwow.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> jecsst.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> ztx86.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> astq.tga
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> srtwe.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '481dcba8.qua'!

End of the scan: mercredi 6 février 2008 16:12
Used time: 22:04 min

The scan has been canceled!

2072 Scanning directories
37747 Files were scanned
10 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
37737 Files not concerned
2623 Archives were scanned
1 Warnings
0 Notes

Deuxième rapport

AntiVir PersonalEdition Classic
Report file date: mercredi 6 février 2008 16:21

Scanning for 1094707 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Tata
Computer name: ACER-DC6C4D74B4

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 14:37:55
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 25/01/2008 14:37:55
ANTIVIR3.VDF : 7.0.2.100 330752 Bytes 06/02/2008 14:37:55
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 06/02/2008 14:37:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 06/02/2008 14:37:56
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: mercredi 6 février 2008 16:21

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avnotify.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
13 processes with 13 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '42' files ).

Starting the file scan:

Begin scan in 'C:\' <ACER>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\HijackThis1\backups\backup-20080130-221033-848.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480cd719.qua'!
C:\Program Files\Panda Security\NanoScan\Engine\psnflg.dll
[DETECTION] Is the Trojan horse TR/Agent.bux.1
[INFO] The file was moved to '4817db4c.qua'!
C:\Program Files\Panda Security\TotalScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '4814db50.qua'!
C:\QooBox\Quarantine\catchme2008-02-06_134341.23.zip
[0] Archive type: ZIP
--> ixyisxnz.dat
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.KA
--> unolaivy.dat
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '481ddbff.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\zyhmrwfk.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4811dc17.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Toto\hupqkh.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4819dc14.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Toto\iwmdlt.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4816dc16.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Toto\ulyrqt.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4822dc0b.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Toto\ziqpmm.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481adc08.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Toto\zovsuz.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481fdc0f.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\aezlll.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4823dc05.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\catyrs.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481ddc01.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\ddpgki.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4819dc04.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\elppep.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4819dc0d.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\fzyeru.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4822dc1b.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\gchnly.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4811dc04.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\iinvip.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4817dc0a.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\lppdge.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4819dc12.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\mfpfsw.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4819dc08.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\naked0453.com.vir
[DETECTION] Is the Trojan horse TR/Agent.dwd.4
[INFO] The file was moved to '4814dc03.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\npxqif.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4821dc12.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\nygfyb.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4810dc1c.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\qguevw.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481edc0a.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\tugawl.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4810dc18.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\urufwd.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481edc15.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\ywsrlh.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481cdc1b.qua'!
C:\QooBox\Quarantine\C\Documents and Settings\Tata\Mes documents\PToto\zltsym.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481ddc10.qua'!
C:\QooBox\Quarantine\C\WINDOWS\fmjqlgfe.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '4813dc11.qua'!
C:\QooBox\Quarantine\C\WINDOWS\gterupgp.dll.vir
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '480edc19.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\12520437l.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47dedbd7.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\acodep.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '4818dc08.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\lolol.hta.vir
[DETECTION] Contains suspicious code HEUR/Exploit.HTML
[INFO] The file was moved to '4815dc15.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ixyisxnz.dat.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4822dc1e.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\unolaivy.dat.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4818dc14.qua'!
C:\SDFix\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/mrofinu1148.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
--> backups/Yil48.sys
[DETECTION] Contains detection pattern of the worm WORM/Ntech.Z.4
[INFO] The file was moved to '480cdc0c.qua'!
C:\System Volume Information\_restore{54887473-E0E8-4E40-8CB4-34743021C726}\RP2\A0000187.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47d9dbea.qua'!
C:\System Volume Information\_restore{54887473-E0E8-4E40-8CB4-34743021C726}\RP2\A0000188.dll
[DETECTION] Is the Trojan horse TR/Agent.bux.1
[INFO] The file was moved to '46a7bd93.qua'!
C:\System Volume Information\_restore{54887473-E0E8-4E40-8CB4-34743021C726}\RP2\A0000189.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '47d9dbeb.qua'!
Begin scan in 'D:\' <ACERDATA>

End of the scan: mercredi 6 février 2008 17:35
Used time: 1:13:52 min

The scan has been done completely.

6873 Scanning directories
259299 Files were scanned
39 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
38 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
259260 Files not concerned
8035 Archives were scanned
1 Warnings
0 Notes

Merci
0
Réponse 62 / 65
afideg Messages postés 10970 Statut Contributeur sécurité 602
 
Re,

Bien, il y avait des sauvegardes relatives aux outils utilisés.

1°- C'est surprenant de lire que Antivir trouve des infections dans PANDA ==> PANDA les gardait en mémoire, mais je ne trouve pas trace de sa poubelle/backup :

C:\Program Files\Panda Security\NanoScan\Engine\psnflg.dll
[DETECTION] Is the Trojan horse TR/Agent.bux.1
[INFO] The file was moved to '4817db4c.qua'!
C:\Program Files\Panda Security\TotalScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '4814db50.qua'!

2°- Celles-ci, tu les reconnais :

C:\upload_moi_ACER-DC6C4D74B4.tar.gz
C:\Program Files\HijackThis1\backups
C:\QooBox\Quarantine
C:\SDFix\SDFix\backups

3°- Celles-ci montrent que l'infection a atteint "Restauration système" :

C:\System Volume Information\_restore

CONCLUSION:

A)•- OK, vide la QUARANTINE de ANTIVIR en faisant : "clic-droit sur antivir" > "start antivir" > "quarantine" > selectionne ce qui s'y trouve via clic-droit > puis "delete" (ce pour chacun).

B)•- Ensuite renouveler la restauration comme ceci (on en profite pour supprimer les outils utilisés):
•- Clique sur "Démarrer" - Clic droit sur le "Poste de Travail" > dans "Propriétés" > onglet "Restauration du système" - Cocher la case "Désactiver la restauration du système" et cliquer sur "Appliquer".
•- Télécharger _OTMoveIt sur ton bureau > < http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe >
•- Lance OTMoveIt.exe par double-clic
[*]Clique sur CleanUp! (le programme va télécharger un fichier texte qui servira à nettoyer les programmes que l'on a téléchargés).
NOTE : Normalement, ton Firewall (parefeu) devrait te demander si _OTMoveIt peut accéder à Internet. Autorise-le.
[*]Une liste apparaît dans la partie gauche d' _OTMoveIt.
[*]Un message apparaît pour confirmer le nettoyage. Confirme
Ce programme supprime les outils utilisés ainsi que les quarantaines éventuelles.
La manoeuvre nécessitera un reboot (=redémarrage) initié par le programme. (sinon, le redémarrer toi-même)
•- Clique sur "Démarrer" - Clic droit sur le "Poste de Travail" > dans "Propriétés" > onglet "Restauration du système" - Décocher la case "Désactiver la restauration du système" et cliquer sur "Appliquer".

Bonne soirée
Al.

0
Réponse 63 / 65
Alain038 Messages postés 25 Statut Membre 1
 
Merci encore pour l'efficacité et aussi (surtout ?) les explications données.

Tout semble correct.

Puis-je me permettre une question ? Faut-il passer à IE7 ? Dans ton profil, il est indiqué IE6...

Alain
0
Réponse 64 / 65
afideg Messages postés 10970 Statut Contributeur sécurité 602
 
Re,

Bonne question.

Je ne vois absolument pas l'intérêt de passer à IE7 quand IE6 me comble de bonheur.
Je ne me laisse pas non plus tenter par la "promotion" de Microsoft de permettre l'installation de IE7 sur des Windows "de vendeurs peu scrupuleux qui font payer aux clients des copies de copies au prix fort".
Tout cela, n'est destiné (principalement) qu'à autoriser Microsoft de visiter régulièrement tes activités.
Et quand tout le monde aura cédé à la tentation IE7, ils commenceront à avoir des surprises désagréables.
Il faut bien donner du travail aux "dépanneurs" professionnels !

Bonne nuit
Reviens quand tu veux si problème nouveau il y a .
Merci pour ta patience

Al.
0

Vous n’avez pas trouvé la réponse que vous recherchez ?

Posez votre question
Réponse 65 / 65
Alain038 Messages postés 25 Statut Membre 1
 
Merci pour cette réponse

Je demandais juste ça parce que sur le site de Malekal, il est conseillé de toujours avoir ses logiciels mis à jour avec les dernières versions...

Sinon, pour clore, c'est plutôt moi qui dois te (vous) remercier pour ta (votre) patience !

Alain
0

Discussions similaires

Processus Expérience d'entrée Windows 11
zendeur37 -
certys29 -

28 réponses
Prestataires des livraisons
placido -
Xileh -

4 réponses
colis à Roissy Courrier International Pic
Pepimousse59 -
Ben314 -

11 réponses
Teste afpa niveau 3
Vulcainessonne -
Raymond PENTIER -

3 réponses
Que signifie ''Votre colis est arrivé sur son site de distribution'' ?
jouhry113 -
georges97 -

27 réponses