Demande d'analyse d'un log HijackThisFermé

Question

Bonjour,Je suis victime de la malveillance "ByteVerify Exploit"... En effet, la page d'accueil d'I.E est forcée par défault à http://oqmkzf.t.muxa.cc/%68%2E%70%68%70?%61%69%64=35J'ai suivi des conseils trouvés sur le Net et ai utilisé le freeware HijackThis dont voici le log : Logfile of HijackThis v1.97.7Scan saved at 01:09:08, on 17/03/2004Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\WINNT\system32\drivers\dcfssvc.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\hidserv.exeC:\Program Files\Norton AntiVirus
avapsvc.exeC:\Program Files\Norton Utilities\NPROTECT.EXEC:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exeC:\WINNT\system32egsvc.exeC:\WINNT\system32\MSTask.exeC:\Program Files\Speed Disk
opdb.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\System32\MsPMSPSv.exeC:\WINNT\system32\svchost.exeC:\WINNT\Explorer.EXEC:\WINNT\system32\atiptaxx.exeC:\WINNT\Mixer.exeC:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exeC:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exeC:\PROGRA~1\Wanadoo\TaskbarIcon.exeC:\PROGRA~1\NORTON~3
avapw32.exeC:\WINNT\system32\internat.exeC:\WINNT\DvzCommon\DvzMsgr.exeC:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exeC:\Program Files\Norton Utilities\SYSDOC32.EXEC:\Palm\HOTSYNC.EXEC:\WINNT\System32\svchost.exeC:\RECYCLER\NPROTECT\00023443.EXEC:\Documents and Settings\Sébastien Joubert.JOUBI\Mes documents\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://oqmkzf.t.muxa.cc/s.php?aid=35 (obfuscated)R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://oqmkzf.t.muxa.cc/s.php?aid=35 (obfuscated)R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oqmkzf.t.muxa.cc/h.php?aid=35 (obfuscated)R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://oqmkzf.t.muxa.cc/s.php?aid=35 (obfuscated)R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oqmkzf.t.muxa.cc/h.php?aid=35 (obfuscated)R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://oqmkzf.t.muxa.cc/s.php?aid=35 (obfuscated)R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://oqmkzf.t.muxa.cc/s.php?aid=35 (obfuscated)R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://oqmkzf.t.muxa.cc/s.php?aid=35 (obfuscated)R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = WanadooR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhostR1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://oqmkzf.t.muxa.cc/h.php?aid=35 (obfuscated)R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LiensR3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLLO2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocxO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [AtiPTA] atiptaxx.exeO4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startupO4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exeO4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exeO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /iconO4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exeO4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exeO4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3
avapw32.exeO4 - HKLM\..\Run: [sys] regedit -s sys.regO4 - HKCU\..\Run: [internat.exe] internat.exeO4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXEO4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exeO4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXEO9 - Extra 'Tools' menuitem: Block This Page (HKLM)O9 - Extra button: ICQ (HKLM)O9 - Extra 'Tools' menuitem: ICQ (HKLM)O9 - Extra button: Related (HKLM)O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)O9 - Extra button: Wanadoo (HKCU)O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS
pqtplugin3.dllO16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.mayeticvillage.fr/qp2.cabO16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38061.6066319444O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rhp.rez-gif.supelec.frO17 - HKLM\System\CCS\Services\Tcpip\..\{46F34D6B-10A7-435A-AED0-AF83FE025587}: NameServer = 160.228.92.1O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rhp.rez-gif.supelec.frO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rhp.rez-gif.supelec.frMerci à quiquonque de m'indiquer ce que je dois supprimer !En effet, j'ai fait un test en supprimant toutes les lignes comprenant "http://oqmkzf.t.muxa.cc/s.php?aid=35 (obfuscated)" mais ça ne suffit pas pour éradiquer la malveillance.Quand je redémarre mon ordinateur, l'URL par défaut est à nouveau modifiée....Merci de votre aide !Sébastien.

Jeff · Answer

As-tu essayé Ad-Aware et/ou SpyBot ?

Demande d'analyse d'un log HijackThis

1 réponse

Discussions similaires

Newsletters