TrojanClicker.Agent.NDQ

Closed
cesare.pavese - 18 Jul 2008 at 18:04
jlpjlp Posts 51580 Registered Friday 18 May 2007 Status Security contributor Last seen 3 May 2022 - 20 Jul 2008 at 19:36
Hello,

First of all, thank you very much for the volunteer work you do on this forum, helping internet users who are not always very grateful.
I'm contacting you because of persistent viruses and trojans: a short while ago, advertising pop-ups started appearing unexpectedly and my PC began to slow down, with symptoms such as Firefox closing by itself, Windows balloon tips saying "not enough virtual memory", programs that won't open, etc.
So I uninstalled Avast, which apparently hadn't detected anything, and ran an online scan with Kaspersky. Result: this TrojanClicker.Agent.NDQ, as well as wuauclt.exe, which normally corresponds to Microsoft updates but which, according to my research, can also be a trojan. I then installed NOD32 Antivirus Business Edition version 3.0.657.0 and ran a scan. Strangely, it did not detect wuauclt.exe as a trojan, but it did detect several other viruses, including TrojanClicker.Agent.NDQ. After a restart, it turns out that NOD32 quarantined everything and apparently it is unable to delete the trojans itself. So I'm turning to you to finally eradicate these trojans without having to format my hard drive. Here is the "Detected Threats" log:

18/07/2008 17:12:59 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE5F4DGe.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
18/07/2008 15:12:43 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\O7A3fNjp.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
18/07/2008 14:29:11 Real-time file system protection file C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\Y11bChUq.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe.
18/07/2008 12:12:58 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ff4Q8OGq.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
18/07/2008 10:12:37 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HaG0r76C.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\PROGRA~1\MESSAG~1\StartMessager.exe.
18/07/2008 08:12:15 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7Q0tq0t3.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
18/07/2008 06:12:01 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\027820v2.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\PROGRA~1\MESSAG~1\StartMessager.exe.
18/07/2008 04:11:44 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5CfspNA0.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Soulseek-Test\slsk.exe.
18/07/2008 02:14:45 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\00Omk2c4.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
18/07/2008 01:27:25 Real-time file system protection file C:\System Volume Information\_restore{63C98D16-88DA-4B39-B3A8-6026B80E4816}\RP1059\A0338041.dll Win32/BHO.EME trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
18/07/2008 00:37:22 Real-time file system protection file C:\System Volume Information\_restore{63C98D16-88DA-4B39-B3A8-6026B80E4816}\RP1059\A0338038.exe Win32/Toolbar.AskSBar application cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
18/07/2008 00:14:34 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Wa8Na483.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
17/07/2008 22:14:22 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Agh78UK5.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
17/07/2008 20:35:38 Real-time file system protection file C:\System Volume Information\_restore{63C98D16-88DA-4B39-B3A8-6026B80E4816}\RP1059\A0338035.dll Win32/Adware.Toolbar.Shopper application cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
17/07/2008 20:14:09 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NDgNA041.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
17/07/2008 19:25:35 Real-time file system protection file C:\System Volume Information\_restore{63C98D16-88DA-4B39-B3A8-6026B80E4816}\RP1059\A0338034.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
17/07/2008 18:13:55 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Y4CQ1x6F.exe Win32/BHO.EME trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
17/07/2008 18:13:55 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wEPx4qSI.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
17/07/2008 16:11:48 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6JgmuXnf.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Fichiers communs\Nero\Lib\NMBgMonitor.exe.
17/07/2008 15:14:06 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\y7HaxpHt.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
17/07/2008 13:13:44 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\77K3F1P3.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
17/07/2008 11:13:22 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3vk2uNVH.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
17/07/2008 09:13:02 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lIbpWA64.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Fichiers communs\Nero\Lib\NMBgMonitor.exe.
17/07/2008 07:12:23 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VQvIT0tP.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\PROGRA~1\MESSAG~1\StartMessager.exe.
17/07/2008 05:11:45 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ob5fMhWQ.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\PROGRA~1\MESSAG~1\StartMessager.exe.
17/07/2008 03:11:18 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\77t0TAFx.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE.
17/07/2008 01:58:15 Real-time file system protection file C:\System Volume Information\_restore{63C98D16-88DA-4B39-B3A8-6026B80E4816}\RP1057\A0337906.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
17/07/2008 01:10:54 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6pJO210G.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\PROGRA~1\MESSAG~1\StartMessager.exe.
17/07/2008 00:46:02 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:45:53 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:44:21 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:43:49 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:41:13 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:40:41 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:36:09 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:30:17 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:30:01 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:29:39 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:25:47 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:23:21 Real-time file system protection file C:\WINDOWS\system32\XxJQn02t.dll Win32/BHO.EME trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
17/07/2008 00:22:35 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:22:18 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:20:02 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:19:01 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:18:20 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:16:55 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:10:57 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:08:19 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
17/07/2008 00:00:28 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:59:26 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:58:45 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:58:24 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:56:57 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:55:17 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:53:02 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:51:52 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:44:16 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:43:00 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:42:34 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:38:38 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:38:22 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:36:21 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:33:14 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:31:22 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:30:15 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:28:00 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6uyyQjcQ.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\mIRC\mirc.exe.
16/07/2008 23:27:51 Real-time file system protection file C:\WINDOWS\TEMP\NODB2.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:26:47 Startup scanner file C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll Win32/Adware.Toolbar.Shopper application cleaned by deleting (after the next restart) - quarantined
16/07/2008 23:26:27 Startup scanner file C:\WINDOWS\system32\CcNUr02x.exe probably unknown NewHeur_PE virus deleted (after the next restart) - quarantined TEST-KKE4J5FQLS\Administrateur

Thanks in advance.
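The "Detected Threats" log above, parsed and triaged as an added example (my code, not part of the thread or of ESET's tooling). The field layout is my reading of the log lines as pasted, and the embedded sample is a constructed subset of those lines so the script runs stand-alone:

```python
"""Triage an ESET NOD32 "Detected Threats" export of the kind pasted above.

Added example, not part of the original thread.  The field layout below is my
reading of the log format in the post (timestamp, scanner, 'file' path, threat
name, action, account, triggering application).  Nothing here touches the
system; it only reads the text the user posted.
"""
import re
import statistics
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"""^(?P<ts>\d{2}/\d{2}/\d{4}\ \d{2}:\d{2}:\d{2})
        \ (?P<scanner>Real-time\ file\ system\ protection|Startup\ scanner)
        \ file\ (?P<path>.+?)
        \ (?P<threat>probably\ unknown\ \S+|\S+)
        \ (?P<kind>trojan|application|virus)
        \ (?P<action>(?:cleaned\ by\ deleting|deleted)(?:\ \(after\ the\ next\ restart\))?)
        \ -\ quarantined
        (?:\ (?!Event\ occurred\ )(?P<user>.+?))?
        (?:\ Event\ occurred\ (?P<cause>on\ a\ new\ file\ created\ by
                              |during\ an\ attempt\ to\ access\ the\ file\ by)
           \ the\ application:\ (?P<parent>.+?)\.)?$""",
    re.VERBOSE,
)

# Constructed sample: ten lines copied from the thread's own log.
SAMPLE_LOG = r"""18/07/2008 17:12:59 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE5F4DGe.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
18/07/2008 15:12:43 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\O7A3fNjp.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
18/07/2008 14:29:11 Real-time file system protection file C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\Y11bChUq.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe.
18/07/2008 12:12:58 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ff4Q8OGq.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
18/07/2008 10:12:37 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HaG0r76C.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\PROGRA~1\MESSAG~1\StartMessager.exe.
18/07/2008 01:27:25 Real-time file system protection file C:\System Volume Information\_restore{63C98D16-88DA-4B39-B3A8-6026B80E4816}\RP1059\A0338041.dll Win32/BHO.EME trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
17/07/2008 22:14:22 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Agh78UK5.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
17/07/2008 00:46:02 Real-time file system protection file C:\WINDOWS\TEMP\NODA3D.tmp Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting (after the next restart) - quarantined AUTORITE NT\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\CcNUr02x.exe.
16/07/2008 23:26:47 Startup scanner file C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll Win32/Adware.Toolbar.Shopper application cleaned by deleting (after the next restart) - quarantined
16/07/2008 23:26:27 Startup scanner file C:\WINDOWS\system32\CcNUr02x.exe probably unknown NewHeur_PE virus deleted (after the next restart) - quarantined TEST-KKE4J5FQLS\Administrateur
"""


def parse_log(text):
    """Return one dict per recognised line; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
        # "(after the next restart)" means the on-access scanner could not
        # remove the file now: something still holds it open.
        ev["deferred"] = "after the next restart" in ev["action"]
        events.append(ev)
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(events):
    """Extract the facts a helper wants before deciding what to remove."""
    # A payload re-written into Temp by many *different*, otherwise legitimate
    # parents (Firefox, a firewall, svchost...) points at an injected component
    # (e.g. a BHO/DLL loaded into them), not at those programs themselves.
    drops = sorted(
        (e for e in events
         if e["cause"] == "on a new file created by" and "\\temp\\" in e["path"].lower()),
        key=lambda e: e["ts"],
    )
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(drops, drops[1:])]
    detected = {basename(e["path"]) for e in events}
    parents = {basename(e["parent"]) for e in events if e["parent"]}
    return {
        "by_threat": Counter(e["threat"] for e in events),
        "temp_drops": len(drops),
        "droppers": Counter(basename(e["parent"]) for e in drops),
        "deferred": sum(e["deferred"] for e in events),
        # A parent that is itself a detection is the component to deal with first.
        "parents_also_detected": sorted(detected & parents),
        # A steady gap between drops suggests a scheduled re-download/beacon.
        "median_drop_gap_s": statistics.median(gaps) if gaps else None,
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the full log in the post the same script shows the clicker being re-dropped roughly every two hours by half a dozen unrelated parents, and CcNUr02x.exe both holding the .tmp open and being flagged by the startup scanner.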

10 replies

jlpjlp
18 Jul 2008 at 18:09
Hi, clean the temporary files with CCleaner:

https://www.malekal.com/tutoriel-ccleaner/

________________

scan with Malwarebytes' Anti-Malware and paste the report:

https://www.malekal.com/tutoriel-malwarebyte-anti-malware/

__________________


paste a HijackThis report


http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

manual: https://leblogdeclaude.blogspot.com/2006/10/informatique-section-hijackthis.html

I advise renaming HijackThis, to counter a possible Vundo infection.

e.g. rename the file HijackThis.exe to eden.exe; to do this, right-click on the HijackThis.exe file and choose Rename from the list

Then, with Explorer, create a folder c:\hijackthis
Unzip HijackThis into that folder.
This is important for the backups.
__________________
and paste a new Kaspersky report so we can see
cesare.pavese
18 Jul 2008 at 18:20
OK, will do, I'll do all that within the next quarter of an hour; thanks for the quick reply.
cesare.pavese
19 Jul 2008 at 01:44
There, I've done what you asked:

1) I cleaned the temporary files with CCleaner

2) I installed Malwarebytes' Anti-Malware, scanned, and deleted the infected files; here is the report after deletion

Malwarebytes' Anti-Malware 1.20
Version de la base de données: 964
Windows 5.1.2600 Service Pack 2

21:32:59 18/07/2008
mbam-log-7-18-2008 (21-32-48).txt

Type de recherche: Examen complet (C:\|)
Eléments examinés: 124155
Temps écoulé: 55 minute(s), 45 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 28
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 16
Fichier(s) infecté(s): 17

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> No action taken.

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootStera (Rogue.WinAntivirus) -> No action taken.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> No action taken.
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> No action taken.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> No action taken.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> No action taken.

Fichier(s) infecté(s):
C:\Program Files\QuickTime Alternative\quicktime_browser_plugin.exe (Rogue.Installer) -> No action taken.
C:\RECYCLER\S-1-5-21-1004336348-152049171-1801674531-500\Dc2.exe (Trojan.Agent) -> No action taken.
C:\Sauvegarde\aawsepersonal.exe (Adware.Agent) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> No action taken.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> No action taken.
C:\WINDOWS\system32\stera.job (Rogue.WinAntivirus) -> No action taken.

3) Here is the report after a scan with HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:34:34, on 19/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MESSAG~1\StartMessager.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://fr.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*https://fr.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MessagerStarter Wanadoo] C:\PROGRA~1\MESSAG~1\StartMessager.exe Messager Wanadoo
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WebBulle] C:\Program Files\WebBulle\webbulle.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Nero\Lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [homepage.monitor.exe] C:\Program Files\IntCodec\isamonitor.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Program Files\IntCodec\pmsngr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: S'abonner avec RSS Bandit - C:\Documents and Settings\Administrateur\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesfr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesfr.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
cesare.pavese
19 Jul. 2008 at 01:51
Small mistake on my part: the scan after removing the malware (with Malwarebytes' Anti-Malware) is the following:

Malwarebytes' Anti-Malware 1.20
Version de la base de données: 964
Windows 5.1.2600 Service Pack 2

21:33:44 18/07/2008
mbam-log-7-18-2008 (21-33-44).txt

Type de recherche: Examen complet (C:\|)
Eléments examinés: 124155
Temps écoulé: 55 minute(s), 45 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 28
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 16
Fichier(s) infecté(s): 17

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootStera (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
C:\Program Files\QuickTime Alternative\quicktime_browser_plugin.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1004336348-152049171-1801674531-500\Dc2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Sauvegarde\aawsepersonal.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrateur\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stera.job (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Thanks in advance.
cesare.pavese
19 Jul. 2008 at 03:51
Note that I can delete it with Nod32, but each time, a tooltip informs me 10 minutes later that TrojanClicker.Agent.NDQ has been quarantined, so the problem is still there; the virus comes back indefinitely.

PS: sorry for the triple post.
jlpjlp
19 Jul. 2008 at 13:24
Scan these files on VirusTotal and paste the reports: https://www.virustotal.com/gui/

C:\Program Files\WebBulle\webbulle.exe
C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe

_____________



SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix.php

Double-click SmitfraudFix, then select 1 and press Enter to create the report of the infections present. Once you have the report, paste it in your next message.
cesare.pavese
19 Jul. 2008 at 13:54
webbulle.exe is no longer there; I deleted it manually yesterday (an RSS program I wasn't using).

C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe

These 2 paths do not exist (anymore?). They aren't hidden files either.

Edit: I just redid a scan with HijackThis and, surprise, it still detects these files (even though they aren't there, or at least I have no access to them). Honestly, I can't make any sense of it.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:51:54, on 19/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MESSAG~1\StartMessager.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://fr.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*https://fr.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MessagerStarter Wanadoo] C:\PROGRA~1\MESSAG~1\StartMessager.exe Messager Wanadoo
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WebBulle] C:\Program Files\WebBulle\webbulle.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Nero\Lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [homepage.monitor.exe] C:\Program Files\IntCodec\isamonitor.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Program Files\IntCodec\pmsngr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Easy-WebPrint Ajouter à la liste d'impressions - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Impression rapide - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Imprimer - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Prévisualiser - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: S'abonner avec RSS Bandit - C:\Documents and Settings\Administrateur\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesfr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesfr.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
jlpjlp
19 Jul. 2008 at 15:42
Relaunch HijackThis, do "Do a system scan only" and fix these lines (Fix checked):


R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WebBulle] C:\Program Files\WebBulle\webbulle.exe

O4 - HKLM\..\Policies\Explorer\Run: [homepage.monitor.exe] C:\Program Files\IntCodec\isamonitor.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Program Files\IntCodec\pmsngr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)


_________________

Download OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe (by Old_Timer) to your Desktop.
Double-click OTMoveIt.exe to launch it.
Copy the list quoted below,
and paste it into the left-hand pane of OTMoveIt: Paste List of Files/Folders to be moved.

Quote:

C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe

Click MoveIt! to start the removal.
The result will appear in the "Results" pane.
Click Exit to close.
Post the report located in C:\_OTMoveIt\MovedFiles.

You may be asked to restart the PC to complete the removal. If so, accept with Yes.

_____________________________

Disable System Restore, then restart your computer, then re-enable it:

http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/fdocid/20020830101856924

__________________________

Update Adobe, Java and Internet Explorer:

https://www.malekal.com/maintenir-java-adobe-reader-et-le-player-flash-a-jour/
https://www.01net.com/telecharger/windows/Internet/navigateur/fiches/33081.html

__________________________

Is NOD32 still finding infections? Paste the report, or an online scan report.


See you later.
cesare.pavese
20 Jul. 2008 at 02:19
1) Scan and fix done with HijackThis.

2) File/Folder C:\Program Files\IntCodec\isamonitor.exe not found.
File/Folder C:\Program Files\IntCodec\pmsngr.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07192008_225411

3) System Restore disabled and re-enabled after restart.

4) Adobe Flash and Java updated after removing the old versions present on the PC. For Explorer, not only do I not have the Windows license, but I use Firefox, so no update.

5) After carrying out all these steps and after several restarts, I ran a scan with NOD32, which detected nothing... and barely a few minutes later, a tooltip appears, and still that damned virus coming back relentlessly... so I ran a scan with Malwarebytes Anti-Malware and deleted the offending files; here is the report:

Malwarebytes' Anti-Malware 1.21
Database version: 967
Windows 5.1.2600 Service Pack 2

01:21:16 20/07/2008
mbam-log-7-20-2008 (01-21-16).txt

Scan type: Quick Scan
Objects scanned: 39171
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Obviously, as you'd expect, the virus comes back again and again (accompanied by another trojan this time, by the way). Here is the NOD32 quarantine log:

20/07/2008 00:55:50 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5Nh2dtiU.exe Win32/BHO.EME trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.
20/07/2008 00:55:49 Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\V8Yw615J.exe Win32/TrojanClicker.Agent.NDQ trojan cleaned by deleting - quarantined AUTORITE NT\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe.

Sorry to take up your time, especially as I get the impression we are dealing with an unsolvable problem.
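Detection logic for the pattern in this post, added here as an example rather than a tool from the thread: the same threat reappearing in Temp under random file names, written by the same process, after every cleaning. The sample log below mixes the two NOD32 lines quoted above with constructed lines (the k2Qf7mRa.exe, oldsetup.exe and "Quarantine emptied" entries are made up).

```python
"""Flag a recurring dropper in ESET NOD32 "Detected threats" log lines.

Added example, not a tool from the thread. Each NOD32 line names the file
that was detected and the process that wrote it; grouping detections by
threat, directory and writing process makes a payload that keeps coming
back under random names stand out from a one-off detection.
"""
from collections import defaultdict
from datetime import datetime
import ntpath
import re

HEAD_MARKER = "Real-time file system protection file "
TAIL_MARKER = " Event occurred on a new file created by the application: "
TS_FORMAT = "%d/%m/%Y %H:%M:%S"
# Eight mixed-case alphanumerics: the shape of the temp-file names in the log.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z0-9])[A-Za-z0-9]{8}$")


def parse_line(line):
    """Parse one NOD32 log line; return None for lines not in this format."""
    head, found, rest = line.strip().partition(HEAD_MARKER)
    if not found:
        return None
    body, found, parent = rest.partition(TAIL_MARKER)
    if not found:
        return None
    try:
        # 8.3 short paths contain no spaces, so the first two fields are
        # the detected file and the threat name; the rest is the outcome.
        path, threat, outcome = body.split(" ", 2)
        ts = datetime.strptime(head.strip(), TS_FORMAT)
    except ValueError:  # malformed line or timestamp
        return None
    return {
        "ts": ts,
        "path": path,
        "dir": ntpath.dirname(path),
        "name": ntpath.basename(path),
        "threat": threat,
        "outcome": outcome,            # e.g. "trojan cleaned by deleting - quarantined ..."
        "parent": parent.rstrip("."),  # the process that wrote the file
    }


def find_recurring_drops(lines, min_hits=2):
    """Group detections by (threat, directory, writing process).

    A group with at least min_hits distinct file names means the scanner
    keeps deleting the payload while whatever writes it is still active;
    the writing process recorded by the log is the next thing to examine.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["threat"], rec["dir"], rec["parent"])].append(rec)

    findings = []
    for (threat, directory, parent), recs in groups.items():
        names = {r["name"] for r in recs}
        if len(names) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        findings.append({
            "threat": threat,
            "dir": directory,
            "parent": parent,
            "hits": len(recs),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "random_names": all(
                RANDOM_NAME.match(ntpath.splitext(n)[0]) for n in names
            ),
        })
    findings.sort(key=lambda f: (-f["hits"], f["threat"]))
    return findings


def nod32_line(ts, path, threat, parent):
    """Build a line in the NOD32 format (used for the constructed sample)."""
    return (f"{ts} {HEAD_MARKER}{path} {threat} trojan cleaned by deleting - "
            f"quarantined AUTORITE NT\\SYSTEM{TAIL_MARKER}{parent}.")


TEMP = "C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\"
KAVPF = "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Hacker\\KAVPF.exe"
# Constructed sample: the first two entries follow the lines quoted in the
# post; k2Qf7mRa.exe, oldsetup.exe and the stray last line are made up.
SAMPLE_LOG = [
    nod32_line("20/07/2008 00:55:50", TEMP + "5Nh2dtiU.exe", "Win32/BHO.EME", KAVPF),
    nod32_line("20/07/2008 00:55:49", TEMP + "V8Yw615J.exe", "Win32/TrojanClicker.Agent.NDQ", KAVPF),
    nod32_line("20/07/2008 01:06:12", TEMP + "k2Qf7mRa.exe", "Win32/TrojanClicker.Agent.NDQ", KAVPF),
    nod32_line("20/07/2008 01:10:03", "C:\\Sauvegarde\\oldsetup.exe",
               "Win32/Sample.Constructed", "C:\\WINDOWS\\Explorer.EXE"),
    "Quarantine emptied by user",  # not a detection line: the parser skips it
]

if __name__ == "__main__":
    for f in find_recurring_drops(SAMPLE_LOG):
        print(f"{f['threat']}: {f['hits']} drops in {f['dir']} between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}, written by "
              f"{f['parent']} (random names: {f['random_names']})")
```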
jlpjlp
20 Jul. 2008 at 19:36
Run CCleaner and clean your traces (especially the temporary files):
https://www.malekal.com/tutoriel-ccleaner/

_________________

Download OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe (by Old_Timer) to your Desktop.
Double-click OTMoveIt.exe to launch it.
Copy the list quoted below,
and paste it into the left-hand pane of OTMoveIt: Paste List of Files/Folders to be moved.

Quote:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5Nh2dtiU.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\V8Yw615J.exe


Click MoveIt! to start the removal.
The result will appear in the "Results" pane.
Click Exit to close.
Post the report located in C:\_OTMoveIt\MovedFiles.

________________

Delete what is in MovedFiles by going to My Computer, then C, then OTMoveIt.

_________________
Still having problems?
You may be asked to restart the PC to complete the removal. If so, accept with Yes.

_____________________________