Tony501x

Voilà, j'ai effectué la procédure d'analyse préléminaire, antivir m'a débarrassé de 7 fichiers (3 trojans-drop et 4 compressés "bizarrement") voici le rapport s'il peut vous etre util: Report file date: mercredi 1 février 2006 16:57 Jobname: 'Manual Selection' Scanning for 284303 virus strains and unwanted programs. Licensed to: AntiVir PersonalEdition Classic Serialnumber: 0000149996-WURGE-0001 Platform: Windows XP Windowsversion: () [5.1.2600] Username: CMEP Computername: XP Versioninformations: AVSCAN.EXE : 7.0.0.19 524328 23/01/2006 15:35:48 AVSCAN.DLL : 7.0.0.19 42536 23/01/2006 15:35:48 LUKE.DLL : 7.0.0.19 114728 23/01/2006 15:35:48 LUKERES.DLL : 7.0.0.19 27688 23/01/2006 15:35:48 ANTIVIR0.VDF : 6.32.0.60 4323840 06/12/2005 10:47:34 ANTIVIR1.VDF : 6.33.0.97 675328 18/01/2006 14:31:52 ANTIVIR2.VDF : 6.33.0.131 122880 18/01/2006 14:31:52 ANTIVIR3.VDF : 6.33.0.139 28160 18/01/2006 14:31:52 AVEWIN32.DLL : 6.33.0.30 1016320 20/01/2006 11:42:50 AVPREF.DLL : 6.34.0.0 38440 18/01/2006 12:06:02 AVREP.DLL : 6.33.0.106 2301992 10/01/2006 10:10:46 AVPACK32.DLL : 6.33.0.6 331816 09/01/2006 09:03:38 AVREG.DLL : 6.31.0.90 27688 28/07/2005 10:06:36 NETNT.DLL : 6.32.0.0 6696 27/09/2005 07:56:50 NETNW.DLL : 6.32.0.0 9768 27/09/2005 07:56:50 Start of the scan: mercredi 1 février 2006 16:57 Start scanning boot sectors: Boot sector 'C:' [NOTE] No virus was found! Boot sector 'D:' [NOTE] No virus was found! Starting to scan the registry. C:\WINDOWS\system32\wuasrv32.exe [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/Morphine). Please verify the origin of the file C:\WINDOWS\system32\wuasrv32.exe [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/Morphine). Please verify the origin of the file C:\WINDOWS\system32\MSconfig.exe [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/Morphine). Please verify the origin of the file C:\WINDOWS\system32\MSconfig.exe [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/Morphine). Please verify the origin of the file C:\WINDOWS\system32\wuasrv32.exe [WARNING] The file could not be opened! C:\WINDOWS\system32\MSconfig.exe [WARNING] The file could not be opened! C:\WINDOWS\system32\wuasrv32.exe [WARNING] The file could not be opened! C:\Program Files\etws\rrus.exe [DETECTION] Is the Trojan horse TR/Dldr.PurityScan.BE.2 C:\Program Files\etws\rrus.exe [DETECTION] Is the Trojan horse TR/Dldr.PurityScan.BE.2 The registry was scanned ( 28 files ). Starting the file scan: C:\pagefile.sys [WARNING] The file could not be opened! C:\Documents and Settings\CMEP\NTUSER.DAT [WARNING] The file could not be opened! C:\Documents and Settings\CMEP\ntuser.dat.LOG [WARNING] The file could not be opened! C:\Documents and Settings\CMEP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [WARNING] The file could not be opened! C:\Documents and Settings\CMEP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [WARNING] The file could not be opened! C:\RECYCLER\S-1-5-21-1482476501-1957994488-725345543-500\Df2.exe [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/Morphine). Please verify the origin of the file C:\RECYCLER\S-1-5-21-1482476501-1957994488-725345543-500\Df3.exe [DETECTION] Is the Trojan horse TR/Drop.VB.kk.1 C:\RECYCLER\S-1-5-21-1482476501-1957994488-725345543-500\Df1\Sudoku.exe [DETECTION] Is the Trojan horse TR/Drop.VB.KK C:\WINDOWS\system32\config\default [WARNING] The file could not be opened! C:\WINDOWS\system32\config\default.LOG [WARNING] The file could not be opened! C:\WINDOWS\system32\config\SAM [WARNING] The file could not be opened! C:\WINDOWS\system32\config\SAM.LOG [WARNING] The file could not be opened! C:\WINDOWS\system32\config\SECURITY [WARNING] The file could not be opened! C:\WINDOWS\system32\config\SECURITY.LOG [WARNING] The file could not be opened! C:\WINDOWS\system32\config\software [WARNING] The file could not be opened! C:\WINDOWS\system32\config\software.LOG [WARNING] The file could not be opened! C:\WINDOWS\system32\config\system [WARNING] The file could not be opened! C:\WINDOWS\system32\config\system.LOG [WARNING] The file could not be opened! D:\Program Files\Trend Micro\PC-cillin 9\QUARANTINE\Temp\3.tmp [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/Morphine). Please verify the origin of the file End of the scan: mercredi 1 février 2006 18:14 Used time: 1:16:49 min The scan has been done completely. 3591 Scanning directories 176286 Files were scanned 7 viruses and/or unwanted programs was found 0 files were deleted 0 files were repaired 7 files were moved to quarantine 0 files were renamed 2182 Archives were scanned 36 Warnings 15 Notes Voici donc le nouveau rapport hijack, apperemment mon ordi n'est pas encore clean....... Logfile of HijackThis v1.99.1 Scan saved at 18:26:01, on 01/02/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe C:\Program Files\etws\rrus.exe C:\WINDOWS\system32\n?lookup.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.neuf.fr R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.neuf.fr R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - URLSearchHook: (no name) - {EE7C7BC5-CA50-C6A9-2CEF-B69EFF4405C2} - C:\WINDOWS\System32\mciokf.dll R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {EE7C7BC5-CA50-C6A9-2CEF-B69EFF4405C2} - C:\WINDOWS\System32\mciokf.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe" O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe" O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Monitor] Systemwk32.exe O4 - HKLM\..\RunServices: [Monitor] Systemwk32.exe O4 - HKLM\..\RunServices: [Windows Plug and Play] wuasrv32.exe O4 - HKLM\..\RunServices: [MSconfig] MSconfig.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Windows Plug and Play] wuasrv32.exe O4 - HKCU\..\Run: [Kty] C:\WINDOWS\System32\n?lookup.exe O4 - HKCU\..\Run: [Arrm] "C:\Program Files\etws\rrus.exe" -vt ndrv O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 9\Tmntsrv.exe Où sont les probs et que faire????? (apperrement antivir n'a pas détecté le trojan lowzones.ey) Merci de votre aide

Merci je ne peut malheureusement faire ces manips avant quelques jours mais je vous tiendrai au courant.... PS je me doute bien que shareaza est la racine de mon prob, désinstallation programmée...

Tout d'abord bonjour, depuis quelques jours impossible de naviguer sur le web (via IE ou Mozilla), pourtant ma connexion est opérationnel...cela m'a amené a faire des analises précises de mon PC. Mon antivirus détecte le Trojan lowzones (TROJ_LOWZONES.EY) mais ne peut l'éradiquer, j'ai donc fait des scans avec mon antivirus PC Cillin (à jour), Ad-Aware, Spybot, l'antivirus en ligne de Secuser.com et un autre scan en ligne pour les trojans. J'ai pu effacer un tas de truc mais aucun changement: toujours pas de connexion, et lowzones continue de créer des fichiers en C:\ (test.exe ou dos.exe ou encore PHI.exe...) Voici mon log HiJack, j'ai essayé de 'interprété via le tuto mais c'est pas toujours évident....bref, j'apprécierais un peu d'aide pour détecter les lignes "malveillantes": Logfile of HijackThis v1.99.1 Scan saved at 16:49:48, on 28/01/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\PC-cillin 9\Tmntsrv.exe C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe C:\WINDOWS\System32\wuasrv32.exe C:\WINDOWS\System32\MSconfig.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\etws\rrus.exe C:\WINDOWS\System32\n?lookup.exe C:\Program Files\Shareaza\Shareaza.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\Disque D\DocTony\Nouveauté\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.neuf.fr R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.neuf.fr R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - URLSearchHook: (no name) - {30847143-9B82-CD70-F315-EC2B54EDDFCE} - C:\WINDOWS\System32\xubtaw.dll R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {30847143-9B82-CD70-F315-EC2B54EDDFCE} - C:\WINDOWS\System32\xubtaw.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe" O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe" O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Monitor] Systemwk32.exe O4 - HKLM\..\Run: [Windows Plug and Play] wuasrv32.exe O4 - HKLM\..\Run: [MSconfig] MSconfig.exe O4 - HKLM\..\RunServices: [Monitor] Systemwk32.exe O4 - HKLM\..\RunServices: [Windows Plug and Play] wuasrv32.exe O4 - HKLM\..\RunServices: [MSconfig] MSconfig.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Windows Plug and Play] wuasrv32.exe O4 - HKCU\..\Run: [Arrm] "C:\Program Files\etws\rrus.exe" -vt yazr O4 - HKCU\..\Run: [Kty] C:\WINDOWS\System32\n?lookup.exe O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 9\Tmntsrv.exe J'ai déjà corrigé la ligne "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install" mais pour certaines j'ai aucne idée de ce que c'est ([Arrm], [Kty]....entre autres). Merci beaucoup pour votre aide PS: mon disque est également passé de 80 GO à 29.3 GO????!!!!! je ne sais pas si il y a un lien avec le reste....