
titi44

Members
  • Content count
    3
  • Joined

  • Last visited

Other information
  • My languages
    French

titi44's Achievements

Junior Member (3/12)

0
Community reputation

  1. Hello. I was away at the start of the week, so I'm back at it full throttle. A small mistake on my way forward: I had kept on removing unwanted applications and downloading utilities such as Acrobat, WinRAR, IncrediMail... The result is that I now get lots of Internet Explorer windows opening, some of them on not very respectable sites; for grandpa and grandma, that could be awkward. So I'm stopping the updates, I've restarted the procedure from the beginning, and I'm posting the different logs in order and waiting... SDFix, ewido and HijackThis. Thanks in advance.

     SDFix: Version 1.115
     Run by test on 28/11/2007 at 12:58
     Microsoft Windows XP [version 5.1.2600]
     Running From: C:\sdfix

     Safe Mode:
     Checking Services:

     Restoring Windows Registry Values
     Restoring Windows Default Hosts File

     Rebooting...

     Normal Mode:
     Checking Files:

     Trojan Files Found:

     C:\Documents and Settings\test\Application Data\tmp10.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmp1B.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmp1D.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmp1F.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmpE.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmpF.tmp.exe - Deleted
     C:\WINDOWS\system32\tmp10.tmp.dll - Deleted

     Removing Temp Files...

     ADS Check:

     C:\WINDOWS
     No streams found.
     C:\WINDOWS\system32
     No streams found.
     C:\WINDOWS\system32\svchost.exe
     No streams found.
     C:\WINDOWS\system32\ntoskrnl.exe
     No streams found.

     Final Check:

     catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2007-11-28 13:10:31
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...
     scanning hidden services & system hive ...
     scanning hidden registry entries ...
     scanning hidden files ...

     scan completed successfully
     hidden processes: 0
     hidden services: 0
     hidden files: 0

     Remaining Services:
     ------------------

     Authorized Application Key Export:

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
     "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
     "C:\\WINDOWS\\system32\\logon.exe"="C:\\WINDOWS\\system32\\logon.exe:*:Enabled:logon"
     "C:\\WINDOWS\\system32\\xcrdtm.exe"="C:\\WINDOWS\\system32\\xcrdtm.exe:*:Enabled:xcrdtm"
     "C:\\WINDOWS\\system32\\fpfoadia.exe"="C:\\WINDOWS\\system32\\fpfoadia.exe:*:Enabled:fpfoadia"
     "C:\\WINDOWS\\system32\\ozclmui.exe"="C:\\WINDOWS\\system32\\ozclmui.exe:*:Enabled:ozclmui"
     "C:\\WINDOWS\\system32\\rddtewuc.exe"="C:\\WINDOWS\\system32\\rdd"
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
     "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
     "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
     "C:\\Chargement\\incredimail_install.exe"="C:\\Chargement\\incredimail_install.exe:*:Enabled:IncrediMail Installer"
     "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
     "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
     "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
     "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
     "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
     "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

     Remaining Files:
     ---------------

     File Backups: - C:\sdfix\backups\backups.zip

     Files with Hidden Attributes:

     Thu 19 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
     Wed 28 Nov 2007 251,635 ..SH. --- "C:\WINDOWS\system32\pqtwa.tmp"
     Wed 28 Nov 2007 252,895 ..SH. --- "C:\WINDOWS\system32\pqtwa.bak2"
     Wed 19 Jan 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
     Wed 19 Jan 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
     Fri 23 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
     Sun 16 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Downloadd73c5f11656cfb2872f8f4bb0b3a716\BIT15.tmp"
     Wed 24 Oct 2007 826,704 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\39966a42f96cc9ad6ccb51af2492b18b\BIT1A.tmp"
     Wed 24 Oct 2007 577,776 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4eeab5e9badabf8752919b7df37ed651\BIT17.tmp"
     Wed 24 Oct 2007 493,880 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\867d0e7fac53908bde593cf04384324a\BIT1B.tmp"
     Mon 26 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ad213d081e2675ef87a62c73b8abf209\BITD.tmp"
     Fri 23 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cc102203f99c8c6ebf1523556f8411b6\BIT3.tmp"
     Wed 24 Oct 2007 576,336 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d197838ea2d2bcacd578dd8187e9778a\BIT19.tmp"
     Wed 24 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20174378a49939f5f8825cfb630e979\BIT27.tmp"
     Wed 24 Oct 2007 993,544 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ef6fc5596a288b3d8c382c11203f44d4\BIT12.tmp"
     Thu 8 Mar 2007 49,152 ...H. --- "C:\Documents and Settings\test\Application Data\Microsoft\ModŠles\~WRL2154.tmp"
     Sat 12 May 2007 19,456 ...H. --- "C:\Documents and Settings\test\Application Data\Microsoft\Word\~WRL1266.tmp"
     Sat 12 May 2007 19,456 ...H. --- "C:\Documents and Settings\test\Application Data\Microsoft\Word\~WRL1607.tmp"
     Sat 12 May 2007 19,456 ...H. --- "C:\Documents and Settings\test\Application Data\Microsoft\Word\~WRL3884.tmp"

     Finished!

     ************************************************************************************

     __________________________________________________
     ewido anti-spyware online scanner
     http://www.ewido.net
     __________________________________________________

     Name: TrackingCookie.Yieldmanager Path: C:\Documents and Settings\test\Cookies\test@ad.yieldmanager[2].txt Risk: Medium
     Name: TrackingCookie.Pointroll Path: C:\Documents and Settings\test\Cookies\test@ads.pointroll[2].txt Risk: Medium
     Name: TrackingCookie.Doubleclick Path: C:\Documents and Settings\test\Cookies\test@doubleclick[2].txt Risk: Medium
     Name: TrackingCookie.Overture Path: C:\Documents and Settings\test\Cookies\test@overture[1].txt Risk: Medium
     Name: TrackingCookie.Smartadserver Path: C:\Documents and Settings\test\Cookies\test@smartadserver[2].txt Risk: Medium
     Name: TrackingCookie.Netflame Path: C:\Documents and Settings\test\Cookies\test@ssl-hints.netflame[2].txt Risk: Medium
     Name: TrackingCookie.Zedo Path: C:\Documents and Settings\test\Cookies\test@zedo[1].txt Risk: Medium
     Name: Downloader.ConHook.hl Path: [500] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [568] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [780] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [880] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [960] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [1048] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [1248] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [1256] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [1404] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [1956] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [124] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [408] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [380] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [1332] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [1600] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [700] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [2104] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [2256] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.ConHook.hl Path: [3356] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: Downloader.Tiny.id Path: [3784] C:\Documents and Settings\test\Application Data\tmp16.tmp.exe Risk: High
     Name: Downloader.ConHook.hl Path: [3976] C:\WINDOWS\system32\__c00E1FF4.dat Risk: High
     Name: TrackingCookie.Bluestreak Path: :mozilla.10:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Smartadserver Path: :mozilla.11:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Smartadserver Path: :mozilla.12:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Smartadserver Path: :mozilla.13:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Smartadserver Path: :mozilla.14:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Doubleclick Path: :mozilla.15:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Tradedoubler Path: :mozilla.16:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Advertising Path: :mozilla.19:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Advertising Path: :mozilla.20:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: TrackingCookie.Adviva Path: :mozilla.26:C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\i4sk4sre.default\cookies.txt Risk: Medium
     Name: Downloader.Tiny.id Path: C:\Documents and Settings\test\Application Data\tmp16.tmp.exe Risk: High
     Name: Downloader.Tiny.id Path: C:\Documents and Settings\test\Local Settings\Temporary Internet Files\Content.IE5\LZ5IBIJ3\kcehc_eicooc20070702[1] Risk: High
     Name: Downloader.ConHook.hl Path: C:\Documents and Settings\test\Local Settings\Temporary Internet Files\Content.IE5\LZ5IBIJ3\mosx1024[1] Risk: High
     Name: Downloader.Tiny.id Path: C:\Documents and Settings\test\Local Settings\Temporary Internet Files\Content.IE5\LZ5IBIJ3\poiu[1] Risk: High
     Name: Downloader.ConHook.hl Path: C:\WINDOWS\system32\ciochdoc.dll Risk: High
     Name: Downloader.Tiny.id Path: C:\WINDOWS\system32\gpjtfrav.exe Risk: High
     Name: Downloader.Tiny.id Path: C:\WINDOWS\system32\jxfcnrjy.exe Risk: High
     Name: Downloader.ConHook.hl Path: C:\WINDOWS\system32\__c00E1FF4.dat Risk: High

     *******************************************************************

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 15:25:22, on 28/11/2007
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16544)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
     C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\WINDOWS\System32\nvsvc32.exe
     C:\WINDOWS\system32\slserv.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\program files\quicktime\qttask.exe
     C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
     C:\WINDOWS\System32\svchost.exe
     C:\PROGRA~1\INCRED~1\bin\IMApp.exe
     C:\WINDOWS\system32\ntvdm.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
     O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
     O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [003d4957] rundll32.exe "C:\WINDOWS\qoppnn.dll",b
     O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
     O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
     O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
     O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
     O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
     O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195843694437
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O17 - HKLM\System\CCS\Services\Tcpip\..\{6D9FE285-075D-4A33-8981-5D0AEA8DE4ED}: NameServer = 192.168.0.1
     O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00E1FF4.dat
     O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rddtewuc.exe (file missing)
     O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
     O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     O23 - Service: Control Parental (OPTENET_FILTER) - Unknown owner - C:\Program Files\Controle Parental\bin\optproxy.exe (file missing)
     O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
     O24 - Desktop Component 1: PC-Aquarium Deluxe - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

     --
     End of file - 5351 bytes

     Thanks in advance. See you.
  2. Hello, and first of all thanks for the help. Yes, as for the PC being infected, I think that's clear: it's a PC I bought second-hand as a gift, I wouldn't want it to be a poisoned gift, and I'm doing my best to clean it!!! Here are the reports.

     SDFix: Version 1.115
     Run by test on 25/11/2007 at 10:29
     Microsoft Windows XP [version 5.1.2600]
     Running From: C:\sdfix

     Safe Mode:
     Checking Services:

     Restoring Windows Registry Values
     Restoring Windows Default Hosts File

     Rebooting...

     Normal Mode:
     Checking Files:

     Trojan Files Found:

     C:\_NIM4711.TMP - Deleted
     C:\Documents and Settings\test\Application Data\tmp10.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmp10D.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmp111.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmp11C.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmp11D.tmp.exe - Deleted
     C:\Documents and Settings\test\Application Data\tmpF.tmp.exe - Deleted
     C:\WINDOWS\system32\tmp11D.tmp.dll - Deleted

     Removing Temp Files...

     ADS Check:

     C:\WINDOWS
     No streams found.
     C:\WINDOWS\system32
     No streams found.
     C:\WINDOWS\system32\svchost.exe
     No streams found.
     C:\WINDOWS\system32\ntoskrnl.exe
     No streams found.

     Final Check:

     catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2007-11-25 10:38:38
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...
     scanning hidden services & system hive ...
     scanning hidden registry entries ...
     scanning hidden files ...
     C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes

     scan completed successfully
     hidden processes: 0
     hidden services: 0
     hidden files: 1

     Remaining Services:
     ------------------

     Authorized Application Key Export:

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
     "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
     "C:\\WINDOWS\\system32\\logon.exe"="C:\\WINDOWS\\system32\\logon.exe:*:Enabled:logon"
     "C:\\WINDOWS\\system32\\xcrdtm.exe"="C:\\WINDOWS\\system32\\xcrdtm.exe:*:Enabled:xcrdtm"
     "C:\\WINDOWS\\system32\\fpfoadia.exe"="C:\\WINDOWS\\system32\\fpfoadia.exe:*:Enabled:fpfoadia"
     "C:\\WINDOWS\\system32\\ozclmui.exe"="C:\\WINDOWS\\system32\\ozclmui.exe:*:Enabled:ozclmui"
     "C:\\WINDOWS\\system32\\rddtewuc.exe"="C:\\WINDOWS\\system32\\rdd"
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
     "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
     "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
     "C:\\Chargement\\incredimail_install.exe"="C:\\Chargement\\incredimail_install.exe:*:Enabled:IncrediMail Installer"
     "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
     "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
     "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
     "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
     "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
     "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

     Remaining Files:
     ---------------

     File Backups: - C:\sdfix\backups\backups.zip

     Files with Hidden Attributes:

     Thu 19 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
     Sat 24 Nov 2007 254,283 ..SH. --- "C:\WINDOWS\system32\pqtwa.bak2"
     Wed 19 Jan 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
     Wed 19 Jan 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
     Fri 23 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
     Sun 16 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Downloadd73c5f11656cfb2872f8f4bb0b3a716\BIT15.tmp"
     Wed 24 Oct 2007 826,704 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\39966a42f96cc9ad6ccb51af2492b18b\BIT1A.tmp"
     Wed 24 Oct 2007 577,776 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4eeab5e9badabf8752919b7df37ed651\BIT17.tmp"
     Wed 24 Oct 2007 493,880 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\867d0e7fac53908bde593cf04384324a\BIT1B.tmp"
     Fri 23 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cc102203f99c8c6ebf1523556f8411b6\BIT3.tmp"
     Wed 24 Oct 2007 576,336 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d197838ea2d2bcacd578dd8187e9778a\BIT19.tmp"
     Wed 24 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20174378a49939f5f8825cfb630e979\BIT27.tmp"
     Wed 24 Oct 2007 993,544 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ef6fc5596a288b3d8c382c11203f44d4\BIT12.tmp"
     Thu 8 Mar 2007 49,152 ...H. --- "C:\Documents and Settings\test\Application Data\Microsoft\ModŠles\~WRL2154.tmp"
     Sat 12 May 2007 19,456 ...H. --- "C:\Documents and Settings\test\Application Data\Microsoft\Word\~WRL1266.tmp"
     Sat 12 May 2007 19,456 ...H. --- "C:\Documents and Settings\test\Application Data\Microsoft\Word\~WRL1607.tmp"
     Sat 12 May 2007 19,456 ...H. --- "C:\Documents and Settings\test\Application Data\Microsoft\Word\~WRL3884.tmp"

     Finished!

     For HijackThis:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 10:55:42, on 25/11/2007
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16544)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\rddtewuc.exe
     C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
     C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\WINDOWS\System32\nvsvc32.exe
     C:\WINDOWS\system32\slserv.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\system32\notepad.exe
     C:\program files\quicktime\qttask.exe
     C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
     C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
     C:\WINDOWS\System32\svchost.exe
     C:\PROGRA~1\INCRED~1\bin\IMApp.exe
     C:\WINDOWS\system32\ntvdm.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
     O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
     O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [003d4957] rundll32.exe "C:\WINDOWS\system32\cybyapqv.dll",b
     O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
     O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
     O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
     O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
     O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
     O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195843694437
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O17 - HKLM\System\CCS\Services\Tcpip\..\{6D9FE285-075D-4A33-8981-5D0AEA8DE4ED}: NameServer = 192.168.0.1
     O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00E2A81.dat
     O23 - Service: DomainService - - C:\WINDOWS\system32\rddtewuc.exe
     O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
     O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     O23 - Service: Control Parental (OPTENET_FILTER) - Unknown owner - C:\Program Files\Controle Parental\bin\optproxy.exe (file missing)
     O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
     O24 - Desktop Component 1: PC-Aquarium Deluxe - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

     --
     End of file - 5332 bytes

     Thanks in advance, have a good Sunday. See you.
  3. Hello. Below is the scan report for the PC I have just bought, for which I would like the specialists' help, because I have big problems such as a start page set to hotinfolink.fr and suspicious activity on the ADSL line... Could you please tell me all the items to remove?

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 17:22:30, on 23/11/2007
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\program files\quicktime\qttask.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\system32\rddtewuc.exe
     C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
     C:\WINDOWS\System32\nvsvc32.exe
     C:\WINDOWS\system32\slserv.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
     O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
     O4 - HKLM\..\Run: [003d4957] rundll32.exe "C:\WINDOWS\system32\xiwvhfyd.dll",b
     O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [Office Monitor Word Exel R] C:\WINDOWS\system32\u.exe
     O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
     O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
     O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
     O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O17 - HKLM\System\CCS\Services\Tcpip\..\{6D9FE285-075D-4A33-8981-5D0AEA8DE4ED}: NameServer = 192.168.0.1
     O20 - AppInit_DLLs: c:\windows\system32\mlljghe.dll
     O23 - Service: DomainService - - C:\WINDOWS\system32\rddtewuc.exe
     O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
     O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     O23 - Service: Control Parental (OPTENET_FILTER) - Unknown owner - C:\Program Files\Controle Parental\bin\optproxy.exe (file missing)
     O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
     O24 - Desktop Component 1: PC-Aquarium Deluxe - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

     --
     End of file - 3044 bytes

     Many thanks in advance.