Poulki

Aïe, désolé c'est trop tard, j'avais désinfecté la chose le vendredi matin déjà. J'y penserai la prochaine fois que je tombe sur quelque chose (en espérant que ce ne sera pas de si tôt).

Bonjour, Alors j'ai passé le Dr.Web CureIt qui a réussit à le dégager, parcontre j'ai du interrompre le scan complet, je le relancerai ce soir en partant du boulot pour vérifier qu'il n'en reste plus rien. En tout cas ce matin j'ai plus eu de message de l'antivirus qui détectait quelque chose avant. Sinon oui, pour l'antivirus c'est pas terrible effectivement, on me l'avait conseillé à l'époque quand j'en cherchais un pour notre petite structure au boulot. En tout cas merci beaucoup de ton aide, ça m'a bien rendu service, j'étais à 2 doigts de tout reformatter et tout réinstaller.

Résultat du scan avec SDFix, il ne m'a rien enlevé et il est toujours détecté après le redémarrage de windows. SDFix: Version 1.234 Run by Administrateur on 10.10.2008 at 09:52 Microsoft Windows XP [version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-10 10:14:03 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:2df9c43f "s2"=dword:110480d0 "h0"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\" "h0"=dword:00000000 "ujdew"=hex:f8,b7,3e,9a,41,d6,e7,24,8b,60,d9,75,28,05,65,f6,3e,b8,e2,e7,54,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\" "h0"=dword:00000000 "ujdew"=hex:f8,b7,3e,9a,41,d6,e7,24,8b,60,d9,75,28,05,65,f6,3e,b8,e2,e7,54,.. scanning hidden registry entries ... [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E178A9FB-9FE3-47A7-0423-3DEF69862686}] "oapmndmoaagjkgknddkbencmjpaofk"=hex:6a,61,6a,63,63,61,6a,69,63,6a,6d,66,65,62,64,6d,64,6a,61,6b,00,.. "pafmhclpcigihmmcanebjnjeplelompp"=hex:6a,61,6b,63,67,6b,6f,6d,63,62,61,64,69,66,6e,62,64,6d,62,70,00,.. scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Fichiers communs\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Fichiers communs\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server" "C:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"="C:\\Program Files\\CA\\eTrustITM\\InoRpc.exe:*:Enabled:eTrust ITM - RPC Service" "C:\\Program Files\\CA\\eTrustITM\\Realmon.exe"="C:\\Program Files\\CA\\eTrustITM\\Realmon.exe:*:Enabled:eTrust ITM - Realtime monitor" "C:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"="C:\\Program Files\\CA\\eTrustITM\\Shellscn.exe:*:Enabled:eTrust ITM - Shell Scanner" "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger" "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook" "C:\\Program Files\\Pando Networks\\Pando\\pando.exe"="C:\\Program Files\\Pando Networks\\Pando\\pando.exe:*:Enabled:Pando Application" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes" Remaining Files : Files with Hidden Attributes : Thu 19 Aug 2004 24,448 A.SHR --- "C:\NTBOOTDD.SYS" Mon 14 Apr 2008 933,888 ..SHR --- "C:\WINDOWS\system32\srmhost.exe" Wed 23 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\adicarlo\Application Data\U3\temp\Launchpad Removal.exe" Finished!

Bonjour, voici le résultat de chez virus total, c'est bien infecté : Fichier srmhost.exe reçu le 2008.10.10 09:29:08 (CET) Antivirus Version Dernière mise à jour Résultat AhnLab-V3 2008.10.10.1 2008.10.10 - AntiVir 7.8.1.34 2008.10.10 Worm/Rbot.933888.31 Authentium 5.1.0.4 2008.10.10 W32/Backdoor2.CUVJ Avast 4.8.1248.0 2008.10.09 Win32:SdBot-gen AVG 8.0.0.161 2008.10.09 BackDoor.RBot.AS BitDefender 7.2 2008.10.10 Backdoor.SDBot.DFVV CAT-QuickHeal 9.50 2008.10.10 Backdoor.SdBot.fwc ClamAV 0.93.1 2008.10.10 - DrWeb 4.44.0.09170 2008.10.10 BackDoor.IRC.Sdbot.2158 eSafe 7.0.17.0 2008.10.08 - eTrust-Vet 31.6.6139 2008.10.09 - Ewido 4.0 2008.10.09 - F-Prot 4.4.4.56 2008.10.10 W32/Backdoor2.CUVJ F-Secure 8.0.14332.0 2008.10.10 Backdoor.Win32.SdBot.hhq Fortinet 3.113.0.0 2008.10.10 PossibleThreat GData 19 2008.10.10 Backdoor.SDBot.DFVV Ikarus T3.1.1.34.0 2008.10.10 Backdoor.SdBot.DFVV K7AntiVirus 7.10.489 2008.10.09 Backdoor.Win32.SdBot.fwc Kaspersky 7.0.0.125 2008.10.10 Backdoor.Win32.SdBot.hhq McAfee 5402 2008.10.09 W32/Sdbot.worm Microsoft 1.4005 2008.10.10 Backdoor:Win32/Rbot.JE NOD32 3510 2008.10.10 probably a variant of Win32/SdBot Norman 5.80.02 2008.10.09 - Panda 9.0.0.4 2008.10.10 Generic Malware PCTools 4.4.2.0 2008.10.09 - Prevx1 V2 2008.10.10 Suspicious Rising 20.65.41.00 2008.10.10 Backdoor.Win32.Bot.d SecureWeb-Gateway 6.7.6 2008.10.10 Worm.Rbot.933888.31 Sophos 4.34.0 2008.10.10 Mal/Generic-A Sunbelt 3.1.1708.1 2008.10.10 Backdoor.Win32.Xhaker.i Symantec 10 2008.10.10 - TheHacker 6.3.1.0.105 2008.10.10 Backdoor/SdBot.hhq TrendMicro 8.700.0.1004 2008.10.10 - VBA32 3.12.8.6 2008.10.09 Backdoor.Win32.SdBot.hhq ViRobot 2008.10.10.1415 2008.10.10 - VirusBuster 4.5.11.0 2008.10.09 - Information additionnelle File size: 933888 bytes MD5...: 2db5452bd7f16d63937710dc479fac7c SHA1..: d1f6e10eb655650a342e2cf3f440c78468461d0a SHA256: c18e4bcabd2bb98e73ba75c8f75c507776dbab3b49461d873f1dac9cc27cb5a0 SHA512: d469a9c6a5cb13db4c8a5addc51edcc4ee8fd5250e564913e542eaa2055e3f2a<br>bee939c0517a232117abab96b94431aeae89baf8d1679643e40e7cc86525547a PEiD..: - TrID..: File type identification<br>Generic Win/DOS Executable (49.9%)<br>DOS Executable Generic (49.8%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%) PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x4a7000<br>timedatestamp.....: 0x48c19a13 (Fri Sep 05 20:44:03 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 8 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x26d66 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.rdata 0x28000 0xd982 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.data 0x36000 0x30a20 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.text1 0x67000 0x40000 0x3d000 7.97 bebe79d8bea55e105d9467bac2538868<br>.adata 0xa7000 0x10000 0xd000 7.01 fbc79b76d6bc6c773eaf71a0a262aad1<br>.data1 0xb7000 0x20000 0xc000 4.78 e6aea1667919b16f95341f84ddaa32fa<br>.pdata 0xd7000 0x90000 0x8c000 8.00 dd4141b266958c1285fb3d3a5186dbd1<br>.rsrc 0x167000 0x5b000 0x1000 0.50 e47f498acf8cab8626d9425cc6295af1<br><br>( 3 imports ) <br>> KERNEL32.dll: CreateThread, GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount, WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA, GlobalAddAtomW, GetModuleHandleA, GlobalFree, GlobalGetAtomNameA, GlobalDeleteAtom, GlobalGetAtomNameW, FreeConsole, GetEnvironmentVariableA, VirtualProtect, VirtualAlloc, GetProcAddress, GetLastError, LoadLibraryA, SetLastError, SetThreadPriority, GetCurrentThread, CreateProcessA, GetCommandLineA, GetStartupInfoA, SetEnvironmentVariableA, ReleaseMutex, WaitForSingleObject, CreateMutexA, OpenMutexA, SetErrorMode, GetCurrentThreadId, CreateFileA, FindClose, FindFirstFileA, FindFirstFileW, VirtualQueryEx, GetExitCodeProcess, ReadProcessMemory, VirtualProtectEx, UnmapViewOfFile, ContinueDebugEvent, SetThreadContext, GetThreadContext, WaitForDebugEvent, SuspendThread, DebugActiveProcess, ResumeThread, CreateProcessW, CloseHandle, GetStartupInfoW, MapViewOfFile, DuplicateHandle, GetCurrentProcess, CreateFileMappingA, WriteProcessMemory, ExitProcess, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetConsoleMode, GetConsoleCP, SetFilePointer, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, LCMapStringA, HeapSize, HeapReAlloc, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, RtlUnwind, DeleteCriticalSection, GetStdHandle, WriteFile, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, Sleep, EnterCriticalSection, LeaveCriticalSection, GetVersionExA, InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameW, GetShortPathNameW, GetModuleFileNameA, GetCommandLineW, GetShortPathNameA, GetSystemTimeAsFileTime, HeapFree, HeapAlloc, GetProcessHeap, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage<br>> USER32.dll: GetDesktopWindow, MoveWindow, SetPropA, EnumThreadWindows, GetPropA, GetMessageA, GetSystemMetrics, SetTimer, GetAsyncKeyState, KillTimer, BeginPaint, EndPaint, SetWindowTextA, GetDlgItem, CreateDialogIndirectParamA, ShowWindow, UpdateWindow, LoadStringA, LoadStringW, FindWindowA, WaitForInputIdle, MessageBoxA, InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcA, LoadCursorA, RegisterClassW, CreateWindowExW, RegisterClassA, CreateWindowExA, GetWindowThreadProcessId, SendMessageW, SendMessageA, PeekMessageA, TranslateMessage, DispatchMessageA, EnumWindows, IsWindowUnicode, PackDDElParam, PostMessageW, PostMessageA, IsWindow, DestroyWindow<br>> GDI32.dll: CreateDCA, CreateDIBitmap, CreateCompatibleDC, SelectObject, SelectPalette, RealizePalette, BitBlt, DeleteDC, DeleteObject, CreatePalette<br><br>( 0 exports ) <br> Prevx info: http://info.prevx.com/aboutprogramtext.asp...EF9F10081047777 packers (Avast): Armadillo Antivirus Version Dernière mise à jour Résultat AhnLab-V3 2008.10.10.1 2008.10.10 - AntiVir 7.8.1.34 2008.10.10 Worm/Rbot.933888.31 Authentium 5.1.0.4 2008.10.10 W32/Backdoor2.CUVJ Avast 4.8.1248.0 2008.10.09 Win32:SdBot-gen AVG 8.0.0.161 2008.10.09 BackDoor.RBot.AS BitDefender 7.2 2008.10.10 Backdoor.SDBot.DFVV CAT-QuickHeal 9.50 2008.10.10 Backdoor.SdBot.fwc ClamAV 0.93.1 2008.10.10 - DrWeb 4.44.0.09170 2008.10.10 BackDoor.IRC.Sdbot.2158 eSafe 7.0.17.0 2008.10.08 - eTrust-Vet 31.6.6139 2008.10.09 - Ewido 4.0 2008.10.09 - F-Prot 4.4.4.56 2008.10.10 W32/Backdoor2.CUVJ F-Secure 8.0.14332.0 2008.10.10 Backdoor.Win32.SdBot.hhq Fortinet 3.113.0.0 2008.10.10 PossibleThreat GData 19 2008.10.10 Backdoor.SDBot.DFVV Ikarus T3.1.1.34.0 2008.10.10 Backdoor.SdBot.DFVV K7AntiVirus 7.10.489 2008.10.09 Backdoor.Win32.SdBot.fwc Kaspersky 7.0.0.125 2008.10.10 Backdoor.Win32.SdBot.hhq McAfee 5402 2008.10.09 W32/Sdbot.worm Microsoft 1.4005 2008.10.10 Backdoor:Win32/Rbot.JE NOD32 3510 2008.10.10 probably a variant of Win32/SdBot Norman 5.80.02 2008.10.09 - Panda 9.0.0.4 2008.10.10 Generic Malware PCTools 4.4.2.0 2008.10.09 - Prevx1 V2 2008.10.10 Suspicious Rising 20.65.41.00 2008.10.10 Backdoor.Win32.Bot.d SecureWeb-Gateway 6.7.6 2008.10.10 Worm.Rbot.933888.31 Sophos 4.34.0 2008.10.10 Mal/Generic-A Sunbelt 3.1.1708.1 2008.10.10 Backdoor.Win32.Xhaker.i Symantec 10 2008.10.10 - TheHacker 6.3.1.0.105 2008.10.10 Backdoor/SdBot.hhq TrendMicro 8.700.0.1004 2008.10.10 - VBA32 3.12.8.6 2008.10.09 Backdoor.Win32.SdBot.hhq ViRobot 2008.10.10.1415 2008.10.10 - VirusBuster 4.5.11.0 2008.10.09 - Information additionnelle File size: 933888 bytes MD5...: 2db5452bd7f16d63937710dc479fac7c SHA1..: d1f6e10eb655650a342e2cf3f440c78468461d0a SHA256: c18e4bcabd2bb98e73ba75c8f75c507776dbab3b49461d873f1dac9cc27cb5a0 SHA512: d469a9c6a5cb13db4c8a5addc51edcc4ee8fd5250e564913e542eaa2055e3f2a<br>bee939c0517a232117abab96b94431aeae89baf8d1679643e40e7cc86525547a PEiD..: - TrID..: File type identification<br>Generic Win/DOS Executable (49.9%)<br>DOS Executable Generic (49.8%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%) PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x4a7000<br>timedatestamp.....: 0x48c19a13 (Fri Sep 05 20:44:03 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 8 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x26d66 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.rdata 0x28000 0xd982 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.data 0x36000 0x30a20 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.text1 0x67000 0x40000 0x3d000 7.97 bebe79d8bea55e105d9467bac2538868<br>.adata 0xa7000 0x10000 0xd000 7.01 fbc79b76d6bc6c773eaf71a0a262aad1<br>.data1 0xb7000 0x20000 0xc000 4.78 e6aea1667919b16f95341f84ddaa32fa<br>.pdata 0xd7000 0x90000 0x8c000 8.00 dd4141b266958c1285fb3d3a5186dbd1<br>.rsrc 0x167000 0x5b000 0x1000 0.50 e47f498acf8cab8626d9425cc6295af1<br><br>( 3 imports ) <br>> KERNEL32.dll: CreateThread, GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount, WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA, GlobalAddAtomW, GetModuleHandleA, GlobalFree, GlobalGetAtomNameA, GlobalDeleteAtom, GlobalGetAtomNameW, FreeConsole, GetEnvironmentVariableA, VirtualProtect, VirtualAlloc, GetProcAddress, GetLastError, LoadLibraryA, SetLastError, SetThreadPriority, GetCurrentThread, CreateProcessA, GetCommandLineA, GetStartupInfoA, SetEnvironmentVariableA, ReleaseMutex, WaitForSingleObject, CreateMutexA, OpenMutexA, SetErrorMode, GetCurrentThreadId, CreateFileA, FindClose, FindFirstFileA, FindFirstFileW, VirtualQueryEx, GetExitCodeProcess, ReadProcessMemory, VirtualProtectEx, UnmapViewOfFile, ContinueDebugEvent, SetThreadContext, GetThreadContext, WaitForDebugEvent, SuspendThread, DebugActiveProcess, ResumeThread, CreateProcessW, CloseHandle, GetStartupInfoW, MapViewOfFile, DuplicateHandle, GetCurrentProcess, CreateFileMappingA, WriteProcessMemory, ExitProcess, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetConsoleMode, GetConsoleCP, SetFilePointer, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, LCMapStringA, HeapSize, HeapReAlloc, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, RtlUnwind, DeleteCriticalSection, GetStdHandle, WriteFile, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, Sleep, EnterCriticalSection, LeaveCriticalSection, GetVersionExA, InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameW, GetShortPathNameW, GetModuleFileNameA, GetCommandLineW, GetShortPathNameA, GetSystemTimeAsFileTime, HeapFree, HeapAlloc, GetProcessHeap, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage<br>> USER32.dll: GetDesktopWindow, MoveWindow, SetPropA, EnumThreadWindows, GetPropA, GetMessageA, GetSystemMetrics, SetTimer, GetAsyncKeyState, KillTimer, BeginPaint, EndPaint, SetWindowTextA, GetDlgItem, CreateDialogIndirectParamA, ShowWindow, UpdateWindow, LoadStringA, LoadStringW, FindWindowA, WaitForInputIdle, MessageBoxA, InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcA, LoadCursorA, RegisterClassW, CreateWindowExW, RegisterClassA, CreateWindowExA, GetWindowThreadProcessId, SendMessageW, SendMessageA, PeekMessageA, TranslateMessage, DispatchMessageA, EnumWindows, IsWindowUnicode, PackDDElParam, PostMessageW, PostMessageA, IsWindow, DestroyWindow<br>> GDI32.dll: CreateDCA, CreateDIBitmap, CreateCompatibleDC, SelectObject, SelectPalette, RealizePalette, BitBlt, DeleteDC, DeleteObject, CreatePalette<br><br>( 0 exports ) <br> Prevx info: http://info.prevx.com/aboutprogramtext.asp...EF9F10081047777 packers (Avast): Armadillo

Bonjour, Alors après le scan j'ai viré les cookies ewido anti-spyware online scanner http://www.ewido.net __________________________________________________ Name: TrackingCookie.2o7 Path: C:\Documents and Settings\poulki\Cookies\poulki@2o7[1].txt Risk: Medium Name: TrackingCookie.Yieldmanager Path: C:\Documents and Settings\poulki\Cookies\poulki@ad.yieldmanager[2].txt Risk: Medium Name: TrackingCookie.Adrevolver Path: C:\Documents and Settings\poulki\Cookies\poulki@adrevolver[2].txt Risk: Medium Name: TrackingCookie.Adtech Path: C:\Documents and Settings\poulki\Cookies\poulki@adtech[1].txt Risk: Medium Name: TrackingCookie.Advertising Path: C:\Documents and Settings\poulki\Cookies\poulki@advertising[1].txt Risk: Medium Name: TrackingCookie.Adviva Path: C:\Documents and Settings\poulki\Cookies\poulki@adviva[1].txt Risk: Medium Name: TrackingCookie.Atdmt Path: C:\Documents and Settings\poulki\Cookies\poulki@atdmt[2].txt Risk: Medium Name: TrackingCookie.Bluestreak Path: C:\Documents and Settings\poulki\Cookies\poulki@bluestreak[1].txt Risk: Medium Name: TrackingCookie.Burstnet Path: C:\Documents and Settings\poulki\Cookies\poulki@burstnet[2].txt Risk: Medium Name: TrackingCookie.Casalemedia Path: C:\Documents and Settings\poulki\Cookies\poulki@casalemedia[2].txt Risk: Medium Name: TrackingCookie.Weborama Path: C:\Documents and Settings\poulki\Cookies\poulki@clinique.solution.weborama[2].txt Risk: Medium Name: TrackingCookie.Doubleclick Path: C:\Documents and Settings\poulki\Cookies\poulki@doubleclick[1].txt Risk: Medium Name: TrackingCookie.Estat Path: C:\Documents and Settings\poulki\Cookies\poulki@estat[1].txt Risk: Medium Name: TrackingCookie.Fastclick Path: C:\Documents and Settings\poulki\Cookies\poulki@fastclick[1].txt Risk: Medium Name: TrackingCookie.Webtrends Path: C:\Documents and Settings\poulki\Cookies\poulki@m.webtrends[1].txt Risk: Medium Name: TrackingCookie.Adrevolver Path: C:\Documents and Settings\poulki\Cookies\poulki@media.adrevolver[1].txt Risk: Medium Name: TrackingCookie.2o7 Path: C:\Documents and Settings\poulki\Cookies\poulki@msnportal.112.2o7[1].txt Risk: Medium Name: TrackingCookie.Weborama Path: C:\Documents and Settings\poulki\Cookies\poulki@pierrefabre.solution.weborama[2].txt Risk: Medium Name: TrackingCookie.Realmedia Path: C:\Documents and Settings\poulki\Cookies\poulki@realmedia[1].txt Risk: Medium Name: TrackingCookie.Revsci Path: C:\Documents and Settings\poulki\Cookies\poulki@revsci[2].txt Risk: Medium Name: TrackingCookie.Msn Path: C:\Documents and Settings\poulki\Cookies\poulki@search.msn[2].txt Risk: Medium Name: TrackingCookie.Smartadserver Path: C:\Documents and Settings\poulki\Cookies\poulki@smartadserver[2].txt Risk: Medium Name: TrackingCookie.Tacoda Path: C:\Documents and Settings\poulki\Cookies\poulki@tacoda[2].txt Risk: Medium Name: TrackingCookie.Tribalfusion Path: C:\Documents and Settings\poulki\Cookies\poulki@tribalfusion[1].txt Risk: Medium Name: TrackingCookie.Weborama Path: C:\Documents and Settings\poulki\Cookies\poulki@weborama[1].txt Risk: Medium Name: TrackingCookie.Zedo Path: C:\Documents and Settings\poulki\Cookies\poulki@zedo[2].txt Risk: Medium

Hello, alors voici ce qu'a trouvé Kasper après un scan sur ma machine : -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Thursday, October 9, 2008 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Wednesday, October 08, 2008 16:01:37 Records in database: 1299961 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ K:\ M:\ P:\ T:\ U:\ W:\ Y:\ Scan statistics: Files scanned: 493977 Threat name: 2 Infected objects: 2 Suspicious objects: 0 Duration of the scan: 10:18:43 File name / Threat name / Threats count C:\WINDOWS\system32\srmhost.exe/C:\WINDOWS\system32\srmhost.exe Infected: Backdoor.Win32.SdBot.hhq 1 C:\WINDOWS\system32\srmhost.exe Infected: Backdoor.Win32.SdBot.hhq 1 The selected area was scanned.

Alors après 1h43 de scan complet avec Malwarebytes, il n'a rien trouvé. Voici le log Malwarebytes' Anti-Malware 1.28 Version de la base de données: 1239 Windows 5.1.2600 Service Pack 3 07.10.2008 17:09:54 mbam-log-2008-10-07 (17-09-54).txt Type de recherche: Examen complet (C:\|) Eléments examinés: 338751 Temps écoulé: 1 hour(s), 43 minute(s), 55 second(s) Processus mémoire infecté(s): 0 Module(s) mémoire infecté(s): 0 Clé(s) du Registre infectée(s): 0 Valeur(s) du Registre infectée(s): 0 Elément(s) de données du Registre infecté(s): 0 Dossier(s) infecté(s): 0 Fichier(s) infecté(s): 0 Processus mémoire infecté(s): (Aucun élément nuisible détecté) Module(s) mémoire infecté(s): (Aucun élément nuisible détecté) Clé(s) du Registre infectée(s): (Aucun élément nuisible détecté) Valeur(s) du Registre infectée(s): (Aucun élément nuisible détecté) Elément(s) de données du Registre infecté(s): (Aucun élément nuisible détecté) Dossier(s) infecté(s): (Aucun élément nuisible détecté) Fichier(s) infecté(s): (Aucun élément nuisible détecté)

Bonjour, depuis 2 jours mon antivirus etrust me dit : Win32/Hostblock a été détecté dans C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOST. Après un scan complet je ne trouve rien. J'ai tenté de comprendre le résultat mais sans succès, et je n'ose enlever des choses de peur de planter mon système. Avez-vous une idée ? merci d'avance. Le log de Hijack : _______________________________________________________________________ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:24:08, on 07.10.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\etlisrv.exe C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe C:\Program Files\CA\eTrustITM\InoRpc.exe C:\Program Files\CA\eTrustITM\InoRT.exe C:\Program Files\CA\eTrustITM\InoTask.exe C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\CA\eTrustITM\realmon.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\srmhost.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe C:\WINDOWS\system32\etlitr50.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe C:\Program Files\Alcatel_PIMphony\aocphone.exe C:\Program Files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Download\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll O4 - HKLM\..\Run: [ATIPTA] "C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHIE~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [sound System] srmhost.exe O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\RunServices: [sound System] srmhost.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DeskSpace] C:\Program Files\DeskSpace\deskspace.exe O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S O4 - Startup: PIMphony.lnk = C:\Program Files\Alcatel_PIMphony\aocphone.exe O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: Ajouter au fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Barre RoboForm - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Convertir en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convertir la cible du lien en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convertir la cible du lien en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convertir la sélection en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convertir la sélection en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convertir les liens sélectionnés en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Enregistrer le formulaire - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O8 - Extra context menu item: Personnaliser le menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Remplir le formulaire - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Remplir - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Remplir le formulaire - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Enregistrer - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Enregistrer le formulaire - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: Barre RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: Barre RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215699433301 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mda.ch O17 - HKLM\Software\..\Telephony: DomainName = mda.ch O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mda.ch O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O23 - Service: Adobe Version Cue CS3 {fr_FR} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Program Files\Fichiers communs\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINDOWS\etlisrv.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe O23 - Service: Service RPC eTrust ITM (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe O23 - Service: Service en temps réel eTrust ITM (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe O23 - Service: Service des jobs eTrust ITM (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Fichiers communs\Logitech\Bluetooth\LBTServ.exe O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O24 - Desktop Component 1: Aqua Real 2 - AD0FABD2-7EAE-40B8-8F44-6FCFE6C883CD -- End of file - 13191 bytes