Posted (edited)

Hello everyone,

I am asking for your help with a PC I picked up. Advertising windows pop up while browsing and even outside the browser...

I turn to you to analyse this first HijackThis report and to guide me through a possible disinfection procedure:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:20:34, on 23/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\basfipm.exe

c:\har\sys\DVAgentDiva.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Program Files\OCS Inventory Agent\ocsservice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

c:\har\sys\xmu.exe

c:\har\sys\xservices.exe

C:\WINDOWS\TEMP\DV83CA.EXE

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Citrix\Client ICA\ssonsvr.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\fxsteller.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Citrix\Client ICA\pnagent.exe

C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\jlesavoureux\Bureau\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marteau-net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marteau-net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marteau-net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1036

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fourni par MARTEAU-SA

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O1 - Hosts: 82.98.231.89 url.adtrgt.com

O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net

O1 - Hosts: scanner.info

O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com

O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com

O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com

O1 - Hosts: 82.98.231.89 onlinenotifyq.net

O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com

O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {37B4A90A-3508-C148-08FD-00FA6AFC2B34} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {804eb704-6443-494c-802f-4628851b352b} - C:\WINDOWS\system32\wutilowu.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe

O4 - HKLM\..\Run: [legekurayo] Rundll32.exe "C:\WINDOWS\system32\bihomojo.dll",s

O4 - HKLM\..\Run: [ecd6bc64] rundll32.exe "C:\WINDOWS\system32\nifisito.dll",b

O4 - HKLM\..\Run: [CPMefe58ff8] Rundll32.exe "c:\windows\system32\lezaromo.dll",a

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: .protected

O4 - Global Startup: Agent Program Neighborhood.lnk = C:\Program Files\Citrix\Client ICA\pnagent.exe

O4 - Global Startup: Instant Update Reminder.lnk = ?

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Notification de signal d'appel U.S. Robotics.lnk = ?

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DOMAINE.local

O17 - HKLM\Software\..\Telephony: DomainName = DOMAINE.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DOMAINE.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DOMAINE.local

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\kataliwo.dll c:\windows\system32\lezaromo.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lezaromo.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lezaromo.dll

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Divalto Agent Diva (DVAgentDiva) - Unknown owner - c:\har\sys\DVAgentDiva.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: Scan en temps réel d'OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - PJ Naughter - C:\Program Files\OCS Inventory Agent\ocsservice.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Service d'écoute d'OfficeScan NT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

O23 - Service: Divalto XMU Version 5.6a (xmu) - Interlogiciel - c:\har\sys\xmu.exe

O23 - Service: Divalto services Diva (xservices) - Interlogiciel - c:\har\sys\xservices.exe

 

--

End of file - 9482 bytes

 

The O1 entries look quite suspicious to me, but I'll leave you the pleasure of pointing me in the right direction :P

++

Edited by Breezy
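As an added example (not code from the thread, from Zébulon or from HijackThis), here are the checks a helper makes first on a log like this one, automated in Python: O1 hosts lines that point at a remote address, registrations with no file behind them, and one DLL loaded from several autostart sections at once. The sample lines are copied from the report above; the 127.0.0.1 line is constructed.

```python
"""Triage helper for HijackThis v2 logs (added example, not HijackThis or
Zébulon code).

It reads the O1 (hosts file), O2 (BHO), O3 (toolbar), O4 (Run keys),
O20 (AppInit_DLLs), O21 (SSODL) and O22 (SharedTaskScheduler) lines and
reports what a helper checks first: hosts entries that send security or
advertising domains to a remote address, components registered with no file
behind them, and one DLL wired into several autostart locations at once.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log above, plus one made-up
# 127.0.0.1 hosts entry to show a legitimate blocklist line being ignored.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: (no name) - {37B4A90A-3508-C148-08FD-00FA6AFC2B34} - (no file)
O2 - BHO: (no name) - {804eb704-6443-494c-802f-4628851b352b} - C:\WINDOWS\system32\wutilowu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [legekurayo] Rundll32.exe "C:\WINDOWS\system32\bihomojo.dll",s
O4 - HKLM\..\Run: [CPMefe58ff8] Rundll32.exe "c:\windows\system32\lezaromo.dll",a
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\kataliwo.dll c:\windows\system32\lezaromo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lezaromo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lezaromo.dll
"""

LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Sections that load a DLL at logon or into every process.
LOAD_SECTIONS = {"O2", "O4", "O20", "O21", "O22"}
SECTION_RE = re.compile(r"^(O\d+) - ")
# A Windows path ending in .dll; stops at whitespace, quotes and commas so the
# rundll32 argument form  "C:\...\x.dll",s  yields only the path.
DLL_RE = re.compile(r'[a-z]:\\[^\s",]+\.dll', re.IGNORECASE)


def hosts_redirects(text):
    """Return (address, hostname) for O1 lines that do not map to a local address.

    A hosts entry pointing at 127.0.0.1 blocks a name; one pointing at a
    remote IP hands that name to whoever runs that server, here the names
    of ad networks and of the rogue antivirus products' own sites. A line
    with a hostname but no address is reported with '<no address>'.
    """
    hits = []
    for line in text.splitlines():
        m = re.match(r"^O1 - Hosts:\s+(.+)$", line)
        if not m:
            continue
        fields = m.group(1).split()
        if len(fields) == 1:
            hits.append(("<no address>", fields[0]))
        elif fields[0] not in LOCAL_ADDRESSES:
            hits.append((fields[0], fields[1]))
    return hits


def missing_file_entries(text):
    """O2/O3 registrations whose component is '(no file)': orphaned CLSIDs."""
    return [line for line in text.splitlines()
            if line.startswith(("O2 - ", "O3 - ")) and line.rstrip().endswith("(no file)")]


def dll_load_points(text):
    """Map each DLL path (lower-cased) to the set of sections that load it."""
    points = defaultdict(set)
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if not m or m.group(1) not in LOAD_SECTIONS:
            continue
        for dll in DLL_RE.findall(line):
            points[dll.lower()].add(m.group(1))
    return dict(points)


def multi_point_dlls(text, minimum=2):
    """DLLs loaded from at least `minimum` sections, most load points first.

    A DLL present in a Run key, AppInit_DLLs, SSODL and SharedTaskScheduler
    at once is back at the next logon if only one entry is removed, which is
    why every entry naming it has to go in the same fix.
    """
    ranked = [(dll, sorted(secs)) for dll, secs in dll_load_points(text).items()
              if len(secs) >= minimum]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for addr, host in hosts_redirects(SAMPLE_LOG):
        print(f"hosts redirect : {host} -> {addr}")
    for line in missing_file_entries(SAMPLE_LOG):
        print(f"orphaned entry : {line}")
    for dll, secs in multi_point_dlls(SAMPLE_LOG):
        print(f"multi-point DLL: {dll} loaded from {', '.join(secs)}")
```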

Posted

Hello Breezy, :P

The machine is indeed fairly infected (there's plenty of stuff in there). :P

Use S!ri's RHosts to restore your hosts file:

http://siri.urz.free.fr/RHosts.php

Download Malwarebytes' Anti-Malware (MBAM)

  • Double-click the downloaded file to start the installation.
  • In the "Update" tab, click the "Check for Updates" button: if the firewall asks whether MBAM may connect, allow it.
  • Once the update is finished, go to the "Scanner" tab.
  • Select "Perform quick scan"
  • Click "Scan"
  • The scan starts.
  • At the end of the scan (but it is not over yet), a message appears:
    The scan completed successfully. Click 'Show Results' to display all objects found.
    Click "OK" to continue. If MBAM found nothing, it will tell you so as well. Don't forget the rest. :P
  • Close your browsers.
  • If malware was detected, click Show Results.
    Select everything (or leave it checked) and click Remove Selected; MBAM will destroy the files and registry keys and put a copy in quarantine.
  • MBAM will open Notepad and copy the scan report into it. Copy and paste that report and post it in your next reply.

NB: If MBAM asks you to restart, do so.

Posted

Hello Falkra, and thank you for taking the time,

I restored the Hosts file using S!ri's tool :P

Now here is the MBAM report:

Malwarebytes' Anti-Malware 1.36

Version de la base de données: 2035

Windows 5.1.2600 Service Pack 3

 

24/04/2009 09:23:40

mbam-log-2009-04-24 (09-23-40).txt

 

Type de recherche: Examen rapide

Eléments examinés: 166245

Temps écoulé: 16 minute(s), 29 second(s)

 

Processus mémoire infecté(s): 1

Module(s) mémoire infecté(s): 5

Clé(s) du Registre infectée(s): 7

Valeur(s) du Registre infectée(s): 6

Elément(s) de données du Registre infecté(s): 6

Dossier(s) infecté(s): 5

Fichier(s) infecté(s): 126

 

Processus mémoire infecté(s):

C:\WINDOWS\fxsteller.exe (Backdoor.Bot) -> Unloaded process successfully.

 

Module(s) mémoire infecté(s):

C:\WINDOWS\system32\nifisito.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\wutilowu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\bihomojo.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\lezaromo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\kataliwo.dll (Trojan.Vundo.H) -> Delete on reboot.

 

Clé(s) du Registre infectée(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{804eb704-6443-494c-802f-4628851b352b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{804eb704-6443-494c-802f-4628851b352b} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{804eb704-6443-494c-802f-4628851b352b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Valeur(s) du Registre infectée(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecd6bc64 (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\legekurayo (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmefe58ff8 (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center (Backdoor.Bot) -> Quarantined and deleted successfully.

 

Elément(s) de données du Registre infecté(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lezaromo.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kataliwo.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kataliwo.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Dossier(s) infecté(s):

C:\Program Files\Ultimate Cleaner (Rogue.Ultimate.Cleaner) -> Quarantined and deleted successfully.

C:\Documents and Settings\EMBL\Application Data\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

C:\Documents and Settings\EMBL\Application Data\DriveCleaner 2006 Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Pro (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Application Data\AntiSpyware Pro (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

 

Fichier(s) infecté(s):

C:\WINDOWS\system32\fesumuye.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\eyumusef.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gigohefo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ofehogig.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nifisito.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\otisifin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pomijemo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\omejimop.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yujuhase.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\esahujuy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zizesabo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\obaseziz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bihomojo.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\lezaromo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\wutilowu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\kataliwo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\fxsteller.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\winslogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\iexploore.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wuleluzu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hejukuhe.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\krbclick1.exe (Trojan.Proxy) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tikupeve.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\damameni.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\damozibu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dejegima.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ftp_non_crp.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\legidonu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rugahojo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\taniduva.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winsetupgl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gakejuha.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gakejuha.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\giviminu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sizawiru.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nigedafa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hukunalo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ovfsthejbdyedsuqbvtmkxtakoldvbkfdjtdog.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ovfsthsntdxjyxewnkvfowhgdudbmpvljuydad.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\betinuni.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\betinuni.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\ovfsth.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Drivers\278d165b.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.

C:\paret2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\paretx2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\paretz2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\syszx.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\xdrer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\ovfsthtmcxgjeetr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\ovfsthygotpheunw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP000.TMP\hiddenx.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP001.TMP\hidd3nx.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP002.TMP\hidd1.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP003.TMP\hidd1.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP004.TMP\hidd1.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP005.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP006.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP007.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP008.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP009.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP010.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP011.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP012.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP013.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP014.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP015.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP016.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP036.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP017.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP018.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP019.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP020.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP021.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP022.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP023.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP024.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP025.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP026.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP027.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP028.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP029.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP030.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP031.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP032.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP033.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP034.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP035.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP037.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP038.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP039.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP040.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP041.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP042.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\IXP043.TMP\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\1A.tmp (Backdoor.Rustock) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\ms1239147009.exe (Trojan.Proxy) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\_A00FC237B03.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\3OUDJLE5\d[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\46TW971S\x[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\7AF8KT75\gg[1].jpg (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\7AF8KT75\gg[2].jpg (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\7C67PKNR\Web-MediaPlayer_setup[1].exe (Adware.Navipromo) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\7C67PKNR\f[1].jpg (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\7C67PKNR\f[2].jpg (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\8WWCGVH2\srm_free_setup[1].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\DKO8CJSL\d[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\OAI6UQJM\srm_free_setup[1].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\QIV1BRL6\gtg[1].jpg (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\YJAGNCSC\hidd3nx[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temporary Internet Files\Content.IE5\YJAGNCSC\bla[1].jpg (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Bureau\srm_free_setup.exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.

C:\Documents and Settings\EMBL\Application Data\DriveCleaner 2006 Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Pro\AntiSpyware Pro.db (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Pro\AntiSpywarePro.pkg (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Pro\prg.info (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Application Data\AntiSpyware Pro\conf.xml (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Application Data\AntiSpyware Pro\Sites.black (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ovfsthumofjpewdektarginyloclpksundqqhg.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ovfsthlwqltiqulvrqqgylvpbwbecxnmqbiofn.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ovfsthtjsylpjjcxoihujlaiclafwlswwmsgig.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c009E56F.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wibakihi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hajutuki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\etc\.protected (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\.protected (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\jlesavoureux\Local Settings\Temp\ovfsthypeqvcxngb.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

 

++

Posted

Wow, that's quite a haul! :P

Restart the machine, if you haven't already, and purge the caches with ATF-Cleaner, as follows:

Download ATF Cleaner (click) by Atribune.

  • Double-click ATF-Cleaner.exe to start the program.
    Under the Main tab, choose: Select All
    Click the Empty Selected button

If you use the Firefox browser:

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you want to keep your saved passwords, click No at the prompt.

If you use the Opera browser:

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you want to keep your saved passwords, click No at the prompt.

Click Exit, in the main menu, to quit the program.

Then post a new HijackThis report please; it should be better, at least as far as the ads go. :P

Posted

Yes, there was quite a collection of critters in there :P

 

Here is a new HijackThis log after running ATF-Cleaner:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:13:58, on 24/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\basfipm.exe

c:\har\sys\DVAgentDiva.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Program Files\OCS Inventory Agent\ocsservice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

c:\har\sys\xmu.exe

c:\har\sys\xservices.exe

C:\WINDOWS\TEMP\AJ4CD3.EXE

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Citrix\Client ICA\ssonsvr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Citrix\Client ICA\pnagent.exe

C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\jlesavoureux\Bureau\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marteau-net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marteau-net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marteau-net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1036

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fourni par MARTEAU-SA

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {37B4A90A-3508-C148-08FD-00FA6AFC2B34} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: .protected

O4 - Global Startup: Agent Program Neighborhood.lnk = C:\Program Files\Citrix\Client ICA\pnagent.exe

O4 - Global Startup: Instant Update Reminder.lnk = ?

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Notification de signal d'appel U.S. Robotics.lnk = ?

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DOMAINE.local

O17 - HKLM\Software\..\Telephony: DomainName = domaine.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DOMAINE.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DOMAINE.local

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: ,

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Divalto Agent Diva (DVAgentDiva) - Unknown owner - c:\har\sys\DVAgentDiva.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Scan en temps réel d'OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - PJ Naughter - C:\Program Files\OCS Inventory Agent\ocsservice.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Service d'écoute d'OfficeScan NT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

O23 - Service: Divalto XMU Version 5.6a (xmu) - Interlogiciel - c:\har\sys\xmu.exe

O23 - Service: Divalto services Diva (xservices) - Interlogiciel - c:\har\sys\xservices.exe

 

--

End of file - 8259 bytes

 

++

Posted

The advantage of ATF Cleaner is that there are no logs! :P

 

Things are better, and it shows. :P

 

Cleaning up leftovers and a little slimming down while we're at it! Relaunch HijackThis, click "Do a system scan only", then check the following and click the "Fix checked" button, bottom left:

O2 - BHO: (no name) - {37B4A90A-3508-C148-08FD-00FA6AFC2B34} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: .protected

O4 - Global Startup: Instant Update Reminder.lnk = ?

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

 

 

I don't see an antivirus? That's bad. :P

 

I advise you to install the free Antivir (now available in French), which is quite effective while staying light.

For Antivir, here is a direct download link (French version):

http://dl1.avgate.net/down/windows/antivir...n_winu_fr_h.exe

French tutorial on the French version 8: http://www.libellules.ch/tuto_antivir.php

The v9 in English is here too:

http://www.free-av.com/en/download/download_servers.php

 

After that, decline the full scan it offers; we'll do one ourselves, I'll post you the details. :P

 

We're almost done. :P
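As an added example (not part of this thread and not a HijackThis, MBAM or Zebulon tool), here is a small Python triage helper that applies the same rules the helper used above to lines of a HijackThis log: O2/O3 registrations whose file is gone ("(no file)"), Global Startup items with no program or shortcut extension or an unresolved target ("= ?"), processes or Run keys launched from a temp directory, and a non-empty AppInit_DLLs value. The sample lines are constructed from entries that appear in the logs of this thread; the names `triage`, `Finding` and `SAMPLE_LOG` are the example's own. Flagged lines are candidates to review, not verdicts.

```python
"""Added example: a triage helper for HijackThis-style log lines.
Not part of HijackThis, MBAM or this thread; it encodes the heuristics the
helper applied by hand so the same checks can be rerun on any log."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str    # the log line, verbatim
    reason: str  # why it was flagged


# "O2 - BHO: ..." / "R1 - HKCU\..."  ->  section prefix + body
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Directories from which a persistent process or autostart should rarely run.
TEMP_DIRS = ("/temp/", "/tmp/")

STARTUP_EXTENSIONS = (".lnk", ".exe", ".url", ".pif", ".bat")


def in_temp_dir(path: str) -> bool:
    """True when the path sits under a temp directory (case-insensitive)."""
    norm = path.lower().replace("\\", "/")
    return any(d in norm for d in TEMP_DIRS)


def check_o4(body: str) -> str | None:
    """Autostart entries: startup-folder items and Run keys."""
    location, _, target = body.partition(": ")
    if "startup" in location.lower():
        name, sep, resolved = target.partition(" = ")
        if sep and resolved.strip() == "?":
            return "startup shortcut whose target could not be resolved"
        if not name.lower().endswith(STARTUP_EXTENSIONS):
            return "startup item without a program or shortcut extension"
        if sep and in_temp_dir(resolved):
            return "startup shortcut pointing into a temp directory"
        return None
    # Run-key form: [Name] "C:\path\prog.exe" -args
    command = target.split("] ", 1)[1] if "] " in target else target
    if in_temp_dir(command):
        return "Run key launching a program from a temp directory"
    return None


def check_o20(body: str) -> str | None:
    """AppInit_DLLs: any DLL listed here is loaded into every GUI process."""
    _, _, value = body.partition(":")
    dlls = value.replace(",", " ").split()
    if dlls:
        return "AppInit_DLLs loads into every process: " + " ".join(dlls)
    return None  # "O20 - AppInit_DLLs: ," is an empty value, which is normal


def triage(log_text: str) -> list[Finding]:
    """Return the lines worth a second look, each with a reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_LINE.match(line)
        if m is None:
            # Bare paths under "Running processes:"
            if re.match(r"^[a-z]:\\", line, re.IGNORECASE) and in_temp_dir(line):
                findings.append(Finding(line, "process running from a temp directory"))
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section in ("O2", "O3") and "(no file)" in body.lower():
            reason = "registered CLSID whose DLL no longer exists (leftover to fix)"
        elif section == "O4":
            reason = check_o4(body)
        elif section == "O20":
            reason = check_o20(body)
        if reason:
            findings.append(Finding(line, reason))
    return findings


# Constructed sample built from entries that appear in the logs of this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\AJ4CD3.EXE

O2 - BHO: (no name) - {37B4A90A-3508-C148-08FD-00FA6AFC2B34} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - Global Startup: .protected
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Agent Program Neighborhood.lnk = C:\Program Files\Citrix\Client ICA\pnagent.exe
O20 - AppInit_DLLs: ,
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample it flags five lines (the temp-folder process, the two "(no file)" CLSIDs, `.protected` and the unresolved shortcut) and leaves the Google Toolbar BHO, the hkcmd Run key, the Citrix shortcut and the empty AppInit_DLLs value alone, which matches what was asked to be fixed above.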

Posted

Yes, it's better.

 

There is an antivirus: Trend Micro OfficeScan.

 

Here is a new log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:47:12, on 24/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\basfipm.exe

c:\har\sys\DVAgentDiva.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Program Files\OCS Inventory Agent\ocsservice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

c:\har\sys\xmu.exe

c:\har\sys\xservices.exe

C:\WINDOWS\TEMP\AJ4CD3.EXE

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Citrix\Client ICA\ssonsvr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Citrix\Client ICA\pnagent.exe

C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe

C:\Documents and Settings\jlesavoureux\Bureau\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marteau-net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marteau-net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marteau-net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1036

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fourni par MARTEAU-SA

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Agent Program Neighborhood.lnk = C:\Program Files\Citrix\Client ICA\pnagent.exe

O4 - Global Startup: Notification de signal d'appel U.S. Robotics.lnk = ?

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DOMAINE.local

O17 - HKLM\Software\..\Telephony: DomainName = domaine.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DOMAINE.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DOMAINE.local

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: ,

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Divalto Agent Diva (DVAgentDiva) - Unknown owner - c:\har\sys\DVAgentDiva.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Scan en temps réel d'OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - PJ Naughter - C:\Program Files\OCS Inventory Agent\ocsservice.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Service d'écoute d'OfficeScan NT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

O23 - Service: Divalto XMU Version 5.6a (xmu) - Interlogiciel - c:\har\sys\xmu.exe

O23 - Service: Divalto services Diva (xservices) - Interlogiciel - c:\har\sys\xservices.exe

 

--

End of file - 7430 bytes

 

++

Posted
There is an antivirus: Trend Micro OfficeScan.
I read a bit too fast. Well, not great as an antivirus, that said. :P

 

All of that is clean now. No more visible symptoms on your side?

Posted

It's a networked antivirus, what's more; all the machines in my fleet are equipped with this antivirus (it was there when I arrived :P ).

 

Otherwise, no more visible symptoms; the PC has regained some vitality, it's faster. Likewise, no more pop-up windows.

 

I uninstalled Google Toolbar (I don't trust it), and lightened the startup a bit.

 

A BIG thank you to you Falkra! We can always count on your Security team :P

 

Have a good end of the day and a good weekend!

 

++

 

I'm marking the post as "Resolved".

Posted

OK, well leave it then, you did well to tell me that (the network part). :P

 

Perfect, for Google Toolbar. Does this version of the antivirus include a firewall, or is there one via the network/router?

 

You can keep ATF-Cleaner, if you want. You can keep MBAM; it was very useful to you on this machine, and it is a tool for the general public, unlike some of the tools used to clean machines. The resident module (which runs in the background) is paid, but the program works in free mode, that module simply doesn't activate. So in its free version it coexists with everything, as an on-demand scanner. It won't interfere with the antivirus or any other program. :P

 

You can move to IE8, if that isn't something to be configured by a network admin:

http://www.microsoft.com/windows/internet-...er/default.aspx

 

You must keep your system and software up to date to avoid vulnerabilities.

Secunia's PSI can help you with that. https://psi.secunia.com/

JavaRa can help you with that for Java: http://raproducts.org/

JavaRa tutorial: http://www.libellules.ch/tuto_javara.php

 

Go to this Flash plugin configuration page.

Check the box "Notify me when an update to Adobe Flash Player is available", and set the check interval to the minimum, here 7 days.

Close the browser and go back to the page to confirm the setting was applied.

Here is a bit of reading, a compilation of advice to avoid reinfection and secure the machine.

 

A quick note on the risks of P2P in terms of software security (by Ogu):

img-103332veltm.jpg (click on the image).

 

Don't hesitate to ask questions; this part is as important as the disinfection.

You've already marked it resolved. :P
