
Posted

Hello everyone,

I'm turning to you because I can't get rid of a piece of junk, and my antivirus sends me a pop-up every 5 minutes telling me that files are infected, .tmp files located in C:\WINDOWS\TEMP\. Except there are no temporary files in that folder.

The name of the virus/spyware it gives me is TSPY_ZBOT.SMB

I ran MBAM but it found nothing and the messages continue.

Can you help me?

Here is a HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:06:46, on 24/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\SafeNet\SoftRemote\IPSecMon.exe

C:\PROGRA~1\SafeNet\SoftRemote\IreIKE.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Program Files\OCS Inventory Agent\ocsservice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINDOWS\TEMP\FO33F0.EXE

C:\Program Files\Citrix\Client ICA\ssonsvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\RamBoost XP\rambxpfr.exe

C:\Program Files\SafeNet\SoftRemote\SafeCfg.exe

C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\PhotoJoy\bin\PjApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\alebreton\Bureau\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marteau-net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marteau-net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fourni par MARTEAU-SA

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoJoy] C:\Program Files\PhotoJoy\bin\PhotoJoy.exe /c

O4 - HKCU\..\Run: [RamBoostXp] C:\Program Files\RamBoost XP\rambxpfr.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

O4 - Global Startup: SoftRemote.lnk = C:\Program Files\SafeNet\SoftRemote\SafeCfg.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://marteau-net

O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://marteau-1:4343/officescan/console/h...ll/WinNTChk.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://marteau-1:4343/officescan/console/h...stall/setup.cab

O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://marteau-1:4343/officescan/console/h...root/AtxEnc.cab

O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://marteau-1:4343/officescan/console/h.../RemoveCtrl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1226581078596

O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://marteau-1:4343/officescan/console/h...root/AtxPie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DOMAINE.local

O17 - HKLM\Software\..\Telephony: DomainName = domaine.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DOMAINE.local

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\PROGRA~1\SafeNet\SoftRemote\IPSecMon.exe

O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\PROGRA~1\SafeNet\SoftRemote\IreIKE.exe

O23 - Service: Scan en temps réel d'OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://ocsinventory.sourceforge.net - C:\Program Files\OCS Inventory Agent\ocsservice.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: ServiceOMC - Alcatel - C:\WINDOWS\system32\ServiceOMC.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Service d'écoute d'OfficeScan NT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 8455 bytes

 

It's a work PC running Windows XP SP3.

++

Posted

Hi again,

 

I have news, and not good news for me...

I restarted my PC because it was becoming unusable, processes were launching by the dozen...

When my session starts I have nothing left: a black screen with only my Start menu, no more icons on the desktop. Security Tool installed itself on its own at startup, and I don't think that's a good sign...

++

Posted

hi :P

 

Can you manage to boot into Safe Mode with Networking?

If so, please post these reports =>

Download random's system information tool (RSIT) by random/random and save it to the Desktop.

  • Double-click RSIT.exe to launch RSIT.
  • Click Continue on the Disclaimer screen.
  • If HijackThis (up-to-date version) is not present or not detected on the computer, RSIT will download it and you will have to accept the license.
  • When the scan is finished, two text files will open. Post the contents of log.txt (<< which will be displayed)
    and of info.txt (<< which will be minimized in the Taskbar).
  • If you don't see these two reports, you will find them in the C:\rsit folder

I imagine you have another PC at hand? Don't connect the infected PC until it has been cleaned.

Posted

Hi Thanos, and thanks for taking the time,

So I have news since yesterday, because as you can imagine this is my work tool and I couldn't stay like that yesterday afternoon...

Let me pick up where I was, with my black screen and Security Tool. At that point I unplugged my PC from the network and ran a new MBAM scan, and apparently I did the right thing; here is my report:

 

 

Malwarebytes' Anti-Malware 1.41

Version de la base de données: 3217

Windows 5.1.2600 Service Pack 3

 

24/11/2009 14:46:28

mbam-log-2009-11-24 (14-46-28).txt

 

Type de recherche: Examen rapide

Eléments examinés: 119539

Temps écoulé: 8 minute(s), 2 second(s)

 

Processus mémoire infecté(s): 5

Module(s) mémoire infecté(s): 2

Clé(s) du Registre infectée(s): 4

Valeur(s) du Registre infectée(s): 18

Elément(s) de données du Registre infecté(s): 7

Dossier(s) infecté(s): 4

Fichier(s) infecté(s): 56

 

Processus mémoire infecté(s):

C:\Documents and Settings\All Users\Application Data\00510208\00510208.exe (Rogue.Multiple.H) -> Unloaded process successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\wstes.exe (Trojan.Dropper) -> Unloaded process successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\m4bvm0.exe (Trojan.Dropper) -> Unloaded process successfully.

C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

C:\WINDOWS\system32\photo_id.exe (Backdoor.Bot) -> Unloaded process successfully.

 

Module(s) mémoire infecté(s):

C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\b407g.dll (Trojan.Downloader) -> Delete on reboot.

 

Clé(s) du Registre infectée(s):

HKEY_CLASSES_ROOT\CLSID\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.Downloader) -> Delete on reboot.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wsnpoem.sys (Trojan.Agent) -> Quarantined and deleted successfully.

 

Valeur(s) du Registre infectée(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\photo_id (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67135123 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00510208 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg214-k641-12sf-n85p (Worm.Autorun.B) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup (Worm.Palevo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup (Worm.Palevo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\photo_id (Backdoor.Bot) -> Delete on reboot.

 

Elément(s) de données du Registre infecté(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\rdolib.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\rdolib.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Buzus) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Buzus) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\wsnpoema.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\wsnpoema.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsnpoema.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

 

Dossier(s) infecté(s):

C:\Documents and Settings\All Users\Application Data\00510208 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\67135123 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wsnpoema (Trojan.Agent) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.

 

Fichier(s) infecté(s):

C:\WINDOWS\system32\b407g.dll (Trojan.Zlob.H) -> Delete on reboot.

C:\WINDOWS\system32\photo_id.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\67135123\67135123.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\00510208\00510208.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\alebreton\Local Settings\Temp\wstes.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\m4bvm0.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.

C:\WINDOWS\TEMP\zon56h408.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\jqwqov.exe (Worm.Kolab) -> Quarantined and deleted successfully.

C:\tprd.exe (Worm.Kolab) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-3750038947-7591327235-823829694-1748\wnzip32.exe (Worm.Autorun.B) -> Delete on reboot.

C:\Documents and Settings\alebreton\Menu Démarrer\Programmes\Démarrage\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\djhig904.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rdolib.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mscert.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\m6ljou0k.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\SystemProfile\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Drivers\wsnpoem.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\ie244.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\lp5hpnp0.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rundll32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\lddzzfyd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\rundll32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\238.exe (Worm.Kolab) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\730.exe (Worm.Kolab) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\g7ai7ie.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temporary Internet Files\Content.IE5\1GU76S36\loaderadv563[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temporary Internet Files\Content.IE5\1GU76S36\pr3xy[1].exe (Worm.Kolab) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temporary Internet Files\Content.IE5\47XQ1J32\dktqrriwfx[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temporary Internet Files\Content.IE5\47XQ1J32\hjgguqee[1].htm (Worm.Kolab) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temporary Internet Files\Content.IE5\QGEM1H2O\atdnabbc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temporary Internet Files\Content.IE5\QGEM1H2O\jcmjwxthui[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wsnpoema\audio.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\wsnpoema\video.dll (Trojan.Agent) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Bureau\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Menu Démarrer\Programmes\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Menu Démarrer\Programmes\Démarrage\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wsnpoema.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\alebreton\Local Settings\Temp\BN12.tmp (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\alebreton\Local Settings\Temp\BN8.tmp (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\alebreton\Local Settings\Temp\BN9.tmp (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\alebreton\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\ccdrive32.exe (Worm.Palevo) -> Delete on reboot.

C:\WINDOWS\Temp\ie241.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\alebreton\photo_id.exe (Backdoor.Bot) -> Delete on reboot.

 

Once my PC restarted, nothing more. Everything went back to normal. To be safe I ran another MBAM scan and it found nothing. I don't know whether everything is really disinfected, so I'm waiting for your advice on what to do next.

One last thing: when I browse with Firefox, from time to time a new advertising tab opens. Is that related?

++

Posted

hi :P

 

This infection is particularly stubborn.... We'll still scan your PC with another tool, because we need to be certain it has really been removed. Above all, do this scan, and I advise against connecting your PC to the network until we're sure!

Right-click the following link and choose "Save Target As..." (in Firefox >> "Save Link As..."):

ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

  • When saving the file, rename it to launch.com, then save it to the Desktop
  • Double-click launch.com and then click Start scan;
  • Click Ok at the quick scan prompt. This scan checks the processes loaded in memory; if it finds infected processes, click the Yes button at the prompt.
    **Note: a window will open with options to "Order" or "50% off"; you can close it by clicking the "X"
  • The quick scan takes only a few minutes (progress shown at the bottom)
  • When the quick scan is finished, check/enable the "Complete scan" button (top left) and click the button with the green arrow on the right; the complete scan will begin.
  • If there are detections, the tool will offer you a choice of actions: click "Yes to all" for the proposed action (repair, quarantine or deletion).
  • ** The complete scan is rather long, so be patient. Keep an eye on the machine during the scan, because the tool stops its progress when there is a detection and waits for your choice of action.
  • *** If you suspect a detection may be false (a false positive), then click "No to all" and inform the volunteer helping you by giving them the name and location of the detected file.
  • At the end of the scan, the "Select all" button (bottom left) may be available: do not click it.
  • Now go to the "File" menu (top left) and choose "Save report"; save it to the Desktop. It will be in .csv format (readable with Excel or a similar program, otherwise Notepad can be used).
  • Copy/paste the contents of the report into your reply. Close the tool window by clicking the "X". If prompted "Do you really want to close the application?", click "Yes".

After that, disconnect the PC, then run the scan and post the generated report

Posted

Hi again,

Here is the report:

 

Processus en mémoire: C:\WINDOWS\System32\alg.exe:336;;BackDoor.Tdss.565;Eradiqué.;

1258817088[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4D274TYV;BackDoor.Tdss.based.3;Supprimé.;

cc-4ek_setup[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8D274XMR;Trojan.DownLoad.58335;Supprimé.;

djgtguhvvf[1].htm;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G9AJWXMZ;Trojan.PWS.Panda.187;Supprimé.;

dktqrriwfx[1].htm;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G9AJWXMZ;Trojan.Inject.7351;Supprimé.;

hjgguqee[1].htm;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KX2ZG9UV;Win32.HLLW.Lime.18;Supprimé.;

jcmjwxthui[1].htm;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KX2ZG9UV;Trojan.Packed.683;Supprimé.;

scandisk.dll;C:\WINDOWS\system32\config\systemprofile\Menu Démarrer\Programmes\Démarrage;Trojan.PWS.Panda.187;Supprimé.;

15.exe;C:\WINDOWS\system32\drivers;BackDoor.IRC.Bot.157;Supprimé.;

atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1133;Désinfecté.;

506.exe;C:\DOCUME~1\ALEBRE~1\LOCALS~1\Temp;Win32.HLLW.Lime.18;Supprimé.;

chug.exe;C:\DOCUME~1\ALEBRE~1\LOCALS~1\Temp;Trojan.Packed.12453;Irréparable.Quarantaine.;

UltraVNC-102-Setup-Fr[1].exe\data014;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0TMVWPUR\UltraVNC-102-Setup-Fr[1].ex;Program.RemoteAdmin.37;;

UltraVNC-102-Setup-Fr[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0TMVWPUR;L'archive contient des éléments infectés;;

vnchooks.dll;C:\Program Files\UltraVNC;Program.RemoteAdmin.4;;

vncviewer.exe;C:\Program Files\UltraVNC;Program.RemoteAdmin.37;;

msdrv32.exe;C:\WINDOWS;BackDoor.IRC.Bot.157;Supprimé.;

Process.exe;E:\Clé USB Dane-Elec\smitfraudfix\SmitfraudFix;Tool.Prockill;;

restart.exe;E:\Clé USB Dane-Elec\smitfraudfix\SmitfraudFix;Tool.ShutDown.14;;

Posted

OK.

Here's the report:

 

Logfile of random's system information tool 1.06 (written by random/random)

Run by alebreton at 2009-11-26 11:52:21

Microsoft Windows XP Professionnel Service Pack 3

System drive C: has 10 GB (49%) free of 20 GB

Total RAM: 1014 MB (54% free)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:52:43, on 26/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\SafeNet\SoftRemote\IPSecMon.exe

C:\PROGRA~1\SafeNet\SoftRemote\IreIKE.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Program Files\OCS Inventory Agent\ocsservice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINDOWS\TEMP\ME59BC.EXE

C:\Program Files\Citrix\Client ICA\ssonsvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\RamBoost XP\rambxpfr.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\SafeNet\SoftRemote\SafeCfg.exe

C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\alebreton\Bureau\RSIT.exe

C:\Documents and Settings\alebreton\Bureau\alebreton.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marteau-net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marteau-net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fourni par MARTEAU-SA

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [RamBoostXp] C:\Program Files\RamBoost XP\rambxpfr.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')

O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')

O4 - Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

O4 - Global Startup: SoftRemote.lnk = C:\Program Files\SafeNet\SoftRemote\SafeCfg.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://marteau-net

O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://marteau-1:4343/officescan/console/h...ll/WinNTChk.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://marteau-1:4343/officescan/console/h...stall/setup.cab

O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://marteau-1:4343/officescan/console/h...root/AtxEnc.cab

O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://marteau-1:4343/officescan/console/h.../RemoveCtrl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1226581078596

O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://marteau-1:4343/officescan/console/h...root/AtxPie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DOMAINE.local

O17 - HKLM\Software\..\Telephony: DomainName = domaine.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DOMAINE.local

O20 - Winlogon Notify: kbupdate - C:\WINDOWS\SYSTEM32\kbupdate.dll

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\PROGRA~1\SafeNet\SoftRemote\IPSecMon.exe

O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\PROGRA~1\SafeNet\SoftRemote\IreIKE.exe

O23 - Service: Scan en temps réel d'OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://ocsinventory.sourceforge.net - C:\Program Files\OCS Inventory Agent\ocsservice.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: ServiceOMC - Alcatel - C:\WINDOWS\system32\ServiceOMC.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Service d'écoute d'OfficeScan NT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 8588 bytes

 

======Scheduled tasks folder======

 

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-602609370-682003330-3742.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Apoint"=C:\Program Files\Apoint\Apoint.exe [2005-10-07 176128]

"OfficeScanNT Monitor"=C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [2007-12-11 710000]

"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"CursorXP"=C:\Program Files\CursorXP\CursorXP.exe [2005-01-19 128000]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

"RamBoostXp"=C:\Program Files\RamBoost XP\rambxpfr.exe [2004-03-09 1542144]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BEW-INTRANET-FR-30SessionManager]

C:\Program Files\OrangeBusinessServices\BEW\SessionManager\SessionManager.exe [2007-08-21 102400]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

bthprops.cpl,,BluetoothAuthenticationAgent []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

C:\WINDOWS\system32\WLTRAY.exe [2005-12-19 1347584]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DudeServer]

C:\Program Files\Dude\dude.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

C:\Documents and Settings\alebreton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-12 133104]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

C:\WINDOWS\system32\hkcmd.exe [2007-03-30 162584]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe [2004-09-13 172032]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

C:\WINDOWS\system32\igfxtray.exe [2007-03-30 138008]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

C:\WINDOWS\system32\igfxpers.exe [2007-03-30 138008]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoJoy]

C:\Program Files\PhotoJoy\bin\PhotoJoy.exe /c []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

C:\WINDOWS\stsystra.exe [2006-03-24 282624]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedRam2]

C:\PROGRA~1\SPEEDR~1\speedram.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^alebreton^Menu Démarrer^Programmes^Démarrage^Secunia PSI (RC3).lnk]

C:\PROGRA~1\Secunia\PSI(RC~1\psi.exe [2008-06-16 663552]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Agent Program Neighborhood.lnk]

C:\PROGRA~1\Citrix\CLIENT~1\pnagent.exe [2006-05-02 233744]

 

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage

SoftRemote.lnk - C:\Program Files\SafeNet\SoftRemote\SafeCfg.exe

 

C:\Documents and Settings\alebreton\Menu Démarrer\Programmes\Démarrage

Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

C:\WINDOWS\system32\igfxdev.dll [2007-03-30 204800]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kbupdate]

C:\WINDOWS\system32\kbupdate.dll [2009-11-24 17408]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"EnableLUA"=0

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\OrangeBusinessServices\BEW\Connectivity\ConnectivityManager.exe"="C:\Program Files\OrangeBusinessServices\BEW\Connectivity\ConnectivityManager.exe:*:enabled:CSS"

"C:\Program Files\UltraVNC\winvnc.exe"="C:\Program Files\UltraVNC\winvnc.exe:*:Disabled:Serveur VNC pour Win32"

"C:\Program Files\PCXTools\OMC\R600_14.1d\bin\omc.exe"="C:\Program Files\PCXTools\OMC\R600_14.1d\bin\omc.exe:*:Enabled:Configuration program for OmniPCX Office"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\LBreakout2Portable\App\lbreakout2\lbreakout2.exe"="C:\Program Files\LBreakout2Portable\App\lbreakout2\lbreakout2.exe:*:Enabled:LBreakout2"

"E:\Utilitaires\pengupop_pengupop_2.2.3_anglais_139546.exe"="E:\Utilitaires\pengupop_pengupop_2.2.3_anglais_139546.exe:*:Enabled:pengupop_pengupop_2.2.3_anglais_139546"

"C:\Program Files\PhotoJoy\Bin\PhotoJoy.exe"="C:\Program Files\PhotoJoy\Bin\PhotoJoy.exe:*:Enabled:PhotoJoy"

"C:\Program Files\PhotoJoy\Bin\PjApp.exe"="C:\Program Files\PhotoJoy\Bin\PjApp.exe:*:Enabled:PhotoJoy"

"C:\Documents and Settings\alebreton\Local Settings\Temp\chug.exe"="C:\Documents and Settings\alebreton\Local Settings\Temp\chug.exe:*:Enabled:bdlsnnnm"

"C:\Program Files\SafeNet\SoftRemote\IreIKE.exe"="C:\Program Files\SafeNet\SoftRemote\IreIKE.exe:*:Enabled:IreIke"

"C:\Program Files\SafeNet\SoftRemote\ViewLog.exe"="C:\Program Files\SafeNet\SoftRemote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"

"C:\Program Files\SafeNet\SoftRemote\CmonApp.exe"="C:\Program Files\SafeNet\SoftRemote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"

"C:\Program Files\SafeNet\SoftRemote\vpn.exe"="C:\Program Files\SafeNet\SoftRemote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\PCXTools\OMC\R600_14.1d\bin\omc.exe"="C:\Program Files\PCXTools\OMC\R600_14.1d\bin\omc.exe:*:Enabled:Configuration program for OmniPCX Office"

"C:\Program Files\PCXTools\OMC\R510_20.1a\bin\omc.exe"="C:\Program Files\PCXTools\OMC\R510_20.1a\bin\omc.exe:*:Enabled:Configuration program for OmniPCX Office"

"C:\Program Files\POPtm\POPtm.exe"="C:\Program Files\POPtm\POPtm.exe:*:Enabled:POPtm (Email connector)"

"C:\Program Files\OrangeBusinessServices\BEW\Connectivity\ConnectivityManager.exe"="C:\Program Files\OrangeBusinessServices\BEW\Connectivity\ConnectivityManager.exe:*:Enabled:ConnectivityManager"

"C:\Program Files\Dude\dude.exe"="C:\Program Files\Dude\dude.exe:*:Enabled:dude"

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"

"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"

"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\PhotoJoy\Bin\PjApp.exe"="C:\Program Files\PhotoJoy\Bin\PjApp.exe:*:Enabled:PhotoJoy"

"C:\Program Files\PhotoJoy\Bin\PjImp.exe"="C:\Program Files\PhotoJoy\Bin\PjImp.exe:*:Enabled:PhotoJoy"

"C:\Program Files\PhotoJoy\Bin\PhotoJoy.exe"="C:\Program Files\PhotoJoy\Bin\PhotoJoy.exe:*:Enabled:PhotoJoy"

"C:\WINDOWS\Temp\chug.exe"="C:\WINDOWS\Temp\chug.exe:*:Enabled:kgradlso"

"C:\WINDOWS\Temp\tmp24F.exe"="C:\WINDOWS\Temp\tmp24F.exe:*:Enabled:avvvuhej"

"C:\Documents and Settings\alebreton\Local Settings\Temp\chug.exe"="C:\Documents and Settings\alebreton\Local Settings\Temp\chug.exe:*:Enabled:expgsnma"

"C:\Program Files\SafeNet\SoftRemote\IreIKE.exe"="C:\Program Files\SafeNet\SoftRemote\IreIKE.exe:*:Enabled:IreIke"

"C:\Program Files\SafeNet\SoftRemote\ViewLog.exe"="C:\Program Files\SafeNet\SoftRemote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"

"C:\Program Files\SafeNet\SoftRemote\CmonApp.exe"="C:\Program Files\SafeNet\SoftRemote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"

"C:\Program Files\SafeNet\SoftRemote\vpn.exe"="C:\Program Files\SafeNet\SoftRemote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

 

======List of files/folders created in the last 1 months======

 

2009-11-26 11:52:21 ----D---- C:\rsit

2009-11-26 09:08:43 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$

2009-11-26 09:08:20 ----HDC---- C:\WINDOWS\$NtUninstallKB969084$

2009-11-26 09:08:17 ----D---- C:\WINDOWS\LastGood

2009-11-25 15:51:13 ----A---- C:\WINDOWS\imsins.BAK

2009-11-25 15:51:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$

2009-11-24 14:08:33 ----A---- C:\WINDOWS\logfile32.txt

2009-11-24 14:06:57 ----A---- C:\WINDOWS\system32\kbupdate.dll

2009-11-24 14:06:54 ----A---- C:\WINDOWS\system32\kbdatat3.dll

2009-11-24 14:06:52 ----A---- C:\WINDOWS\system32\crt4.dll

2009-11-24 14:05:50 ----A---- C:\WINDOWS\system32\stu2.exe

2009-11-13 09:03:14 ----D---- C:\WINDOWS\system32\WindowsPowerShell

2009-11-13 09:03:10 ----D---- C:\WINDOWS\system32\winrm

2009-11-13 09:02:42 ----D---- C:\WINDOWS\$NtUninstallKB968930$

2009-10-28 11:31:40 ----D---- C:\Documents and Settings\alebreton\Application Data\Foxit Software

 

======List of files/folders modified in the last 1 months======

 

2009-11-26 11:03:40 ----D---- C:\WINDOWS\security

2009-11-26 10:59:42 ----D---- C:\Program Files\OCS Inventory Agent

2009-11-26 09:14:22 ----D---- C:\Program Files\Mozilla Firefox

2009-11-26 09:08:48 ----HD---- C:\WINDOWS\inf

2009-11-26 09:08:47 ----D---- C:\WINDOWS

2009-11-26 09:08:45 ----D---- C:\WINDOWS\system32

2009-11-26 09:08:27 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-11-26 09:08:24 ----D---- C:\WINDOWS\system32\fr-fr

2009-11-26 09:08:23 ----D---- C:\WINDOWS\Temp

2009-11-26 09:08:15 ----D---- C:\WINDOWS\system32\CatRoot2

2009-11-26 09:07:43 ----D---- C:\Program Files\RamBoost XP

2009-11-26 09:07:30 ----D---- C:\WINDOWS\system32\inetsrv

2009-11-26 09:06:08 ----A---- C:\WINDOWS\cfgall.ini

2009-11-26 09:04:37 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-11-25 15:50:56 ----HD---- C:\WINDOWS\$hf_mig$

2009-11-25 15:50:55 ----D---- C:\WINDOWS\Prefetch

2009-11-25 15:50:44 ----SHD---- C:\WINDOWS\Installer

2009-11-25 15:50:41 ----D---- C:\WINDOWS\WinSxS

2009-11-25 14:26:26 ----D---- C:\WINDOWS\system32\drivers

2009-11-24 14:54:43 ----RD---- C:\Program Files

2009-11-24 14:53:47 ----SH---- C:\boot.ini

2009-11-24 14:53:47 ----N---- C:\WINDOWS\system.ini

2009-11-24 14:53:47 ----A---- C:\WINDOWS\win.ini

2009-11-24 14:46:27 ----SD---- C:\WINDOWS\Tasks

2009-11-24 14:23:03 ----D---- C:\WINDOWS\system32\Restore

2009-11-24 14:22:15 ----SHD---- C:\RECYCLER

2009-11-23 16:17:47 ----D---- C:\WINDOWS\Debug

2009-11-23 15:55:22 ----SHD---- C:\WINDOWS\CSC

2009-11-23 11:41:03 ----A---- C:\WINDOWS\CEGIDPGI.INI

2009-11-15 18:43:53 ----D---- C:\WINDOWS\system32\config

2009-11-13 09:07:53 ----RSD---- C:\WINDOWS\assembly

2009-11-13 09:07:53 ----D---- C:\WINDOWS\Microsoft.NET

2009-11-13 09:03:29 ----D---- C:\WINDOWS\Help

2009-11-13 09:03:10 ----D---- C:\WINDOWS\system32\wbem

2009-11-12 11:51:58 ----D---- C:\Program Files\Internet Explorer

2009-11-12 11:51:44 ----D---- C:\WINDOWS\ie8updates

2009-11-05 18:36:21 ----A---- C:\WINDOWS\system32\MRT.exe

2009-11-02 08:23:00 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-10-28 16:07:15 ----N---- C:\WINDOWS\system32\tzchange.exe

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R1 intelppm;Pilote de processeur Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 40576]

R1 IPSECDRV;SafeNet IPSec Plugin; \??\C:\WINDOWS\system32\Drivers\IPSECDRV.sys []

R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2007-11-30 85008]

R2 Crypto;Crypto; \??\C:\WINDOWS\system32\Drivers\Crypto.sys []

R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-04 12544]

R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []

R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys []

R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys []

R2 vnccom;vnccom; C:\WINDOWS\System32\Drivers\vnccom.SYS [2004-06-26 6016]

R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys []

R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2005-09-28 113847]

R3 AR5416;D-Link RangeBooster N 650 Service; C:\WINDOWS\system32\DRIVERS\ar5416.sys [2006-05-26 999808]

R3 Arp1394;Protocole client ARP 1394; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]

R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-08-17 44544]

R3 BthEnum;Service d'énumérateur Bluetooth; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]

R3 BTHMODEM;Pilote de communications modem Bluetooth; C:\WINDOWS\system32\DRIVERS\bthmodem.sys [2008-04-13 37888]

R3 BthPan;Périphérique Bluetooth (réseau personnel); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]

R3 BTHUSB;Pilote USB radio Bluetooth; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]

R3 CmBatt;Pilote pour Batterie à méthode de contrôle ACPI Microsoft; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]

R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2005-11-22 110080]

R3 DniVap;SafeNet WAN Miniport (VA); C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 36188]

R3 HDAudBus;Pilote de bus Microsoft UAA pour High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]

R3 HidBth;Miniport HID Microsoft Bluetooth; C:\WINDOWS\system32\DRIVERS\hidbth.sys [2008-04-13 25856]

R3 HidUsb;Pilote de classe HID Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-09-13 51088]

R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-09-13 16496]

R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-09-13 21744]

R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys [2005-12-01 936960]

R3 HSXHWAZL;HSXHWAZL; C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys [2005-12-01 192512]

R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-03-30 5704672]

R3 mouhid;Pilote HID de souris; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12288]

R3 NIC1394;Pilote réseau 1394; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]

R3 RFCOMM;Périphérique Bluetooth (TDI protocole RFCOMM); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]

R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-03-24 1156648]

R3 usbccgp;Pilote parent générique USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

R3 usbehci;Pilote miniport de contrôleur d'hôte amélioré Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;Pilote de concentrateur standard USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 usbprint;Classe d'imprimantes USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

R3 usbuhci;Pilote miniport de contrôleur hôte universel USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]

R3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 4736]

R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-01 669696]

S1 kbdhid;Pilote HID de clavier; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14720]

S3 BCM43XX;Pilote de la carte réseau local sans fil Wireless de Dell; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-11-02 424320]

S3 BTHPORT;Pilote de port Bluetooth; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-14 272768]

S3 CCDECODE;Décodeur sous-titre fermé; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]

S3 cpuz130;cpuz130; \??\C:\DOCUME~1\ALEBRE~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []

S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []

S3 GTF32BUS;GT F32 BUS; C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2007-01-15 35200]

S3 GTPTSER;GT PT SER; C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-01-15 8064]

S3 GTSCSER;GT SC SER; C:\WINDOWS\system32\DRIVERS\gtscser.sys [2007-03-08 21248]

S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2008-10-16 101504]

S3 MSTEE;Convertisseur en T/site-à-site de répartition Microsoft; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]

S3 NABTSFEC;Codec NABTS/FEC VBI; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]

S3 NdisIP;Connection TV/vidéo Microsoft; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]

S3 nm;Pilote du Moniteur réseau; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]

S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2008-12-23 50704]

S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\NSNDIS5.SYS []

S3 PCAMPR5;PCAMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCAMPR5.SYS []

S3 PCANDIS5;PCANDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCANDIS5.SYS []

S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]

S3 PSI;PSI; C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-06-16 7808]

S3 RimUsb;Appareil BlackBerry; C:\WINDOWS\System32\Drivers\RimUsb.sys []

S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-06-30 26752]

S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-05 5888]

S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\Sandra.sys []

S3 SLIP;Détrameur décalage BDA; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]

S3 SoC PC-Camera Service;SoC PC-Camera; C:\WINDOWS\system32\DRIVERS\pfc027.sys [2003-12-08 123276]

S3 SONYPVU1;Pilote de filtrage Sony USB (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]

S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []

S3 USBSTOR;Pilote de stockage de masse USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

S3 W8335XP;Marvell Libertas 802.11b/g Driver for Windows XP (8335); C:\WINDOWS\system32\DRIVERS\Mrvw125.sys [2006-11-16 282240]

S3 WSTCODEC;Codec Teletext standard; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

S4 sr;Pilote de filtre de restauration système; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73600]

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

R2 FTRTSVC;France Telecom Routing Table Service; C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe [2007-08-30 65536]

R2 IISADMIN;Administration IIS; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15872]

R2 IPSECMON;SafeNet Monitor Service; C:\PROGRA~1\SafeNet\SoftRemote\IPSecMon.exe [2006-05-01 65590]

R2 IreIKE;SafeNet IKE Service; C:\PROGRA~1\SafeNet\SoftRemote\IreIKE.exe [2006-05-01 405554]

R2 MSFtpsvc;Publication FTP; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15872]

R2 ntrtscan;Scan en temps réel d'OfficeScanNT; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2007-12-11 779632]

R2 OCS INVENTORY;OCS INVENTORY SERVICE; C:\Program Files\OCS Inventory Agent\ocsservice.exe [2007-02-27 61440]

R2 tmlisten;Service d'écoute d'OfficeScan NT; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [2007-12-11 808304]

R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-12-19 18944]

R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

S2 spupdsvc;Windows Service Pack Installer update service; C:\WINDOWS\system32\spupdsvc.exe [2009-06-16 26144]

S3 aspnet_state;Service d'état ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S3 HP Port Resolver;HP Port Resolver; C:\WINDOWS\system32\hpbpro.exe [2004-09-13 77824]

S3 HP Status Server;HP Status Server; C:\WINDOWS\system32\hpboid.exe [2004-09-13 73728]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]

S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 ose;Office Source Engine; C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-03-18 65536]

S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2008-12-23 117264]

S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-06-02 637952]

S3 ServiceOMC;ServiceOMC; C:\WINDOWS\system32\ServiceOMC.exe [2007-05-22 73728]

S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe [2009-08-13 79360]

S3 TmProxy;OfficeScan NT Proxy Service; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [2007-11-30 558416]

S3 WinRM;Windows Remote Management (WS-Management); C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

S3 WMPNetworkSvc;Service Partage réseau du Lecteur Windows Media; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]

S4 NetTcpPortSharing;Service de partage de ports Net.Tcp; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

 

-----------------EOF-----------------

 

The ads in Firefox are gone, and there are no other signs of infection; I think we're on the right track.

Posted

ok!

 

I'd like you, please, to have a file analysed that I have no information about >

 

Go to this address => http://www.virustotal.com/

 

There is a box named "Parcourir" (Browse): click it and a window opens => copy/paste this into the field to the right of "Nom du Fichier" (File name) at the bottom of the page >> C:\WINDOWS\system32\kbupdate.dll

 

Now click "ouvrir" (Open) at the bottom of the window, then "Envoyer le fichier" (Send file). The scan of this file will begin. All you have to do then is select, then copy/paste the analysis into your next message.

Note: uploaded files are queued, because the virus scanner is in heavy demand! Be patient (a message tells you how long the analysis will take).

 

Note: sometimes the file has already been analysed. If that is the case, click the "Reanalyse file now" button.

 

Please do the same with these files =>

 

C:\WINDOWS\system32\kbdatat3.dll

C:\WINDOWS\system32\crt4.dll

C:\WINDOWS\system32\stu2.exe

 

Post the reports: we need to make sure they don't constitute a threat :P
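As an added example (not code from the thread, from RSIT or from VirusTotal), here is how the helper's choice of files to check can be reproduced mechanically from the log posted above: it flags O20 Winlogon Notify DLLs, firewall "authorized applications" that live in a Temp folder, and files created in system32 during the reporting window, then highlights anything appearing in more than one list. The function names and the SAMPLE_LOG excerpt are my own constructions.

```python
"""Triage of an RSIT/HijackThis-style log: flag Winlogon Notify DLLs, firewall
exceptions living in a Temp folder, and files created in system32 this month."""
import re
from typing import Dict, List

# Constructed excerpt of the RSIT log posted in the thread (raw string: single backslashes).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: kbupdate - C:\WINDOWS\SYSTEM32\kbupdate.dll
======Registry dump======
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\WINDOWS\Temp\chug.exe"="C:\WINDOWS\Temp\chug.exe:*:Enabled:kgradlso"
"C:\Documents and Settings\alebreton\Local Settings\Temp\chug.exe"="C:\Documents and Settings\alebreton\Local Settings\Temp\chug.exe:*:Enabled:expgsnma"
"C:\Program Files\SafeNet\SoftRemote\vpn.exe"="C:\Program Files\SafeNet\SoftRemote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"
======List of files/folders created in the last 1 months======
2009-11-26 11:52:21 ----D---- C:\rsit
2009-11-24 14:06:57 ----A---- C:\WINDOWS\system32\kbupdate.dll
2009-11-24 14:06:54 ----A---- C:\WINDOWS\system32\kbdatat3.dll
2009-11-24 14:06:52 ----A---- C:\WINDOWS\system32\crt4.dll
2009-11-24 14:05:50 ----A---- C:\WINDOWS\system32\stu2.exe
2009-11-13 09:03:14 ----D---- C:\WINDOWS\system32\WindowsPowerShell
======List of files/folders modified in the last 1 months======
2009-11-05 18:36:21 ----A---- C:\WINDOWS\system32\MRT.exe
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
FW_RE = re.compile(r'^"([^"]+)"="([^"]+)"$')
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (-{4}[A-Z]*-{4}) (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def _section(log: str, title_prefix: str) -> List[str]:
    """Non-empty lines under the ====== header that starts with title_prefix."""
    lines: List[str] = []
    inside = False
    for line in log.splitlines():
        if line.startswith("======"):
            inside = line.startswith(title_prefix)
            continue
        if inside and line.strip():
            lines.append(line)
    return lines


def winlogon_notify_dlls(log: str) -> List[str]:
    """Paths of DLLs registered under Winlogon\\Notify (O20 lines)."""
    return [m.group(2) for line in log.splitlines() if (m := O20_RE.match(line))]


def firewall_exceptions_in_temp(log: str) -> List[Dict[str, str]]:
    """Authorized-application entries whose executable path contains a Temp folder."""
    hits: List[Dict[str, str]] = []
    in_fw_key = False
    for line in log.splitlines():
        if line.startswith("["):  # a new registry key header
            in_fw_key = "authorizedapplications" in line.lower()
            continue
        m = FW_RE.match(line) if in_fw_key else None
        if not m:
            continue
        # Value format is path:scope:state:name; the path itself contains "C:", so split from the right.
        parts = m.group(2).rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        if "\\temp\\" in path.lower():
            hits.append({"path": path, "scope": scope, "state": state, "name": name})
    return hits


def recent_files_in_system32(log: str) -> List[str]:
    """Files (attribute token without D) created under system32 in the reporting window."""
    out: List[str] = []
    for line in _section(log, "======List of files/folders created"):
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(2), m.group(3)
        if "D" in attrs:  # directory, not a file
            continue
        if path.lower().startswith(SYSTEM32):
            out.append(path)
    return out


def triage(log: str) -> Dict[str, List[str]]:
    """Combine the three checks; 'recent_and_persistent' is the highest-priority list."""
    notify = winlogon_notify_dlls(log)
    recent = recent_files_in_system32(log)
    recent_lc = {p.lower() for p in recent}
    return {
        "winlogon_notify": notify,
        "recent_system32_files": recent,
        "temp_firewall_exceptions": [h["path"] for h in firewall_exceptions_in_temp(log)],
        "recent_and_persistent": [p for p in notify if p.lower() in recent_lc],
    }
```

Run against the full log rather than the excerpt and the four files the helper asked about come out of `recent_system32_files`, with kbupdate.dll alone in `recent_and_persistent`.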

Posted

So here is what it gives; I hope I've sent you the right information and, above all, that it's readable :P

 

C:\WINDOWS\system32\kbupdate.dll

 

Fichier kbupdate.dll reçu le 2009.11.26 13:01:23 (UTC)

Antivirus Version Dernière mise à jour Résultat

a-squared 4.5.0.43 2009.11.26 -

AhnLab-V3 5.0.0.2 2009.11.26 -

AntiVir 7.9.1.78 2009.11.26 -

Antiy-AVL 2.0.3.7 2009.11.26 -

Authentium 5.2.0.5 2009.11.26 -

Avast 4.8.1351.0 2009.11.26 -

AVG 8.5.0.425 2009.11.26 -

BitDefender 7.2 2009.11.26 -

CAT-QuickHeal 10.00 2009.11.26 -

ClamAV 0.94.1 2009.11.26 -

Comodo 3043 2009.11.26 -

DrWeb 5.0.0.12182 2009.11.26 -

eSafe 7.0.17.0 2009.11.24 -

eTrust-Vet 35.1.7143 2009.11.26 -

F-Prot 4.5.1.85 2009.11.25 -

F-Secure 9.0.15370.0 2009.11.24 -

Fortinet 4.0.14.0 2009.11.26 -

GData 19 2009.11.26 -

Ikarus T3.1.1.74.0 2009.11.26 -

Jiangmin 11.0.800 2009.11.26 -

K7AntiVirus 7.10.905 2009.11.25 -

Kaspersky 7.0.0.125 2009.11.26 -

McAfee 5813 2009.11.25 -

McAfee+Artemis 5813 2009.11.25 -

McAfee-GW-Edition 6.8.5 2009.11.26 -

Microsoft 1.5302 2009.11.26 -

NOD32 4638 2009.11.26 -

Norman 6.03.02 2009.11.25 -

nProtect 2009.1.8.0 2009.11.26 -

Panda 10.0.2.2 2009.11.25 -

PCTools 7.0.3.5 2009.11.26 -

Prevx 3.0 2009.11.26 -

Rising 22.23.03.10 2009.11.26 -

Sophos 4.48.0 2009.11.26 -

Sunbelt 3.2.1858.2 2009.11.26 -

Symantec 1.4.4.12 2009.11.26 -

TheHacker 6.5.0.2.078 2009.11.25 -

TrendMicro 9.100.0.1001 2009.11.26 -

VBA32 3.12.12.0 2009.11.26 -

ViRobot 2009.11.26.2056 2009.11.26 -

VirusBuster 5.0.21.0 2009.11.25 -

Information additionnelle

File size: 17408 bytes

MD5...: 1d9f231c1eba100f88506592f5a6de9b

SHA1..: ffd1c86000164970c10a78d1a0ffeae01a89dfd3

SHA256: 473a0e7c113927f44a416850006668111ee40dd2ca47f00bdc759ba7c49d268e

ssdeep: 384:HRdCy/MqlWGmQm9uNG5oo8Df6bNN5AzXydZf:fCy0qlfmQ3CNNmIZ

PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4074
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x3094 0x3200 6.40 101fb77838671447150332a4c47e89dc
DATA 0x5000 0xc4 0x200 2.03 be1ab021123544153802017346d4ea68
BSS 0x6000 0x675 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x7000 0x5a8 0x600 4.21 d07aa5fe2ff5a6a9b710484d1c07340e
.edata 0x8000 0x54 0x200 0.86 4ea167a9702297efe5c351bde2437193
.reloc 0x9000 0x3a8 0x400 6.38 1bbf87f2d56a407402d06abd92da24a5

( 7 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, MessageBoxA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
> advapi32.dll: OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
> kernel32.dll: lstrlenA, lstrcmpiA, lstrcatA, UnmapViewOfFile, Sleep, ReadFile, OpenProcess, OpenEventA, MapViewOfFile, GetSystemDirectoryA, GetProcAddress, GetModuleHandleA, GetLastError, GetFileSize, GetCurrentProcess, DisableThreadLibraryCalls, DeleteFileA, CreateFileMappingA, CreateFileA, CloseHandle
> user32.dll: CharUpperBuffA

( 1 exports )
WinlogonStartupEvent

RDS...: NSRL Reference Data Set
-

pdfid.: -

trid..: Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

 

C:\WINDOWS\system32\kbdatat3.dll

 

Fichier kbdatat3.dll reçu le 2009.11.26 13:09:44 (UTC)

Antivirus Version Dernière mise à jour Résultat

a-squared 4.5.0.43 2009.11.26 Backdoor.Win32.Lukicsel!IK

AhnLab-V3 5.0.0.2 2009.11.26 -

AntiVir 7.9.1.78 2009.11.26 -

Antiy-AVL 2.0.3.7 2009.11.26 -

Authentium 5.2.0.5 2009.11.26 -

Avast 4.8.1351.0 2009.11.26 -

AVG 8.5.0.425 2009.11.26 -

BitDefender 7.2 2009.11.26 -

CAT-QuickHeal 10.00 2009.11.26 -

ClamAV 0.94.1 2009.11.26 -

Comodo 3043 2009.11.26 -

DrWeb 5.0.0.12182 2009.11.26 -

eSafe 7.0.17.0 2009.11.24 -

eTrust-Vet 35.1.7143 2009.11.26 -

F-Prot 4.5.1.85 2009.11.25 -

F-Secure 9.0.15370.0 2009.11.24 -

Fortinet 4.0.14.0 2009.11.26 -

GData 19 2009.11.26 -

Ikarus T3.1.1.74.0 2009.11.26 Backdoor.Win32.Lukicsel

Jiangmin 11.0.800 2009.11.26 -

K7AntiVirus 7.10.905 2009.11.25 -

Kaspersky 7.0.0.125 2009.11.26 -

McAfee 5813 2009.11.25 -

McAfee+Artemis 5813 2009.11.25 -

McAfee-GW-Edition 6.8.5 2009.11.26 -

Microsoft 1.5302 2009.11.26 -

NOD32 4638 2009.11.26 -

Norman 6.03.02 2009.11.25 -

nProtect 2009.1.8.0 2009.11.26 -

Panda 10.0.2.2 2009.11.25 -

PCTools 7.0.3.5 2009.11.26 -

Prevx 3.0 2009.11.26 -

Rising 22.23.03.10 2009.11.26 -

Sophos 4.48.0 2009.11.26 -

Sunbelt 3.2.1858.2 2009.11.26 -

Symantec 1.4.4.12 2009.11.26 -

TheHacker 6.5.0.2.078 2009.11.25 -

TrendMicro 9.100.0.1001 2009.11.26 -

VBA32 3.12.12.0 2009.11.26 -

ViRobot 2009.11.26.2056 2009.11.26 -

VirusBuster 5.0.21.0 2009.11.25 -

Information additionnelle

File size: 97280 bytes

MD5...: 801b51a08f0a9af84e735946d06bf94a

SHA1..: e4586a8dec2fe9598665d64f87579ffff08a32c4

SHA256: 701a2d399eb86cc1224d789d15590b986e4fc8ae56589385a31e0f316466c4ad

ssdeep: 1536:V5JDqcQDM5q12pn2wOqI2m33B3n06t5nd3D7JDykQSFVEPKeLGPbI1gOLH7f4ruI:VzWga2fO1n3x3/5n9fJDykQSrEFiPc1y

PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x146b8
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x136d0 0x13800 6.43 d932c64dd019ed8207e804a111f6c4dd
DATA 0x15000 0x598 0x600 4.00 45e3895ad5b34037525a2d16373b4151
BSS 0x16000 0xa31 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x17000 0xb72 0xc00 4.57 01a2e6530ff2a223472e54efaae255f4
.edata 0x18000 0x72 0x200 1.19 83963df95646021d8cb520892c70d602
.reloc 0x19000 0x18a8 0x1a00 6.50 054b795c1b9c27ad5e89d66791ce80e9
.rsrc 0x1b000 0x2000 0x1200 3.31 f4acbbc402ad6607766ae661823297c9

( 11 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegCreateKeyA, RegCloseKey
> kernel32.dll: WriteFile, WaitForSingleObject, VirtualQuery, Sleep, SetFilePointer, SetEvent, SetEndOfFile, ResetEvent, ReadFile, LeaveCriticalSection, InitializeCriticalSection, GetVersionExA, GetThreadLocale, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCPInfo, GetACP, FormatMessageA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> user32.dll: MessageBoxA, LoadStringA, GetSystemMetrics, CharNextA, CharToOemA
> kernel32.dll: Sleep
> ws2_32.dll: __WSAFDIsSet, WSAGetLastError, WSACleanup, WSAStartup, gethostbyname, socket, shutdown, send, select, recv, inet_ntoa, inet_addr, htons, getsockopt, getsockname, ioctlsocket, connect, closesocket
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit

( 3 exports )
kbdatat3c, kbdatat3s, kbdatat3st

RDS...: NSRL Reference Data Set
-

pdfid.: -

trid..: Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

 

C:\WINDOWS\system32\crt4.dll

 

Fichier crt4.dll reçu le 2009.11.26 13:11:29 (UTC)

Antivirus Version Dernière mise à jour Résultat

a-squared 4.5.0.43 2009.11.26 -

AhnLab-V3 5.0.0.2 2009.11.26 -

AntiVir 7.9.1.78 2009.11.26 -

Antiy-AVL 2.0.3.7 2009.11.26 -

Authentium 5.2.0.5 2009.11.26 -

Avast 4.8.1351.0 2009.11.26 -

AVG 8.5.0.425 2009.11.26 -

BitDefender 7.2 2009.11.26 -

CAT-QuickHeal 10.00 2009.11.26 -

ClamAV 0.94.1 2009.11.26 -

Comodo 3043 2009.11.26 -

DrWeb 5.0.0.12182 2009.11.26 -

eSafe 7.0.17.0 2009.11.24 -

eTrust-Vet 35.1.7143 2009.11.26 -

F-Prot 4.5.1.85 2009.11.25 -

F-Secure 9.0.15370.0 2009.11.24 -

Fortinet 4.0.14.0 2009.11.26 -

GData 19 2009.11.26 -

Ikarus T3.1.1.74.0 2009.11.26 -

Jiangmin 11.0.800 2009.11.26 -

K7AntiVirus 7.10.905 2009.11.25 -

Kaspersky 7.0.0.125 2009.11.26 -

McAfee 5813 2009.11.25 -

McAfee+Artemis 5813 2009.11.25 -

McAfee-GW-Edition 6.8.5 2009.11.26 -

Microsoft 1.5302 2009.11.26 -

NOD32 4638 2009.11.26 -

Norman 6.03.02 2009.11.25 -

nProtect 2009.1.8.0 2009.11.26 -

Panda 10.0.2.2 2009.11.25 Suspicious file

PCTools 7.0.3.5 2009.11.26 -

Prevx 3.0 2009.11.26 -

Rising 22.23.03.10 2009.11.26 -

Sophos 4.48.0 2009.11.26 -

Sunbelt 3.2.1858.2 2009.11.26 -

Symantec 1.4.4.12 2009.11.26 -

TheHacker 6.5.0.2.078 2009.11.25 -

TrendMicro 9.100.0.1001 2009.11.26 -

VBA32 3.12.12.0 2009.11.26 -

ViRobot 2009.11.26.2056 2009.11.26 -

VirusBuster 5.0.21.0 2009.11.25 -

Information additionnelle

File size: 168960 bytes

MD5...: 5e2ff53777c1175fa1925df6b1cc3667

SHA1..: 8340ae3bf6186a11829c8693318f188a4efa9987

SHA256: 9915bf887489c433aa028d872a77bb680c185da5281c002640dc987b2ffd54c9

ssdeep: 3072:ELNOi4XM5Ts27d3UKRAsbHh8A24ka0Qs9CgSOERkl7NVzwTBfdTlzgR:4NB7X7GzYskOYWzwTB

PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x22b70
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x21ba4 0x21c00 6.49 d36b205acd68c515aa37a1348ac0b495
DATA 0x23000 0x3150 0x3200 7.21 92d596ad9ffd55f3b64c607212c4afc5
BSS 0x27000 0xce9 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x28000 0xd1a 0xe00 4.64 b1941fdaadfdd6854e4556a920846c48
.reloc 0x29000 0x2104 0x2200 6.59 e6907227b75ec028e619c148ab6fa4be
.rsrc 0x2c000 0x2000 0x1200 3.38 8b6fbf44ecade868381387e0da8c25c0

( 10 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
> kernel32.dll: lstrcatA, WriteFile, WaitForSingleObject, VirtualQuery, UnmapViewOfFile, SetFilePointer, SetEvent, SetEndOfFile, ResetEvent, ReadFile, OpenEventA, MapViewOfFile, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GetVersionExA, GetTickCount, GetThreadLocale, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeLibrary, FormatMessageA, ExitThread, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateFileMappingA, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> user32.dll: MessageBoxA, LoadStringA, GetSystemMetrics, CharNextA, CharToOemA
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> ws2_32.dll: __WSAFDIsSet, WSAGetLastError, WSACleanup, WSAStartup, gethostbyname, socket, shutdown, setsockopt, sendto, send, select, recvfrom, recv, listen, inet_ntoa, inet_addr, htons, getsockopt, ioctlsocket, connect, closesocket, bind, accept

( 0 exports )

RDS...: NSRL Reference Data Set
-

pdfid.: -

trid..: Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

 

C:\WINDOWS\system32\stu2.exe

 

 

Fichier stu2.exe reçu le 2009.11.26 13:12:48 (UTC)

Antivirus Version Dernière mise à jour Résultat

a-squared 4.5.0.43 2009.11.26 -

AhnLab-V3 5.0.0.2 2009.11.26 -

AntiVir 7.9.1.78 2009.11.26 -

Antiy-AVL 2.0.3.7 2009.11.26 -

Authentium 5.2.0.5 2009.11.26 -

Avast 4.8.1351.0 2009.11.26 -

AVG 8.5.0.425 2009.11.26 -

BitDefender 7.2 2009.11.26 -

CAT-QuickHeal 10.00 2009.11.26 -

ClamAV 0.94.1 2009.11.26 -

Comodo 3043 2009.11.26 -

DrWeb 5.0.0.12182 2009.11.26 -

eSafe 7.0.17.0 2009.11.24 -

eTrust-Vet 35.1.7143 2009.11.26 -

F-Prot 4.5.1.85 2009.11.25 -

F-Secure 9.0.15370.0 2009.11.24 -

Fortinet 4.0.14.0 2009.11.26 -

GData 19 2009.11.26 -

Ikarus T3.1.1.74.0 2009.11.26 -

Jiangmin 11.0.800 2009.11.26 -

K7AntiVirus 7.10.905 2009.11.25 -

Kaspersky 7.0.0.125 2009.11.26 -

McAfee 5813 2009.11.25 -

McAfee+Artemis 5813 2009.11.25 -

McAfee-GW-Edition 6.8.5 2009.11.26 -

Microsoft 1.5302 2009.11.26 -

NOD32 4638 2009.11.26 -

Norman 6.03.02 2009.11.25 -

nProtect 2009.1.8.0 2009.11.26 -

Panda 10.0.2.2 2009.11.25 -

PCTools 7.0.3.5 2009.11.26 -

Prevx 3.0 2009.11.26 -

Rising 22.23.03.10 2009.11.26 -

Sophos 4.48.0 2009.11.26 -

Sunbelt 3.2.1858.2 2009.11.26 -

Symantec 1.4.4.12 2009.11.26 -

TheHacker 6.5.0.2.078 2009.11.25 -

TrendMicro 9.100.0.1001 2009.11.26 -

VBA32 3.12.12.0 2009.11.26 -

ViRobot 2009.11.26.2056 2009.11.26 -

VirusBuster 5.0.21.0 2009.11.25 -

Information additionnelle

File size: 26624 bytes

MD5...: e74ddb12188c2ff57a78624dbf7332fc

SHA1..: 37514e0296ac819c1f5b304bd9087ef52c12a652

SHA256: 22362cab11561d7bbae99bff4a8811fa33920b48f2027e736e1bdccb9b617cbd

ssdeep: 768:RioJi8jDLIDSAaQFxfftjaLacmkLGKyGo:R/JbDMDSA7FxffJaLaSLGxGo

PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x54ad
timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520e 0x5400 5.95 ff337745ae690578fb9ef2b2b041b87b
.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0xd64 0xe00 3.64 73a99b08ab227beece0410fedc594efd

( 9 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
> NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
> WLDAP32.dll: -, -, -, -, -, -
> msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
> KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

( 0 exports )

RDS...: NSRL Reference Data Set
-

pdfid.: -

sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. Tous droits r_serv_s.
product......: Syst_me d_exploitation Microsoft_ Windows_
description..: Application d_ouverture de session Userinit
original name: USERINIT.EXE
internal name: userinit
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
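The four reports above are read by eye for the same handful of signals: which engines flagged the file, whether the hash is one already seen in the thread, Winsock imports in a DLL sitting in system32, an export name that points at a Winlogon notification package, and version information that does not match the file on disk (stu2.exe carries userinit.exe's version info, claims Microsoft as publisher, and is unsigned). The Python below is an added example, not code from the thread or from VirusTotal: it parses the pasted text form of a report (with the line breaks restored) into a small structure and runs those checks. The finding codes, the `THREAD_MD5` table (built from the MD5 values in the reports above) and the two sample reports (abridged from the kbdatat3.dll and stu2.exe reports) are my own constructions.

```python
import re
from dataclasses import dataclass, field

# MD5 values copied from the four reports above, keyed by the file they belong to.
THREAD_MD5 = {"1d9f231c1eba100f88506592f5a6de9b": "kbupdate.dll", "801b51a08f0a9af84e735946d06bf94a": "kbdatat3.dll",
              "5e2ff53777c1175fa1925df6b1cc3667": "crt4.dll", "e74ddb12188c2ff57a78624dbf7332fc": "stu2.exe"}

@dataclass
class Report:
    filename: str = ""
    engines: list = field(default_factory=list)   # (engine, result); "-" means the engine saw nothing
    hashes: dict = field(default_factory=dict)    # "MD5" / "SHA1" / "SHA256" -> hex digest
    imports: dict = field(default_factory=dict)   # dll name (lowercased) -> [imported functions]
    exports: list = field(default_factory=list)
    sigcheck: dict = field(default_factory=dict)  # "publisher", "original name", "verified", ...

FILE_RE = re.compile(r"^(?:Fichier|File)\s+(\S+)\s+(?:reçu le|received on)\s")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")   # engine version date result
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$")
IMPORT_RE = re.compile(r"^>\s*(\S+):\s*(.*)$")                            # "> dll: f1, f2, ..."
EXPORTS_RE = re.compile(r"^\(\s*(\d+)\s+exports\s*\)")
KV_RE = re.compile(r"^([a-z][a-z ]*?)\.*:\s*(.*)$")                         # "verified.....: Unsigned"

def parse_report(text):
    # Line-oriented state machine over the report as pasted (one item per line).
    rep, state = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            rep.filename = m.group(1)
        elif line.startswith("Antivirus Version"):
            state = "rows"                         # one "engine version date result" row per line
        elif line.startswith(("Information additionnelle", "Additional information")):
            state = "info"
        elif state == "rows":
            if m := ROW_RE.match(line):
                rep.engines.append((m.group(1), m.group(4).strip()))
        elif m := HASH_RE.match(line):
            rep.hashes[m.group(1)] = m.group(2).lower()
        elif m := IMPORT_RE.match(line):
            funcs = [f.strip() for f in m.group(2).split(",") if f.strip() not in ("", "-")]
            rep.imports.setdefault(m.group(1).lower(), []).extend(funcs)
        elif m := EXPORTS_RE.match(line):
            state = "exports" if int(m.group(1)) > 0 else "info"   # names follow on the next line
        elif state == "exports":
            rep.exports = [e.strip() for e in line.split(",") if e.strip()]
            state = "info"
        elif line.startswith("sigcheck:"):
            state = "sigcheck"
        elif state == "sigcheck" and (m := KV_RE.match(line)):
            rep.sigcheck[m.group(1)] = m.group(2).strip()
    return rep

def triage(rep):
    # (code, message) findings: the things a helper checks by eye in such a report.
    out = []
    hits = [(e, r) for e, r in rep.engines if r != "-"]
    if hits:
        out.append(("DETECTED", f"{len(hits)}/{len(rep.engines)} engines: " + "; ".join(f"{e}={r}" for e, r in hits)))
    if rep.hashes.get("MD5") in THREAD_MD5:
        out.append(("KNOWN_HASH", f"MD5 matches {THREAD_MD5[rep.hashes['MD5']]}, already reported in this thread"))
    if "ws2_32.dll" in rep.imports:
        out.append(("NETWORK", "imports Winsock (ws2_32.dll): " + ", ".join(rep.imports["ws2_32.dll"][:6])))
    orig = rep.sigcheck.get("original name", "n/a")
    if orig.lower() not in ("", "n/a") and orig.lower() != rep.filename.lower():
        out.append(("NAME_MISMATCH", f"version info names it {orig} but it is stored as {rep.filename}"))
    if "microsoft" in rep.sigcheck.get("publisher", "").lower() and rep.sigcheck.get("verified", "").lower() == "unsigned":
        out.append(("UNSIGNED_MS", "claims Microsoft as publisher but carries no valid signature"))
    if any("winlogon" in e.lower() for e in rep.exports):
        out.append(("WINLOGON_EXPORT", "export name suggests a Winlogon notification package; "
                    "review HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"))
    return out

# Constructed samples, abridged from the kbdatat3.dll and stu2.exe reports above (hashes, import,
# export and sigcheck lines are the ones shown there; engine rows cut down to a few).
SAMPLE_KBDATAT3 = """\
Fichier kbdatat3.dll reçu le 2009.11.26 13:09:44 (UTC)
Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.43 2009.11.26 Backdoor.Win32.Lukicsel!IK
Ikarus T3.1.1.74.0 2009.11.26 Backdoor.Win32.Lukicsel
Information additionnelle
MD5...: 801b51a08f0a9af84e735946d06bf94a
> ws2_32.dll: __WSAFDIsSet, WSAGetLastError, WSACleanup, WSAStartup, gethostbyname, socket, connect, send, recv
( 3 exports )
kbdatat3c, kbdatat3s, kbdatat3st
"""
SAMPLE_STU2 = """\
Fichier stu2.exe reçu le 2009.11.26 13:12:48 (UTC)
Antivirus Version Dernière mise à jour Résultat
Panda 10.0.2.2 2009.11.25 -
Information additionnelle
MD5...: e74ddb12188c2ff57a78624dbf7332fc
( 0 exports )
sigcheck:
publisher....: Microsoft Corporation
original name: USERINIT.EXE
verified.....: Unsigned
"""
```

`triage(parse_report(text))` on the kbdatat3.dll sample yields DETECTED, KNOWN_HASH and NETWORK; on the stu2.exe sample it yields KNOWN_HASH, NAME_MISMATCH and UNSIGNED_MS, and the kbupdate.dll export WinlogonStartupEvent would add WINLOGON_EXPORT. These are triage hints, not verdicts: NAME_MISMATCH only says the file is stored under a name its own version information does not use, which is a question to put to the helper rather than a reason to delete anything.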
