Se connecter / S'enregistrer
Votre question

trojan Patched.Q.12 revient toujours [RESOLU]

Tags :
  • Trojan
  • Sécurité
Dernière réponse : dans Sécurité et virus
11 Janvier 2008 12:30:38

Re à tous,

j'ai depuis un moment ce trojan qui apparaît toutes les 15 secondes avec antivir je n'arrive pas à m'en débarrasser, mais alors pas du tout....

que pouvez faire pour m'aider, je vous envoie un rapport hijackthis, merci:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:31, on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\LEGTP\Bureau\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [\\POSTE2\EPSON Stylus D88 Series (Copie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P42 "\\POSTE2\EPSON Stylus D88 Series (Copie 1)" /O6 "USB001" /M "Stylus D88"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls...
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4083AE8-2788-4204-A34F-82779BC7466B}: NameServer = 193.252.19.3,193.252.19.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6251 bytes

Autres pages sur : trojan patched revient resolu

11 Janvier 2008 18:04:00

Bonsoir ,

Rien de visible dans ce rapport

Quel est l'emplacement du virus détecté ?

Poste le rapport Antivir
11 Janvier 2008 18:12:26

bonsoir,

l'ordinateurr n'est pas chez moi, ok, donc je ferai ça lundi

merci du coup de main.

je crois que c'est indiqué TR/Patched.Q.12 mais je t'envoie le rapport lundi
Contenus similaires
11 Janvier 2008 18:22:02


Ok , à lundi :) 
14 Janvier 2008 17:58:38

voici son chemin:
c:\WINDOWS\System32\winlogon.exe

et voici le rapport d'antivir:



AntiVir PersonalEdition Classic
Report file date: lundi 14 janvier 2008 12:30

Scanning for 1029987 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: POSTE4

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 07:30:01
ANTIVIR2.VDF : 7.0.1.205 620544 Bytes 08/01/2008 07:45:12
ANTIVIR3.VDF : 7.0.1.229 187904 Bytes 14/01/2008 07:23:50
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 20/12/2007 07:31:30
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.2 360488 Bytes 20/12/2007 07:31:31
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: lundi 14 janvier 2008 12:30

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'soffice.bin' - '1' Module(s) have been scanned
Scan process 'soffice.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '0' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb04.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'E_S00RP1.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'vsmon.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\winlogon.exe'
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

33 processes with 33 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.

The registry was scanned ( '26' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\LEGTP\Bureau\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/BHO.agh.1
[INFO] The file was moved to '47f4488d.qua'!
C:\Documents and Settings\LEGTP\Bureau\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/movedfile.ren
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bnm.37
--> backups/mstscex.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bnm.37
--> backups/oleauth32.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bnm.37
[INFO] The file was moved to '47ee4962.qua'!
C:\qoobox\Quarantine\C\Program Files\SecCenter\scprot4.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47fb53cc.qua'!
C:\qoobox\Quarantine\C\Program Files\vulwlobu\rqnmhons.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47f953dc.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\crehcjid.dll.vir
[DETECTION] Contains detection pattern of the worm WORM/SdBot.90112.5
[INFO] The file was moved to '47f053e0.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\e404d.dll.vir
[DETECTION] Is the Trojan horse TR/Dldr.Agent.fsi
[INFO] The file was moved to '47bb53a4.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\efcbawu.VIR.vir
[DETECTION] Is the Trojan horse TR/Agent.uaa
[INFO] The file was moved to '47ee53d8.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\nuinopsd\nuinopsd2.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47f453ea.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP155\A0023899.exe
[DETECTION] Is the Trojan horse TR/Drop.Agent.zaa
[INFO] The file was moved to '47bb5490.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP156\A0025959.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '47bb5495.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP156\A0025961.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '47bb5497.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP159\A0027977.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47bb549d.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP161\A0028127.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bnm.37
[INFO] The file was moved to '47bb54ac.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP161\A0028128.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bnm.37
[INFO] The file was moved to '47bb54c9.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP161\A0028133.sys
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '47bb54cb.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP161\A0028134.sys
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '47bb54cd.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP161\A0028139.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bnm.37
[INFO] The file was moved to '47bb54ce.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP161\A0028140.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bnm.37
[INFO] The file was moved to '47bb54cf.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP164\A0028289.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47bb54d9.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP164\A0028292.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47bb54db.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP165\A0028339.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.fsi
[INFO] The file was moved to '47bb54df.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP165\A0028360.exe
[DETECTION] Is the Trojan horse TR/BHO.agh
[INFO] The file was moved to '47bb54e5.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP166\A0028604.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47bb54f0.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP166\A0028605.dll
[DETECTION] Contains detection pattern of the worm WORM/SdBot.90112.5
[INFO] The file was moved to '47bb54f1.qua'!
C:\System Volume Information\_restore{FC3D311C-9C01-40E4-A746-7C4B3529EB68}\RP171\A0029067.exe
[DETECTION] Contains detection pattern of the dropper DR/BHO.agh.1
[INFO] The file was moved to '47bb54ff.qua'!
C:\WINDOWS\system32\winlogon.exe
[DETECTION] Is the Trojan horse TR/Patched.Q.12
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!


End of the scan: lundi 14 janvier 2008 15:29
Used time: 2:59:40 min

The scan has been done completely.

2967 Scanning directories
153002 Files were scanned
29 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
25 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
152973 Files not concerned
1375 Archives were scanned
2 Warnings
51 Notes

merci a toi, Eric_71
14 Janvier 2008 20:58:22


Re ,

Télécharge SDFix [:eric_71:14] < ici
Enregistre le sur ton Bureau

Double clique sur SDFix.exe ( le .exe peut ne pas apparaitre )
Choisis Install pour l'extraire sur ton Bureau
Redémarre en mode sans échec : >> Comment démarrer en mode Sans Echec <<
Double clic sur le dossier SDFix
puis double clique sur RunThis.bat ( le .bat peut ne pas apparaitre )
Appuie sur Y pour le lancer , laisse le s'éxécuter
Il te sera demandé d'appuyer sur une touche pour redemarrer , fais le
Il est possible que le redémarrage soit plus long que d'habitude
Une fois ton Bureau chargé ,il affichera Finished
Appuie sur une touche pour finir l'exécution et charger les icônes de ton Bureau

Un rapport est généré , Copie / colle le dans ta réponse

tu trouveras aussi ce rapport dans le dossier SDFix ( Report.txt )
et un nouveau rapport Hijackthis

15 Janvier 2008 12:03:46

Re Eric_71; voici les rapports que tu m'as demandé:

rapport SDfix:


SDFix: Version 1.118

Run by LEGTP on 15/01/2008 at 11:43

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\LEGTP\Bureau\SDFix

Safe Mode:
Checking Services:


Infected Winlogon.exe Found!

Winlogon File Locations:

"C:\WINDOWS\system32\winlogon.exe" 506880 07/12/2007 11:24

Modified Files Are Listed Below:

C:\WINDOWS\system32\winlogon.exe

Note: SDFix Does Not Repair This File!


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 11:53:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 Le fichier spécifié est introuvable.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Sun 21 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5c703fe0947475848e966b61999878d1\BIT1.tmp"

Finished!


et rapport hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:12, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Documents and Settings\LEGTP\Bureau\HiJackThis.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [\\POSTE2\EPSON Stylus D88 Series (Copie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P42 "\\POSTE2\EPSON Stylus D88 Series (Copie 1)" /O6 "USB001" /M "Stylus D88"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls...
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4083AE8-2788-4204-A34F-82779BC7466B}: NameServer = 193.252.19.3,193.252.19.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6291 bytes

merci a toi d'y voir clair dans tout ça, moi je nage ...
15 Janvier 2008 21:32:00


Re ,
Citation :
Infected Winlogon.exe Found!


Un fichier système important est infecté ou endommagé ,

Menu Démarrer / Exécuter , tape cmd et valide
dans la fenêtre noire tape sfc/scannow puis valide
la vérification va démarrer
il est possible qu'il te demande d'insérer le CD Windows pour réparer

puis refais un scan SDfix


16 Janvier 2008 11:12:10

Re,
ok je vais faire ce que tu dis mais je ne sais pas s'il ya eu un CD windows avec le PC (c'est un PC de ma classe déjà installé avant que j'arrive), donc je verrai bien
merci à demain pour la suite
17 Janvier 2008 15:05:33

Re, voilà c'est terminé, je t'envoie le rapport de SDFix:


SDFix: Version 1.118

Run by LEGTP on 17/01/2008 at 13:28

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\LEGTP\Bureau\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 14:58:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 Le fichier spécifié est introuvable.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Sun 21 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5c703fe0947475848e966b61999878d1\BIT1.tmp"

Finished!

17 Janvier 2008 20:04:19


Bien ,

Le fichier est réparé :) 

Tu as toujours des problèmes ?
18 Janvier 2008 08:28:40

eh bien je n'ai plus de problème au démarrage et encore moins ensuite donc affaire résolu
merci du coup de main

PS: dis moi comment indiquer RESOLU dans mon sujet.
18 Janvier 2008 08:55:11

Re,

bon, notre affaire n'est pas encore complétement resolu puisque réapparition du problème décelé par Antivir dans

C:\System Volume Information\...\A0030396.exe

18 Janvier 2008 20:04:16

Re ,
Citation :
C:\System Volume Information\...\A0030396.exe


Rien de méchant , là ou il est :)  , on va le virer

Désactive la réstauration du système comme ceci :
>> Réstauration du Système <<
Redémarre ton PC , puis Réactive la

--------------------------------------------------------------

Télécharge ToolsCleaner2 [:eric_71:15] < ici

Installe le sur ton Bureau
Clique sur [Recherche] pour lancer le scan
Clique sur [Supprimer] pour nettoyer les outils utilisés
Clique sur [Quitter] , ceci va créer un rapport
Poste le rapport ( C:\TCleaner.txt )


21 Janvier 2008 08:51:02

Re, voici le rapport demandé:

-->- Recherche:

C:\Combofix: trouvé !
C:\Vundofix backups: trouvé !
C:\Qoobox: trouvé !
C:\Documents and Settings\LEGTP\Bureau\ComboFix.exe: trouvé !
C:\Documents and Settings\LEGTP\Bureau\vundoFix.exe: trouvé !
C:\Documents and Settings\LEGTP\Bureau\HijackThis.exe: trouvé !
C:\Documents and Settings\LEGTP\Recent\HijackThis.lnk: trouvé !
C:\qoobox\Quarantine\C\Combofix: trouvé !

---------------------------------
-->- Suppression:

C:\Documents and Settings\LEGTP\Bureau\ComboFix.exe: supprimé !
C:\Documents and Settings\LEGTP\Bureau\vundoFix.exe: supprimé !
C:\Documents and Settings\LEGTP\Bureau\HijackThis.exe: supprimé !
C:\Documents and Settings\LEGTP\Recent\HijackThis.lnk: supprimé !
C:\Combofix: supprimé !
C:\Vundofix backups: supprimé !
C:\Qoobox: supprimé !

A plus tard Eric_71
22 Janvier 2008 12:51:22


Hello ,

C'est tout bon , tu as toujours des problèmes ?
22 Janvier 2008 17:45:32

salut,

Eh bien c'est tout bon comme tu dis. merci vraiment du coup de main.

22 Janvier 2008 21:38:55


De rien :) 

Clique, dans ton premier message, sur le bouton "Editer"
Ajoute [Résolu] au titre
Clique ensuite sur "Valider votre message"



Bonne continuation ;) 
Anonyme
11 Avril 2009 17:53:35

bonjour j'ai le même problèmes sur mon pc et je ne sais pas quoi faire. aidez moi svp
Tom's guide dans le monde
  • Allemagne
  • Italie
  • Irlande
  • Royaume Uni
  • Etats Unis
Suivre Tom's Guide
Inscrivez-vous à la Newsletter
  • ajouter à twitter
  • ajouter à facebook
  • ajouter un flux RSS