
[SOFTWARE] sysrest.sys and blphc virus


karara


Hello everyone,

Avast is reporting two viruses:

sysrest.sys in system32, virus Win32:Rootkit-gen

and

blphc74tj0e50a.src in system32, virus Win32:Rootkit-gen

Not to mention the XP Antivirus 2008 wallpaper, which cannot be removed (the wallpaper section has disappeared from the Control Panel).

I don't know how to get rid of them. Thanks to anyone who can help.


Hi,

Uninstall Avast and Spybot and the like...

Disable System Restore.

Run SmitfraudFix, option 2.

Post the report it creates.

Run Clean v2.0 by FRUiT, procedure 1.

Restart the PC.

Post a HijackThis report.

PS: see my signature to download the tools.

Hello snooky.

Thanks for your help.

Here is the SmitfraudFix report:

SmitFraudFix v2.344

Rapport fait à 22:25:51,95, 01/09/2008

Executé à partir de C:\Documents and Settings\kara\Bureau\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Le type du système de fichiers est NTFS

Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

C:\Documents and Settings\kara\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk supprimé

C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\Antivirus XP 2008 supprimé

C:\DOCUME~1\ALLUSE~1\Bureau\Antivirus XP 2008.lnk supprimé

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

AntiXPVSTFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection - Miniport d'ordonnancement de paquets

DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B7E0E5DF-B98C-469B-8517-789E2133A8DC}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{B7E0E5DF-B98C-469B-8517-789E2133A8DC}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{B7E0E5DF-B98C-469B-8517-789E2133A8DC}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Here is the HijackThis report. The operation seems to have worked for part of the problem (the wallpaper is gone, but it is still not possible to get to the wallpaper settings in the Control Panel).

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:47:03, on 01/09/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\WINDOWS\system32\o2flash.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\lphc74tj0e50a.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\kara\Bureau\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe

O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [EPSON Stylus DX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE /P26 "EPSON Stylus DX4200 Series" /O6 "USB002" /M "Stylus DX4200"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [lphc74tj0e50a] C:\WINDOWS\system32\lphc74tj0e50a.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

O4 - Global Startup: Contrôleur d’état.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204576071652

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211023315328

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - c:\WINDOWS\system32\o2flash.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SsBeSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SSScsiSV.exe

--

End of file - 8179 bytes


Tick and fix all the O4 lines with HijackThis.

Run MBAM, delete everything it finds and post the report it creates.
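The O4 section of a HijackThis log is a listing of the Run keys; the advice above is to fix every O4 line, and the one that matters here is `[lphc74tj0e50a] C:\WINDOWS\system32\lphc74tj0e50a.exe`. The following PowerShell script is an added example, not code from the thread or from either poster: it reads the same HKLM and HKCU Run keys on a live machine, resolves each command line to the executable it launches, and tags entries whose file is missing (a Run value left behind after an anti-malware tool deleted the file) or which launch an unsigned executable from system32, the pattern of the rogue's loader. The `Resolve-AutorunImage` function, the status labels and the choice of search directories for bare file names are this example's own assumptions.

```powershell
# Added example, not from the thread: list what HijackThis shows as O4 entries, straight
# from the registry. Each Run value is resolved to the executable it launches and tagged:
#   ORPHAN  the file no longer exists (typical after an AV tool deleted the file but the
#           Run value, like [lphc74tj0e50a] in the log above, was left behind)
#   REVIEW  an unsigned executable launched from system32, the pattern of the rogue's loader
#   ok      anything else
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties the registry provider adds to every Get-ItemProperty result; not Run values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-AutorunImage {
    # Turns a Run command line into the path of the program it starts (assumed helper).
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        # "C:\Program Files\...\foo.exe" -args  -> text between the first pair of quotes
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { $image = $cmd.Substring(1, $end - 1) }
        else            { $image = $cmd.Trim('"') }
    } else {
        # C:\path\foo.exe /autorun  -> text up to the first executable extension
        $m = [regex]::Match($cmd, '(?i)^(.+?\.(exe|com|scr|bat|cmd))(\s|$)')
        if ($m.Success) { $image = $m.Groups[1].Value } else { $image = ($cmd -split '\s+')[0] }
    }
    $image = [Environment]::ExpandEnvironmentVariables($image)
    # A bare name such as RTHDCPL.EXE is found through the loader's search path;
    # the Windows and system32 directories cover the entries seen in this thread.
    if (-not [IO.Path]::IsPathRooted($image)) {
        foreach ($dir in @($env:windir, (Join-Path $env:windir 'system32'))) {
            $candidate = Join-Path $dir $image
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $image
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $image  = Resolve-AutorunImage ([string]$prop.Value)
        $status = 'ok'
        if (-not (Test-Path -LiteralPath $image)) {
            $status = 'ORPHAN'
        } elseif ($image -match '\\system32\\') {
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -ne 'Valid') { $status = 'REVIEW' }
        }
        Write-Output ("{0,-6} {1,-5} [{2}] {3}" -f $status, $key.Substring(0, 4), $prop.Name, $image)
    }
}
```

REVIEW is a triage hint, not a verdict: components that are signed only through a catalog file show up as NotSigned in Get-AuthenticodeSignature, so legitimate driver helpers in system32 can land in that bucket too. ORPHAN entries are the ones the "fix all O4 lines" step removes; after running MBAM, the lphc74tj0e50a value would show up there because the file it points to has been quarantined.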

Here is the result:

Malwarebytes' Anti-Malware 1.25

Version de la base de données: 1103

Windows 5.1.2600 Service Pack 3

23:39:46 01/09/2008

mbam-log-09-01-2008 (23-39-46).txt

Type de recherche: Examen rapide

Eléments examinés: 41508

Temps écoulé: 3 minute(s), 15 second(s)

Processus mémoire infecté(s): 0

Module(s) mémoire infecté(s): 0

Clé(s) du Registre infectée(s): 5

Valeur(s) du Registre infectée(s): 6

Elément(s) de données du Registre infecté(s): 2

Dossier(s) infecté(s): 12

Fichier(s) infecté(s): 20

Processus mémoire infecté(s):

(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):

(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc34tj0e50a (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\rhc34tj0e50a (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):

HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):

C:\Program Files\rhc34tj0e50a (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Application Data\rhc34tj0e50a\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):

C:\WINDOWS\system32\blphc74tj0e50a.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\rhc34tj0e50a\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc34tj0e50a\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc34tj0e50a\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc34tj0e50a\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc34tj0e50a\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc34tj0e50a\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc34tj0e50a\rhc34tj0e50a.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc34tj0e50a\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\clean.cmd (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lphc74tj0e50a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\phc74tj0e50a.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\kara\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

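The two Hijack.DisplayProperties items in the report above explain the missing wallpaper settings: NoDispBackgroundPage and NoDispScrSavPage set to 1 hide the Background and Screen Saver tabs of Display Properties, and the six Hijack.Wallpaper values are where the rogue pointed the wallpaper and screensaver at its own files in system32. The following PowerShell script is an added example, not code from the thread or from Malwarebytes: it audits exactly those values for the current user and, with `-Fix`, removes the two policy values. The registry paths and value names come from the report; the `Get-RegValue` helper and the labels are this example's own.

```powershell
# Added example, not from the thread: audit the per-user registry values that the MBAM
# report above lists under Hijack.DisplayProperties and Hijack.Wallpaper.
# NoDispBackgroundPage / NoDispScrSavPage = 1 hide the Background and Screen Saver tabs
# of Display Properties, which is why the wallpaper settings vanished from the Control Panel.
# Run in the profile of the affected user; add -Fix to remove the two policy values.
param([switch]$Fix)

$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$desktopKey = 'HKCU:\Control Panel\Desktop'
$ieDeskKey  = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'

function Get-RegValue {
    # Assumed helper: returns $null when the key or the value does not exist instead of throwing.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Policy values that should not exist on a home PC (MBAM reported Bad: (1) Good: (0)).
foreach ($name in 'NoDispBackgroundPage', 'NoDispScrSavPage') {
    $current = Get-RegValue -Key $policyKey -Name $name
    if ($current -eq 1) {
        Write-Output "HIJACK  $policyKey\$name = 1 (Display Properties tab hidden)"
        if ($Fix) {
            Remove-ItemProperty -Path $policyKey -Name $name
            Write-Output "        removed; the tab is back the next time Display Properties is opened"
        }
    } else {
        Write-Output "ok      $name is not set"
    }
}

# 2. Wallpaper and screensaver values: print where they point. The rogue in this thread
#    dropped phc74tj0e50a.bmp and blphc74tj0e50a.scr into system32, so a wallpaper or
#    screensaver path under system32 is worth a look (heuristic, not a verdict).
$wallpaperValues = @(
    @{ Key = $desktopKey; Name = 'Wallpaper' },
    @{ Key = $desktopKey; Name = 'OriginalWallpaper' },
    @{ Key = $desktopKey; Name = 'ConvertedWallpaper' },
    @{ Key = $desktopKey; Name = 'SCRNSAVE.EXE' },
    @{ Key = $ieDeskKey;  Name = 'BackupWallpaper' },
    @{ Key = $ieDeskKey;  Name = 'Wallpaper' }
)
foreach ($v in $wallpaperValues) {
    $value = Get-RegValue -Key $v.Key -Name $v.Name
    if ([string]::IsNullOrEmpty($value)) { continue }
    $label = 'info   '
    if ($value -match '\\system32\\') { $label = 'SUSPECT' }
    Write-Output ("{0} {1}\{2} = {3}" -f $label, $v.Key, $v.Name, $value)
}
```

The script deliberately only removes the two policy values and leaves the wallpaper and screensaver values for the operator to judge, since a wallpaper path is user data and the correct replacement is whatever the user wants, not an empty string. The policy values live under HKCU, so the check has to run as the user whose desktop was hijacked.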

How many MB did Clean v2.0 by FRUiT delete for you? (see the end of the report)

The PC should be running better after a restart, right?

Also post a new HijackThis report.

Thank you very much Snooky. The "Windows antivirus" wallpaper has disappeared and the Control Panel is back to normal!

For Clean v2.0, it removed: "Clean released 153 Megabytes, 153645 Kilobytes

Found and wiped 2824 files".

How can I make sure that the sysrest.sys virus and the other one (I can't remember its name :-) ) are really gone?

Should I run an online scan? A HijackThis? Reinstall Avast? System Restore?

Thanks in any case.


After uninstalling Antivir, run ComboFix and post the report it creates.

Disable and re-enable System Restore first.

http://www.bleepingcomputer.com/combofix/f...iliser-combofix

PS: Forget Avast!!!

You say "After uninstalling Antivir".

But Antivir does not appear in the software uninstall list. The only traces of Antivir I can find with Windows search are: Antiviru.evt in C:\WINDOWS\system32\config and Antivirus.Evt in C:\WINDOWS\system32\config.

Otherwise, here is the ComboFix report:

ComboFix 08-09-01.01 - kara 2008-09-02 0:28:10.1 - NTFSx86

Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.639 [GMT 2:00]

Endroit: C:\Documents and Settings\kara\Bureau\ComboFix.exe

* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_TDSSSERV

-------\Service_6to4

-------\Service_TDSSserv

((((((((((((((((((((((((((((( Fichiers créés 2008-08-01 to 2008-09-01 ))))))))))))))))))))))))))))))))))))

.

2008-09-01 23:15 . 2008-09-01 23:15 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-09-01 23:15 . 2008-09-01 23:15 <REP> d-------- C:\Documents and Settings\kara\Application Data\Malwarebytes

2008-09-01 23:15 . 2008-09-01 23:15 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-09-01 23:15 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-01 23:15 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-01 23:08 . 2008-09-02 00:18 <REP> d-------- C:\Documents and Settings\kara\.housecall6.6

2008-09-01 22:41 . 2004-08-05 14:00 19,456 --a--c--- C:\WINDOWS\system32\dllcache\cprofile.exe

2008-09-01 22:41 . 2004-08-05 14:00 19,456 --a------ C:\WINDOWS\system32\cprofile.exe

2008-09-01 22:39 . 2008-09-01 22:39 58 --a------ C:\SCRIPT.CLN

2008-09-01 22:25 . 2008-09-01 22:25 3,856 --a------ C:\WINDOWS\system32\tmp.reg

2008-09-01 22:24 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-09-01 22:24 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-09-01 22:24 . 2008-08-31 00:53 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe

2008-09-01 22:24 . 2008-08-27 15:17 87,040 --a------ C:\WINDOWS\system32\VACFix.exe

2008-09-01 22:24 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-09-01 22:24 . 2008-08-28 22:36 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe

2008-09-01 22:24 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe

2008-09-01 22:24 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-09-01 22:24 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-09-01 22:24 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-09-01 10:38 . 2008-09-01 10:38 <REP> d-------- C:\Program Files\Trend Micro

2008-08-30 15:03 . 2008-08-30 15:03 <REP> d-------- C:\Program Files\Real

2008-08-30 15:03 . 2008-08-30 15:03 <REP> d-------- C:\Program Files\Fichiers communs\xing shared

2008-08-30 15:03 . 2008-08-30 15:03 <REP> d-------- C:\Program Files\Fichiers communs\Real

2008-08-28 23:46 . 2008-08-28 23:46 244 --ah----- C:\sqmnoopt01.sqm

2008-08-28 23:46 . 2008-08-28 23:46 232 --ah----- C:\sqmdata01.sqm

2008-08-25 14:04 . 2008-09-01 22:39 <REP> d-------- C:\Program Files\Dactylo

2008-08-13 18:50 . 2008-05-01 16:36 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-13 18:49 . 2008-04-11 21:05 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

2008-08-09 21:55 . 2008-08-09 21:55 <REP> d-------- C:\Program Files\MSECache

2008-08-01 19:41 . 2008-09-01 22:39 <REP> d-------- C:\eolas

2008-08-01 18:43 . 2008-08-01 18:43 <REP> d-------- C:\Program Files\WinHTTrack

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-01 20:46 --------- d-----w C:\Documents and Settings\kara\Application Data\OpenOffice.org2

2008-09-01 20:40 --------- d-----w C:\Program Files\PDFCreator

2008-09-01 20:40 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5

2008-09-01 20:39 --------- d-----w C:\Program Files\eMule

2008-08-26 22:10 --------- d-----w C:\Documents and Settings\kara\Application Data\U3

2008-08-21 23:43 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-08-07 15:19 --------- d-----w C:\Program Files\CCleaner

2008-07-26 19:20 4,384 ----a-w C:\WINDOWS\system32\drivers\O2MDDISK.PNF

2008-07-26 19:20 4,352 ----a-w C:\WINDOWS\system32\drivers\O2SDDISK.PNF

2008-07-26 19:20 22,192 ----a-w C:\WINDOWS\system32\drivers\INFCACHE.1

2008-07-26 19:14 6,748 ----a-w C:\WINDOWS\system32\drivers\o2media.PNF

2008-07-26 19:14 6,708 ----a-w C:\WINDOWS\system32\drivers\o2sd.PNF

2008-07-26 19:14 13,096 ----a-w C:\WINDOWS\system32\drivers\o2mwxp.PNF

2008-07-26 19:14 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-26 13:49 --------- d-----w C:\Program Files\Intel

2008-07-13 22:18 --------- d-----w C:\Program Files\Wanadoo

2008-07-13 21:57 --------- d-----w C:\Program Files\Securitoo

2008-07-13 21:57 --------- d-----w C:\Program Files\Inventel

2008-07-10 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL

2008-07-10 19:37 --------- d-----w C:\Program Files\epson

2008-07-02 17:09 --------- d-----w C:\Documents and Settings\kara\Application Data\Sony Corporation

2008-07-02 17:05 --------- d-----w C:\Program Files\Sony

2008-07-02 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation

2008-07-02 17:03 --------- d-----w C:\Program Files\Fichiers communs\Sony Shared

2008-05-21 17:49 22,888 ----a-w C:\Documents and Settings\kara\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:33 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\eMule\\emule.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]

R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]

R2 NwSapAgent;Agent SAP;C:\WINDOWS\system32\svchost.exe [2008-04-14 04:34]

S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys []

S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2007-10-17 01:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\U]

\Shell\AutoRun\command - explorer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{850ea0bd-ebae-11dc-bc24-001302d44ca0}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Contenu du dossier 'Scheduled Tasks/Tâches planifiées'

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\kara\Application Data\Mozilla\Firefox\Profiles\eq2fssrj.default\

FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - C:\Program Files\ma-config.com\nphardwaredetection.dll

FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll

FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin.dll

FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin2.dll

FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin3.dll

FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin4.dll

FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin5.dll

FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin6.dll

FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin7.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-02 00:30:30

Windows 5.1.2600 Service Pack 3 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès

Les fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\6to4]

"ServiceDll"="%SystemRoot%\System32\6to4svc.dll"

--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]

"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

C:\WINDOWS\system32\o2flash.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\verclsid.exe

.

**************************************************************************

.

Temps d'accomplissement: 2008-09-02 0:38:13 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-01 22:38:09

Pre-Run: 56,936,714,240 octets libres

Post-Run: 56,872,460,288 octets libres

158 --- E O F --- 2008-08-27 07:32:11

Finally, "PS: Forget Avast!!!"

What do you recommend?


Antivir! ;)

...but try running without an antivirus for a while.

Run a registry cleaner (RegSeeker, for example), then NTRegopt.

http://www.hoverdesk.net/freeware.htm

http://telechargement.zebulon.fr/ntregopt.html

Then a defragmentation with JKDefrag:

http://www.lepicea.net/forums/index.php?sh...ost&p=77425

See you later

PS: uninstall the Wanadoo Kit and Securitoo, if present on your PC.

http://www.amula.asso.fr/site/article.php?id_article=61
