Trojan Downloader.Medbod.A


Marsh Posted on 15-07-2006 at 22:57:05

Hi,
 
For a few days I have been infected by a trojan: Trojan Downloader.Medbod.A
 
BitDefender 9 Pro detects it and puts the infected files in quarantine. 6 in total.
 
I delete them, but a few days later the same alert appears even though I haven't downloaded anything since. Do I have to go through the same procedure again, or is the trojan still on my PC?
 
Here are the infected files (BitDefender 9 Pro report):
 

Quote:

C:\Documents and Settings\stephane\Local Settings\Temp\21exssd32d.exe Infecté avec: Trojan.Downloader.Medbod.A
C:\Documents and Settings\stephane\Local Settings\Temp\21exssd32d.exe Désinfection impossible
C:\Documents and Settings\stephane\Local Settings\Temp\21exssd32d.exe Déplacé
C:\Documents and Settings\stephane\Local Settings\Temp\32exssd32d.exe Infecté avec: Trojan.Downloader.Medbod.A
C:\Documents and Settings\stephane\Local Settings\Temp\32exssd32d.exe Désinfection impossible
C:\Documents and Settings\stephane\Local Settings\Temp\32exssd32d.exe Déplacé
C:\Documents and Settings\stephane\Local Settings\Temp\59exssd32d.exe Infecté avec: Trojan.Downloader.Medbod.A
C:\Documents and Settings\stephane\Local Settings\Temp\59exssd32d.exe Désinfection impossible
C:\Documents and Settings\stephane\Local Settings\Temp\59exssd32d.exe Déplacé
C:\Documents and Settings\stephane\Local Settings\Temp\81exssd32d.exe Infecté avec: Trojan.Downloader.Medbod.A
C:\Documents and Settings\stephane\Local Settings\Temp\81exssd32d.exe Désinfection impossible
C:\Documents and Settings\stephane\Local Settings\Temp\81exssd32d.exe Déplacé
C:\Documents and Settings\stephane\Local Settings\Temp\86exssd32d.exe Infecté avec: Trojan.Downloader.Medbod.A
C:\Documents and Settings\stephane\Local Settings\Temp\86exssd32d.exe Désinfection impossible
C:\Documents and Settings\stephane\Local Settings\Temp\86exssd32d.exe Déplacé
C:\Documents and Settings\stephane\Local Settings\Temp\96exssd32d.exe Infecté avec: Trojan.Downloader.Medbod.A
C:\Documents and Settings\stephane\Local Settings\Temp\96exssd32d.exe Désinfection impossible
C:\Documents and Settings\stephane\Local Settings\Temp\96exssd32d.exe Déplacé
C:\Documents and Settings\stephane\Mes documents\Utilitaires\Cyberlink.PowerDVD.v7.0.1725.0.Multilangages.Incl-Activation.rar=>Activation\keygen.exe Infecté avec: Trojan.Pws.Banker.BA
C:\Documents and Settings\stephane\Mes documents\Utilitaires\Cyberlink.PowerDVD.v7.0.1725.0.Multilangages.Incl-Activation.rar=>Activation\keygen.exe Désinfection impossible
C:\Documents and Settings\stephane\Mes documents\Utilitaires\Cyberlink.PowerDVD.v7.0.1725.0.Multilangages.Incl-Activation.rar=>Activation\keygen.exe Déplacement impossible


 
I ran HijackThis:
 

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:56, on 15/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\stephane\Bureau\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://I:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 7452004109
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://config.zebulon.fr/plugins/hardwaredetection.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


 
 
After that, and not understanding much of what is written there, I continued and restarted my PC in safe mode:
 
Here is the Ewido report:
 

Quote:

ewido anti-spyware - Scan Report
---------------------------------------------------------
 
+ Created at: 11:14:58 15/07/2006
 
+ Scan result:  
 
 
 
C:\Documents and Settings\stephane\Cookies\stephane@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@iv2.bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@promo.casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@-com-[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@fl01.ct2.comclick[2].txt -> TrackingCookie.Comclick : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@estat[2].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@max.i12[1].txt -> TrackingCookie.I12 : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.10:C:\Documents and Settings\stephane\Application Data\Mozilla\Firefox\Profiles\sbzdv97f.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.11:C:\Documents and Settings\stephane\Application Data\Mozilla\Firefox\Profiles\sbzdv97f.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.12:C:\Documents and Settings\stephane\Application Data\Mozilla\Firefox\Profiles\sbzdv97f.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.13:C:\Documents and Settings\stephane\Application Data\Mozilla\Firefox\Profiles\sbzdv97f.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.14:C:\Documents and Settings\stephane\Application Data\Mozilla\Firefox\Profiles\sbzdv97f.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.15:C:\Documents and Settings\stephane\Application Data\Mozilla\Firefox\Profiles\sbzdv97f.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.8:C:\Documents and Settings\stephane\Application Data\Mozilla\Firefox\Profiles\sbzdv97f.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.9:C:\Documents and Settings\stephane\Application Data\Mozilla\Firefox\Profiles\sbzdv97f.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@spylog[1].txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
D:\Nouveau dossier\Utilitaires\IncrediMail fr build 2014 + cerise by david44.zip/patch Build 18XX.exe -> Trojan.Agent.jh : Cleaned with backup (quarantined).
 
 
::Report end


 
Here is the Clean report:
 

Quote:

Script clean par Malekal_morte - http://www.malekal.com  
 
*** SUPPRESSION DES FICHIERS  
 
 
 
*** Suppressions de trojans/vers sur...  
C:\WINDOWS\bootstat.dat FOUND  
C:\WINDOWS\inf\unregmp2.exe FOUND  
C:\WINDOWS\system32\bdod.bin FOUND  
C:\WINDOWS\system32\divxsm.exe FOUND  
C:\WINDOWS\system32\javaws.exe FOUND  
C:\WINDOWS\system32\nvsvcd.exe FOUND  
C:\WINDOWS\system\smss.exe FOUND  
 
 
 
*** Suppressions des adware connus...


 
And here is the HijackThis report again:
 

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:23, on 15/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\stephane\Bureau\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/p [...] nicode.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://I:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 7452004109
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://config.zebulon.fr/plugins/hardwaredetection.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


 
I then ran the Kaspersky online scan, which found a virus and a Win32 that BitDefender blocked right after the online scan finished, quarantined and deleted, but that still seems like a lot of trojans at once to me... would you recommend online purchases, for example??

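As an added example (not code from the thread, from HijackThis or from any of the tools named above), here is a small Python script that parses the O4 autorun lines of a HijackThis log like the ones posted above and flags the kind of entry a reviewer should look at first: the first log's `[.nvsvc] C:\WINDOWS\system\smss.exe /w`, a Run key launching a file named after a core Windows process from C:\WINDOWS\system rather than System32, which the Clean script report later lists as found and which is gone from the second log. The sample lines are copied from the first log; the list of core process names and both heuristics are assumptions chosen for illustration.

```python
"""Flag suspicious O4 (Run key) entries in a HijackThis v1.99 log.

Added example for this thread; not code from HijackThis or from the forum.
The heuristics and the CORE_PROCESSES list are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: O4 lines copied from the thread's first HijackThis log,
# plus one O23 line to show that non-O4 lines are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Core Windows processes are started by the kernel, smss or winlogon, never
# from a Run key, so a Run entry naming one is worth a look whatever the path.
# (Assumed list, chosen for illustration.)
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe"}

# Shape of a HijackThis autorun line:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    hive: str
    name: str
    exe: str
    reason: str


def split_command(cmd: str) -> tuple[str, str]:
    """Return (executable, arguments): a quoted path or the first token."""
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unbalanced quote: take the rest
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def path_parts(path: str) -> list[str]:
    """Split a Windows path into its components (last one is the file name)."""
    return path.replace("/", "\\").rstrip("\\").split("\\")


def flag_o4_entries(log_text: str) -> list[Finding]:
    """Parse O4 lines and return the entries a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        parts = path_parts(exe)
        # rundll32 only hosts a DLL: judge the DLL path, not rundll32 itself.
        if parts[-1].lower() == "rundll32.exe" and args:
            exe = args.split(",", 1)[0].strip()
            parts = path_parts(exe)
        base = parts[-1].lower()
        if base in CORE_PROCESSES:
            reason = "core Windows process name launched from a Run key"
            if len(parts) < 2 or parts[-2].lower() != "system32":
                reason += " and not located in System32"
            findings.append(Finding(m.group("hive"), m.group("name"), exe, reason))
        elif len(parts) == 1:
            # A bare filename is resolved through the search path at logon;
            # often legitimate (Creative's CTHELPER.EXE) but worth confirming.
            findings.append(Finding(m.group("hive"), m.group("name"), exe,
                                    "unqualified filename, resolved via search path"))
    return findings


if __name__ == "__main__":
    for f in flag_o4_entries(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.exe}: {f.reason}")
```

Run against the full first log, the script reports the `.nvsvc` entry as a core process name outside System32 and lists the bare-filename entries (CTHELPER.EXE, CTXFIHLP.EXE, nwiz.exe) for confirmation only.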

Marsh Posted on 16-07-2006 at 18:14:18

Hello, if by online purchases you mean cracks, you should have thought of that before (don't worry, you're not the only one who has tried it :D) lol.  
 
For now I advise against online purchases ;)
 
OK, follow these steps and Mr. Keygen will be kicked off your computer :D
 
1) Configure BitDefender with delete as the second action
2) Run the scan again
3) Boot into safe mode (tap F8 at boot) and stay there until I tell you ;)
4) Empty the contents of the folders:

  • C:\Temp
  • C:\WINDOWS\Temp
  • C:\WINDOWS\Prefetch
  • C:\Documents and Settings\tous les comptes\Local Settings\Temp
  • C:\Documents and Settings\tous les comptes\Temporary internet files\CONTENT.IE5


5) Clear the cache + cookies + history of ALL installed browsers
6) Delete C:\Documents and Settings\stephane\Mes documents\Utilitaires\Cyberlink.PowerDVD.v7.0.1725.0.Multilangages.Incl-Activation.rar=>Activation\keygen.exe
 
7) Boot into normal mode
8) Run HijackThis again


Message edited by med365 on 16-07-2006 at 18:15:52

Marsh Posted on 16-07-2006 at 20:25:50

Hi med365
 
No, by online purchases I simply meant buying on sites like amazon.fr and other sites of the same kind... ;)  
 
The Clean report:
 

Quote:

Script clean par Malekal_morte - http://www.malekal.com  
 
*** SUPPRESSION DES FICHIERS  
 
 
 
*** Suppressions de trojans/vers sur...  
C:\WINDOWS\system32\bdod.bin FOUND  
 
 
 
*** Suppressions des adware connus...


 
Here is the HijackThis report:
 

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 20:22:50, on 16/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\stephane\Mes documents\Utilitaires\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/p [...] nicode.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://I:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 7452004109
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://config.zebulon.fr/plugins/hardwaredetection.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


 
What do you think?
 
P.S.: I don't have a C:\temps
 
Thanks ;)

Reply

Marsh Posted on 16-07-2006 at 22:12:40    

It's C:\Temp
 
What results with Bitdefender?
 
Follow these steps:
 
1) Download killbox: http://www.bleepingcomputer.com/killbox.php
2) Copy this line to the clipboard:
C:\WINDOWS\system32\bdod.bin
3) Launch killbox and open the File / Paste from clipboard menu
4) Tick the "Delete a file on reboot" box
5) Click the white cross and accept the reboot
 
6) Then tick:

Quote:


O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?  
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/p [...] nicode.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://I:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/window [...] 7452004109
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://config.zebulon.fr/plugins/hardwaredetection.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab  


 
I saw you have Ewido; update it, run it, and then post the report.
 
@+

Reply
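The advice above singles out two kinds of HijackThis entries: the O16 DPF lines (ActiveX controls that Internet Explorer downloaded and installed) and the Global Startup shortcuts whose target HijackThis could not resolve ("= ?"). Below is an added example, not code from the thread or from HijackThis, that triages a log in that format mechanically: it pulls out the entries marked "(file missing)", the unresolved startup shortcuts, and every O16 control together with where it came from. The sample lines are copied from the log quoted in this thread; the classification rules are my own assumptions about what a reviewer looks at first, and the "[...]" in one URL is preserved as it appears on the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: HijackThis lines in the same format as the log
# quoted in this thread (these particular entries are copied from it).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/p [...] nicode.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://I:\content\include\XPPatchInstaller.CAB
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://config.zebulon.fr/plugins/hardwaredetection.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
"""

# "O<n> - <body>": the section code says what kind of hook the entry is.
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (optional name) - <source URL or path>"
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<source>.+)$"
)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def source_origin(source: str) -> str:
    """Describe where a DPF control came from: scheme plus host for URLs."""
    scheme, sep, rest = source.partition("://")
    if not sep:
        return "unknown source"
    scheme = scheme.lower()
    if scheme in ("http", "https"):
        return f"{scheme} download from {rest.split('/', 1)[0]}"
    return f"{scheme} path {rest}"


def triage_hjt(text: str) -> list[Finding]:
    """Return the entries a reviewer should look at first (assumed rules)."""
    findings: list[Finding] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        # A registered hook whose target no longer exists is dead weight and
        # often the leftover of a removed program or an incomplete cleanup.
        if "(file missing)" in body:
            findings.append(Finding(section, "target file missing", line))
        # HijackThis prints "= ?" when it cannot resolve a startup shortcut.
        if section == "O4" and body.endswith("= ?"):
            findings.append(Finding(section, "startup shortcut target unresolved", line))
        # O16 entries are ActiveX controls the browser downloaded and installed;
        # each one is code that runs inside Internet Explorer, so any control
        # that is no longer needed is attack surface worth removing.
        if section == "O16":
            d = DPF_RE.match(body)
            if d:
                label = d.group("name") or d.group("clsid")
                origin = source_origin(d.group("source"))
                findings.append(
                    Finding(section, f"downloaded ActiveX control {label}: {origin}", line)
                )
    return findings


def count_by_section(findings: list[Finding]) -> dict[str, int]:
    """How many flagged entries each HijackThis section contributed."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

On the sample the script flags the unresolved hp psc shortcut, the three O16 controls (two fetched over plain http, one installed from a file:// path on drive I:) and the two entries whose target file is missing; the ordinary O4 Run entries pass through untouched.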

Marsh Posted on 17-07-2006 at 00:37:30    


Quote:

ewido anti-spyware - Scan Report
---------------------------------------------------------
 
 + Created at: 23:31:22 16/07/2006
 
 + Scan result:  
 
 
 
C:\Documents and Settings\stephane\Cookies\stephane@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\stephane\Cookies\stephane@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : No action taken.
C:\Documents and Settings\stephane\Cookies\stephane@weborama[1].txt -> TrackingCookie.Weborama : No action taken.
C:\Documents and Settings\stephane\Cookies\stephane@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
 
 
ewido anti-spyware - Scan Report


 
and then, after deleting all of that:
 
 

Quote:

+ Created at: 23:32:22 16/07/2006
 
 + Scan result:  
 
 
 
C:\Documents and Settings\stephane\Cookies\stephane@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\stephane\Cookies\stephane@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
 
 
::Report end


 
 
Here's the Bitdefender report:  
 
 

Quote:

//-----------------------------------------------------------------
//
// Product: BitDefender 9 Professional Plus
// Version: 9.5
//
// Créé le:  16/07/2006 23:34:40
//
//-----------------------------------------------------------------
 
 
Statistiques
 
Chemin cible:  C:\
  D:\
Dossiers  : 4287
Fichiers  :  462346
Archives : 3165  
Fichiers empaquetés  : 58062
Virus trouvés   : 0
Fichiers infectés   : 0
Alertes   : 0
Fichiers suspects   : 0
Fichiers désinfectés   : 0
Fichiers effacés   : 0
Fichiers copiés   : 0
Fichiers déplacés : 0
Fichiers renommés   : 0
Erreurs I/O   : 30
Temps d'analyse   := 00:47:04
Fichiers/seconde   :163
 
Statistiques Spywares
 
Processus Mémoire analysés : 24
Processus Mémoire infectés : 0
Clés de registres analysées  : 1724
Clés de registres infectés  : 0
Cookies analysés   : 600
Cookies infectés  : 0
Fichiers spyware infectés   : 0
Menaces Spyware détectées : 0
 
 
Définitions virus  : 434237
Plugins d'analyse : 15
Plugins archives : 42
Plug-ins décompression : 5
Plug-ins messagerie : 6
Plug-ins système : 5
 
Options d'analyse
 
Détection
[X] Analyser le secteur de boot
[X] Analyser les archives
[X] Analyser les fichiers en paquets
[X] Analyser la messagerie
 
Masque fichiers
[ ] Programmes
[X] Tous les fichiers
[ ] Extensions définies par l'utilisateur:  
[ ] Exclure les extensions: ;
 
Action
 
Objets infectés
[ ] Ignorer
[X] Désinfecter
[ ] Effacer
[ ] Copier
[ ] Déplacer dans le dossier infectés
[ ] Renommer
[ ] Demander l'action
 
Seconde action
[ ] Ignorer
[ ] Effacer
[ ] Copier
[X] Déplacer dans le dossier infectés
[ ] Renommer
[ ] Demander l'action
 
Options d'analyse
[X] Activer les alertes
[X] Activer l'heuristique
[ ] Afficher tous les fichiers dans le journal
[X] Fichier journal : C:\Program Files\Softwin\BitDefender9\Logs\vscan_1153085680.log
 
Options d'analyse Spyware
 
[X] Processus mémoire
[X] Clés de registres
[X] Cookies

Reply

Marsh Posted on 17-07-2006 at 22:42:04    

Well, it looks like it's gone :D  
 
Last thing: run an online check scan at http://www.kaspersky.fr/ and post the report.  
 
Are you still having problems?

Reply

Marsh Posted on 18-07-2006 at 09:49:52    

Hi Med365
 
The scan is running; just to point out that I installed Cyberhawk, which theoretically detects viruses not yet listed by our antivirus programs, and it flags a problem with C:\WINDOWS\system32\WgaTray
 
Does that mean anything to you? Neither Bitdefender nor Ewido finds anything suspicious about it; only Cyberhawk finds its behaviour suspicious.

Reply

Marsh Posted on 18-07-2006 at 11:01:44    

There we go, it finds Trojan.Win32.Agent.xa
 

Quote:

KASPERSKY ONLINE SCANNER REPORT
 Tuesday, July 18, 2006 10:58:51 AM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 18/07/2006
 Kaspersky Anti-Virus database records: 195632
-------------------------------------------------------------------------------
 
Scan Settings:
 Scan using the following antivirus database: standard
 Scan Archives: true
 Scan Mail Bases: true
 
Scan Target - My Computer:
 A:\
 C:\
 D:\
 E:\
 F:\
 G:\
 H:\
 I:\
 J:\
 
Scan Statistics:
 Total number of scanned objects: 63643
 Number of viruses found: 1
 Number of infected objects: 1 / 0
 Number of suspicious objects: 0
 Duration of the scan process: 01:08:12
 
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Creative\CADI\Preset\PCI_BUS1102-5-211102-BC00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\stephane\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Historique\History.IE5\MSHist012006071820060719\index.dat Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\stephane\ntuser.dat Object is locked skipped
C:\Documents and Settings\stephane\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Creative\ShareDLL\CADI\CTPLang.dat Object is locked skipped
C:\Program Files\Softwin\BitDefender9\asdict.dat Object is locked skipped
C:\Program Files\Softwin\BitDefender9\aspdict.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP323\A0036045.exe Infected: Trojan.Win32.Agent.xa skipped
C:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP328\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_3a8.dat Object is locked skipped
C:\WINDOWS\Temp\tmp000023d2\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP319\A0033393.exe Object is locked skipped
D:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP328\change.log Object is locked skipped
 
Scan process completed.


 
So it's this line that's the problem

Quote:

C:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP323\A0036045.exe Infected: Trojan.Win32.Agent.xa skipped


 
So I enter this address in my browser, C:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP323\A0036045.exe, and an alert message comes up; Ewido puts the trojan in quarantine. I go and look in the quarantine, find a file that Ewido has presumably renamed, and delete it......... I'm running the Kaspersky scan again.


Message edited by asjacks on 18-07-2006 at 11:14:29
Reply
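The report above has one real detection buried among dozens of "Object is locked skipped" lines, and that detection sits inside a System Restore point (System Volume Information\_restore{...}), which is why a file already deleted from Temp keeps showing up. Below is an added example, not code from the thread or from Kaspersky, that reads a report in this format and separates the two: locked-object noise on one side, infected objects on the other, with a flag for detections living in restore points and a cross-check of the parsed count against the "Number of infected objects" summary line. The sample report is a shortened copy of the one quoted above; the two status shapes the parser recognises ("Object is locked <action>" and "Infected: <name> <action>") are the only ones that appear on this page, and treating "skipped" as "still on disk" is my own assumption.

```python
from __future__ import annotations

import re

# Constructed sample input: a shortened Kaspersky Online Scanner report in the
# same format as the two quoted in this thread (object lines copied from the
# first of them).
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER REPORT
 Tuesday, July 18, 2006 10:58:51 AM
Scan Statistics:
 Total number of scanned objects: 63643
 Number of viruses found: 1
 Number of infected objects: 1 / 0
 Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP323\A0036045.exe Infected: Trojan.Win32.Agent.xa skipped
D:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP319\A0033393.exe Object is locked skipped

Scan process completed.
"""

# Object lines are "<path> <status>"; paths contain spaces, so anchor on the
# two status shapes that appear in the report instead of splitting on spaces.
OBJECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?:Object is locked (?P<locked_action>\w+)"
    r"|Infected: (?P<virus>\S+) (?P<action>\w+))$"
)
# Summary line; only the first number is used here.
SUMMARY_RE = re.compile(r"^\s*Number of infected objects: (?P<found>\d+) / \d+\s*$")
# Windows XP System Restore keeps copies of replaced files under this path.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def triage_report(text: str) -> dict:
    """Split a scanner report into locked-object noise and real detections."""
    locked: list[str] = []
    detections: list[dict] = []
    reported: int | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        s = SUMMARY_RE.match(line)
        if s:
            reported = int(s.group("found"))
            continue
        m = OBJECT_RE.match(line)
        if not m:
            continue
        if m.group("virus"):
            detections.append({
                "path": m.group("path"),
                "virus": m.group("virus"),
                "action": m.group("action").lower(),
                # A copy inside a restore point survives deleting the original
                # and will be reported again until System Restore is cleared.
                "in_restore_point": bool(RESTORE_RE.search(m.group("path"))),
            })
        else:
            locked.append(m.group("path"))
    return {
        "reported_infected": reported,
        "parsed_infected": len(detections),
        # Did we parse every detection the scanner itself counted?
        "count_matches_summary": reported == len(detections),
        "locked_skipped": len(locked),
        "detections": detections,
        # "skipped" on an infected object means the scanner left it in place
        # (assumption: it is still on disk for the next scan to find).
        "still_present": [d for d in detections if d["action"] == "skipped"],
    }


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    print(f"locked objects skipped: {result['locked_skipped']}")
    print(f"detections: {result['parsed_infected']} "
          f"(scanner reported {result['reported_infected']})")
    for d in result["still_present"]:
        where = "restore point" if d["in_restore_point"] else "live file"
        print(f"  still present ({where}): {d['virus']} at {d['path']}")
```

Run against the full report the output is a single line to act on, which is exactly the one the poster picked out by hand; the restore-point flag is the cue to disable System Restore before rescanning, as the next reply in the thread recommends.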

Marsh Posted on 18-07-2006 at 11:55:23    

Looks good...
 

Quote:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, July 18, 2006 11:54:35 AM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 18/07/2006
 Kaspersky Anti-Virus database records: 195639
-------------------------------------------------------------------------------
 
Scan Settings:
 Scan using the following antivirus database: standard
 Scan Archives: true
 Scan Mail Bases: true
 
Scan Target - Folders:
 C:\Documents and Settings\
 C:\Program Files\
 C:\RECYCLER\
 C:\System Volume Information\
 C:\WINDOWS\
 
Scan Statistics:
 Total number of scanned objects: 54064
 Number of viruses found: 0
 Number of infected objects: 0 / 0
 Number of suspicious objects: 0
 Duration of the scan process: 00:47:21
 
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Creative\CADI\Preset\PCI_BUS1102-5-211102-BC00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\stephane\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Historique\History.IE5\MSHist012006071820060719\index.dat Object is locked skipped
C:\Documents and Settings\stephane\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\stephane\ntuser.dat Object is locked skipped
C:\Documents and Settings\stephane\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Creative\ShareDLL\CADI\CTPLang.dat Object is locked skipped
C:\Program Files\Softwin\BitDefender9\asdict.dat Object is locked skipped
C:\Program Files\Softwin\BitDefender9\aspdict.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{271F363B-3DF2-4CA3-B60A-ECBF1C5E804D}\RP328\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_3a8.dat Object is locked skipped
C:\WINDOWS\Temp\tmp00005bc7\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
 
Scan process completed.

Reply

Marsh Posted on 18-07-2006 at 19:49:05    

Yes, well done, it looks good... I should have told you to disable System Restore right from the start... to be safe, do this:
 
1° Disable System Restore
 
2° Download ATF Cleaner: http://www.atribune.org/
 
3° Launch ATF Cleaner; in the "Main" tab tick the last box, "Select All", then click Empty Selected and repeat the operation until it shows "0 bytes freed"
 
Send me a screenshot of the Cyberhawk message please

Reply


Marsh Posted on 18-07-2006 at 23:40:30    

Good evening Asjacks,
 

Quote:

The scan is running; just to point out that I installed Cyberhawk, which theoretically detects viruses not yet listed by our antivirus programs, and it flags a problem with C:\WINDOWS\system32\WgaTray


 
 
If it really is located in the Windows XP System32 folder, the "wgatray.exe" process is the system notification for the "Windows Genuine Advantage" software (validation of the installation's authenticity).
 
Microsoft has in fact provided a (non-guaranteed) way to uninstall it...
 
Good night,

Reply

Marsh Posted on 19-07-2006 at 19:59:08    

Anyway, what's the point of uninstalling it, do you think? They have some strange ideas at 'cro$oft sometimes  :heink:

Reply
