Win32:Trojan-gen. {UPX!} - Sécurité - Windows & Software
Marsh Posté le 21-02-2005 à 19:34:46
ok, ben pour commencer : http://www.hijackthis.de
ensuite :
toutes les maj windows, installation de ms antispy, scan
byebye le mulet, bonjour le firewall!
Marsh Posté le 21-02-2005 à 17:10:07
Salut à tous,
Je n'arrive décidément pas à éradiquer ce trojan.
De plus, depuis son "apparition", mon dossier "Program Files" affiche un poids de 50 Go, et mon disque dur semble (sic) saturé !
Voici le log de Hijackthis :
Logfile of HijackThis v1.99.1
Scan saved at 16:12:33, on 21/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast! 4.5.549\aswUpdSv.exe
C:\Program Files\Avast! 4.5.549\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\CheckFlow\FlowProtector\4.0.0.1\FlowService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\AVAST!~1.549\ashDisp.exe
C:\WINDOWS\iqyqtpx.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quintessential Player 4.51\Quintessential Player\QCDPlayer.exe
C:\Program Files\eMule v0.42e\eMule v0.42e.exe
C:\Program Files\Skype 0.97\Skype.exe
C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox 0.9.3\firefox\firefox.exe
C:\Program Files\Groove Workspace v2.5g\Bin\Groove.exe
C:\Program Files\Notmad 8.7.1\Notmad Explorer\notmgr.exe
C:\Program Files\Avast! 4.5.549\ashMaiSv.exe
C:\Documents and Settings\JD Dalloz\Bureau\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries [...] efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search [...] id=1001732
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search [...] id=1001732
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search [...] id=1001732
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - \Program Files\Groove Workspace v2.5g\Bin\GrooveShellExtensions.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - \Program Files\SideFind\sfbho.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] :"C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST!~1.549\ashDisp.exe
O4 - HKLM\..\Run: [¢¸K0¨4W
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\iqyqtpx.exe
O4 - HKLM\..\Run: [uJ8chOGfd] C:\WINDOWS\iqyqtpx.exe
O4 - HKLM\..\Run: [QuickTime Task] :"C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [¢¸K0¨4W
}ïÁzîigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\iqyqtpx.exe
O4 - HKLM\..\Run: [sais] \program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] \Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [¢¸K0Ô@ÔÁß]§ú"üüiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\iqyqtpx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MyIE 2 0.9.11] :"C:\Program Files\MyIE2 0.9.11\MyIE.exe"
O4 - HKCU\..\Run: [Quintessential Player] "C:\Program Files\Quintessential Player 4.51\Quintessential Player\QCDPlayer.exe"
O4 - HKCU\..\Run: [eMule 0.42] "C:\Program Files\eMule v0.42e\eMule v0.42e.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype 0.97\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [Outlook 2003] "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"
O4 - HKCU\..\Run: [Firefox] "C:\Program Files\Mozilla Firefox 0.9.3\firefox\firefox.exe"
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Notmad 8.7.1\Notmad Explorer\notmgr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Groove Virtual Office.lnk = C:\Program Files\Groove Workspace v2.5g\Bin\Groove.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O15 - Trusted Zone: http://club.lemonde.fr
O16 - DPF: KANA IQ LiveA - http://dmzchatonly.europe.creative.com/srvs/eu/eu1.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.f [...] r_cert.cab
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.advnt01.com/dialer/france_nos.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.mayeticvillage.fr/qp2.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://81.255.93.68/icm/caller.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/ac [...] 0-3-12.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09a69515a2174 [...] 601_fr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/tools/activex/fpu.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537 [...] scan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/software [...] egular.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AA0A1054-0000-0000-0000-000000000000} - http://wsw38.amenworld.com/agendiz [...] utlook.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://ni.centra.com/main/Install/ [...] loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eva [...] cssweb.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F49B63B2-D338-11D3-BA96-00A0C9E0A834} (QuickPlace Offline Class) - http://www.mayeticvillage.fr/download/qpoffline.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast! 4.5.549\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast! 4.5.549\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast! 4.5.549\ashMaiSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: FlowProtectorService - Unknown owner - C:\Program Files\CheckFlow\FlowProtector\4.0.0.1\FlowService.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - C:\Program Files\Groove Workspace v2.5g\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Workspace v2.5g\Bin\GrooveInstallerService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Quelqu'un a-t-il la clé ?
Merci d'avance, et longue vie à tous !