Hello
Today I got quite a few alerts from Avast about a Trojan horse.
Everything is in Quarantine.
Description
Sign of Win32 Trojan-Gen ... in "C:\iha.exe" file
in "C:\aajsi.exe" file
in Temporary Internet Files
Sign of Win3 Rootkit-Rkt in "C:\aos.exe" file
I ran MBAM a first time:
Then a second time, and all that remained was
C:\Program Files\EoRezo (Rogue.Eorezo) -> Delete on reboot.
but it shows up every time.
Here is the log:
Malwarebytes' Anti-Malware 1.34
Version de la base de données: 1773
Windows 5.1.2600 Service Pack 3
18/02/2009 14:04:28
mbam-log-2009-02-18 (14-04-28).txt
Type de recherche: Examen complet (C:\|E:\|)
Eléments examinés: 170604
Temps écoulé: 40 minute(s), 2 second(s)
Processus mémoire infecté(s): 1
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 9
Processus mémoire infecté(s):
C:\WINDOWS\fxstaller.exe (Backdoor.Bot) -> Failed to unload process.
Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)
Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)
Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window UDP Control Servic (Backdoor.Bot) -> Quarantined and deleted successfully.
Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)
Dossier(s) infecté(s):
(Aucun élément nuisible détecté)
Fichier(s) infecté(s):
C:\WINDOWS\fxstaller.exe (Backdoor.Bot) -> Delete on reboot.
C:\U.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\estelle\Local Settings\Temp\IXP000.TMP\bb.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\estelle\Local Settings\Temporary Internet Files\Content.IE5\2GHDRC8W\uddb[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D2A18A11-B05B-4953-BB0B-B313A24ED657}\RP207\A0037002.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D2A18A11-B05B-4953-BB0B-B313A24ED657}\RP207\A0037044.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D2A18A11-B05B-4953-BB0B-B313A24ED657}\RP207\A0037054.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\EoRezo (Rogue.Eorezo) -> Delete on reboot.
Here is a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16:05, on 18/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
E:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\RTHDCPL.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
H:\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxstaller.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RESEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - E:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - E:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
--
End of file - 6449 bytes
I have no more alerts at the moment.
There you go, thanks for your help and your opinions.