Bonjour, à tous alors voilà j'ai depuis que j'ai voulu mettre des photos sur facebook un virus ! (je pense que c'est à cause de ce prog car c'est la seule chose que j'ai installé dernierement) vous savez pour creez un album il faut installer le javaruntime y a marqué cliquez pour avoir le pluging il a rien trouver en installation automatique alors j'ai cliqué sur instal manuelle est ça ma fait tel ce fichier "xpiinstall-6u11-fcs-bin-b90-windows-i586-25_nov_2008.exe"
bon ça me parait bizarre qu'il soit infecté car bon si il provient du site officiel de java !! bref
des qu'on supprime le fichier dans windows il se regenere automatiquement ! j'ai lu que c'est donc un rootkit !
j'ai essayé ccleaner en mode sans echec , j'ai fais un sdfix rien, j'ai fais un flash desinfector rien aussi donc voila je sais pas trop koi faire voici les rapport :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:27:02, on 31/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Windows\LSD\LClock\lclock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\AhnRpta.exe -----c'est celui là qui me fais chi...-----
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winlsd.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winlsd.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [LClock] C:\Windows\LSD\LClock\lclock.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe ----ça aussi je sais pas trop cke sais ???-----
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [WinLSD_SP3] %systemroot%\LSD\end.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [WinLSD_SP3] %systemroot%\LSD\end.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WinLSD_SP3] %systemroot%\LSD\end.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WinLSD_SP3] %systemroot%\LSD\end.cmd (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
--
End of file - 4072 bytes
celui de sdfix :
[b]SDFix: Version 1.240
/b
Run by Administrateur on 31/01/2009 at 13:39
Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services
/b:
Restoring Default Security Values
Restoring Default Hosts File
Restoring Missing Security Center Service
Rebooting
[b]Checking Files
/b:
Trojan Files Found:
C:\autorun.inf - Deleted
C:\WINDOWS\Config\csrss.exe - Deleted
Removing Temp Files
[b]ADS Check
/b:
[b]Final Check
/b:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-31 13:51:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services
/b:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
[b]Remaining Files
/b:
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes
/b:
Sun 16 Nov 2008 106,363 ..SHR --- "C:\0w.com"
Sat 6 Dec 2008 104,421 ..SHR --- "C:\2u.com"
Mon 8 Dec 2008 107,045 ..SHR --- "C:\6fnlpetp.exe"
Wed 21 Jan 2009 108,869 ..SHR --- "C:\gy.exe"
Sat 31 Jan 2009 109,127 ..SHR --- "C:\hl80c6b1.com"
Mon 8 Dec 2008 107,045 ..SHR --- "C:\m9ma.exe"
Sat 8 Nov 2008 108,973 ..SHR --- "C:\sq.com"
Wed 21 Jan 2009 107,983 ..SHR --- "C:\w98.com"
Mon 10 Nov 2008 108,271 ..SHR --- "C:\whi.com"
Fri 16 Jan 2009 110,003 ..SHR --- "C:\x2csvg.exe"
Sat 8 Nov 2008 108,973 ..SHR --- "C:\WINDOWS\system32\ckvo.exe"
Sun 9 Nov 2008 85,504 ..SHR --- "C:\WINDOWS\system32\ckvo0.dll"
Sat 8 Nov 2008 85,504 ..SHR --- "C:\WINDOWS\system32\ckvo1.dll"
Sat 31 Jan 2009 84,992 ..SHR --- "C:\WINDOWS\system32\gasretyw0.dll"
Mon 8 Dec 2008 84,992 ..SHR --- "C:\WINDOWS\system32\gasretyw1.dll"
Mon 8 Dec 2008 107,045 ..SHR --- "C:\WINDOWS\system32\kamsoft.exe"
Sat 31 Jan 2009 95,744 ..SHR --- "C:\WINDOWS\system32\nmdfgds1.dll"
Sat 31 Jan 2009 109,127 ..SHR --- "C:\WINDOWS\system32\olhrwef.exe"
Wed 24 Dec 2008 117,918 ..SHR --- "C:\WINDOWS\system32\vamsoft.exe"
Sat 31 Jan 2009 85,504 ..SHR --- "C:\WINDOWS\system32\vbsdfe0.dll"
Wed 24 Dec 2008 85,504 ..SHR --- "C:\WINDOWS\system32\vbsdfe1.dll"
Mon 24 Nov 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 24 Nov 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
[b]Finished!
/b
Mon ordi reste clean quand il y a de nouveaux processus je m'en apercois mais celui là j'arrive pas à m'en débarrasser donc je veux bien un peu d'aide merci beaucoup !! à oui y a le kamsoft.exe je sais pas trop ce que sais bref j'attends vos reponse avec impatiente merci encore
Configuration: Windows XP (lsd)
Firefox 3.0.5
