Virtumonde infection
shoura (Member, 23 posts, age 36, registered 20/08/2008)
Subject: Virtumonde infection, Wed 20 Aug, 2:39:47
Greetings. So, I've been infected by Virtumonde. The HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:31:12, on 20/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrateur\Bureau\HiJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Ultimate Edition
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: ;Tag&rename
O2 - BHO: (no name) - {212E837F-ECD0-4DC1-91F2-357F66350A5d} - C:\WINDOWS\system32\blvpdnoh.dll
O2 - BHO: {fe31bb9d-5861-4bdb-ede4-cd218e190c13} - {31c091e8-12dc-4ede-bdb4-1685d9bb13ef} - C:\WINDOWS\system32\aavprd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\iiffExYQ.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AC6DA111-C35B-48B1-8DDB-8C2ADD034C04} - C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\BNHY01BD\3077htsbdjyf[1].dll
O2 - BHO: (no name) - {C88BC945-42FE-4D84-8906-E76F6ACBE162} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BMc3fe14ad] Rundll32.exe "C:\WINDOWS\system32\nscdvrvf.dll",s
O4 - HKLM\..\Run: [c0cd2731] rundll32.exe "C:\WINDOWS\system32\eillhpwk.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA4839] command /c del "C:\WINDOWS\system32\iiffExYQ.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4061] cmd /c del "C:\WINDOWS\system32\iiffExYQ.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5480] command /c del "C:\WINDOWS\system32\ljjGAQkH.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2061] cmd /c del "C:\WINDOWS\system32\ljjGAQkH.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2451] command /c del "C:\WINDOWS\system32\pekryats.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4756] cmd /c del "C:\WINDOWS\system32\pekryats.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4579] command /c del "C:\Documents and Settings\Administrateur\Local Settings\Temp\removalfile.bat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3363] cmd /c del "C:\Documents and Settings\Administrateur\Local Settings\Temp\removalfile.bat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6900] command /c del "C:\WINDOWS\system32\iiffExYQ.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4789] cmd /c del "C:\WINDOWS\system32\iiffExYQ.dll"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O20 - AppInit_DLLs: wxohjc.dll hzwjvf.dll aavprd.dll
O20 - Winlogon Notify: iiffExYQ - C:\WINDOWS\SYSTEM32\iiffExYQ.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8754 bytes

There it is. I'm going to start the procedure to get rid of Virtumonde with Malwarebytes and all that.
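As an added example (not code from the thread, nor from HijackThis, Malwarebytes or VirtumundoBeGone), the following Python script does the triage a helper performs by eye on a log like the one above. It parses HijackThis entries and flags the Vundo persistence pattern: a BHO with no name loaded from system32, a Run entry that starts a system32 DLL through rundll32 with a one-letter export (the ",s" and ",b" forms in the log), anything listed in AppInit_DLLs, any Winlogon Notify package, and the cross-check that a nameless BHO is also a Winlogon Notify package. The sample lines are constructed from entries in the posted log (a subset, with two benign NVIDIA and Spybot lines kept as controls); the regexes, the one-letter-export threshold and the output format are my assumptions, not any tool's rules.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis v2.0.2 lines modelled on the entry types in
# the posted log (a subset, not the full log). The NVIDIA and Spybot lines are
# benign controls the heuristics should leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {212E837F-ECD0-4DC1-91F2-357F66350A5d} - C:\WINDOWS\system32\blvpdnoh.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\iiffExYQ.dll
O2 - BHO: (no name) - {C88BC945-42FE-4D84-8906-E76F6ACBE162} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMc3fe14ad] Rundll32.exe "C:\WINDOWS\system32\nscdvrvf.dll",s
O4 - HKLM\..\Run: [c0cd2731] rundll32.exe "C:\WINDOWS\system32\eillhpwk.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingC4061] cmd /c del "C:\WINDOWS\system32\iiffExYQ.dll"
O20 - AppInit_DLLs: wxohjc.dll hzwjvf.dll aavprd.dll
O20 - Winlogon Notify: iiffExYQ - C:\WINDOWS\SYSTEM32\iiffExYQ.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Entry shapes as HijackThis prints them (assumed from the log, not a spec)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# rundll32 <dll>,<export>; the Vundo entries use a one-letter export (",s", ",b")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name, so iiffExYQ.dll and IIFFEXYQ.DLL collide."""
    return path.rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each suspicious DLL (or orphaned CLSID) to the reasons it was flagged."""
    findings: dict[str, list[str]] = defaultdict(list)
    bho_dlls: set[str] = set()
    notify_dlls: set[str] = set()

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            if m["path"] == "(no file)":
                findings["clsid " + m["clsid"]].append("BHO registration whose DLL is gone; delete the CLSID")
            elif m["name"] == "(no name)" and _in_system32(m["path"]):
                dll = _basename(m["path"])
                bho_dlls.add(dll)
                findings[dll].append(f"unnamed BHO {m['clsid']} loaded from system32")
        elif m := RUN_RE.match(line):
            r = RUNDLL_RE.match(m["cmd"])
            if r and _in_system32(r["dll"]) and len(r["export"]) <= 1:
                dll = _basename(r["dll"])
                findings[dll].append(
                    f"{m['hive']}\\..\\{m['key']} [{m['value']}] loads it via rundll32 with export '{r['export']}'")
        elif m := APPINIT_RE.match(line):
            for dll in m["dlls"].split():
                findings[dll.lower()].append("listed in AppInit_DLLs: injected into every process that loads user32.dll")
        elif m := NOTIFY_RE.match(line):
            dll = _basename(m["path"])
            notify_dlls.add(dll)
            findings[dll].append(f"Winlogon Notify package '{m['name']}': loaded by winlogon.exe, not by the shell")

    # Cross-check: a nameless BHO that is also a Winlogon Notify package
    for dll in bho_dlls & notify_dlls:
        findings[dll].append("same DLL is both a nameless BHO and a Winlogon Notify package")
    return dict(findings)


if __name__ == "__main__":
    for item, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(item)
        for reason in reasons:
            print("   -", reason)
```

On the sample, NvCpl.dll (rundll32 with a real export name) and SDHelper.dll (a named BHO outside system32) are not reported, while the three AppInit_DLLs entries are reported even though nothing else in the log references them: AppInit_DLLs is loaded into every GUI process, which is why the MBAM scan later finds those same DLLs mapped in memory.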
geoffrey5 (Admin, 1849 posts, age 43, Liège, Belgium, OS: XP, IBM with Intel Celeron 2.4 GHz, 1.5 GB RAM, registered 28/07/2008)
Subject: Re: ... Wed 20 Aug, 2:41:20

lol... post the logs on my forum or on Comment Ça Marche, but not on both, lol, that's pointless.
shoura (Member)
Subject: Re: Virtumonde infection, Wed 20 Aug, 2:43:18

I'll post them here then ^^
Let's say I'm a little bit panicked.... :$
geoffrey5 (Admin)
Subject: Re: ... Wed 20 Aug, 2:45:35

OK, no problem shoura
geoffrey5 (Admin)
Subject: Re: ... Wed 20 Aug, 2:46:53

I won't be at the PC for a good half hour... post the logs anyway, I'll check them right afterwards.
I suppose you're starting with Malwarebytes, so the scan is going to take a little while.
See you later
shoura (Member)
Subject: Re: Virtumonde infection, Wed 20 Aug, 14:25:28

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 3

13:18:48 20/08/2008
mbam-log-08-20-2008 (13-18-48).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 59163
Time elapsed: 10 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 21
Registry Values Infected: 11
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mlJAsRJa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wxohjc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hzwjvf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aavprd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gtkluu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iiffExYQ.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17fbae0a-8cbd-4cc5-809d-8ed6ebf5b47a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{17fbae0a-8cbd-4cc5-809d-8ed6ebf5b47a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4a839ae7-f841-48b2-a340-c5cc0bf5ff18} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4a839ae7-f841-48b2-a340-c5cc0bf5ff18} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54018e98-10e3-46c6-9673-2999253f9c65} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iiffexyq (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{54018e98-10e3-46c6-9673-2999253f9c65} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{212e837f-ecd0-4dc1-91f2-357f66350a5d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{212e837f-ecd0-4dc1-91f2-357f66350a5d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ac6da111-c35b-48b1-8ddb-8c2add034c04} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ac6da111-c35b-48b1-8ddb-8c2add034c04} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{edf86774-80ef-4ae0-9dd2-0f2e24d8d30b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c0cd2731 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{54018e98-10e3-46c6-9673-2999253f9c65} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga4839 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc4061 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga6900 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc4789 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmc3fe14ad (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mljasrja -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljasrja
shoura (Member)
Subject: Re: Virtumonde infection, Wed 20 Aug, 14:57:21

Here is the VirtumundoBeGone log:

[08/20/2008, 13:33:23] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrateur\Bureau\VirtumundoBeGone.exe" )
[08/20/2008, 13:33:32] - Detected System Information:
[08/20/2008, 13:33:32] - Windows Version: 5.1.2600, Service Pack 3
[08/20/2008, 13:33:32] - Current Username: Administrateur (Admin)
[08/20/2008, 13:33:32] - Windows is in NORMAL mode.
[08/20/2008, 13:33:32] - Searching for Browser Helper Objects:
[08/20/2008, 13:33:32] - BHO 1: {12e245ec-acf7-4b71-b43c-6e228e552dfb} ()
[08/20/2008, 13:33:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:32] - Checking for HKLM\...\Winlogon\Notify\wlvjhg
[08/20/2008, 13:33:32] - Key not found: HKLM\...\Winlogon\Notify\wlvjhg, continuing.
[08/20/2008, 13:33:32] - BHO 2: {4A839AE7-F841-48B2-A340-C5CC0BF5FF18} ()
[08/20/2008, 13:33:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:32] - Checking for HKLM\...\Winlogon\Notify\mlJAsRJa
[08/20/2008, 13:33:32] - Key not found: HKLM\...\Winlogon\Notify\mlJAsRJa, continuing.
[08/20/2008, 13:33:32] - BHO 3: {54018E98-10E3-46C6-9673-2999253F9C65} ()
[08/20/2008, 13:33:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:32] - Checking for HKLM\...\Winlogon\Notify\iiffExYQ
[08/20/2008, 13:33:32] - Found: HKLM\...\Winlogon\Notify\iiffExYQ - This is probably Virtumundo.
[08/20/2008, 13:33:32] - Assigning {54018E98-10E3-46C6-9673-2999253F9C65} MSEvents Object
[08/20/2008, 13:33:32] - BHO list has been changed! Starting over...
[08/20/2008, 13:33:32] - BHO 1: {12e245ec-acf7-4b71-b43c-6e228e552dfb} ()
[08/20/2008, 13:33:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:32] - Checking for HKLM\...\Winlogon\Notify\wlvjhg
[08/20/2008, 13:33:32] - Key not found: HKLM\...\Winlogon\Notify\wlvjhg, continuing.
[08/20/2008, 13:33:32] - BHO 2: {4A839AE7-F841-48B2-A340-C5CC0BF5FF18} ()
[08/20/2008, 13:33:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:32] - Checking for HKLM\...\Winlogon\Notify\mlJAsRJa
[08/20/2008, 13:33:32] - Key not found: HKLM\...\Winlogon\Notify\mlJAsRJa, continuing.
[08/20/2008, 13:33:32] - BHO 3: {54018E98-10E3-46C6-9673-2999253F9C65} (MSEvents Object)
[08/20/2008, 13:33:32] - ALERT: Found MSEvents Object!
[08/20/2008, 13:33:32] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/20/2008, 13:33:32] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Programme d'aide de l'Assistant de connexion Windows Live)
[08/20/2008, 13:33:32] - BHO 6: {C88BC945-42FE-4D84-8906-E76F6ACBE162} ()
[08/20/2008, 13:33:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:32] - No filename found. Continuing.
[08/20/2008, 13:33:32] - Finished Searching Browser Helper Objects
[08/20/2008, 13:33:32] - *** Detected MSEvents Object
[08/20/2008, 13:33:32] - Trying to remove MSEvents Object...
[08/20/2008, 13:33:33] - Terminating Process: IEXPLORE.EXE
[08/20/2008, 13:33:33] - Terminating Process: RUNDLL32.EXE
[08/20/2008, 13:33:33] - Disabling Automatic Shell Restart
[08/20/2008, 13:33:33] - Terminating Process: EXPLORER.EXE
[08/20/2008, 13:33:33] - Suspending the NT Session Manager System Service
[08/20/2008, 13:33:33] - Terminating Windows NT Logon/Logoff Manager
[08/20/2008, 13:33:33] - Re-enabling Automatic Shell Restart
[08/20/2008, 13:33:33] - File to disable: C:\WINDOWS\system32\iiffExYQ.dll
[08/20/2008, 13:33:33] - Removing HKLM\...\Browser Helper Objects\{54018E98-10E3-46C6-9673-2999253F9C65}
[08/20/2008, 13:33:33] - Removing HKCR\CLSID\{54018E98-10E3-46C6-9673-2999253F9C65}
[08/20/2008, 13:33:33] - Adding Kill Bit for ActiveX for GUID: {54018E98-10E3-46C6-9673-2999253F9C65}
[08/20/2008, 13:33:33] - Deleting ATLEvents/MSEvents Registry entries
[08/20/2008, 13:33:33] - Removing HKLM\...\Winlogon\Notify\iiffExYQ
[08/20/2008, 13:33:33] - Searching for Browser Helper Objects:
[08/20/2008, 13:33:33] - BHO 1: {12e245ec-acf7-4b71-b43c-6e228e552dfb} ()
[08/20/2008, 13:33:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:33] - Checking for HKLM\...\Winlogon\Notify\wlvjhg
[08/20/2008, 13:33:33] - Key not found: HKLM\...\Winlogon\Notify\wlvjhg, continuing.
[08/20/2008, 13:33:33] - BHO 2: {4A839AE7-F841-48B2-A340-C5CC0BF5FF18} ()
[08/20/2008, 13:33:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:33] - Checking for HKLM\...\Winlogon\Notify\mlJAsRJa
[08/20/2008, 13:33:33] - Key not found: HKLM\...\Winlogon\Notify\mlJAsRJa, continuing.
[08/20/2008, 13:33:33] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/20/2008, 13:33:33] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Programme d'aide de l'Assistant de connexion Windows Live)
[08/20/2008, 13:33:33] - BHO 5: {C88BC945-42FE-4D84-8906-E76F6ACBE162} ()
[08/20/2008, 13:33:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/20/2008, 13:33:33] - No filename found. Continuing.
[08/20/2008, 13:33:33] - Finished Searching Browser Helper Objects
[08/20/2008, 13:33:34] - Finishing up...
[08/20/2008, 13:33:34] - A restart is needed.
[08/20/2008, 13:33:34] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[08/20/2008, 13:33:46] - Attempting to Restart via STOP error (Blue Screen!)
shoura (Member)
Subject: Re: Virtumonde infection, Wed 20 Aug, 15:00:41

Here is the ComboFix one:

ComboFix 08-08-18.05 - Administrateur 2008-08-20 13:43:45.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.2065 [GMT 2:00]
Running from: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe
* Created a new restore point

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc3fe14ad.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bpeafamf.dll
C:\WINDOWS\system32\drcpdlwc.dll
C:\WINDOWS\system32\HkQAGjjl.ini
C:\WINDOWS\system32\HkQAGjjl.ini2
C:\WINDOWS\system32\jbnxrnwa.ini
C:\WINDOWS\system32\kwphllie.ini
C:\WINDOWS\system32\nnfjvbwf.exe
C:\WINDOWS\system32\scroebtd.ini
C:\WINDOWS\system32\wlvjhg.dll

.
((((((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 ))))))))))))))))))))))))))))))))))))
.

2008-08-20 13:46 . 2008-08-20 13:46 <REP> d-------- C:\WINDOWS\system32\xircom
2008-08-20 13:46 . 2008-08-20 13:46 <REP> d-------- C:\WINDOWS\system32\oobe
2008-08-20 13:46 . 2008-08-20 13:46 <REP> d-------- C:\WINDOWS\system32\npp
2008-08-20 13:46 . 2008-08-20 13:46 <REP> d-------- C:\WINDOWS\msagent
2008-08-20 13:46 . 2008-08-20 13:46 <REP> d-------- C:\Program Files\microsoft frontpage
2008-08-20 01:37 . 2008-08-20 01:37 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 01:37 . 2008-08-20 01:37 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 01:37 . 2008-08-20 01:37 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Malwarebytes
2008-08-20 01:37 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 01:37 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-20 01:06 . 2008-08-20 01:06 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-08-20 00:33 . 2008-08-20 00:46 358 --a------ C:\WINDOWS\wininit.ini
2008-08-19 23:41 . 2008-08-19 23:41 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Thinstall
2008-08-19 23:41 . 2008-08-20 00:32 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\mIRC
2008-08-17 23:44 . 2008-08-17 23:44 <REP> d-------- C:\Program Files\Asus
2008-08-17 23:39 . 2008-08-17 23:39 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Auslogics
2008-08-17 14:27 . 2004-08-19 01:21 189,568 -ra------ C:\WINDOWS\system32\drivers\yk51x86.sys
2008-08-17 13:43 . 2008-04-13 09:45 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2008-08-17 13:43 . 2001-08-17 20:00 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys
2008-08-15 01:04 . 2008-08-15 01:04 <REP> d--h----- C:\WINDOWS\PIF
2008-08-14 00:47 . 2008-04-13 09:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-08-13 14:27 . 2008-08-20 13:47 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\OpenOffice.org2
2008-08-13 14:18 . 2008-08-13 14:18 <REP> d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-13 14:18 . 2008-08-14 07:47 <REP> d-------- C:\Program Files\Java
2008-08-13 14:18 . 2008-08-13 14:18 <REP> d-------- C:\Program Files\Fichiers communs\Java
2008-08-13 14:18 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-13 14:06 . 2008-08-13 14:13 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-13 14:04 . 2008-08-13 14:07 <REP> d-------- C:\Program Files\Fichiers communs\Autodesk Shared
2008-08-13 14:04 . 2008-08-13 14:08 <REP> d-------- C:\Program Files\Autodesk
2008-08-13 14:03 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-08-13 14:00 . 2008-08-13 14:00 <REP> d-------- C:\Program Files\PowerISO
2008-08-13 13:55 . 2008-08-13 13:55 <REP> d-------- C:\Program Files\DAEMON Tools Lite
2008-08-13 13:52 . 2008-08-13 13:52 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\DAEMON Tools
2008-08-13 13:52 . 2008-08-13 13:52 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-13 00:34 . 2008-06-24 18:44 74,240 --------- C:\WINDOWS\system32\dllcache\mscms.dll
2008-08-13 00:07 . 2008-05-01 16:39 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 23:59 . 2008-04-11 21:05 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 19:58 . 2008-08-12 19:59 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Media Player Classic
2008-08-12 19:57 . 2008-08-12 19:57 <REP> d-------- C:\Program Files\K-Lite Codec Pack
2008-08-12 01:45 . 2008-08-12 01:45 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\BitDefender
2008-08-11 22:12 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-11 22:12 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-11 22:12 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-11 01:52 . 2008-08-19 16:45 <REP> d-------- C:\Program Files\eMule
2008-08-10 17:25 . 2008-08-11 17:05 <REP> d-------- C:\temp\msn
2008-08-10 17:25 . 2008-08-10 17:25 <REP> d-------- C:\temp
2008-08-10 17:25 . 2008-08-11 18:27 <REP> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-08-10 17:25 . 2008-08-10 17:25 289 --a------ C:\WINDOWS\system32\user_gensett.xml
2008-08-10 17:24 . 2008-08-10 17:25 <REP> d-------- C:\Program Files\Fichiers communs\BitDefender
2008-08-10 12:40 . 2008-08-10 12:40 <REP> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-10 02:17 . 2008-08-20 13:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-10 01:54 . 2008-08-10 01:54 <REP> d-------- C:\Program Files\uTorrent
2008-08-10 01:54 . 2008-08-20 02:35 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\uTorrent
2008-08-10 01:47 . 2008-08-10 13:06 <REP> d-------- C:\Documents and Settings\Administrateur\Contacts
2008-08-10 01:43 . 2008-08-10 01:44 <REP> d--hsc--- C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-08-10 01:43 . 2008-08-10 01:46 <REP> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-10 00:28 . 2008-08-13 01:51 <REP> d--h----- C:\WINDOWS\$hf_mig$
2008-08-09 21:53 . 2008-08-09 21:53 <REP> d-------- C:\Program Files\Microsoft IntelliPoint
2008-08-09 21:38 . 2008-04-13 09:40 43,904 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2008-08-09 19:11 . 2008-08-09 19:11 <REP> d-------- C:\Program Files\ASUSTeK
2008-08-09 19:10 . 2008-08-10 12:40 <REP> d-------- C:\WINDOWS\nview
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Program Files\QuickTime
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Program Files\iTunes
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Program Files\iPod
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Program Files\Fichiers communs\Apple
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Program Files\Bonjour
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Program Files\Apple Software Update
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-09 19:10 . 2008-08-09 19:10 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Apple Computer
2008-08-09 19:10 . 2005-08-03 08:51 176,128 -ra------ C:\WINDOWS\system32\nvudisp.exe
2008-08-09 19:10 . 2008-07-22 20:32 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-08-09 19:10 . 2006-02-13 15:05 16,683 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-09 19:07 . 2006-02-08 10:26 11,264 -ra------ C:\WINDOWS\system32\drivers\EIO.sys
2008-08-09 19:05 . 2008-08-09 19:05 <REP> d-------- C:\Program Files\Realtek Sound Manager
2008-08-09 19:05 . 2008-08-09 19:05 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Xentient
2008-08-09 19:04 . 2008-08-09 19:04 <REP> d-------- C:\Program Files\Realtek AC97
2008-08-09 19:04 . 2008-08-17 23:48 <REP> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-09 19:04 . 2008-08-09 19:05 <REP> d-------- C:\Program Files\AvRack
2008-08-09 19:04 . 2005-06-03 15:09 454,656 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2008-08-09 19:04 . 2005-08-12 12:40 307,200 -r------- C:\WINDOWS\alcupd.exe
2008-08-09 19:04 . 2005-10-20 11:12 217,088 -r------- C:\WINDOWS\alcrmv.exe
2008-08-09 19:04 . 2001-07-05 18:19 164 -r------- C:\WINDOWS\avrack.ini
2008-08-09 19:03 . 2008-08-09 19:03 <REP> d-------- C:\WINDOWS\NV21482152.TMP
2008-08-09 19:03 . 2008-08-17 23:57 <REP> d-------- C:\Program Files\Fichiers communs\InstallShield
2008-08-09 19:03 . 2004-11-13 05:35 810,054 -ra------ C:\WINDOWS\system32\A8N-SLI.bmp
2008-08-09 19:03 . 2005-09-22 10:52 176,128 -ra------ C:\WINDOWS\system32\nvusmb.exe
2008-08-09 19:03 . 2005-08-03 08:51 176,128 -ra------ C:\WINDOWS\system32\NVUNINST.EXE
2008-08-09 19:03 . 2005-04-04 13:00 32,256 -ra------ C:\WINDOWS\system32\SET75.tmp
2008-08-09 19:03 . 2005-09-22 10:29 1,391 -ra------ C:\WINDOWS\system32\nvsmb.nvu
2008-08-09 19:03 . 2004-11-13 06:01 269 -ra------ C:\WINDOWS\system32\raidmgmt.ini
2008-08-09 19:02 . 2008-08-17 13:56 6,723 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-08-09 19:02 . 2000-03-29 16:17 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-08-09 19:00 . 2008-08-09 19:00 <REP> d---s---- C:\WINDOWS\system32\Microsoft
2008-08-09 19:00 . 2008-08-09 19:00 <REP> d--hs---- C:\Documents and Settings\NetworkService
2008-08-09 19:00 . 2008-08-09 19:00 <REP> d--hs---- C:\Documents and Settings\LocalService
2008-08-09 19:00 . 2008-08-17 23:45 <REP> d--h----- C:\Documents and Settings\Administrateur\Voisinage réseau
2008-08-09 19:00 . 2008-08-09 20:37 <REP> d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression
2008-08-09 19:00 . 2008-08-09 18:53 <REP> d-------- C:\Documents and Settings\Administrateur\nro.log
2008-08-09 19:00 . 2008-08-09 20:37 <REP> d--h----- C:\Documents and Settings\Administrateur\Modèles
2008-08-09 19:00 . 2008-08-13 14:17 <REP> dr------- C:\Documents and Settings\Administrateur\Mes documents
2008-08-09 19:00 . 2008-08-10 01:54 <REP> d-------- C:\Documents and Settings\Administrateur\Menu Démarrer
2008-08-09 19:00 . 2008-08-09 19:02 <REP> dr------- C:\Documents and Settings\Administrateur\Favoris
2008-08-09 19:00 . 2008-08-20 13:42 <REP> d-------- C:\Documents and Settings\Administrateur\Bureau
2008-08-09 19:00 . 2008-08-19 23:53 <REP> d-------- C:\Documents and Settings\Administrateur

.
(((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 23:43 --------- d-----w C:\Program Files\CCleaner
2008-08-09 16:53 --------- d-----w C:\Program Files\TaskSwitchXP
2008-08-09 16:53 --------- d-----w C:\Program Files\Nero
2008-08-09 16:53 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-09 16:53 --------- d-----w C:\Program Files\Fichiers communs\Nero
2008-08-09 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-08-09 16:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
shoura Member
Posts: 23 Age: 36 Joined: 20/08/2008
Subject: Re: Virtumonde infection Wed 20 Aug - 15:01:39
Here is the rest of the ComboFix report:
------- Sigcheck -------
2008-05-03 00:57 2407040 5290f6c306dd4b1534090b4b50576a69 C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-03 00:57 2530176 c85dc12bf40c065c1d7b579ef87ac545 C:\WINDOWS\system32\ntoskrnl.exe
2008-05-03 00:57 2011136 22f702a6dcbdb4f7282c4b73b95ee4e4 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 00:29 62976]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-03 00:57 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 15:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 15:05 86016]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 11:21 217088]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 09:34 167936]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 08:45 90112 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2006-02-13 15:05 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 00:29 62976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=

R0 Si3124;Si3124;C:\WINDOWS\system32\drivers\Si3124.sys [2008-05-03 00:57]
R0 Si3132r5;Si3132r5;C:\WINDOWS\system32\drivers\Si3132r5.sys [2008-05-03 00:57]
R0 Si3531;Si3531;C:\WINDOWS\system32\drivers\Si3531.sys [2008-05-03 00:57]

*Newly Created Service* - HELPSVC
.
Contents of the 'Scheduled Tasks/Tâches planifiées' folder

2008-08-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ITBar7Layout - (no file)
Toolbar-ITBar7Position - (no file)
HKLM-Run-BMc3fe14ad - C:\WINDOWS\system32\bpeafamf.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\3wl8odlw.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 13:47:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\distnoted.exe
.
**************************************************************************
.
Completion time: 2008-08-20 13:50:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 11:50:02

Pre-Run: 26,718,969,856 bytes free
Post-Run: 26,729,324,544 bytes free

254 --- E O F --- 2008-08-12 23:51:56
shoura Member
Posts: 23 Age: 36 Joined: 20/08/2008
Subject: Re: Virtumonde infection Wed 20 Aug - 15:02:24
And finally the HijackThis report after running ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:56, on 20/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrateur\Bureau\HiJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-- End of file - 6502 bytes
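In this thread the ComboFix registry dump and the post-ComboFix HijackThis log are read by eye. Below is an added example, not part of the thread and not code from HijackThis or ComboFix, that applies the same checks mechanically to log lines: O2 BHO entries with no description, or whose "description" is itself a CLSID, or whose DLL is loaded from system32 (legitimate BHOs almost always live under Program Files); O4 Run values named "BM" followed by eight hex digits, the shape of the orphan HKLM-Run-BMc3fe14ad entry ComboFix removed above; O23 services with a missing binary or unknown owner (low severity, often just an uninstalled product); and the ComboFix line "EnableFirewall"= 0. The sample input mixes lines copied from the logs above with constructed lines modelled on the removed orphan; the CLSID on the constructed BHO line is a placeholder. These are triage heuristics that point at what to look at, not a verdict.

```python
"""Triage HijackThis 2.0.x and ComboFix log lines for Virtumonde-style indicators.

Added example for this thread; not part of HijackThis or ComboFix.
"""
import re

# HijackThis line shapes (O2 = BHO, O4 = Run/RunOnce autostart, O23 = service).
O2_BHO = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix registry dump line for the XP firewall standard profile.
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b')

CLSID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SYSTEM32_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# Run value names like "BMc3fe14ad": "BM" + 8 hex digits, as in the orphan ComboFix removed.
BM_RUN_NAME = re.compile(r"^BM[0-9a-f]{8}$")


def triage(lines):
    """Return a list of (severity, line, reason) for entries worth a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if FIREWALL_OFF.match(line):
            findings.append(("high", line, "Windows Firewall disabled in standard profile"))
            continue
        m = O2_BHO.match(line)
        if m:
            desc, path = m.group("desc"), m.group("path")
            if desc == "(no name)":
                findings.append(("high", line, "BHO without a description"))
            elif CLSID.match(desc):
                findings.append(("high", line, "BHO description is itself a CLSID"))
            if SYSTEM32_DLL.match(path):
                findings.append(("high", line, "BHO DLL loaded from system32"))
            continue
        m = O4_RUN.match(line)
        if m:
            if BM_RUN_NAME.match(m.group("name")):
                findings.append(("high", line, "Run value named BM+hex (Virtumonde pattern)"))
            continue
        m = O23_SVC.match(line)
        if m:
            if m.group("path").endswith("(file missing)"):
                findings.append(("info", line, "service binary missing"))
            elif m.group("owner") == "Unknown owner":
                findings.append(("info", line, "service with unknown owner"))
    return findings


# Constructed sample: three lines copied from the thread's logs (clean, or info only),
# two lines modelled on the orphan ComboFix removed (placeholder CLSID), and the
# firewall line from the ComboFix registry dump.
SAMPLE_LOG = [
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\bpeafamf.dll",
    r"O4 - HKLM\..\Run: [BMc3fe14ad] rundll32.exe C:\WINDOWS\system32\bpeafamf.dll,s",
    '"EnableFirewall"= 0 (0x0)',
]

if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run it on a saved hijackthis.log with `triage(open("hijackthis.log", encoding="cp1252").read().splitlines())`; HijackThis on a French XP writes the log in the system code page, not UTF-8. Anything flagged "high" still needs the DLL itself checked (signature, compile date, strings) before it is deleted, which is what ComboFix's quarantine step gives you room to do.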
geoffrey5 Admin
Posts: 1849 Age: 43 Location: Liège - Belgique Operating system*: XP IBM Intel Celeron 2.4GHz processor 1.5GB RAM Joined: 28/07/2008
Subject: Re: ... Wed 20 Aug - 16:15:12
Hi!! Re-run HijackThis, click "Scan only" and tick this line please:
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
then click "Fix checked".
Go and update Adobe Reader at this address: http://www.adobe.com/fr/products/acrobat/readstep2.html and then uninstall the earlier version.
I don't see an antivirus installed on your PC. If you don't have one, install Antivir, which is free and very effective: http://forum-aide-contre-virus.be/t%E9l%E9chargements.html and here is a tutorial for configuring it properly: http://www.malekal.com/tutorial_antivir.php
Do you still have any problems??
shoura Member
Posts: 23 Age: 36 Joined: 20/08/2008
Subject: Re: Virtumonde infection Wed 20 Aug - 16:43:57
Yeah, I formatted not long ago.... Otherwise, could you recommend a firewall too?
geoffrey5 Admin
Posts: 1849 Age: 43 Location: Liège - Belgique Operating system*: XP IBM Intel Celeron 2.4GHz processor 1.5GB RAM Joined: 28/07/2008
Subject: Re: ... Thu 21 Aug - 0:38:26
OK... your PC was practically clean, but anyway... just as well, in a way. You have a choice of firewalls on my site in the downloads section: http://forum-aide-contre-virus.be/index.html
shoura Member
Posts: 23 Age: 36 Joined: 20/08/2008
Subject: Re: Virtumonde infection Thu 21 Aug - 0:46:55
Thanks. I admit formatting is not a good excuse for not having an antivirus...
And thanks again for your help.
geoffrey5 Admin
Posts: 1849 Age: 43 Location: Liège - Belgique Operating system*: XP IBM Intel Celeron 2.4GHz processor 1.5GB RAM Joined: 28/07/2008
Subject: Re: ... Thu 21 Aug - 0:50:16
You're welcome, it was a pleasure to help you. In case you still have problems, come back whenever you like... Have a good evening @+