
TR/crypt.xpack.gen + TR/vundo.gen= SOS trojan

Forum Security - Viruses: TR/crypt.xpack.gen + TR/vundo.gen= SOS trojan


Hello,

I am taking the liberty of repeating a question already asked on this forum, namely how to get rid of the trojans mentioned above.

I followed the instructions seen in the other topics, but I only manage to partially clean my PC; bits remain here and there, mostly in the "System Volume Information" folders of my hard drives.

In short, if some kind soul can help me clean things up, that would be nice.

Thanks in advance.


Hello,

Download HijackThis (from Trend Micro) to your Desktop.

  • Double-click HJTInstall.exe to start the installation.
  • Click Install.
  • Double-click the HijackThis shortcut that was just created to launch it. (Right-click -> Run as administrator if on Vista)
  • Accept the licence by clicking Yes.
  • Click Do a system scan and save a logfile.
  • Post the generated report here.


Note: The report is also located here: C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log

Help: How to use HijackThis.

------------------------------ >> Centre de Formation Helpers <<
Reply to XmichouX

Thanks for the help. HijackThis was my first reflex after realising I had caught viruses; it let me clean a few viruses, but those were old ones 8/

Anyway, the latest log gives this:

Logfile of HijackThis v1.99.1
Scan saved at 14:45:24, on 09/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\Program Files\Orange\Systray\SystrayApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Orange\Deskboard\deskboard.exe
C:\Program Files\Orange\connectivity\connectivitymanager.exe
C:\Program Files\Orange\connectivity\CoreCom\CoreCom.exe
C:\Program Files\Orange\connectivity\CoreCom\OraConfigRecover.exe
C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTCOMModule\0\FTCOMModule.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\bellerophon\Bureau\photo\le sauveur du pc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\Program Files\Orange\SearchURLHook\SearchPageURL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [SystrayORAHSS] "C:\Program Files\Orange\Systray\SystrayApp.exe"
O4 - HKLM\..\Run: [ORAHSSSessionManager] C:\Program Files\Orange\SessionManager\SessionManager.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Startup: TribalWeb.lnk = C:\Program Files\TribalWeb.net\tribalweb.exe
O4 - Startup: TribalWeb.net.lnk = C:\Program Files\TribalWeb.net\tribalweb.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O15 - Trusted Zone: http://www.orange.fr
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C373394-F081-4546-8C54-FFBCE13D6DCB}: NameServer = 80.10.246.2,80.10.246.129
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nb) (pr2ah4nb) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nb.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Unknown owner - C:\Program Files\Inventel\Gateway\wlancfg.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Reply to bellerophonMWC

Re,

The report is clean (no visible infection).

------------------------------ >> Centre de Formation Helpers <<
Reply to XmichouX

Yeah, that's what I thought, yet when I run an Antivir scan it finds the famous TR/crypt.xpack.gen + TR/vundo.gen in the "System Volume Information" folders of my hard drives C: D: E: O:.

Here is the Antivir log, by the way:

Avira AntiVir Personal
Report file date: mardi 8 juillet 2008 14:11

Scanning for 1381683 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: BELLEROPHON

Version information:
BUILD.DAT : 8.1.0.308 16478 Bytes 28/05/2008 17:03:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 26/04/2008 18:15:31
AVSCAN.DLL : 8.1.1.0 53505 Bytes 26/04/2008 18:15:31
LUKE.DLL : 8.1.2.9 151809 Bytes 26/04/2008 18:15:31
LUKERES.DLL : 8.1.2.1 12033 Bytes 26/04/2008 18:15:31
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 12:51:55
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 13:58:44
ANTIVIR2.VDF : 7.0.5.51 273408 Bytes 04/07/2008 13:14:03
ANTIVIR3.VDF : 7.0.5.56 37376 Bytes 07/07/2008 13:14:04
Engineversion : 8.1.0.64
AEVDF.DLL : 8.1.0.5 102772 Bytes 26/04/2008 18:15:32
AESCRIPT.DLL : 8.1.0.46 283002 Bytes 02/07/2008 16:09:18
AESCN.DLL : 8.1.0.22 119157 Bytes 30/06/2008 13:59:05
AERDL.DLL : 8.1.0.20 418165 Bytes 26/04/2008 18:15:32
AEPACK.DLL : 8.1.1.6 364918 Bytes 30/06/2008 13:59:03
AEOFFICE.DLL : 8.1.0.20 192891 Bytes 30/06/2008 13:59:00
AEHEUR.DLL : 8.1.0.35 1298806 Bytes 02/07/2008 16:09:16
AEHELP.DLL : 8.1.0.15 115063 Bytes 30/05/2008 12:47:42
AEGEN.DLL : 8.1.0.29 307573 Bytes 30/06/2008 13:58:49
AEEMU.DLL : 8.1.0.6 430451 Bytes 08/05/2008 18:06:39
AECORE.DLL : 8.1.0.32 168311 Bytes 02/07/2008 16:09:07
AVWINLL.DLL : 1.0.0.7 14593 Bytes 26/04/2008 18:15:31
AVPREF.DLL : 8.0.0.1 25857 Bytes 26/04/2008 18:15:31
AVREP.DLL : 7.0.0.1 155688 Bytes 23/04/2007 22:15:17
AVREG.DLL : 8.0.0.0 30977 Bytes 26/04/2008 18:15:31
AVARKT.DLL : 1.0.0.23 307457 Bytes 26/04/2008 18:15:31
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 26/04/2008 18:15:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 26/04/2008 18:15:31
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 26/04/2008 18:15:31
NETNT.DLL : 8.0.0.1 7937 Bytes 26/04/2008 18:15:31
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 26/04/2008 18:15:29
RCTEXT.DLL : 8.0.32.0 86273 Bytes 26/04/2008 18:15:29

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:, O:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: mardi 8 juillet 2008 14:11

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'utplqtui.exe' - '1' Module(s) have been scanned
Scan process 'avirarkd.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'FTCOMModule.exe' - '1' Module(s) have been scanned
Scan process 'OraConfigRecover.exe' - '1' Module(s) have been scanned
Scan process 'CoreCom.exe' - '1' Module(s) have been scanned
Scan process 'ConnectivityManager.exe' - '1' Module(s) have been scanned
Scan process 'Deskboard.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'VC5Tray.exe' - '1' Module(s) have been scanned
Scan process 'AlertModule.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'SystrayApp.exe' - '1' Module(s) have been scanned
Scan process 'VC5Play.exe' - '1' Module(s) have been scanned
Scan process 'dragdiag.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CLSched.exe' - '1' Module(s) have been scanned
Scan process 'VC5SecS.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'nSvcLog.exe' - '1' Module(s) have been scanned
Scan process 'nSvcIp.exe' - '1' Module(s) have been scanned
Scan process 'FTRTSVC.exe' - '1' Module(s) have been scanned
Scan process 'CLMLServer.exe' - '1' Module(s) have been scanned
Scan process 'CLCapSvc.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
48 processes with 48 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
[WARNING] Le périphérique n'est pas prêt.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] Le périphérique n'est pas prêt.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] Le périphérique n'est pas prêt.
Master boot sector HD5
[INFO] No virus was found!
[WARNING] Le périphérique n'est pas prêt.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'O:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '29' files ).


Starting the file scan:

Begin scan in 'C:\' <BOOT>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP734\A0160154.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48a49460.qua'!
C:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP735\A0160246.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a49467.qua'!
C:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP735\A0160247.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48a4946a.qua'!
C:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP735\A0160300.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a4946c.qua'!
Begin scan in 'D:\' <BACKUP>
D:\qxbx9blb.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48d59c84.qua'!
D:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP736\A0160467.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a4a13f.qua'!
Begin scan in 'E:\' <RECOVER>
E:\qxbx9blb.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48d5b59d.qua'!
E:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP736\A0160468.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a4b558.qua'!
Begin scan in 'O:\' <DATA>
O:\qxbx9blb.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48d5b5a4.qua'!
O:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP736\A0160469.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a4b5c0.qua'!


End of the scan: mardi 8 juillet 2008 19:47
Used time: 5:36:10 min

The scan has been done completely.

15971 Scanning directories
529068 Files were scanned
10 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
10 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
529058 Files not concerned
9412 Archives were scanned
6 Warnings
10 Notes


Anyway, I don't know what to make of it...

Reply to bellerophonMWC

That's System Restore, nothing serious.

Download Flash Disinfector (from sUBs) to your Desktop.

  • Connect all external devices. (HDD, USB, .....)
  • Double-click Flash Disinfector and follow the prompts.


*********

We'll check whether anything is left, but I don't think so:

Download ComboFix (from sUBs) to your Desktop.

  • Temporarily disable all resident protection! (Antivirus, antispyware...)
  • Double-click ComboFix.exe.
  • Accept the licence by clicking Yes.
  • When the operation is complete, a report will appear. Post that report in your next reply.


The report is located here: %systemdrive%\ComboFix.txt (%systemdrive% being the partition where Windows is installed; usually C:\)

Help: How to use ComboFix.

------------------------------ >> Centre de Formation Helpers <<
Reply to XmichouX
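As an added example (not code from this thread, nor from Avira or ComboFix), here is a small Python triage that sorts the Avira detections above into System Restore snapshot copies (the files under System Volume Information\_restore{...}\RPnnn that the helper is referring to) versus live files, flags the same filename sitting in several drive roots, and cross-checks live files against the mountpoints2 autorun hooks listed in the ComboFix report further down the thread. The embedded samples are trimmed copies of the two reports posted in this thread.

```python
"""Triage of the Avira and ComboFix reports in this thread (example code, not a
tool from either vendor). Each Avira [DETECTION] is sorted into a System Restore
snapshot (an RPnnn copy under System Volume Information of a file that was already
removed) or a live file; live files are then cross-checked against the mountpoints2
autorun hooks that ComboFix lists."""
import re
from collections import defaultdict

# Trimmed copy of the detection blocks in the Avira report above.
AVIRA_SAMPLE = r"""
C:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP734\A0160154.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48a49460.qua'!
C:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP735\A0160300.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a4946c.qua'!
D:\qxbx9blb.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48d59c84.qua'!
D:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP736\A0160467.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a4a13f.qua'!
E:\qxbx9blb.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48d5b59d.qua'!
O:\qxbx9blb.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48d5b5a4.qua'!
O:\System Volume Information\_restore{1C714A9C-992B-43ED-8366-D7FDDF1AF384}\RP736\A0160469.com
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a4b5c0.qua'!
"""
# The mountpoints2 block from the ComboFix report further down the thread.
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
\Shell\AutoRun\command - O:\qxbx9blb.com
\Shell\explore\Command - O:\qxbx9blb.com
\Shell\open\Command - O:\qxbx9blb.com
"""

DETECT_RE = re.compile(r"^\[DETECTION\] Is the Trojan horse (?P<family>\S+)")
NOTE_RE = re.compile(r"^\[NOTE\] The file was moved to '(?P<qua>[^']+)'!")
RESTORE_RE = re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}"
                        r"\\RP\d+\\[^\\]+$", re.I)
ROOT_RE = re.compile(r"^[A-Z]:\\[^\\]+$", re.I)   # file sitting directly in a drive root
HOOK_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$", re.I)


def parse_avira_detections(report):
    """One dict per [DETECTION] block: path, family, quarantine file name (or None)."""
    findings, path = [], None
    for line in (l.strip() for l in report.splitlines()):
        if (m := DETECT_RE.match(line)) and path:
            findings.append({"path": path, "family": m.group("family"), "qua": None})
        elif (m := NOTE_RE.match(line)) and findings and findings[-1]["path"] == path:
            findings[-1]["qua"] = m.group("qua")
        elif line and not line.startswith("["):
            path = line   # any non-status line names the file currently being reported
    return findings


def classify(path):
    """Restore-point snapshot vs. live file; live files at a drive root get their own bucket."""
    if RESTORE_RE.match(path):
        return "restore_point"
    return "live_root" if ROOT_RE.match(path) else "live_other"


def parse_autorun_hooks(report):
    """Map each mountpoints2 command target to the shell verbs that launch it."""
    hooks = defaultdict(set)
    for line in report.splitlines():
        if m := HOOK_RE.match(line.strip()):
            hooks[m.group("target").lower()].add(m.group("verb").lower())
    return hooks


def triage(avira_report, combofix_report):
    findings = parse_avira_detections(avira_report)
    hooks = parse_autorun_hooks(combofix_report)
    counts, drives_by_name, hooked = defaultdict(int), defaultdict(set), []
    for f in findings:
        f["category"] = classify(f["path"])
        counts[f["category"]] += 1
        if f["category"] == "live_root":   # same name on several roots: media-spreader pattern
            drives_by_name[f["path"].split("\\")[-1].lower()].add(f["path"][0].upper())
        if f["path"].lower() in hooks:     # the drive's open/explore/autorun verbs run this file
            hooked.append((f["path"], sorted(hooks[f["path"].lower()])))
    spreaders = {name: drives for name, drives in drives_by_name.items() if len(drives) > 1}
    return {"findings": findings, "counts": dict(counts), "spreaders": spreaders, "hooked": hooked}


def summarize_thread():
    """Run the triage over the two samples embedded above."""
    return triage(AVIRA_SAMPLE, COMBOFIX_SAMPLE)
```

Run against the trimmed samples, the restore-point entries are the ones System Restore will re-offer until old restore points are purged, while qxbx9blb.com on three drive roots plus the O: autorun hooks is the live part that Flash Disinfector targets.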

Hmmm, I've already run ComboFix several times; I'll run it again, I can't find the last log anymore.

Flash Disinfector, I've already run it.

Thanks for the advice.

Reply to bellerophonMWC

Here's the ComboFix report, fresh off the press:


ComboFix 08-07-05.1 - bellerophon 2008-07-09 17:24:43.4 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.1378 [GMT 1:00]
Endroit: C:\Documents and Settings\bellerophon\Bureau\ComboFix.exe

[color=red]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/color]
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bellerophon\Local Settings\Temporary Internet Files\Vaccin_USB-Lisez_moi.html

.
((((((((((((((((((((((((((((( Fichiers créés 2008-06-09 to 2008-07-09 ))))))))))))))))))))))))))))))))))))
.

2008-07-09 15:25 . 2008-07-09 15:25 <REP> d-------- C:\WINDOWS\LastGood
2008-07-09 15:25 . 2008-07-09 15:25 <REP> d-------- C:\Program Files\Panda Security
2008-07-09 15:25 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\winfile.exe
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\temp2.exe
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\temp1.exe
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\temp.exe
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\ravmon.exe
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\msvcr71.dll
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\host.exe
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\copy.exe
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\comment.htt
2008-07-09 12:35 . 2008-07-09 12:35 <REP> drahs---- C:\adober.exe
2008-07-09 12:34 . 2008-07-09 12:33 167,936 --a------ C:\VaccinUSB.exe
2008-07-08 14:05 . 2008-07-08 14:05 <REP> d-------- C:\Program Files\Avira GmbH
2008-07-08 13:39 . 2008-07-08 13:39 <REP> d-------- C:\WINDOWS\ERUNT
2008-07-08 13:34 . 2008-07-08 13:59 <REP> d-------- C:\SDFix
2008-07-08 01:40 . 2008-07-08 01:40 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 01:40 . 2008-07-08 01:40 <REP> d-------- C:\Documents and Settings\bellerophon\Application Data\Malwarebytes
2008-07-08 01:40 . 2008-07-08 01:40 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-08 01:40 . 2008-07-07 17:42 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-08 01:40 . 2008-07-07 17:42 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-07 22:21 . 2008-07-07 22:21 <REP> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 16:11 --------- d-----w C:\Program Files\Sonique
2008-07-08 13:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 12:37 --------- d-----w C:\Program Files\eMule
2008-07-07 12:37 --------- d-----w C:\Documents and Settings\bellerophon\Application Data\uTorrent
2008-07-03 22:36 --------- d-----w C:\Program Files\Steam
2008-05-26 00:48 --------- d-----w C:\Program Files\Microsoft Games
2008-05-25 14:42 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-05-25 14:42 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-05-21 23:20 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-21 23:20 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-01-02 14:29 74,864 ----a-w C:\Documents and Settings\bellerophon\Application Data\GDIPFONTCACHEV1.DAT
2006-05-29 12:57 278,528 ----a-w C:\Program Files\Fichiers communs\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-08_ 1.32.57,23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-08 00:26:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 11:20:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 09:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2008-07-08 00:59:22 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-08 12:39:26 10,887,168 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-08 12:39:26 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-08 00:59:22 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-08 12:39:25 10,887,168 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-08 12:39:25 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 22:48 68856]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-26 19:15 262401]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2003-09-05 07:59 878080]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 17:49 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"VC5Player"="C:\Program Files\HHVcdV5Sys\VC5Play.exe" [2003-03-11 16:08 176128]
"SystrayORAHSS"="C:\Program Files\Orange\Systray\SystrayApp.exe" [2007-09-25 21:08 94208]
"ORAHSSSessionManager"="C:\Program Files\Orange\SessionManager\SessionManager.exe" [2007-09-25 20:10 102400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 13:00 15360]

C:\Documents and Settings\bellerophon\Menu D‚marrer\Programmes\D‚marrage\
TribalWeb.lnk - C:\Program Files\TribalWeb.net\tribalweb.exe [2006-06-10 14:36:00 1060864]
TribalWeb.net.lnk - C:\Program Files\TribalWeb.net\tribalweb.exe [2006-06-10 14:36:00 1060864]

C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Adobe Gamma Loader.lnk - C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-23 15:52:40 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.VP40"= vp4vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Activer le Poste de Travail Sans Fil Labtec.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Activer le Poste de Travail Sans Fil Labtec.lnk
backup=C:\WINDOWS\pss\Activer le Poste de Travail Sans Fil Labtec.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bellerophon^Menu Démarrer^Programmes^Démarrage^TribalWeb.net.lnk]
path=C:\Documents and Settings\bellerophon\Menu Démarrer\Programmes\Démarrage\TribalWeb.net.lnk
backup=C:\WINDOWS\pss\TribalWeb.net.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 18:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 06:03 221184 C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2005-11-05 05:36 139264 C:\Program Files\Home Cinema\PowerCinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoniqueQuickStart]
--a------ 2005-12-30 15:49 44832 C:\Program Files\Sonique\SQStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2003-09-05 07:59 878080 C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\Conf.exe"=
"C:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Home Cinema\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Home Cinema\\PowerCinema\\PCMService.exe"=
"C:\\Program Files\\army\\System\\ArmyOps.exe"=
"C:\\Program Files\\TribalWeb.net\\tribalweb.exe"=
"C:\\Program Files\\utclassic\\System\\UnrealTournament.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\QQLive\\QQLive.exe"=
"C:\\Program Files\\Tencent\\QQLive\\QQLive.exe"=
"C:\\Documents and Settings\\bellerophon\\Bureau\\photo\\Nouveau dossier\\sopcast\\SopCast_062\\SopCast\\SopCast.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"C:\\Documents and Settings\\bellerophon\\Bureau\\imaj daemon\\viviplay.exe"=
"C:\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\nfsMW.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"D:\\MotoGP2\\motogp2.exe"=
"C:\\Program Files\\war3\\war3.exe"=
"C:\\Program Files\\bf\\BF1942.exe"=
"C:\\Program Files\\counter\\hl.exe"=
"C:\\Program Files\\Empire Interactive\\FlatOut2\\FlatOut2.exe"=
"C:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"=
"D:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"D:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"D:\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"D:\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"D:\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"D:\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\Orange\\Connectivity\\ConnectivityManager.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\PPMate\\ppamnet.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13427:TCP"= 13427:TCP:NortonAV

R0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);C:\WINDOWS\system32\drivers\pe3ah4nb.sys [2007-07-19 15:45]
R0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);C:\WINDOWS\system32\drivers\ps6ah4nb.sys [2007-07-19 15:43]
R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 18:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-20 21:03]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-10-15 15:48]
R1 vbev5mp;vbev5mp;C:\WINDOWS\system32\DRIVERS\vbev5mp.sys [2003-05-07 10:46]
R3 3xHybrid;Pinnacle PCTV 300i Stereo DVB-T;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-09-02 15:43]
S2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);C:\WINDOWS\system32\pr2ah4nb.exe svc []
S3 adiusbae;USB ADSL LAN Adapter;C:\WINDOWS\system32\DRIVERS\adiusbae.sys []
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-07-07 17:42]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys []
S3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2005-06-20 10:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
\Shell\AutoRun\command - O:\qxbx9blb.com
\Shell\explore\Command - O:\qxbx9blb.com
\Shell\open\Command - O:\qxbx9blb.com

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-07-09 15:00:00 C:\WINDOWS\Tasks\HPpromotions psc 1600 series.job"
- C:\Program Files\HP\Digital Imaging\bin\HP Promotions\AiOMVC\HPpromo.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 17:28:33
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...


**************************************************************************
.
Temps d'accomplissement: 2008-07-09 17:31:47
ComboFix-quarantined-files.txt 2008-07-09 16:30:45
ComboFix2.txt 2008-07-08 00:33:10
ComboFix3.txt 2008-07-07 17:17:31

Pre-Run: 17,937,682,432 octets libres
Post-Run: 18,026,242,048 octets libres

200



Thanks again for the help.

Reply to bellerophonMWC

Ahh,

Run Flash-Disinfector again, please.

Select the whole of the box below:

Collect::
O:\qxbx9blb.com
C:\winfile.exe
C:\temp2.exe
C:\temp1.exe
C:\temp.exe
C:\ravmon.exe
C:\msvcr71.dll
C:\host.exe
C:\copy.exe
C:\comment.htt
C:\adober.exe
C:\VaccinUSB.exe

Suspect::
C:\WINDOWS\system32\drivers\pavboot.sys

Driver::
RTL8187B
adiusbae
pr2ah4nb

Folder::
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]



  • Copy/paste it into Notepad (Start\All Programs\Accessories\Notepad).
  • Save it to your desktop under the name CFScript.txt
  • Now drag the CFScript.txt file onto ComboFix.exe as shown below:

http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif

  • This will relaunch ComboFix.
  • ComboFix will create these files on your Desktop:

- A zipped file named Submit [Date Time].zip
- A second file named CF-Submit.htm

  • ComboFix may require a reboot to finish its work. Accept it.
  • When the tool has finished, a ComboFix.log report will appear on screen.
  • A new window prompting "Submit Files for further analysis" will open. Click "OK"
  • Your browser will launch automatically with the CF-Submit.htm file and a window will open:

- Click the "Browse" ("Parcourir") button and navigate to the file
Submit [Date Time].zip on your Desktop.
- Click the file to select it.

  • Submit the file by clicking "OK"
  • When this operation is complete, you can delete those two files from your Desktop.

Post the contents of the ComboFix.txt report after the reboot, if there is one.

**********

- My Computer/Tools/Folder Options/View/tick "Show hidden files and folders"/Apply - - > OK
- My Computer/Tools/Folder Options/View/untick "Hide protected operating system files"/Apply - - > OK
- My Computer/Tools/Folder Options/View/untick "Hide extensions for known file types"/Apply - - > OK

Don't forget to hide the hidden and protected operating system files again once the disinfection is finished; this is important.

Have this file (these files) analysed on this site >> Virustotal <<

  • Click Browse at the top, choose My Computer and look for this file: C:\WINDOWS\system32\drivers\pavboot.sys
  • Now click Send File.
  • Post the report (from "File *** received on ***" to "SHA1: ***")

------------------------------ >> Centre de Formation Helpers <<
Reply to XmichouX
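As an added, defender-side example (not part of the thread, and not ComboFix or Flash-Disinfector code), the Python below parses the two parts of the report that the helper's CFScript acts on: the service/driver lines whose file stamp is an empty `[]` (which match the three names listed under Driver::) and the MountPoints2 shell verbs that launch O:\qxbx9blb.com from the removable drive itself. The log excerpt is copied from the report above; treating an empty stamp as "file not found" is my reading of the listing, not a documented ComboFix rule.

```python
import re

# Constructed sample: lines copied from the ComboFix report posted above in this thread.
SAMPLE_LOG = r"""
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-10-15 15:48]
S2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);C:\WINDOWS\system32\pr2ah4nb.exe svc []
S3 adiusbae;USB ADSL LAN Adapter;C:\WINDOWS\system32\DRIVERS\adiusbae.sys []
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
\Shell\AutoRun\command - O:\qxbx9blb.com
\Shell\explore\Command - O:\qxbx9blb.com
\Shell\open\Command - O:\qxbx9blb.com
"""

# Service line: "<start> <name>;<display name>;<path> [<file date time>]". Reading the report, the
# bracket is empty when the file was not found on disk (an assumption, not a documented ComboFix rule).
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
# Per-drive MountPoints2 subkey, e.g. "[...\mountpoints2\O]"
MOUNTPOINT_RE = re.compile(r"^\[.*\\mountpoints2\\([a-z])\]$", re.IGNORECASE)
# Shell verb under that key: "\Shell\<verb>\command - <target>"
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)

def missing_file_services(log_text):
    """Return (start_type, name, path) for every service/driver line whose file stamp is empty."""
    found = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and not m.group(5).strip():
            found.append((m.group(1), m.group(2), m.group(4)))
    return found

def autorun_hijacks(log_text):
    """Return (drive, verb, target) for each MountPoints2 shell verb that runs a file from that same drive."""
    hits, drive = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = MOUNTPOINT_RE.match(line)
        if m:
            drive = m.group(1).upper()
            continue
        if line.startswith("["):  # any other registry key closes the MountPoints2 block
            drive = None
            continue
        v = VERB_RE.match(line)
        if drive and v and v.group(2).upper().startswith(drive + ":\\"):
            hits.append((drive, v.group(1).lower(), v.group(2)))
    return hits
```

Both functions return plain tuples, so the same parser can be pointed at a full saved ComboFix.txt to list every orphaned service and every drive whose open/explore/autorun verbs were redirected.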