ravagelo
Membres-
Compteur de contenus
3 -
Inscription
-
Dernière visite
ravagelo's Achievements
Junior Member (3/12)
0
Réputation sur la communauté
-
VIRTUMONDE (rapport HijackThis)
ravagelo a répondu à un(e) sujet de ravagelo dans Analyses et éradication malwares
Listing files found while scanning.... C:\WINDOWS\system32\rqopmnl.dll C:\WINDOWS\system32\ihkmp.bak1 C:\WINDOWS\system32\ihkmp.tmp C:\WINDOWS\system32\ihkmp.ini C:\WINDOWS\system32\ihkmp.ini2 C:\WINDOWS\system32\pmkhi.dll C:\WINDOWS\system32\ihkmp.ini2 C:\WINDOWS\system32\ihkmp.tmp C:\WINDOWS\system32\ihkmp.ini C:\WINDOWS\system32\ihkmp.ini2 C:\WINDOWS\system32\pmkhi.dll Attempting to delete C:\WINDOWS\system32\rqopmnl.dll C:\WINDOWS\system32\rqopmnl.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\ihkmp.bak1 C:\WINDOWS\system32\ihkmp.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\ihkmp.tmp C:\WINDOWS\system32\ihkmp.tmp Has been deleted! Attempting to delete C:\WINDOWS\system32\ihkmp.ini C:\WINDOWS\system32\ihkmp.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\ihkmp.ini2 C:\WINDOWS\system32\ihkmp.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\pmkhi.dll C:\WINDOWS\system32\pmkhi.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\ihkmp.ini C:\WINDOWS\system32\ihkmp.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\pmkhi.dll C:\WINDOWS\system32\pmkhi.dll Could not be deleted. Performing Repairs to the registry. Done! Logfile of HijackThis v1.99.1 Scan saved at 11:32:47, on 01/07/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AccessManager\Client\AMBroker.exe C:\Program Files\Belkin\Logiciel Bluetooth\bin\btwdins.exe C:\WINDOWS\System32\cusrvc.exe c:\Program Files\IP VPN Remote Services\cvpnd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe C:\Program Files\AccessManager\PMAC\sp_SWIns.exe C:\Program Files\AccessManager\Client\sygman.exe C:\WINDOWS\System32\tlntsvr.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\NWTRAY.EXE C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe C:\Program Files\Belkin\Logiciel Bluetooth\BTTray.exe C:\PROGRA~1\Belkin\LOGICI~1\BTSTAC~1.EXE C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\TEMP\win28.tmp.exe C:\WINDOWS\TEMP\idd29.tmp.exe C:\Documents and Settings\lo\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com F2 - REG:system.ini: UserInit=userinit.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: Cisco Systems IP VPN Remote Services.lnk = C:\Program Files\IP VPN Remote Services\vpngui.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\Belkin\Logiciel Bluetooth\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Logiciel Bluetooth\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Logiciel Bluetooth\btsendto_ie.htm O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chezmoi O17 - HKLM\Software\..\Telephony: DomainName = chezmoi O17 - HKLM\System\CCS\Services\Tcpip\..\{89277C11-48CF-4C26-9630-97A0E81B9156}: NameServer = 212.27.54.252,212.27.39.2 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chezmoi O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = chezmoi O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chezmoi O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = chezmoi O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = chezmoi O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Logiciel Bluetooth\bin\btwdins.exe O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\IP VPN Remote Services\cvpnd.exe O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe O23 - Service: Network Monitor - Novell, Inc. - (no file) O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\appli\ORACLE\BIN\ONRSD.EXE O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing) O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -
VIRTUMONDE (rapport HijackThis)
ravagelo a répondu à un(e) sujet de ravagelo dans Analyses et éradication malwares
Bha le PC ne va pas bien du tout ^^ J'ai toute mes aapplication en Tray qui n'apparaissent plus (genre: trafic reseau Wifi, add-watch qui demarre plus en auto ...ect..etc) - add-ware signale 'Virtumonde' a chaque scan. (l'anti-virus ne voit rien, et la cle registre signalé par add-ware est absente) - Un Win32.dialer.trojan qui se fait bloquer 15 fois par jour ... - Un repertoire Temp repli de 'truc' pas sympa de genre machin.tmp.exe De plus en utilisant l'outil Vundofix, j'ai des .dll detectés en permanence mais qui reviennent toujours. -
Bonjour, j'ai parcouru enormement de post concernant ce 'truc', mais je n'arrive pas a l'eliminer .... Logfile of HijackThis v1.99.1 Scan saved at 00:56:19, on 01/07/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AccessManager\Client\AMBroker.exe C:\Program Files\Belkin\Logiciel Bluetooth\bin\btwdins.exe C:\WINDOWS\System32\cusrvc.exe c:\Program Files\IP VPN Remote Services\cvpnd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe C:\Program Files\AccessManager\PMAC\sp_SWIns.exe C:\Program Files\AccessManager\Client\sygman.exe C:\WINDOWS\System32\tlntsvr.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\NWTRAY.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Belkin\Logiciel Bluetooth\BTTray.exe C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\lo\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com F2 - REG:system.ini: UserInit=userinit.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: Cisco Systems IP VPN Remote Services.lnk = C:\Program Files\IP VPN Remote Services\vpngui.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Logiciel Bluetooth\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Logiciel Bluetooth\btsendto_ie.htm O14 - IERESET.INF: START_PAGE_URL=http://google.fr O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chezmoi O17 - HKLM\Software\..\Telephony: DomainName = chezmoi O17 - HKLM\System\CCS\Services\Tcpip\..\{12D432AC-EBF7-4E49-93E7-8E1145307CEF}: NameServer = 212.27.54.252,212.27.39.2 O17 - HKLM\System\CCS\Services\Tcpip\..\{89277C11-48CF-4C26-9630-97A0E81B9156}: NameServer = 212.27.54.252,212.27.39.2 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chezmoi O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = chezmoi O17 - HKLM\System\CS1\Services\Tcpip\..\{12D432AC-EBF7-4E49-93E7-8E1145307CEF}: NameServer = 212.27.54.252,212.27.39.2 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chezmoi O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = chezmoi O17 - HKLM\System\CS2\Services\Tcpip\..\{12D432AC-EBF7-4E49-93E7-8E1145307CEF}: NameServer = 212.27.54.252,212.27.39.2 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = chezmoi O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Logiciel Bluetooth\bin\btwdins.exe O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\IP VPN Remote Services\cvpnd.exe O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe O23 - Service: Network Monitor - Novell, Inc. - (no file) O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\appli\ORACLE\BIN\ONRSD.EXE O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing) O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe