Posted

Hello,

AntiVir detects 2 infections and cannot do anything about them:

- The first is a file zz[1].exe, identified as a trojan TR/Crypt.XPACK.gen

- The second is a file Igrncie.bat. AntiVir tells me that it contains an executable disguised with another extension. It identifies it as HIDDENEXT/Crypted

Here is the HJT report:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:09:45, on 12/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe

C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe

C:\WINDOWS\system32\lxdicoms.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Estelle\Bureau\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1098640

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexmark Barre d'outils - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll

O3 - Toolbar: Lexmark Barre d'outils - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"

O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera (ZC0301PL)

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\fichiers communs\logitech\lvmvfm\LVPrcSrv.exe (file missing)

O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe

O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe

 

--

End of file - 6458 bytes

 

 

Thanks in advance for your help

Posted

Hi Estelle

» infection from a USB device that you plugged into your PC

• run HijackThis again ("Do a system scan only"), tick the lines below and click "Fix checked":

O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

• delete C:\WINDOWS\system32\kavo.exe if it still exists

• Open My Computer

Click the Tools menu at the top right, then Folder Options

In the new window, click the View tab at the top

In the list, tick "Show hidden files"

Untick "Hide protected operating system files (Recommended)"

You will get a message telling you that this can damage the system; ignore it.

Open My Computer

For each drive in My Computer: right-click the hard drive - above all, do not double-click it!!!

Choose Open in the drop-down menu.

Look for an autorun.inf file and for these files: kavo.exe; Adober.exe or RavMonE.exe or MS32DLL.DLL.VBS or autorun.vbs or UFO.exe ......

If present, delete them by right-clicking and then choosing Delete.

Repeat the operation on all the drives listed in My Computer.
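
A read-only version of the drive-root check described in the post above, as an added example that is not part of the original thread: it reports what an autorun.inf would launch and which of the file names from the post are present. The function names and the sample drive contents are constructed for illustration.

```python
import os
import re
import tempfile

# File names listed in the post above (compared case-insensitively).
NAMED_FILES = {"kavo.exe", "adober.exe", "ravmone.exe",
               "ms32dll.dll.vbs", "autorun.vbs", "ufo.exe"}

# autorun.inf keys that make Explorer run a program when the drive is opened:
# open=, shellexecute= and shell\<verb>\command=
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE)


def autorun_targets(inf_path):
    """Return the commands an autorun.inf would launch, in file order."""
    targets = []
    # Read bytes and decode leniently so stray non-text bytes do not abort the parse.
    with open(inf_path, "rb") as fh:
        text = fh.read().decode("latin-1")
    for line in text.splitlines():
        if line.lstrip().startswith(";"):      # INF comment line
            continue
        match = LAUNCH_KEY.match(line)
        if match:
            targets.append(match.group(2))
    return targets


def audit_drive_root(root):
    """List autorun.inf launch commands and named files at a drive root.

    Only the top level is inspected (no recursion); nothing is deleted
    or executed.
    """
    report = {"autorun": [], "named_files": []}
    for entry in sorted(os.listdir(root)):     # listdir also returns hidden files
        path = os.path.join(root, entry)
        if not os.path.isfile(path):
            continue
        lower = entry.lower()
        if lower == "autorun.inf":
            report["autorun"] = autorun_targets(path)
        elif lower in NAMED_FILES:
            report["named_files"].append(entry)
    return report


def demo():
    """Build a constructed drive root in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AutoRun.inf"), "w") as fh:
            fh.write("[AutoRun]\n;constructed comment line\nopen=kavo.exe\n"
                     "shell\\open\\Command=kavo.exe\nicon=x.ico\n")
        for name in ("kavo.exe", "UFO.exe", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        return audit_drive_root(root)


if __name__ == "__main__":
    print(demo())
```

On a real machine, call `audit_drive_root("D:\\")` for each drive letter; the launch commands it prints show which file the autorun.inf points at before anything is deleted.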

Posted

Thanks for your help!

I think I was actually more infected than I thought. I had to reformat the partition that contained Windows.

As soon as I launched an AntiVir scan, it detected a file 2.cmd, then crashed. I tried my luck in safe mode, and then, bam! Nothing any more... Windows would no longer start in either normal mode or safe mode.

After reformatting, AntiVir detected threats on the unformatted partition, but everything seems to be working normally. A hidden autorun remained on the unformatted partition, which I deleted.

Here, just in case, is the result of the AntiVir scan:

 

 

 

Avira AntiVir Personal

Report file date: vendredi 13 juin 2008 09:54

 

Scanning for 1329875 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: TETELLL

 


Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, D:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: vendredi 13 juin 2008 09:54

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned

Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'igfxtray.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

26 processes with 26 modules were scanned

 

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

 

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '25' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{B265AC30-8CB2-43F5-ACBC-79ABD6442B77}\RP2\A0000164.dll

[DETECTION] Is the Trojan horse TR/Wpakill

[NOTE] The file was moved to '48822846.qua'!

C:\System Volume Information\_restore{B265AC30-8CB2-43F5-ACBC-79ABD6442B77}\RP2\A0000166.exe

[DETECTION] Contains detection pattern of the dropper DR/Dldr.Delf.asz.18

[NOTE] The file was moved to '48822850.qua'!

Begin scan in 'D:\' <Les données de Tetel>

D:\2.cmd

[DETECTION] Is the Trojan horse TR/Vaklik.ard

[NOTE] The file was moved to '48b52923.qua'!

D:\m.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was moved to '48b72928.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP158\A0070883.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was moved to '48822ce5.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP158\A0070900.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was moved to '48822ce8.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP159\A0070910.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was moved to '48822ceb.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP159\A0070941.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was moved to '48822cec.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP159\A0071937.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cee.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP159\A0072944.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cf0.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP159\A0072974.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cf2.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP160\A0072980.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cf4.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP160\A0073972.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cf5.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP160\A0074975.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cf7.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP161\A0074984.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cf9.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP161\A0075976.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cfb.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP161\A0075991.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822cfc.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP161\A0076006.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '48822d01.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP161\A0076023.cmd

[DETECTION] Is the Trojan horse TR/Drop.Vanti.HL

[NOTE] The file was moved to '49eb3e8a.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP161\A0076155.bat

[DETECTION] Is the Trojan horse TR/Vaklik.ard

[NOTE] The file was moved to '48822d03.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP162\A0076159.bat

[DETECTION] Is the Trojan horse TR/Vaklik.ard

[NOTE] The file was moved to '48822d02.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP163\A0076202.bat

[DETECTION] Is the Trojan horse TR/Vaklik.ard

[NOTE] The file was moved to '49eb3e8b.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP164\A0076206.bat

[DETECTION] Is the Trojan horse TR/Vaklik.ard

[NOTE] The file was moved to '48822d04.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP164\A0076347.bat

[DETECTION] Is the Trojan horse TR/Vaklik.ard

[NOTE] The file was moved to '49eb3e8c.qua'!

D:\System Volume Information\_restore{AF2416B0-89B5-4636-AFA5-9B1D8A95BC2D}\RP165\A0076351.bat

[DETECTION] Is the Trojan horse TR/Vaklik.ard

[NOTE] The file was moved to '48822d05.qua'!

D:\System Volume Information\_restore{B265AC30-8CB2-43F5-ACBC-79ABD6442B77}\RP7\A0000553.cmd

[DETECTION] Is the Trojan horse TR/Vaklik.ard

[NOTE] The file was moved to '49eb3e8e.qua'!

D:\System Volume Information\_restore{B265AC30-8CB2-43F5-ACBC-79ABD6442B77}\RP7\A0000554.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was moved to '48822d07.qua'!

 

 

End of the scan: vendredi 13 juin 2008 10:16

Used time: 21:25 min

 

The scan has been done completely.

 

3693 Scanning directories

142851 Files were scanned

27 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

27 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

142824 Files not concerned

729 Archives were scanned

1 Warnings

27 Notes

 

 

And a brand-new HJT scan!

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:36:52, on 13/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Estelle\Bureau\HiJackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

 

--

End of file - 2852 bytes

 

 

Thanks again for your help!

Posted

O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

 

Name: Antiwpa Filename: antiwpa.dll

Command: C:\Windows\System32\antiwpa.dll Description: An illegal software crack used to bypass copy protection for Windows. File Location: %System%

http://www.bleepingcomputer.com/startups/a....dll-21379.html

 

Topic closed, see the Forum Charter

6 - Messages concerning illegal subjects (cracks, warez, piracy,)

Buy a legal Windows, and learn the basics of Internet security » http://www.malekal.com/
