Falkra: une reroutée de Sev en déroute

[Falkra]

Ce n'est pas DSS qui a pu faire ça, en tout cas.

Le bruit strident que tu évoques, ce sont des bips ? (bips longs, bips courts) Si oui, combien de bips ?

[l'oreleï]

falkra

 

Dur dur de lancer mon portable

mais réparer est une idée fixe!!

SDFix est passé mais je sens que tout n'a pas été fait

Je t'envoie le résultat et mes espoirs!

Bonne lecture

L'oreleï

SDFix: Version 1.208

Run by Administrateur on 28/07/2008 at 11:51

 

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\system32\rqRKEWNh.dll - Deleted

C:\WINDOWS\system32\msnav32.ax - Deleted

C:\WINDOWS\system32\pac.txt - Deleted

C:\WINDOWS\system32\wsnpoem\video.dll - Deleted

C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

 

 

 

Folder C:\WINDOWS\system32\pnVes01 - Removed

Folder C:\WINDOWS\system32\wsnpoem - Removed

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-28 12:05:18

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

C:\Documents and Settings\Biketo\Mes documents\quatrième année science po\culture générale\DROIT\reforme etat\Réforme de l'adm territoriale\Fiches concours la réforme de l’administration territoriale de l’Etat - catégorie A - La Documentation française_fichiers\Thumbs.db:encryptable 0 bytes hidden from API

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 1

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\71fa8e4b1f1c72b0e3a5d30a0a049f55\BIT4.tmp"

Sun 1 Jun 2008 12,800 ..SH. --- "C:\Documents and Settings\Biketo\Application Data\Microsoft\Windows\certiff.dll"

Sun 1 Jun 2008 86,016 ..SH. --- "C:\Documents and Settings\Biketo\Application Data\Microsoft\Windows\lsass.exe"

 

Finished!

 

Logfile of HijackThis v1.99.1

Scan saved at 12:37:40, on 28/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Biketo\Bureau\dss.exe

C:\DOCUME~1\Biketo\Bureau\Biketo.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: {b2a1fb2b-93e4-801b-d4d4-85e9303d5ef1} - {1fe5d303-9e58-4d4d-b108-4e39b2bf1a2b} - C:\WINDOWS\system32\gdioscjp.dll

O2 - BHO: (no name) - {91FE419D-C575-4CEB-9297-BC136FF5FCD0} - C:\WINDOWS\system32\opnlLDtt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bM1ff89755] Rundll32.exe "C:\WINDOWS\system32\nbnfpkoq.dll",s

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://fichiers.touslesdrivers.com/fichier...on_3_0_0_32.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.orderingmemory.com/controls/cpcScanner.cab

O16 - DPF: {B9907873-6560-4A36-B76B-9DADE84A7F55} (FnacmusicDnl.DnlManager) - http://www.fnacmusic.com/telechargementFna...nacmusicDnl.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{5E594E80-8378-4E0F-8188-CAF89D009AD8}: NameServer = 192.168.1.1

[Falkra]

Ha bah impeccable.

 

Ta version de hijackthis est obsolète. Clique sur ce lien pour télécharger HijackThis 2.0.2 :

http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe

Cette version est sans installateur ou Zip à décompresser, choisis de l'enregistrer sur le bureau.

 

Double-clique sur l'icône HijackThis :

 

HijackThis démarre, c'est le premier bouton qui nous intéresse "Do a system scan and save a logfile" (le fichier "log" est le rapport).

Clique dessus.

 

Copie-colle le contenu du rapport qui va s'afficher dans le Bloc-notes dans ta prochaine réponse, et n'utilise plus que cette version.

[l'oreleï]

Cher Falkra

 

Voilà le Log version 2.0.2,

Sdfix a bien travaillé, je constate que le méchant trojan

Vundo.gen est tjrs là!!!(O4 - HKLM\..\Run: [bM1ff89755] Rundll32.exe "C:\WINDOWS\system32\nbnfpkoq.dll",s)

Antivir l'avait repéré, mais que je n'ai jamais pu éliminer, car qd je le tiens par la barbichette dans système 32,

il me défit par ses protections multiples même en mode sans échec!

Je compte sur ta fermeté

L'oreileï

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:23:17, on 29/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hijackthis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bM1ff89755] Rundll32.exe "C:\WINDOWS\system32\nbnfpkoq.dll",s

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-21-2118766884-1228678561-669110067-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\S-1-5-21-2118766884-1228678561-669110067-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-2118766884-1228678561-669110067-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://fichiers.touslesdrivers.com/fichier...on_3_0_0_32.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.orderingmemory.com/controls/cpcScanner.cab

O16 - DPF: {B9907873-6560-4A36-B76B-9DADE84A7F55} (FnacmusicDnl.DnlManager) - http://www.fnacmusic.com/telechargementFna...nacmusicDnl.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{5E594E80-8378-4E0F-8188-CAF89D009AD8}: NameServer = 192.168.1.1

 

--

End of file - 3465 bytes

[Falkra]

Mais ce n'est pas fini.

On va lui faire la peau aussi à lui.

 

Désactive antivir avant de faire ce qui suit.

 

Télécharge Malwarebytes' Anti-Malware (MBAM)

 

• Double clique sur le fichier téléchargé pour lancer le processus d'installation.
  
• Dans l'onglet "Mise à jour", clique sur le bouton "Recherche de mise à jour": si le pare-feu demande l'autorisation à MBAM de se connecter, accepte.
  
• Une fois la mise à jour terminée, rends-toi dans l'onglet "Recherche".
  
• Sélectionne "Exécuter un examen rapide"
  
• Clique sur "Rechercher"
  
• L'analyse démarre, le scan est relativement long, c'est normal.
  
• A la fin de l'analyse, un message s'affiche :

  L'examen s'est terminé normalement. Clique sur 'Afficher les résultats' pour afficher tous les objets trouvés.

  Clique sur "Ok" pour poursuivre. Si MBAM n'a rien trouvé, il te le dira aussi.
  
• Ferme tes navigateurs.
  
• Si des malwares ont été détectés, clique sur Afficher les résultats.
  Sélectionne tout (ou laisse coché) et clique sur Supprimer la sélection, MBAM va détruire les fichiers et clés de registre et en mettre une copie dans la quarantaine.
  
• MBAM va ouvrir le Bloc-notes et y copier le rapport d'analyse. Copie-colle ce rapport et poste-le dans ta prochaine réponse.
  

 

Réactive antivir.

[l'oreleï]

Cher Falkra

 

Voilà la suite, vundo m'a corrompu beaucoup de fichiers

mais je crois qu'on progresse!

Malwarebytes' Anti-Malware 1.23

Version de la base de données: 985

Windows 5.1.2600 Service Pack 2

 

11:25:00 29/07/2008

mbam-log-7-29-2008 (11-25-00).txt

 

Type de recherche: Examen rapide

Eléments examinés: 37936

Temps écoulé: 4 minute(s), 10 second(s)

 

Processus mémoire infecté(s): 0

Module(s) mémoire infecté(s): 2

Clé(s) du Registre infectée(s): 15

Valeur(s) du Registre infectée(s): 2

Elément(s) de données du Registre infecté(s): 2

Dossier(s) infecté(s): 1

Fichier(s) infecté(s): 20

 

Processus mémoire infecté(s):

(Aucun élément nuisible détecté)

 

Module(s) mémoire infecté(s):

C:\WINDOWS\system32\opnlLDtt.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\gdioscjp.dll (Trojan.Vundo) -> Delete on reboot.

 

Clé(s) du Registre infectée(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1fe5d303-9e58-4d4d-b108-4e39b2bf1a2b} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1fe5d303-9e58-4d4d-b108-4e39b2bf1a2b} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{664a3104-25bf-4786-9e45-ea61e46dfe9f} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{664a3104-25bf-4786-9e45-ea61e46dfe9f} (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AntiSpywareExpert (Rogue.AntiSpywareExpert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Valeur(s) du Registre infectée(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm1ff89755 (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

 

Elément(s) de données du Registre infecté(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnlldtt -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnlldtt -> Delete on reboot.

 

Dossier(s) infecté(s):

C:\WINDOWS\system32\mp (Trojan.Agent) -> Quarantined and deleted successfully.

 

Fichier(s) infecté(s):

C:\WINDOWS\system32\gdioscjp.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\opnlLDtt.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\ttDLlnpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ttDLlnpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dmyrvhdw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wdhvrymd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\klqysged.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uwjhyhlo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wgokpgdl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cjwickvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rjfbqlhu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ueqkcbat.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hxjqulcx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nbnfpkoq.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\ljJYOeBS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\BM1ff89755.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\BM1ff89755.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Biketo\Application Data\Microsoft\Windows\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Mreci de ton aide

L'oreleï

[l'oreleï]

Falkra

Je poste le log hijacthis apres malwarebytes

et le rapport du scan d'antivir que j'ai effectué

par la suite.

Je me tiens en veille

L'oreleï

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:07:46, on 29/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hijackthis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-21-2118766884-1228678561-669110067-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\S-1-5-21-2118766884-1228678561-669110067-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-2118766884-1228678561-669110067-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://fichiers.touslesdrivers.com/fichier...on_3_0_0_32.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.orderingmemory.com/controls/cpcScanner.cab

O16 - DPF: {B9907873-6560-4A36-B76B-9DADE84A7F55} (FnacmusicDnl.DnlManager) - http://www.fnacmusic.com/telechargementFna...nacmusicDnl.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{5E594E80-8378-4E0F-8188-CAF89D009AD8}: NameServer = 192.168.1.1

 

--

End of file - 3824 bytes

 

 

 

Avira AntiVir Personal

Report file date: mardi 29 juillet 2008 15:50

 

Scanning for 1302528 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: Biketo

Computer name: CÉLINE

 

Version information:

BUILD.DAT : 8.1.00.295 16479 Bytes 09/04/2008 16:24:00

AVSCAN.EXE : 8.1.2.12 311553 Bytes 30/04/2008 11:48:39

AVSCAN.DLL : 8.1.1.0 53505 Bytes 30/04/2008 11:48:39

LUKE.DLL : 8.1.2.9 151809 Bytes 30/04/2008 11:48:39

LUKERES.DLL : 8.1.2.1 12033 Bytes 30/04/2008 11:48:39

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 13:27:15

ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 12:42:00

ANTIVIR2.VDF : 7.0.4.53 1848832 Bytes 17/05/2008 16:35:14

ANTIVIR3.VDF : 7.0.4.118 376832 Bytes 30/05/2008 16:35:21

Engineversion : 8.1.0.50

AEVDF.DLL : 8.1.0.5 102772 Bytes 30/04/2008 11:48:40

AESCRIPT.DLL : 8.1.0.37 270715 Bytes 30/05/2008 16:35:41

AESCN.DLL : 8.1.0.20 119157 Bytes 30/05/2008 16:35:39

AERDL.DLL : 8.1.0.20 418165 Bytes 30/04/2008 11:48:40

AEPACK.DLL : 8.1.1.5 364918 Bytes 30/05/2008 16:35:38

AEOFFICE.DLL : 8.1.0.18 192890 Bytes 30/04/2008 11:48:40

AEHEUR.DLL : 8.1.0.29 1253750 Bytes 30/05/2008 16:35:35

AEHELP.DLL : 8.1.0.15 115063 Bytes 30/05/2008 16:35:27

AEGEN.DLL : 8.1.0.24 307573 Bytes 30/05/2008 16:35:26

AEEMU.DLL : 8.1.0.6 430451 Bytes 09/05/2008 17:27:55

AECORE.DLL : 8.1.0.30 168311 Bytes 30/05/2008 16:35:23

AVWINLL.DLL : 1.0.0.7 14593 Bytes 30/04/2008 11:48:39

AVPREF.DLL : 8.0.0.1 25857 Bytes 30/04/2008 11:48:39

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 12:16:24

AVREG.DLL : 8.0.0.0 30977 Bytes 30/04/2008 11:48:39

AVARKT.DLL : 1.0.0.23 307457 Bytes 30/04/2008 11:48:39

AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 30/04/2008 11:48:39

SQLITE3.DLL : 3.3.17.1 339968 Bytes 30/04/2008 11:48:40

SMTPLIB.DLL : 1.2.0.19 28929 Bytes 30/04/2008 11:48:40

NETNT.DLL : 8.0.0.1 7937 Bytes 30/04/2008 11:48:39

RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 30/04/2008 11:48:30

RCTEXT.DLL : 8.0.32.0 86273 Bytes 30/04/2008 11:48:30

 

Configuration settings for the scan:

Jobname..........................: Local Drives

Configuration file...............: C:\Program Files\Avira\AntiVir PersonalEdition Classic\alldrives.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, D:, E:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: on

Scan all files...................: All files

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,

Macro heuristic..................: on

File heuristic...................: medium

Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

 

Start of the scan: mardi 29 juillet 2008 15:50

 

Starting search for hidden objects.

'53170' objects were checked, '0' hidden objects were found.

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'QTTask.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

16 processes with 16 modules were scanned

 

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

[WARNING] Le périphérique n'est pas prêt.

 

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Boot sector 'D:\'

[iNFO] In the drive 'D:\' no data medium is inserted!

 

Starting to scan the registry.

The registry was scanned ( '20' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\' <HDD>

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001327.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001329.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001330.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001331.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was moved to '48bf27b0.qua'!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001332.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001333.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was moved to '48bf27b9.qua'!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001334.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001335.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was moved to '48bf27c3.qua'!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001337.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was moved to '48bf27cb.qua'!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001338.exe

[DETECTION] Is the Trojan horse TR/Drop.Softomat.AN

[NOTE] The file was moved to '48bf27cd.qua'!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001342.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was moved to '48bf27d1.qua'!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001343.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was moved to '48bf27d4.qua'!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001345.dll

[DETECTION] Is the Trojan horse TR/Trash.Gen

[NOTE] The file was moved to '48bf27d9.qua'!

C:\System Volume Information\_restore{9AEDEF4B-1977-4657-B854-EFDB21259CFF}\RP2\A0001346.exe

[DETECTION] Is the Trojan horse TR/Killav.28714

[NOTE] The file was moved to '48bf27de.qua'!

C:\WINDOWS\NirCmd.exe

[DETECTION] Contains detection pattern of the application APPL/NirCmd.3

[NOTE] The file was moved to '49012849.qua'!

C:\WINDOWS\system32\crtytkrs.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[NOTE] The file was moved to '49032e3a.qua'!

C:\WINDOWS\system32\hcwdtsdn.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[NOTE] The file was moved to '49062e42.qua'!

C:\WINDOWS\system32\jqrfroas.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[NOTE] The file was moved to '49012e5d.qua'!

C:\WINDOWS\system32\sksowirg.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[NOTE] The file was moved to '49022e87.qua'!

C:\WINDOWS\system32\tvhcelgu.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[NOTE] The file was moved to '48f72ea0.qua'!

C:\WINDOWS\system32\wvnrxunp.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[NOTE] The file was moved to '48fd2eb4.qua'!

C:\WINDOWS\system32\wvokqpxd.dll

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[NOTE] The file was moved to '48fe2eb7.qua'!

Begin scan in 'D:\'

Search path D:\ could not be opened!

Le périphérique n'est pas prêt.

 

Begin scan in 'E:\'

Search path E:\ could not be opened!

Fonction incorrecte.

 

 

 

End of the scan: mardi 29 juillet 2008 16:52

Used time: 1:02:04 min

 

The scan has been done completely.

 

6829 Scanning directories

205554 Files were scanned

22 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

5 files were deleted

0 files were repaired

17 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

205532 Files not concerned

6725 Archives were scanned

3 Warnings

22 Notes

53170 Objects were scanned with rootkit scan

0 Hidden objects were found

[Falkra]

Voilà la suite, vundo m'a corrompu beaucoup de fichiers

mais je crois qu'on progresse!

On progressse, en effet, et la bonne nouvelle, c'est que Vundo ne corromp pas tes fichiers, il ajoute les siens, mais sans modifier les tiens (mais c'est déjà assez casse pied comme ça).

 

2eme bonne nouvelle : Antivir et MBAM ont shooté Vundo apparemment, et ton rapport HijackThis est clean.

Est-ce qu'il y a encore des symptômes infectieux sur la machine ? Je ne vois plus d'infection active.

[l'oreleï]

Cher Falkra

 

Je constate avec toi que la bête sommeille, Antivir a beaucoup chuinté durant son scan, et

les fichiers siffleurs sont dans Système 32, comme un poisson dans l'eau!

Quand penses-tu empoisonner le bain des silènes?

J'ai récupéré un système un peu bancale! J'ai plus de reconnaissance des clés USB,

j'ai plus de son pour la musique, Window média ne reconnait plus les CDrom, et ma liaison internet

est défectueuse. Mais j'arrive à ouvrir le bureau sans que l'alerte stridente ne se mette en route.

J'ai bien imaginé, histoire de pousser les intrus dehors, lacher Vundofix dans Grand Corp Malade, mais,

en mémoire de Sev la tartineuse, qui m'a autrefois gourmandée pour mes initiatives audacieuses,

j'ai opté pour la reconnaissance et l'humilité! C'est dans cette disposition que j'attends tes nouvelles instructions

Merci de ton appui L'oreleï

[Falkra]

VundoFix est à la traîne. ton rapport ne montre plus de fichiers Vundo, d'ailleurs. Je ne vois plus d'intrus.

 

J'ai plus de reconnaissance des clés USB, j'ai plus de son pour la musique, Window média ne reconnait plus les CDrom, et ma liaison internet est défectueuse.

Pas cool. Ca le faisait avant la désinfection ?