Trojan Vundo

[denfert]

Infection récurrente à Trojan Vundo sur une machine protégée par NIS, en réseau. Outil spécifique Symantec utilisé à plusieurs reprises (FixVundo.exe), idem Trojan Remover en mode nomal ou en mode sans échec. Le virus est parfois retrouvé et éradiqué, mais détection ultérieure récurrente par NIS.

J'ai fait une analyse par ComboFix dont voici le résultat : qu'en pensez vous ? Autre outil à me conseiller ?

 

ComboFix 08-11-13.01 - Parents 2008-11-15 17:11:36.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1321 [GMT 1:00]

Lancé depuis: c:\telechargementbis\ComboFix.exe

* Un nouveau point de restauration a été créé

.

ADS - WINDOWS: deleted 24 bytes in 1 streams.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\d.exe

c:\windows\IE4 Error Log.txt

c:\windows\system32\jxifhlax.dll

c:\windows\system32\synfel.dll

 

.

((((((((((((((((((((((((((((( Fichiers créés du 2008-10-15 au 2008-11-15 ))))))))))))))))))))))))))))))))))))

.

 

2008-11-09 21:38 . 2008-11-09 21:38 <REP> d-------- c:\documents and settings\All Users\Application Data\SiComponents

2008-11-09 10:48 . 2008-11-09 10:49 <REP> d-------- c:\program files\mp3DirectCut

2008-11-01 10:51 . 2008-11-01 10:51 <REP> d-------- c:\program files\Fichiers communs\DVDVIDEOSOFT

2008-11-01 10:51 . 2008-11-01 10:51 <REP> d-------- c:\program files\DVDVIDEOSOFT

2008-11-01 10:51 . 2002-01-05 15:37 344,064 --a------ c:\windows\system32\msvcr70.dll

2008-11-01 10:36 . 2008-11-01 10:50 <REP> d-------- c:\program files\MediaCoder

2008-10-28 23:30 . 2008-11-15 15:54 <REP> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2008-10-28 23:29 . 2008-10-29 08:32 <REP> d-------- c:\program files\Trojan Remover

2008-10-28 23:29 . 2008-10-28 23:29 <REP> d-------- c:\documents and settings\Parents\Application Data\Simply Super Software

2008-10-28 23:29 . 2008-10-28 23:29 <REP> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software

2008-10-28 23:29 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll

2008-10-28 23:29 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll

2008-10-28 23:29 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll

2008-10-28 23:29 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll

2008-10-28 23:29 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll

2008-10-24 21:12 . 2008-10-24 21:12 552 --a------ c:\windows\system32\d3d8caps.dat

2008-10-20 21:58 . 2008-10-20 22:04 705 --a------ C:\d3.exe

2008-10-20 21:58 . 2008-10-20 22:04 705 --a------ C:\d2.exe

2008-10-20 21:57 . 2008-10-20 22:04 2 --a------ C:\-1599513958

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-15 16:16 --------- d-----w c:\program files\SPAMfighter

2008-11-15 16:13 --------- d-----w c:\program files\Fichiers communs\Symantec Shared

2008-11-15 16:03 --------- d-----w c:\program files\Winamp Remote

2008-11-15 10:35 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-10-25 17:59 --------- d-----w c:\documents and settings\Enfants\Application Data\DivX

2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-12 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\SlySoft

2008-10-12 18:05 --------- d-----w c:\program files\SlySoft

2008-09-20 10:44 99,648 ----a-w c:\windows\system32\drivers\AnyDVD.sys

2008-01-13 12:38 357,768 ----a-w c:\documents and settings\Parents\SymXPep2.dll

2001-03-28 10:02 122,880 ----a-w c:\windows\inf\Agfa\message.exe

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1211176]

"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]

"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-18 3628080]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-10-20 2177984]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]

"SSBkgdUpdate"="c:\program files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]

"DNS7reminder"="c:\program files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" [2005-04-11 729088]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-24 217088]

"Microsoft Works Update Detection"="c:\program files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 50688]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"Ai Gear Help"="c:\program files\ASUS\AI Gear\GearHelp.exe" [2006-07-27 415744]

"Ai Nap"="c:\program files\ASUS\AI Nap\AiNap.exe" [2006-11-30 1419776]

"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2007-01-05 2129920]

"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-11-27 185896]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"ccApp"="c:\program files\Fichiers communs\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]

"ArianeLu"="c:\program files\Ariane\Lanceur\ArianeLU.exe" [2003-03-26 598016]

"SPAMfighter Agent"="c:\program files\SPAMfighter\SFAgent.exe" [2008-07-29 321672]

"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

 

c:\documents and settings\Administrateur\Menu D‚marrer\Programmes\D‚marrage\

Dragon NaturallySpeaking.lnk - c:\program files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe [2005-04-11 1994752]

 

c:\documents and settings\Parents\Menu D‚marrer\Programmes\D‚marrage\

Palm Registration.lnk - c:\program files\Palm\register.exe [2008-01-06 2494464]

 

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\

Adobe Gamma Loader.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-18 110592]

ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2007-10-10 995328]

DataViz Inc Messenger.lnk - c:\program files\Fichiers communs\DataViz\DvzIncMsgr.exe [2007-10-21 28672]

HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]

NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2005-02-10 178688]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=synfel.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"msacm.divxa32"= DivXa32.acm

"VIDC.LAGS"= lagarith.dll

"VIDC.HFYU"= huffyuv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

 

R0 lpx;LPX Protocol;c:\windows\system32\DRIVERS\lpx.sys [2005-02-09 109184]

R1 lfsfilt;Lean File Sharing;c:\windows\system32\DRIVERS\lfsfilt.sys [2005-02-09 120704]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Fichiers communs\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]

R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [2008-07-29 184968]

R3 ndasbus;NDAS Bus Driver;c:\windows\system32\DRIVERS\ndasbus.sys [2005-02-09 38656]

S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\DRIVERS\ndasscsi.sys [2005-02-09 90752]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2006-09-05 176128]

S3 SjyPkt;SjyPkt;c:\windows\System32\Drivers\SjyPkt.sys [2006-06-23 13532]

 

*Newly Created Service* - COMHOST

.

Contenu du dossier 'Tâches planifiées'

 

2008-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

 

2008-11-03 c:\windows\Tasks\Norton Internet Security - Effectuer une analyse complète du système - Administrateur.job

- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 18:19]

 

2008-11-03 c:\windows\Tasks\Norton Internet Security - Effectuer une analyse complète du système - Parents.job

- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 18:19]

.

- - - - ORPHELINS SUPPRIMES - - - -

 

BHO-{8b60f761-c432-4388-ac53-bbe565464af6} - c:\windows\system32\synfel.dll

 

 

.

------- Examen supplémentaire -------

.

FireFox -: Profile - c:\documents and settings\Parents\Application Data\Mozilla\Firefox\Profiles\5qne2x1q.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.orange.fr/|http://www.google.fr/firefox?client=firefox-a&rls=org.mozilla:fr:official

FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-15 17:15:38

Windows 5.1.2600 Service Pack 2 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

------------------------ Autres processus actifs ------------------------

.

c:\program files\Fichiers communs\Symantec Shared\ccProxy.exe

c:\progra~1\FICHIE~1\SYMANT~1\CCPD-LC\symlcsvc.exe

c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

c:\windows\system32\gearsec.exe

c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\NDAS\System\ndassvc.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

c:\windows\system32\nvsvc32.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

c:\windows\system32\rundll32.exe

c:\program files\Ariane\Ariane\Ariane.exe

c:\windows\system32\msiexec.exe

c:\program files\ASUS\AASP\1.00.25\aaCenter.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\Winamp Remote\bin\Orb.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Heure de fin: 2008-11-15 17:18:46 - La machine a redémarré

ComboFix-quarantined-files.txt 2008-11-15 16:18:42

 

Avant-CF: 64 712 310 784 octets libres

Après-CF: 68,928,057,344 octets libres

 

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect /usepmtimer

 

203 --- E O F --- 2008-11-12 23:34:59

[Falkra]

Doublon :

http://forum.zebulon.fr/trojan-vundo-t154717.html