[RESOLU] aide, troj_vundo.be rappro hjackthis

[ciko_59]

depuis 3 jours, j'ai choppé troj_vundo.be

 

j'ai essayé adaware, spybot, antivir...

 

rien n'y fait

 

voici le rapport hijackthis

 

qui a une idée ?

 

Logfile of HijackThis v1.99.1

Scan saved at 13:39:08, on 21/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\Windows\Cpqdiag\Cpqdfwag.exe

C:\Windows\System32\inetsrv\inetinfo.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\Windows\System32\NMSSvc.exe

C:\OfficeScan NT\ntrtscan.exe

C:\OfficeScan NT\OfcPfwSvc.exe

C:\Windows\System32\svchost.exe

C:\OfficeScan NT\tmlisten.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\WINDOWS\TEMP\CF4B23.EXE

C:\Windows\Explorer.EXE

C:\OfficeScan NT\pccntmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Fichiers communs\{FC702006-06A4-1036-1002-020522200021}\Update.exe

C:\Windows\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Windows\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\wuauclt.exe

C:\Documents and Settings\jeherbin\Bureau\hijackthis_199\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/040C/bl8.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sezam/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/040C/bl8.asp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/040C/bl7.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/040C/bl7.asp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxys:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = omnivista;sezam;150.1.10.6;http://kidam;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: (no name) - <default> - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\Windows\system32\tuvusts.dll

O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [sIDEBAR] "C:\Windows\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll

O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/cfw..._instmodule.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150811665156

O16 - DPF: {64E27CFB-8B69-4B83-80F0-36A81437D587} - http://activex.camfrogweb.com/basic/cfweb_..._instmodule.exe

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/fr/big/1.1....g/GoogleNav.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB

O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Environnement d'exécution Java 1.4.1_06) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{73702708-2322-43D0-BCB8-BDE17D9E0A4A}: Domain = lmcu.fr

O17 - HKLM\System\CS1\Services\Tcpip\..\{73702708-2322-43D0-BCB8-BDE17D9E0A4A}: Domain = lmcu.fr

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: tuvusts - C:\Windows\SYSTEM32\tuvusts.dll

O20 - Winlogon Notify: WgaLogon - C:\Windows\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Compaq Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett Packard - C:\Windows\Cpqdiag\Cpqdfwag.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Modifié le 31 juillet 2006 par ciko_59

[bruce lee]

Bonjour,

 

analyse en cours...

[bruce lee]

re,

 

Télécharge VundoFix.exe (par Atribune) sur ton Bureau.

• Double-clique VundoFix.exe afin de le lancer.
  
• Coche Run VundoFix as a task.
  
• Un message t'avertira que l'outil va se fermer et s'ouvrir à nouveau : clique Ok
  
• Clique sur le bouton Scan for Vundo.
  
• Lorsque le scan est complété, clique sur le bouton Remove Vundo.
  
• Une invite te demandera si tu veux supprimer les fichiers, clique YES
  
• Après avoir cliqué "Yes", le Bureau disparaîtra un moment lors de la suppression des fichiers.
  
• Tu verras une invite qui t'annonce que ton PC va s'éteindre ("shutdown"); clique OK
  
• Démarre ton PC à nouveau.
  
• Copie/colle le contenu du rapport situé dans C:\vundofix.txt ainsi qu'un nouveau rapport HijackThis! dans ta prochaine réponse.
  

 

@+

[ciko_59]

j'ai lancé vundofix.exe comme tu me l'as dis mais il me repond après scan

"done searching for files. Not infected files were found"

 

si ça peut t'aider, lorsque j'allume le micro j'ai un message dans une fenetre dos concernant le fichier ishost.exe

 

voila le nouveau rapport

 

merci d'avance

 

Logfile of HijackThis v1.99.1

Scan saved at 14:40:23, on 21/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\Windows\Cpqdiag\Cpqdfwag.exe

C:\Windows\System32\inetsrv\inetinfo.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\Windows\System32\NMSSvc.exe

C:\OfficeScan NT\ntrtscan.exe

C:\OfficeScan NT\OfcPfwSvc.exe

C:\Windows\System32\svchost.exe

C:\OfficeScan NT\tmlisten.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\WINDOWS\TEMP\LXA76F.EXE

C:\Windows\Explorer.EXE

C:\OfficeScan NT\pccntmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Fichiers communs\{FC702006-06A4-1036-1002-020522200021}\Update.exe

C:\Windows\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Windows\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\jeherbin\Bureau\hijackthis_199\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/040C/bl8.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sezam/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/040C/bl8.asp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/040C/bl7.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/040C/bl7.asp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxys:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = omnivista;sezam;150.1.10.6;http://kidam;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: (no name) - <default> - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\Windows\system32\tuvusts.dll

O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [sIDEBAR] "C:\Windows\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll

O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/cfw..._instmodule.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150811665156

O16 - DPF: {64E27CFB-8B69-4B83-80F0-36A81437D587} - http://activex.camfrogweb.com/basic/cfweb_..._instmodule.exe

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/fr/big/1.1....g/GoogleNav.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB

O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Environnement d'exécution Java 1.4.1_06) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{73702708-2322-43D0-BCB8-BDE17D9E0A4A}: Domain = lmcu.fr

O17 - HKLM\System\CS1\Services\Tcpip\..\{73702708-2322-43D0-BCB8-BDE17D9E0A4A}: Domain = lmcu.fr

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: tuvusts - C:\Windows\SYSTEM32\tuvusts.dll

O20 - Winlogon Notify: WgaLogon - C:\Windows\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)

O23 - Service: Compaq Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett Packard - C:\Windows\Cpqdiag\Cpqdfwag.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[bruce lee]

re,

 

merci de l'info sur le message de vundofix

 

Télécharge VirtumundoBegone sur le bureau:

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

 

Double clique ensuite sur VirtumundoBeGone.exe et suis les instructions.

Une fois terminé, redémarre et poste le rapport VBG.TXT créé sur le bureau

dans ta prochaine réponse avec un nouveau rapport HijackThis.

 

Ne t'inquiète pas si tu vois un message Ecran bleu "Erreur fatale", c'est normal et attendu.

[ciko_59]

re

 

merci pour ton aide

 

tjrs apres le rebbot le msg sur ishost.exe

et j'ai pas eu l'ecran bleu

 

voici le rapport vbg.txt

 

 

[07/24/2006, 9:34:50] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\jeherbin\Bureau\VirtumundoBeGone.exe" )

[07/24/2006, 9:35:02] - Detected System Information:

[07/24/2006, 9:35:02] - Windows Version: 5.1.2600, Service Pack 2

[07/24/2006, 9:35:02] - Current Username: jeherbin (Admin)

[07/24/2006, 9:35:02] - Windows is in NORMAL mode.

[07/24/2006, 9:35:02] - Searching for Browser Helper Objects:

[07/24/2006, 9:35:02] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()

[07/24/2006, 9:35:02] - WARNING: BHO has no default name. Checking for Winlogon reference.

[07/24/2006, 9:35:02] - Checking for HKLM\...\Winlogon\Notify\SDHelper

[07/24/2006, 9:35:02] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.

[07/24/2006, 9:35:02] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()

[07/24/2006, 9:35:02] - WARNING: BHO has no default name. Checking for Winlogon reference.

[07/24/2006, 9:35:02] - Checking for HKLM\...\Winlogon\Notify\tuvusts

[07/24/2006, 9:35:02] - Found: HKLM\...\Winlogon\Notify\tuvusts - This is probably Virtumundo.

[07/24/2006, 9:35:02] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object

[07/24/2006, 9:35:02] - BHO list has been changed! Starting over...

[07/24/2006, 9:35:02] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()

[07/24/2006, 9:35:02] - WARNING: BHO has no default name. Checking for Winlogon reference.

[07/24/2006, 9:35:02] - Checking for HKLM\...\Winlogon\Notify\SDHelper

[07/24/2006, 9:35:02] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.

[07/24/2006, 9:35:02] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)

[07/24/2006, 9:35:02] - ALERT: Found MSEvents Object!

[07/24/2006, 9:35:02] - BHO 3: {944864A5-3916-46E2-96A9-A2E84F3F1208} ()

[07/24/2006, 9:35:02] - WARNING: BHO has no default name. Checking for Winlogon reference.

[07/24/2006, 9:35:02] - No filename found. Continuing.

[07/24/2006, 9:35:02] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)

[07/24/2006, 9:35:02] - Finished Searching Browser Helper Objects

[07/24/2006, 9:35:02] - *** Detected MSEvents Object

[07/24/2006, 9:35:02] - Trying to remove MSEvents Object...

[07/24/2006, 9:35:03] - Terminating Process: IEXPLORE.EXE

[07/24/2006, 9:35:03] - Terminating Process: RUNDLL32.EXE

[07/24/2006, 9:35:03] - Disabling Automatic Shell Restart

[07/24/2006, 9:35:03] - Terminating Process: EXPLORER.EXE

[07/24/2006, 9:35:03] - Suspending the NT Session Manager System Service

[07/24/2006, 9:35:04] - Terminating Windows NT Logon/Logoff Manager

[07/24/2006, 9:35:04] - Re-enabling Automatic Shell Restart

[07/24/2006, 9:35:04] - File to disable: C:\Windows\system32\tuvusts.dll

[07/24/2006, 9:35:04] - Renaming C:\Windows\system32\tuvusts.dll -> C:\Windows\system32\tuvusts.dll.vir

[07/24/2006, 9:35:04] - File successfully renamed!

[07/24/2006, 9:35:04] - Removing HKLM\...\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

[07/24/2006, 9:35:04] - Removing HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

[07/24/2006, 9:35:04] - Adding Kill Bit for ActiveX for GUID: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

[07/24/2006, 9:35:04] - Deleting ATLEvents/MSEvents Registry entries

[07/24/2006, 9:35:04] - Removing HKLM\...\Winlogon\Notify\tuvusts

[07/24/2006, 9:35:04] - Searching for Browser Helper Objects:

[07/24/2006, 9:35:04] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()

[07/24/2006, 9:35:04] - WARNING: BHO has no default name. Checking for Winlogon reference.

[07/24/2006, 9:35:04] - Checking for HKLM\...\Winlogon\Notify\SDHelper

[07/24/2006, 9:35:04] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.

[07/24/2006, 9:35:04] - BHO 2: {944864A5-3916-46E2-96A9-A2E84F3F1208} ()

[07/24/2006, 9:35:04] - WARNING: BHO has no default name. Checking for Winlogon reference.

[07/24/2006, 9:35:04] - No filename found. Continuing.

[07/24/2006, 9:35:04] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)

[07/24/2006, 9:35:04] - Finished Searching Browser Helper Objects

[07/24/2006, 9:35:04] - Finishing up...

[07/24/2006, 9:35:04] - A restart is needed.

[07/24/2006, 9:35:09] - Attempting to Restart via STOP error (Blue Screen!)

 

 

et voici le rapport HijackThis

 

Logfile of HijackThis v1.99.1

Scan saved at 09:44:29, on 24/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\Windows\Cpqdiag\Cpqdfwag.exe

C:\Windows\System32\inetsrv\inetinfo.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\OfficeScan NT\ntrtscan.exe

C:\OfficeScan NT\OfcPfwSvc.exe

C:\Windows\System32\svchost.exe

C:\OfficeScan NT\tmlisten.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\WINDOWS\TEMP\SFB309.EXE

C:\Windows\Explorer.EXE

C:\OfficeScan NT\pccntmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Fichiers communs\{FC702006-06A4-1036-1002-020522200021}\Update.exe

C:\Windows\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Windows\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\jeherbin\Bureau\hijackthis_199\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/040C/bl8.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sezam/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/040C/bl8.asp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/040C/bl7.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/040C/bl7.asp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxys:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = omnivista;sezam;150.1.10.6;http://kidam;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: (no name) - <default> - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [sIDEBAR] "C:\Windows\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll

O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/cfw..._instmodule.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150811665156

O16 - DPF: {64E27CFB-8B69-4B83-80F0-36A81437D587} - http://activex.camfrogweb.com/basic/cfweb_..._instmodule.exe

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/fr/big/1.1....g/GoogleNav.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB

O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Environnement d'exécution Java 1.4.1_06) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{73702708-2322-43D0-BCB8-BDE17D9E0A4A}: Domain = lmcu.fr

O17 - HKLM\System\CS1\Services\Tcpip\..\{73702708-2322-43D0-BCB8-BDE17D9E0A4A}: Domain = lmcu.fr

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: WgaLogon - C:\Windows\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)

O23 - Service: Compaq Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett Packard - C:\Windows\Cpqdiag\Cpqdfwag.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[bruce lee]

Bonjour,

 

j'aimerai une petite analyse sur un fichier s'il te plait

 

1/affiche tout les fichiers:

 

Démarrer, Poste de travail ou autre dossier, Menu Outils, Option des dossiers, onglet Affichage :

Cocher la case : Afficher les fichiers et dossiers cachés

Décocher la case : Masquer les extensions des fichiers dont le type est connu

Décocher la case : Masquer les fichiers protégés du système d'exploitation

cliquer sur "Appliquer"

cliquer sur le bouton "Appliquer à tous les dossiers" / OK

 

 

 

2/rend toi ensuite sur ce site http://secubox.gateweb.org/mad.php et fait analyser {FC702006-06A4-1036-1002-020522200021} qui se trouve ici:

 

C:\Program Files\Fichiers communs\{FC702006-06A4-1036-1002-020522200021}

 

Une fois le fichier envoyé, dis le moi.

 

@+

[ciko_59]

re

 

C:\Program Files\Fichiers communs\{FC702006-06A4-1036-1002-020522200021} est en fait un dossier qui comporte services.dll et update.exe

 

j'ai donc demandé l'analyse de services.dll. c le bon fichier ?

 

voici la reponse du site http://secubox.gateweb.org/mad.php

 

Fichier: services.dll

Nom d'origine: Services.dll

Compilateur: Microsoft VC++

Compilé le: Mercredi 5 Juillet 2006 à 08:44:20

MD5: e2f1ec87af6d5767a882d89ea6b52fbe

SHA1: 579f57cb1f47288204b96175d80e5f5e6760fe93

 

La librairie dispose de 3 fonctions:

• RVA ›› 0x00001054 (Nom fonction: 0x00002133 -› DownloadFile)

• RVA ›› 0x00001000 (Nom fonction: 0x00002140 -› GetUserAgent)

• RVA ›› 0x0000103F (Nom fonction: 0x0000214D -› SetUserAgent

 

Fonctions importées:

10002000 ›› strcpy (importée de la librairie msvcr71.dll)

10002008 ›› URLDownloadToFileW (importée de la librairie urlmon.dll)

1000200C ›› UrlMkSetSessionOption (importée de la librairie urlmon.dll)

10002010 ›› UrlMkGetSessionOption (importée de la librairie urlmon.dll)

 

URLDownloadToFileW (

LPUNKNOWN,

LPCWSTR,

LPCWSTR,

DWORD,

LPBINDSTATUSCALLBACK

)

 

UrlMkSetSessionOption (

DWORD dwOption,

LPVOID pBuffer,

DWORD dwBufferLength,

DWORD dwReserved

)

 

UrlMkGetSessionOption(

DWORD dwOption,

LPVOID pBuffer,

DWORD dwBufferLength,

DWORD *pdwBufferLength,

DWORD dwReserved

)

[ciko_59]

j'ai envoyé aussi update.exe, mad m'a repondu

 

Hash des fichiers envoyés:

MD5: 56615860fde60e74d9d57c77aa45e1b4

SHA1: d2ca76f19ece32f4c0acee492b9c68750d95cbcb

 

Le fichier envoyé semble quant à lui différent de celui que nous avions. Nous sommes sur l'analyse de ce fichier, merci de votre patience.

 

merci de ta participation

[MAD­]

Après analyses et confirmations d'autres labos, il semble que ce fichier ne contienne aucun code malicieux.

Le simple fait d'avoir encodé en base64 des chaînes qui sont par la suite assemblées afin de générer des requêtes sur un serveur distant en dit long...

Pour ces raisons, je vous conseil de renommer ces fichiers & de constater si par la suite ça pose problème ou non.

A priori, "update.exe" & "services.dll" ne sont pas vitaux pour le bon fonctionnement de votre système.

 

Merci pour votre patience ciko_59.

A bientôt.