Trojan attack

misterm  Posts: 2  Status: Member
I can't get rid of two trojans:
1 in System Volume Information: Trojan Dropper Vidro U
and 1 in windows/system32/rdsndin.exe: Trojan Click 526
The archives cover these viruses, but the HijackThis configurations are not the same.
Thanks for a hand getting rid of these trojans.
2 replies

Arkid  Posts: 519  Status: Contributor  164
 
Have you tried Antivir and Microsoft Anti-spyware?
misterm  Posts: 2  Status: Member
 
OK, but now that the trojans are there, how do I get rid of them?
Here is a HijackThis log of the situation:
Logfile of HijackThis v1.99.1
Scan saved at 21:51:14, on 08/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender Professional Edition\vsserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Visage\PDF Printer\vspdfprsrv.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe
C:\Program Files\Softwin\BitDefender Professional Edition\bdswitch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\moi\Mes documents\TIEUM\viryus\logiciel\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {B95986F6-8176-D808-36EC-1193F2726DC4} - br0ken.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WpsRePsw] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\Visage\PDF Printer\vspdfprsrv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender Professional Edition\bdswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\system32\hclean32.exe
O4 - HKLM\..\Run: [init32] nmdllw.exe
O4 - HKLM\..\Run: [stuffmon] media64.exe
O4 - HKLM\..\Run: [dmzvs.exe] C:\WINDOWS\system32\dmzvs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [34763] MNTP.exe
O4 - HKCU\..\Run: [killall] Trayz.exe
O4 - HKCU\..\Run: [forces_elite] SYSTRAV.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37FB8A0C-C7BA-420C-A409-2E376CE6C6A2}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F9C91E2-7A0F-4419-A055-67B3DA99DBD3}: NameServer = 194.117.200.10 194.117.200.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2388F90-BBA2-4208-AB80-BCA3ACA970ED}: NameServer = 195.95.218.52,85.255.112.16
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender Professional Edition\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
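As an added example (not code from the thread), a small Python triage of HijackThis-format lines modelled on the log above: it flags Run entries that launch a bare file name, entries whose file is missing, and adapters whose NameServer sets disagree with each other. The sample lines are constructed from the entry types in the post and the adapter GUIDs are placeholders.

```python
import re

# Constructed sample in HijackThis v1.99 layout, reusing entry types from the
# log posted above (adapter GUIDs are placeholders, not the ones in the post).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [init32] nmdllw.exe
O4 - HKLM\\..\\Run: [stuffmon] media64.exe
O4 - HKCU\\..\\Run: [killall] Trayz.exe
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
R3 - URLSearchHook: (no name) - {B95986F6-8176-D808-36EC-1193F2726DC4} - br0ken.dll (file missing)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{ADAPTER-A}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{ADAPTER-B}: NameServer = 194.117.200.10 194.117.200.15
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{ADAPTER-C}: NameServer = 195.95.218.52,85.255.112.16
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*\\(?P<adapter>\{[^}]+\}): NameServer = (?P<servers>.+)$")


def triage(log: str) -> dict:
    """Group the entries a helper would ask about first, by reason."""
    out = {"bare_run": [], "orphaned": [], "dns_sets": []}
    dns_by_adapter = {}
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = m.group("cmd").strip().lstrip('"').split()[0]
            # No directory at all: Windows finds it through the PATH search, so
            # the log does not say where the binary lives. Locate and check it.
            if "\\" not in exe:
                out["bare_run"].append(f"{m.group('hive')} [{m.group('name')}] -> {exe}")
            continue
        if "(file missing)" in line or "(no file)" in line:
            # Registered object whose file is gone: leftover of a removed tool
            # or a component hiding itself. The entry should be removed anyway.
            out["orphaned"].append(line)
            continue
        m = O17_RE.match(line)
        if m:
            servers = re.split(r"[ ,]+", m.group("servers").strip())
            dns_by_adapter[m.group("adapter")] = frozenset(servers)
    # More than one distinct resolver set across adapters is the first hint that
    # NameServer was rewritten; compare each set with the ISP's known servers.
    out["dns_sets"] = sorted(sorted(s) for s in set(dns_by_adapter.values()))
    return out
```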
Anonymous user
 
hi

your trojan isn't one of the easiest to remove

download silentrunners here:
http://www.silentrunners.org/Silent%20Runners.vbs
unzip it, run it and post the report

download this program here:
http://get.yourfile.net/rb76127.zip
unzip it, run it and post the report

later
misterm  Posts: 2  Status: Member
 
OK, here it is. Since then my BitDefender no longer gives me any alerts; everything seems to be back in order, no more trojans for now. I followed several leads and used lots of tools; anyway, here are the requested reports.
I have to be away for 3 days. Thanks a lot and see you Monday.

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"34763" = "MNTP.exe" [file not found]
"killall" = "Trayz.exe" [file not found]
"forces_elite" = "SYSTRAV.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"WpsRePsw" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE" ["Canon Inc."]
"vspdfprsrv.exe" = "C:\Program Files\Visage\PDF Printer\vspdfprsrv.exe" ["Visage Software"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"" ["Roxio"]
"BDMCon" = "C:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe" ["SOFTWIN S.R.L."]
"BDSwitchAgent" = "C:\Program Files\Softwin\BitDefender Professional Edition\bdswitch.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"init32" = "nmdllw.exe" [file not found]
"stuffmon" = "media64.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

report 2
Recherche registre ...


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan REG_SZ SOUNDMAN.EXE
ATIPTA REG_SZ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
WpsRePsw REG_SZ C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
vspdfprsrv.exe REG_SZ C:\Program Files\Visage\PDF Printer\vspdfprsrv.exe
NeroCheck REG_SZ C:\WINDOWS\system32\NeroCheck.exe
RoxioDragToDisc REG_SZ "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
BDMCon REG_SZ C:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe
BDSwitchAgent REG_SZ C:\Program Files\Softwin\BitDefender Professional Edition\bdswitch.exe
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
init32 REG_SZ nmdllw.exe
stuffmon REG_SZ media64.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
system REG_SZ csvst.exe

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
"pgtshlld"=hex:cd,36,00,00,a4,a4,9c,98,f5,fc,f1,f0,2e,ef,a0,df,14,00,00,00
"nidnsdr"=hex:65,38,00,00,42,54,7d,7e,7c,73,16,5e,1f,00,2f,13,00,00,00
"23naelch"=hex:a6,6b,00,00,9b,94,b7,a6,b2,a9,1c,15,01,d6,fb,e6,14,00,00,00
"aplnsftn"=hex:ce,1b,00,00,a9,df,91,ec,89,87,fb,e2,29,ee,a3,de,14,00,00,00
"23rtcdaol"=hex:98,1c,00,00,91,9a,5c,51,4e,b1,cf,06,1f,1b,18,fd,08,15,00,00,00
"7"=hex:e4,47,00,00,d9,da,f5,e4,f0,ef,d2,db,c7,94,b9,a4,14,00,00,00
"8"=hex:e4,47,00,00,c3,d5,f2,ff,fd,f0,97,df,9c,81,ac,13,00,00,00
"9"=hex:e4,47,00,00,c7,c5,ef,fa,e7,ed,91,88,c7,94,b9,a4,14,00,00,00
"10"=hex:3e,40,00,00,33,3c,0f,0e,2a,11,b4,bd,b9,7e,53,4e,14,00,00,00
"11"=hex:3e,40,00,00,25,3f,14,01,17,1a,69,a1,76,6b,46,13,00,00,00
"12"=hex:3e,40,00,00,39,2f,01,1c,19,17,6b,52,b9,7e,53,4e,14,00,00,00
"13"=hex:2a,27,00,00,07,10,33,22,3e,25,98,91,8d,52,47,62,14,00,00,00
"14"=hex:2a,27,00,00,09,13,38,35,3b,2e,5d,95,5a,7f,6a,13,00,00,00
"15"=hex:2a,27,00,00,0d,03,35,30,2d,2b,5f,46,8d,52,47,62,14,00,00,00
"16"=hex:77,2c,00,00,4a,47,46,71,6d,58,6f,64,70,01,0a,31,14,00,00,00
"17"=hex:77,2c,00,00,7c,46,4f,48,6e,5d,20,68,09,32,39,13,00,00,00
"18"=hex:77,2c,00,00,70,76,78,47,50,5e,22,15,70,01,0a,31,14,00,00,00
"mfamd"=hex:8b,00,00,00,7a,65,49,5c,4d,04,35,ce,25,11,00,00,00

C:\WINDOWS\System32\loadctr32.exe Présent !

Recherche presence hclean32.exe...
non trouvé...