Trojan vitumonde

chadz -  
 chadz -
Bonjour, Je suis sur un serveur win2003 et je voulais savoir qui pourais lire mon rapport Hljacklist et me dire si j'ai reussis a virer ce trojan de m....

Merci d'avance
Configuration: Windows XP
Firefox 2.0.0.16

15 réponses

  1. kornophyl Messages postés 284 Statut Membre 38
     
    je viens de me remettre de cette saloperie, il faut que tu utilises combofix ca a marche directement pour moi ; apres, tu fais une analyse complete du systeme par ton antivirus et par spybot et c'est reparti.

    infos sur combofix et d autres (que j ai pas teste) :
    http://www.commentcamarche.net/faq/sujet 6862 supprimer le trojan vundo virtumonde

    balance ton rapport hijackthis
    0
  2. chadz
     
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:23:37, on 13/08/2008
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
    C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
    C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
    C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
    C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
    C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
    C:\Program Files\HP\Cissesrv\cissesrv.exe
    C:\WINDOWS\system32\cpqrcmc.exe
    C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
    C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
    C:\WINDOWS\system32\Dfssvc.exe
    c:\divalto\sys\DhsDivalto.exe
    C:\WINDOWS\System32\dns.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\ismserv.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
    C:\WINDOWS\system32\ntfrs.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
    C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
    C:\Program Files\Fighters\configservice.exe
    C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\dbasqlr.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
    C:\Program Files\Trend Micro\Security Server\PCCSRV\Web\Service\DbServer.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\sysdown.exe
    C:\hp\hpsmh\bin\smhstart.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
    C:\hp\hpsmh\bin\hpsmhd.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
    C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
    C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
    c:\divalto\sys\DhsDivaAgent.exe
    c:\divalto\sys\DhsServices.exe
    c:\divalto\sys\DhsXlanServer.exe
    C:\hp\hpsmh\bin\rotatelogs.exe
    C:\hp\hpsmh\bin\rotatelogs.exe
    C:\Program Files\Fichiers communs\System\MSSearch\Bin\mssearch.exe
    C:\hp\hpsmh\bin\hpsmhd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
    C:\Inetpub\wwwroot\PAPO\CRMEscalationService.exe
    C:\Inetpub\wwwroot\PAPO\eWareEmailManager.exe
    C:\hp\hpsmh\bin\rotatelogs.exe
    C:\hp\hpsmh\bin\rotatelogs.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
    C:\Program Files\Fighters\licenseservice.exe
    C:\Program Files\Fighters\updateservice.exe
    C:\Program Files\Fighters\ScannerService.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
    C:\WINDOWS\TEMP\TECEE2.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
    C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe
    c:\windows\system32\inetsrv\w3wp.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\NCU\cpqteam.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
    C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
    c:\program files\fighters\spywarefighter\SPYWAREfighterTray.exe
    C:\Program Files\Trojan Remover\Trjscan.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\divalto\sys\DhSession.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/windowsupdate/v6/default.aspx
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O4 - HKLM\..\Run: [CPQTEAM] C:\Program Files\HP\NCU\cpqteam.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: DhsDivalto.lnk = C:\divalto\sys\DhSession.exe (User 'Default user')
    O4 - Startup: DhsDivalto.lnk = C:\divalto\sys\DhSession.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - ESC Trusted Zone: http://runonce.msn.com
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {3DFD2B52-C6E9-11D4-8226-005004F658FC} (XeWare Control) - http://srv-divalto/PAPO/Plugin/eWarePluginX.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
    O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://srv-divalto.papo.fr:4343/SMB/console/html/root/AtxEnc.cab
    O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Console d'administration de Security Server) - https://srv-divalto.papo.fr:4343/SMB/console/html/root/AtxConsole.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = papo.fr
    O17 - HKLM\Software\..\Telephony: DomainName = papo.fr
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA33FD94-004E-438D-8D5F-7CEB2591C107}: NameServer = 192.168.0.2,192.168.0.3
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = papo.fr
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = papo.fr
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
    O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
    O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
    O23 - Service: Moteur de bases de données CA BrightStor (CASDBEngine) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
    O23 - Service: Service de découverte BrightStor de CA (CASDiscoverySvc) - CA - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe
    O23 - Service: Moteur de jobs CA BrightStor (CASJobEngine) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
    O23 - Service: Moteur de messages CA BrightStor (CASMsgEngine) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
    O23 - Service: Contrôleur de service CA Brightstor (CASSvcControlSvr) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
    O23 - Service: Moteur de bandes CA BrightStor (CASTapeEngine) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
    O23 - Service: Serveur de domaine CA BrightStor (CASUnivDomainSvr) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
    O23 - Service: Agent universel BrightStor de CA (CASUniversalAgent) - CA - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe
    O23 - Service: Serveur d'appel de procédure distante CA (CATIRPC) - CA - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe
    O23 - Service: HP Smart Array SAS/SATA Event Notification Service (Cissesrv) - Hewlett-Packard Company - C:\Program Files\HP\Cissesrv\cissesrv.exe
    O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
    O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
    O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
    O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
    O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
    O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
    O23 - Service: CRM Escalation Service (CRMEscalationService) - Unknown owner - C:\Inetpub\wwwroot\PAPO\CRMEscalationService.exe
    O23 - Service: Serveur RPC de l'agent Backup BrightStor de CA (DbaRpcService) - CA - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe
    O23 - Service: Divalto DhsDivaAgent Version 6.1a (DhsDivaAgent) - Divalto - c:\divalto\sys\DhsDivaAgent.exe
    O23 - Service: Divalto DhsDivalto Version 6.1a (DhsDivalto) - Divalto - c:\divalto\sys\DhsDivalto.exe
    O23 - Service: Divalto DhsServices Version 6.1a (DhsServices) - Divalto - c:\divalto\sys\DhsServices.exe
    O23 - Service: Divalto XLANSQL Version 6.1a (DhsXlanServer) - Divalto - c:\divalto\sys\DhsXlanServer.exe
    O23 - Service: CRM E-Mail Manager (EmailManager) - ACCPAC International, Inc. - C:\Inetpub\wwwroot\PAPO\eWareEmailManager.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    O23 - Service: Scan en temps réel Trend Micro Client/Server Security Agent (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
    O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: PTK License-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\licenseservice.exe
    O23 - Service: PTK Live Update-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\updateservice.exe
    O23 - Service: PTK Scanner-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\ScannerService.exe
    O23 - Service: PTK SharedAccess-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\configservice.exe
    O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - CA - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\dbasqlr.exe
    O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Hewlett-Packard Company - C:\WINDOWS\system32\sysdown.exe
    O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
    O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    0
  3. chadz
     
    merci de ta rapidité c'est vraiment agreable!!!
    0
  4. kornophyl Messages postés 284 Statut Membre 38
     
    utilise combofix et ensuite repost un rapport hijackthis
    0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. chadz
     
    je ne peux pas telecharger combofix mais j'ai lancer vundofix et il n'a rien trouver
    0
  7. kornophyl Messages postés 284 Statut Membre 38
     
    voila le lien pour dl combofix :
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    0
  8. chadz
     
    Que peux tu dire de mon premier rapport j'ai déjà remarqué que les ligne 02 et 20 avais disparus???
    0
  9. chadz
     
    OS incompatible la version ne marche pas sur 2003 serveur!!!
    0
  10. kornophyl Messages postés 284 Statut Membre 38
     
    je ne suis pas assez competent pour ton post, je pensais pouvoir l'analyser mais je ne saurais te dire ou est le probleme. sur mon pc c est facile parce que je connais les programmes mais la je bloque.

    tente combofix, ca regle le pb
    0
  11. chadz
     
    Je suis dans la merde il est revenu spyboy le retrouve dans les clef de registre
    0
  12. kornophyl Messages postés 284 Statut Membre 38
     
    tentez les deux autres methodes avec le lien de mon premier post, bon courage
    0
  13. chadz
     
    [08/12/2008, 15:08:03] - VirtumundoBeGone v1.5 ( "U:\VirtumundoBeGone.exe" )
    [08/12/2008, 15:08:08] - User choose NOT to continue. Exiting...

    [08/13/2008, 16:11:39] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrateur.PAPO\Bureau\VirtumundoBeGone.exe" )
    [08/13/2008, 16:12:26] - Detected System Information:
    [08/13/2008, 16:12:26] - Windows Version: 5.2.3790, Service Pack 2
    [08/13/2008, 16:12:26] - Current Username: ADMINISTRATEUR (Admin)
    [08/13/2008, 16:12:26] - Windows is in NORMAL mode.
    [08/13/2008, 16:12:26] - Searching for Browser Helper Objects:
    [08/13/2008, 16:12:26] - Finished Searching Browser Helper Objects
    [08/13/2008, 16:12:26] - Finishing up...
    [08/13/2008, 16:12:26] - Nothing found! Exiting...
    0
  14. kornophyl Messages postés 284 Statut Membre 38
     
    c est une vrai saloperie, je ne sais comment vous aider plus...
    0