Help! Virtumonde virus and others
GregetLau
Hello everyone,
I'm here to get some help. I have a virus on my PC that is detected by some antivirus programs but never under the same name, except by Spybot, which finds "smitfraud-C.MSVPS" in the registry, Virtumonde likewise, virtumonde.dll and Zlobdownloads.
The problem is that when I delete them in Safe Mode, after removing every virus with McAfee, Kaspersky and Avast and cleaning the registry with CCleaner, when I restart the PC in normal mode it seems to reinstall itself, notably in the Temp folder under AppData.
So basically the effects are as follows: Spybot S&D sends me a message every 5 minutes, and especially at startup, saying:
"System startup user entry
value added
e4ad19ed
rundll32.cx: Appdata\local\temp\wnbiruln.dll"
Then, when I'm not connected to the internet, it tries to connect, because a message appears asking me to work offline or connect.
Finally, when I'm online it goes to a page where a so-called antivirus tries to run a scan...
So if someone could help me get rid of it cleanly, I must admit it would help me a lot!
Since I saw that the experts ask for a HijackThis report, here is what the report I just made says.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:43:36, on 02/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Grégory\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Grégory\AppData\Roaming\Adobe\Player.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer fourni par Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {11DFB01A-0852-4955-9747-C59E21DBBDA5} - C:\Windows\dfmlxbpkvlo.dll
O2 - BHO: McAfee Phishing Filter - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: QXK Olive - {AA1601A0-0E35-4E80-A507-EBEAD0463D75} - C:\Windows\nkefbltdxvk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: peltodgx - {0FA15166-39DA-4DAB-9B1A-0DDDBACA8BD5} - C:\Windows\peltodgx.dll
O3 - Toolbar: dkwqgnbe - {0E3A3463-7B9C-44E9-B0BF-D71133330658} - C:\Windows\dkwqgnbe.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: dkwqgnbe - {106198B5-9A3D-4D97-8DEF-845A1FDCD787} - C:\Windows\dkwqgnbe.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\urQIcCuV.dll,#1
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EPSON Stylus DX5000 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\Windows\TEMP\E_S27F0.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Grégory\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [] C:\Users\Grégory\AppData\Roaming\Adobe\Player.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P7 /q C:\Users\GRGORY~1\AppData\Local\Temp\History\History.SH! C:\Users\GRGORY~1\AppData\Local\Temp\History.SH! C:\Users\GRGORY~1\AppData\Local\Temp\FICHIE~1\Content.SH! C:\Users\GRGORY~1\AppData\Local\Temp\FICHIE~1.SH! C:\Users\GRGORY~1\AppData\Local\Temp\Cookies.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P7 /q C:\Users\GRGORY~1\AppData\Local\Temp\History\History.SH! C:\Users\GRGORY~1\AppData\Local\Temp\History.SH! C:\Users\GRGORY~1\AppData\Local\Temp\FICHIE~1\Content.SH! C:\Users\GRGORY~1\AppData\Local\Temp\FICHIE~1.SH! C:\Users\GRGORY~1\AppData\Local\Temp\Cookies.SH! (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: Envoyer au périphérique &Bluetooth... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Envoyer l'&image au périphérique Bluetooth... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O21 - SSODL: onfwbsak - {A83F3B5F-AECD-4599-ABA3-19858B4E66F4} - C:\Windows\onfwbsak.dll
O21 - SSODL: rwlfsdmk - {B6CB70A2-58BD-4B41-BEFF-E318DDC422BC} - C:\Windows\rwlfsdmk.dll
O21 - SSODL: neksolda - {69D6001B-6EC0-4F5D-9E51-004ACEEC14DD} - C:\Windows\neksolda.dll
O21 - SSODL: xgpsarbm - {EA04F47D-0C98-4CD7-A823-0B7D7B5BD1B3} - C:\Windows\xgpsarbm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 13147 bytes
I also have another report, if it helps:
<AVZ_CollectSysInfo>
--------------------
Start time: 03/10/2008 15:11:44
Duration: 00:02:36
Finish time: 03/10/2008 15:14:20
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
03/10/2008 15:11:48 Windows version: Windows Vista (TM) Home Premium, Build=6001, SP="Service Pack 1"
03/10/2008 15:11:48 System Restore: enabled
03/10/2008 15:11:48 System booted in Safe Mode
03/10/2008 15:11:50 1.1 Searching for user-mode API hooks
03/10/2008 15:11:51 Analysis: kernel32.dll, export table found in section .text
03/10/2008 15:11:51 Function kernel32.dll:CreateProcessA (151) intercepted, method ProcAddressHijack.GetProcAddress ->773F1C36->61F03F42
03/10/2008 15:11:51 Hook kernel32.dll:CreateProcessA (151) blocked
03/10/2008 15:11:51 Function kernel32.dll:CreateProcessW (154) intercepted, method ProcAddressHijack.GetProcAddress ->773F1C01->61F04040
03/10/2008 15:11:51 Hook kernel32.dll:CreateProcessW (154) blocked
03/10/2008 15:11:51 Function kernel32.dll:FreeLibrary (335) intercepted, method ProcAddressHijack.GetProcAddress ->774308F8->61F041FC
03/10/2008 15:11:51 Hook kernel32.dll:FreeLibrary (335) blocked
03/10/2008 15:11:51 Function kernel32.dll:GetModuleFileNameA (503) intercepted, method ProcAddressHijack.GetProcAddress ->7743440D->61F040FB
03/10/2008 15:11:51 Hook kernel32.dll:GetModuleFileNameA (503) blocked
03/10/2008 15:11:51 Function kernel32.dll:GetModuleFileNameW (504) intercepted, method ProcAddressHijack.GetProcAddress ->774358E5->61F041A0
03/10/2008 15:11:51 Hook kernel32.dll:GetModuleFileNameW (504) blocked
03/10/2008 15:11:51 Function kernel32.dll:GetProcAddress (548) intercepted, method ProcAddressHijack.GetProcAddress ->7743B8B6->61F04648
03/10/2008 15:11:51 Hook kernel32.dll:GetProcAddress (548) blocked
03/10/2008 15:11:51 Function kernel32.dll:LoadLibraryA (759) intercepted, method ProcAddressHijack.GetProcAddress ->77419491->61F03C6F
03/10/2008 15:11:51 Hook kernel32.dll:LoadLibraryA (759) blocked
03/10/2008 15:11:51 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
03/10/2008 15:11:51 Function kernel32.dll:LoadLibraryExA (760) intercepted, method ProcAddressHijack.GetProcAddress ->77419469->61F03DAF
03/10/2008 15:11:51 Hook kernel32.dll:LoadLibraryExA (760) blocked
03/10/2008 15:11:51 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
03/10/2008 15:11:51 Function kernel32.dll:LoadLibraryExW (761) intercepted, method ProcAddressHijack.GetProcAddress ->774130C3->61F03E5A
03/10/2008 15:11:51 Hook kernel32.dll:LoadLibraryExW (761) blocked
03/10/2008 15:11:51 Function kernel32.dll:LoadLibraryW (762) intercepted, method ProcAddressHijack.GetProcAddress ->7741361F->61F03D0C
03/10/2008 15:11:51 Hook kernel32.dll:LoadLibraryW (762) blocked
03/10/2008 15:11:51 IAT modification detected: GetModuleFileNameW - 00BC0010<>774358E5
03/10/2008 15:11:51 Analysis: ntdll.dll, export table found in section .text
03/10/2008 15:11:52 Analysis: user32.dll, export table found in section .text
03/10/2008 15:11:52 Analysis: advapi32.dll, export table found in section .text
03/10/2008 15:11:52 Analysis: ws2_32.dll, export table found in section .text
03/10/2008 15:11:52 Analysis: wininet.dll, export table found in section .text
03/10/2008 15:11:53 Analysis: rasapi32.dll, export table found in section .text
03/10/2008 15:11:53 Analysis: urlmon.dll, export table found in section .text
03/10/2008 15:11:54 Analysis: netapi32.dll, export table found in section .text
03/10/2008 15:11:55 1.2 Searching for kernel-mode API hooks
03/10/2008 15:11:55 Error loading driver - scan interrupted [C000035F]
03/10/2008 15:11:56 1.4 Searching for masking processes and drivers
03/10/2008 15:11:56 Checking not performed: extended monitoring driver (AVZPM) is not installed
03/10/2008 15:11:56 Error loading driver - scan interrupted [C000035F]
03/10/2008 15:12:02 C:\Program Files\Protector Suite QL\farchns.dll --> Suspicion for Keylogger or Trojan DLL
03/10/2008 15:12:02 C:\Program Files\Protector Suite QL\farchns.dll>>> Behavioral analysis
03/10/2008 15:12:02 Behaviour typical for keyloggers not detected
03/10/2008 15:12:02 C:\Program Files\Protector Suite QL\infra.dll --> Suspicion for Keylogger or Trojan DLL
03/10/2008 15:12:02 C:\Program Files\Protector Suite QL\infra.dll>>> Behavioral analysis
03/10/2008 15:12:02 Behaviour typical for keyloggers not detected
03/10/2008 15:12:05 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
03/10/2008 15:12:15 Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"
03/10/2008 15:12:16 >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
03/10/2008 15:12:16 >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
03/10/2008 15:12:16 >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
03/10/2008 15:12:16 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
03/10/2008 15:12:16 >> Security: disk drives' autorun is enabled
03/10/2008 15:12:16 >> Security: administrative shares (C$, D$ ...) are enabled
03/10/2008 15:12:16 >> Security: anonymous user access is enabled
03/10/2008 15:12:16 >> Security: sending Remote Assistant queries is enabled
03/10/2008 15:12:19 >> Disable HDD autorun
03/10/2008 15:12:19 >> Disable autorun from network drives
03/10/2008 15:12:20 >> Disable CD/DVD autorun
03/10/2008 15:12:20 >> Disable removable media autorun
03/10/2008 15:12:20 System Analysis in progress
03/10/2008 15:14:20 System Analysis - complete
03/10/2008 15:14:20 Delete file:C:\Users\Grégory\Desktop\Kaspersky Lab Tool\is-FR5DS\LOG\avptool_syscheck.htm
03/10/2008 15:14:20 Delete file:C:\Users\Grégory\Desktop\Kaspersky Lab Tool\is-FR5DS\LOG\avptool_syscheck.xml
03/10/2008 15:14:20 Deleting service/driver: uti4nzi1
03/10/2008 15:14:20 Delete file:C:\Windows\system32\Drivers\uti4nzi1.sys
03/10/2008 15:14:20 Deleting service/driver: uji4nzi1
03/10/2008 15:14:20 Script executed without errors
Many thanks to whoever is willing to help me blow this virus away!
Have a good day.
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 13147 bytes
I also have another report, if it can help:
<AVZ_CollectSysInfo>
--------------------
Start time: 03/10/2008 15:11:44
Duration: 00:02:36
Finish time: 03/10/2008 15:14:20
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
03/10/2008 15:11:48 Windows version: Windows Vista (TM) Home Premium, Build=6001, SP="Service Pack 1"
03/10/2008 15:11:48 System Restore: enabled
03/10/2008 15:11:48 System booted in Safe Mode
03/10/2008 15:11:50 1.1 Searching for user-mode API hooks
03/10/2008 15:11:51 Analysis: kernel32.dll, export table found in section .text
03/10/2008 15:11:51 Function kernel32.dll:CreateProcessA (151) intercepted, method ProcAddressHijack.GetProcAddress ->773F1C36->61F03F42
03/10/2008 15:11:51 Hook kernel32.dll:CreateProcessA (151) blocked
03/10/2008 15:11:51 Function kernel32.dll:CreateProcessW (154) intercepted, method ProcAddressHijack.GetProcAddress ->773F1C01->61F04040
03/10/2008 15:11:51 Hook kernel32.dll:CreateProcessW (154) blocked
03/10/2008 15:11:51 Function kernel32.dll:FreeLibrary (335) intercepted, method ProcAddressHijack.GetProcAddress ->774308F8->61F041FC
03/10/2008 15:11:51 Hook kernel32.dll:FreeLibrary (335) blocked
03/10/2008 15:11:51 Function kernel32.dll:GetModuleFileNameA (503) intercepted, method ProcAddressHijack.GetProcAddress ->7743440D->61F040FB
03/10/2008 15:11:51 Hook kernel32.dll:GetModuleFileNameA (503) blocked
03/10/2008 15:11:51 Function kernel32.dll:GetModuleFileNameW (504) intercepted, method ProcAddressHijack.GetProcAddress ->774358E5->61F041A0
03/10/2008 15:11:51 Hook kernel32.dll:GetModuleFileNameW (504) blocked
03/10/2008 15:11:51 Function kernel32.dll:GetProcAddress (548) intercepted, method ProcAddressHijack.GetProcAddress ->7743B8B6->61F04648
03/10/2008 15:11:51 Hook kernel32.dll:GetProcAddress (548) blocked
03/10/2008 15:11:51 Function kernel32.dll:LoadLibraryA (759) intercepted, method ProcAddressHijack.GetProcAddress ->77419491->61F03C6F
03/10/2008 15:11:51 Hook kernel32.dll:LoadLibraryA (759) blocked
03/10/2008 15:11:51 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
03/10/2008 15:11:51 Function kernel32.dll:LoadLibraryExA (760) intercepted, method ProcAddressHijack.GetProcAddress ->77419469->61F03DAF
03/10/2008 15:11:51 Hook kernel32.dll:LoadLibraryExA (760) blocked
03/10/2008 15:11:51 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
03/10/2008 15:11:51 Function kernel32.dll:LoadLibraryExW (761) intercepted, method ProcAddressHijack.GetProcAddress ->774130C3->61F03E5A
03/10/2008 15:11:51 Hook kernel32.dll:LoadLibraryExW (761) blocked
03/10/2008 15:11:51 Function kernel32.dll:LoadLibraryW (762) intercepted, method ProcAddressHijack.GetProcAddress ->7741361F->61F03D0C
03/10/2008 15:11:51 Hook kernel32.dll:LoadLibraryW (762) blocked
03/10/2008 15:11:51 IAT modification detected: GetModuleFileNameW - 00BC0010<>774358E5
03/10/2008 15:11:51 Analysis: ntdll.dll, export table found in section .text
03/10/2008 15:11:52 Analysis: user32.dll, export table found in section .text
03/10/2008 15:11:52 Analysis: advapi32.dll, export table found in section .text
03/10/2008 15:11:52 Analysis: ws2_32.dll, export table found in section .text
03/10/2008 15:11:52 Analysis: wininet.dll, export table found in section .text
03/10/2008 15:11:53 Analysis: rasapi32.dll, export table found in section .text
03/10/2008 15:11:53 Analysis: urlmon.dll, export table found in section .text
03/10/2008 15:11:54 Analysis: netapi32.dll, export table found in section .text
03/10/2008 15:11:55 1.2 Searching for kernel-mode API hooks
03/10/2008 15:11:55 Error loading driver - scan interrupted [C000035F]
03/10/2008 15:11:56 1.4 Searching for masking processes and drivers
03/10/2008 15:11:56 Checking not performed: extended monitoring driver (AVZPM) is not installed
03/10/2008 15:11:56 Error loading driver - scan interrupted [C000035F]
03/10/2008 15:12:02 C:\Program Files\Protector Suite QL\farchns.dll --> Suspicion for Keylogger or Trojan DLL
03/10/2008 15:12:02 C:\Program Files\Protector Suite QL\farchns.dll>>> Behavioral analysis
03/10/2008 15:12:02 Behaviour typical for keyloggers not detected
03/10/2008 15:12:02 C:\Program Files\Protector Suite QL\infra.dll --> Suspicion for Keylogger or Trojan DLL
03/10/2008 15:12:02 C:\Program Files\Protector Suite QL\infra.dll>>> Behavioral analysis
03/10/2008 15:12:02 Behaviour typical for keyloggers not detected
03/10/2008 15:12:05 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
03/10/2008 15:12:15 Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"
03/10/2008 15:12:16 >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
03/10/2008 15:12:16 >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
03/10/2008 15:12:16 >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
03/10/2008 15:12:16 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
03/10/2008 15:12:16 >> Security: disk drives' autorun is enabled
03/10/2008 15:12:16 >> Security: administrative shares (C$, D$ ...) are enabled
03/10/2008 15:12:16 >> Security: anonymous user access is enabled
03/10/2008 15:12:16 >> Security: sending Remote Assistant queries is enabled
03/10/2008 15:12:19 >> Disable HDD autorun
03/10/2008 15:12:19 >> Disable autorun from network drives
03/10/2008 15:12:20 >> Disable CD/DVD autorun
03/10/2008 15:12:20 >> Disable removable media autorun
03/10/2008 15:12:20 System Analysis in progress
03/10/2008 15:14:20 System Analysis - complete
03/10/2008 15:14:20 Delete file:C:\Users\Grégory\Desktop\Kaspersky Lab Tool\is-FR5DS\LOG\avptool_syscheck.htm
03/10/2008 15:14:20 Delete file:C:\Users\Grégory\Desktop\Kaspersky Lab Tool\is-FR5DS\LOG\avptool_syscheck.xml
03/10/2008 15:14:20 Deleting service/driver: uti4nzi1
03/10/2008 15:14:20 Delete file:C:\Windows\system32\Drivers\uti4nzi1.sys
03/10/2008 15:14:20 Deleting service/driver: uji4nzi1
03/10/2008 15:14:20 Script executed without errors
A thousand thanks to whoever is willing to help me blow this virus away!
Have a good day.
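The HijackThis log above is what the helpers read by eye: the four O21 SSODL entries all load an eight-letter, randomly named DLL straight out of C:\Windows, and the O20 AppInit_DLLs line names a DLL that will be injected into every process. The small triage script below is an added example written for this thread, not a HijackThis or AVZ feature; it parses HijackThis-style lines and flags those two patterns plus any autorun entry that loads a DLL from the user's Temp folder. The line format (section code, kind, rest) is assumed from the log above, and the two path rules are heuristics rather than signatures. The sample input reuses lines from the log plus one constructed O4 entry with a placeholder value name and DLL.

```python
# Triage helper for HijackThis-style logs. Added example for this thread, not
# HijackThis or AVZ code. Line format and path heuristics are assumptions.
import re
from dataclasses import dataclass

# General shape of a HijackThis entry: "O21 - SSODL: <rest>" (assumed).
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
# Heuristic: eight lowercase letters directly under C:\Windows, the SSODL pattern above.
RANDOM_WINDOWS_DLL_RE = re.compile(r"^C:\\Windows\\[a-z]{8}\.dll$", re.IGNORECASE)
# Heuristic: any DLL referenced from the per-user Temp folder.
TEMP_DLL_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\\\s"]+\.dll', re.IGNORECASE)

# Constructed sample: lines taken from the log above plus one constructed O4
# entry ("[constructed]" / constructed.dll are placeholders, not real names).
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P7 /q C:\Users\GRGORY~1\AppData\Local\Temp\Cookies.SH! (User 'SYSTEM')
O4 - HKCU\..\Run: [constructed] rundll32.exe "C:\Users\user\AppData\Local\Temp\constructed.dll",b
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O21 - SSODL: onfwbsak - {A83F3B5F-AECD-4599-ABA3-19858B4E66F4} - C:\Windows\onfwbsak.dll
O21 - SSODL: rwlfsdmk - {B6CB70A2-58BD-4B41-BEFF-E318DDC422BC} - C:\Windows\rwlfsdmk.dll
O21 - SSODL: neksolda - {69D6001B-6EC0-4F5D-9E51-004ACEEC14DD} - C:\Windows\neksolda.dll
O21 - SSODL: xgpsarbm - {EA04F47D-0C98-4CD7-A823-0B7D7B5BD1B3} - C:\Windows\xgpsarbm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
End of file - 13147 bytes
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O21"
    severity: str  # "high" = remove/quarantine candidate, "review" = check publisher
    reason: str
    line: str      # the original log line, for pasting back into a reply


def parse_entries(text):
    """Yield (section, kind, rest, raw_line) for every line that looks like an entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["section"], m["kind"], m["rest"], raw.strip()))
    return entries


def triage(text):
    """Apply the three rules described in the lead-in and return the findings in log order."""
    findings = []
    for section, kind, rest, raw in parse_entries(text):
        if section == "O21" and kind == "SSODL":
            # Entry layout: "<name> - {CLSID} - <path>"; the path is the last " - " field.
            path = rest.rsplit(" - ", 1)[-1]
            if RANDOM_WINDOWS_DLL_RE.match(path):
                findings.append(Finding(section, "high",
                    "ShellServiceObjectDelayLoad entry loads a randomly named DLL from C:\\Windows", raw))
        elif section == "O4" and TEMP_DLL_RE.search(rest):
            findings.append(Finding(section, "high",
                "autorun entry loads a DLL from the user's Temp folder", raw))
        elif section == "O20" and kind == "AppInit_DLLs":
            findings.append(Finding(section, "review",
                "AppInit_DLLs is injected into every process that loads user32.dll; confirm the publisher", raw))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 5, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    print(summarize(results))
```

Run against the sample it reports the constructed Temp loader and the four SSODL DLLs as "high" and the Google AppInit DLL as "review"; the McAfee DelayShred line, which also mentions the Temp folder but loads no DLL, is correctly left alone. The point of the heuristics is to narrow what to look at first, not to decide on deletion: the AVZ note in the second report ("Do NOT delete suspicious files, send them for analysis") applies just as much here.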
9 replies
Hi, you're loaded with it!
disable Spybot's TeaTimer (Mode, then ADVANCED MODE, then TOOLS, then RESIDENT)
__________________
then
SmitfraudFix (paste the report)
1/ download:
http://siri.urz.free.fr/Fix/SmitfraudFix.php
2/ double-click smitfraudfix, then select 1 and press Enter to create the report of the infections present.
Thanks, but I downloaded SmitfraudFix and I can't launch it; it tells me a file is missing and that I have to unzip the files into a folder, but I don't have any .zip file...
then move on to this:
scan with
MalwareBytes' Anti-Malware, remove what is found and paste the report
https://www.malekal.com/tutoriel-malwarebyte-anti-malware/
So I finally managed to run SmitfraudFix. I did steps 1, 2 and 3. But when I restart the PC, the following message appears:
"Erreur de chargement
c:\user\...\cbXoEwWp.dll
module spécifié introuvable"
Also, when I ran SmitfraudFix in Safe Mode I got an error message in the middle of the scan and of phase 2, written in grey in the window, saying that some files could not be accessed because they were in use by another application, or something like that.
How can I tell whether I'm still infected?
if you have the SmitfraudFix report, paste it, then
_____
scan with
MalwareBytes' Anti-Malware, remove what is found and paste the report
https://www.malekal.com/tutoriel-malwarebyte-anti-malware/
______
then paste a new HijackThis report
see you