Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive alerts [resolved]

Report analysis and disinfection section: malware of all kinds and other unwanted software. Cleanup requests only. Restricted support: specialised team.

Forum rules: Disinfections are handled by a specific group; not everyone may step in to disinfect machines (rules).
The procedures are tailored to each machine; do not repeat them on your own computer (explanations).
One topic per machine; everyone creates their own.

Post by chasko » 06 June 2010 10:58

Hello,

For a few days I've had a trojan on my computer that Avira and MBAM detect without being able to destroy it.
On every restart about ten Avira alerts appear, with different filenames of the corrupted malware type.
According to Avira it is a "TR/Vundo.Gen" virus or "Trojan TR/ATRAPS.Gen2"; it takes a different name every time.
Thanks to MBAM and RSIT I've retrieved the log files, but I'm not knowledgeable enough to interpret them...
From the forums I've looked at, it seems a bit more serious to remove than I thought, and I'm afraid of doing something stupid that could damage my computer even more...
So if someone can guide me through the steps to get rid of this little thing, I'd be very grateful!!! Thanks in advance for your help
Last edited by chasko on 08 June 2010 17:20, edited 1 time.
chasko
 
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive virus alerts

Post by Florinator » 06 June 2010 11:35

Hello Chasko,

Can you post the RSIT reports for me, please.

A++
Knowledge is only useful if it is passed on.
Florinator
Maître Libellulien
 
Posts: 661
Joined: 28 Dec 2009 16:19

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive virus alerts

Post by chasko » 06 June 2010 11:50

Logfile of random's system information tool 1.07 (written by random/random)
Run by charlotte1 at 2010-06-06 11:52:51
Microsoft Windows XP Professional Service Pack 3
System drive C: has 3 GB (11%) free of 26 GB
Total RAM: 1013 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:53:04 AM, on 6/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\program files\avira\antivir desktop\avnotify.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Mes images\Downloads\RSIT.exe
C:\Program Files\trend micro\charlotte1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.cn/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ec-lille.fr:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7339 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-448539723-299502267-1003Core1cac73fd7b397be.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
pdfforge Toolbar - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll [2010-01-08 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-05-30 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
C:\Program Files\pdfforge Toolbar\SearchSettings.dll [2010-01-08 1109504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-05-30 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B922D405-6D13-4A2B-AE89-08A030DA4402} - pdfforge Toolbar - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll [2010-01-08 700416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-02-15 135168]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-02-15 159744]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-02-15 131072]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-05-07 16862208]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"SearchSettings"=C:\Program Files\pdfforge Toolbar\SearchSettings.exe [2010-01-08 974848]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-02-15 141608]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"Google Update"=C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-26 135664]

C:\Documents and Settings\charlotte1\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
WgaLogon.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Documents and Settings\charlotte1\Local Settings\Temp\7zS6D11\setup\hpznui01.exe"="C:\Documents and Settings\charlotte1\Local Settings\Temp\7zS6D11\setup\hpznui01.exe:*:Enabled:hpznui01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\charlotte1\Local Settings\Temp\7zS6D11\setup\hpznui01.exe"="C:\Documents and Settings\charlotte1\Local Settings\Temp\7zS6D11\setup\hpznui01.exe:*:Enabled:hpznui01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df1300c7-c322-11de-90f9-806d6172696f}]
shell\AutoRun\command - y.exe
shell\open\command - y.exe


======List of files/folders created in the last 1 months======

2010-06-06 01:04:41 ----A---- C:\TB.txt
2010-06-06 01:01:22 ----D---- C:\Program Files\trend micro
2010-06-06 01:01:20 ----D---- C:\rsit
2010-06-06 00:55:21 ----D---- C:\ToolBar SD
2010-06-06 00:29:50 ----SHD---- C:\Config.Msi
2010-06-06 00:29:04 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-06-05 20:02:35 ----D---- C:\Documents and Settings\charlotte1\Application Data\Malwarebytes
2010-06-05 20:02:19 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-06-05 20:02:18 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-05 19:52:48 ----D---- C:\WINDOWS\Internet Logs
2010-06-05 17:20:45 ----RSH---- C:\Documents and Settings\charlotte1\Application Data\cift.exe
2010-05-30 23:42:34 ----D---- C:\Program Files\MSXML 4.0
2010-05-30 10:23:27 ----A---- C:\WINDOWS\system32\hpf3l70w.dll
2010-05-30 10:21:13 ----D---- C:\Program Files\Common Files\HP
2010-05-30 10:20:58 ----D---- C:\Program Files\Common Files\Hewlett-Packard
2010-05-30 10:20:01 ----A---- C:\WINDOWS\system32\javaws.exe
2010-05-30 10:20:01 ----A---- C:\WINDOWS\system32\javaw.exe
2010-05-30 10:20:01 ----A---- C:\WINDOWS\system32\java.exe
2010-05-30 10:20:01 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-05-30 10:19:33 ----D---- C:\Program Files\Java
2010-05-30 10:19:14 ----A---- C:\WINDOWS\system32\hppldcoi.dll
2010-05-30 10:19:14 ----A---- C:\WINDOWS\system32\hposwia_p02f.dll
2010-05-30 10:19:14 ----A---- C:\WINDOWS\system32\hpost_p02f.dll
2010-05-30 10:19:14 ----A---- C:\WINDOWS\system32\hposc_p02a.dll
2010-05-30 10:19:03 ----A---- C:\WINDOWS\system32\hpzids01.dll
2010-05-30 10:18:32 ----D---- C:\Program Files\HP
2010-05-27 13:17:55 ----A---- C:\WINDOWS\system32\muweb.dll
2010-05-27 13:17:55 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2010-05-27 13:17:55 ----A---- C:\WINDOWS\system32\mucltui.dll
2010-05-26 13:34:17 ----D---- C:\Program Files\Microsoft Silverlight
2010-05-26 12:00:41 ----HD---- C:\WINDOWS\$NtUninstallKB981793$
2010-05-24 11:16:02 ----SHD---- C:\FOUND.016
2010-05-13 17:05:29 ----HD---- C:\WINDOWS\$NtUninstallKB978542$

======List of files/folders modified in the last 1 months======

2010-06-06 01:29:58 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-28 14:09:28 ----A---- C:\WINDOWS\win.ini
2010-05-16 12:16:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-10 56816]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-05-07 4739072]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter; C:\WINDOWS\system32\DRIVERS\rtl8187Se.sys [2009-03-24 311936]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-05-07 106368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Application Updater;Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [2010-01-08 380928]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 HPSLPSVC;HP Network Devices Support; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-05-30 153376]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-02-15 545576]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------
chasko
 
Posts: 12
Joined: 06 June 2010 00:20
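The RSIT/HijackThis log above is read by hand in this thread. What follows is an added example, not the forum's, HijackThis's or RSIT's own code, of doing that first pass mechanically: it parses the R3/O2/O3/O4/O23 lines, flags browser hooks registered with no display name, autostarts that load from the user profile, and components that register the same CLSID under several hook types, and groups everything by directory so one product's whole footprint shows up at once. The sample lines are constructed in the shape of the posted log, and the heuristics are the example's own assumptions: a hit is a prompt to look, not a verdict, as the legitimate GoogleUpdate entry it flags shows.

```python
"""Triage of HijackThis / RSIT log lines.

Added example for this thread; not the forum's, HijackThis's or RSIT's own
code. The heuristics are assumptions of the example: they surface entries that
deserve a human look, they do not decide what is malicious.
"""
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the log posted above (same entry
# types; only a handful of representative paths kept).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
PATTERNS = {
    "R3": re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}

# Directories a limited user can write to; autostarts from here deserve a look
# (GoogleUpdate lives there legitimately, which is why this is a prompt, not a verdict).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")


def exe_path(command):
    """Strip quotes and arguments from an O4 command line, keeping the executable path."""
    m = re.match(r'"([^"]+)"|(.*?\.(?:exe|dll|cpl))(?:\s|$)', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command


def parse(log):
    """One dict per recognised line: kind, name, path and, where present, clsid/hive/vendor."""
    entries = []
    for line in log.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                entry = m.groupdict()
                entry["kind"] = kind
                entry["path"] = exe_path(entry["path"])
                entries.append(entry)
                break
    return entries


def triage(entries):
    """(kind, subject, reason) tuples for entries worth checking by hand."""
    findings, by_clsid = [], defaultdict(set)
    for e in entries:
        if "clsid" in e:
            by_clsid[e["clsid"].upper()].add(e["kind"])
        if e["kind"] in ("R3", "O2", "O3") and e["name"] == "(no name)":
            findings.append((e["kind"], e["path"], "browser hook registered without a display name"))
        if e["kind"] == "O4" and any(d in e["path"].lower() for d in USER_WRITABLE):
            findings.append((e["kind"], e["path"], "autostart from a user-writable profile directory"))
    for clsid, kinds in by_clsid.items():
        if len(kinds) > 1:
            findings.append(("CLSID", clsid, "same component hooked as " + "+".join(sorted(kinds))))
    return findings


def by_directory(entries):
    """Group entry kinds by the directory they load from, to see one product's full footprint."""
    dirs = defaultdict(set)
    for e in entries:
        folder = e["path"].rsplit("\\", 1)[0].lower() if "\\" in e["path"] else "?"
        dirs[folder].add(e["kind"])
    return dict(dirs)


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for finding in triage(parsed):
        print(*finding, sep=" | ")
    for folder, kinds in sorted(by_directory(parsed).items()):
        print(folder, "->", ", ".join(sorted(kinds)))
```

On the sample, the directory grouping puts the SearchSettings.dll URLSearchHook, the nameless BHO and the SearchSettings.exe Run entry under the same pdfforge Toolbar folder, which is exactly the cluster the helper removes in one go later in the thread; the O23 "Application Updater" service from the same vendor sits in its own folder and has to be caught by reading the vendor column.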

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive virus alerts

Post by Florinator » 06 June 2010 21:38

Indeed, there are some things to remove:


1:
Download Toolbar S/D, created by Eric_71, to your desktop

  • Double-click it; a shortcut will be added to the Desktop.
  • Double-click the shortcut to start the tool, and choose the language.
  • Choose option 1 and confirm to start the search.
  • Wait until the search is finished.
  • Post the report that opens, copied and pasted, in your next reply.

Note: The report can also be found at: C:\TB.txt


2:
Plug in all your external media (USB stick / external hard drive...)
=> Do not open them


For the rest of the procedure, keep the media plugged in exactly as they are for this scan.

A++
Knowledge is only useful if it is passed on.
Florinator
Maître Libellulien
 
Posts: 661
Joined: 28 Dec 2009 16:19

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive virus alerts

Post by chasko » 06 June 2010 22:02

Report 1


-----------\\ ToolBar S&D 1.2.9 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel(R) Atom(TM) CPU N270 @ 1.60GHz )
BIOS : Default System BIOS
USER : charlotte1 ( Administrator )
BOOT : Normal boot
Antivirus : AntiVir Desktop 9.0.1.32 (Activated)
C:\ (Local Disk) - FAT32 - Total:25 Go (Free:2 Go)
D:\ (Local Disk) - NTFS - Total:48 Go (Free:7 Go)
F:\ (USB)

"C:\ToolBar SD" ( Updated : 22-08-2009|18:42 )
Option : [1] ( Sun 06/06/2010|22:59 )

-----------\\ Searching for Files / Folders ...

C:\Program Files\Mozilla Firefox\extensions\searchsettings@spigot.com
C:\DOCUME~1\CHARLO~1\APPLIC~1\Search Settings
C:\DOCUME~1\CHARLO~1\APPLIC~1\Search Settings\kb130
C:\DOCUME~1\CHARLO~1\APPLIC~1\Search Settings\kb130\temp
C:\DOCUME~1\CHARLO~1\APPLIC~1\Search Settings\kb130\temp\ws-14762.log
C:\DOCUME~1\CHARLO~1\APPLIC~1\Search Settings\kb130\temp\ws-14765.log
C:\DOCUME~1\CHARLO~1\APPLIC~1\Search Settings\kb130\temp\ws-14766.log

-----------\\ [..\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"


--------------------\\ Searching for other infections


No other infection found!


1 - "C:\ToolBar SD\TB_1.txt" - Sun 06/06/2010| 1:06 - Option : [1]
2 - "C:\ToolBar SD\TB_2.txt" - Sun 06/06/2010|23:01 - Option : [1]

-----------\\ End of report at 23:01:15.93


--
chasko
 
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive virus alerts

Post by chasko » 06 June 2010 22:04

Report 2


C: - Fixed - Autorun.inf file absent!
D: - Fixed - Autorun.inf file found!
open=y.exe
shell\open\Command=y.exe
F: - Removable - Drive not ready
G: - Removable - Autorun.inf file found!
open=y.exe
shell\open\Command=y.exe

-----
A++ Thanks for your help
chasko
 
Posts: 12
Joined: 06 June 2010 00:20
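The autorun.inf found on D:\ and G:\ above, the cached MountPoints2 entry in the RSIT dump (shell\AutoRun\command - y.exe) and the NoDriveTypeAutoRun=145 value in the same dump are three parts of one mechanism. This added example, not the forum's, ToolBar S&D's or OTM's own code, parses an autorun.inf and lists the directives that execute something, extracts the cached per-volume handlers from RSIT-style dump lines, and decodes NoDriveTypeAutoRun to show on which drive types AutoRun still fires. The sample inputs are constructed from what the reports show; the registry value names and the bit layout are the Windows ones.

```python
r"""autorun.inf and AutoRun-policy triage.

Added example for this thread; not the forum's, ToolBar S&D's or OTM's own
code. The sample inputs are constructed from what the reports above show
(open=y.exe, shell\open\Command=y.exe, NoDriveTypeAutoRun=145, a cached
MountPoints2 handler); the key names and bit layout are the real Windows ones.
"""
import re

# Constructed: the shape of the autorun.inf found on D:\ and G:\ above.
SAMPLE_AUTORUN = """[autorun]
open=y.exe
shell\\open\\Command=y.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed: a benign autorun.inf (icon and label only, nothing executes).
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

# Constructed: the MountPoints2 lines from the RSIT registry dump above.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df1300c7-c322-11de-90f9-806d6172696f}]
shell\AutoRun\command - y.exe
shell\open\command - y.exe
"""

# Directives in [autorun] that run a program on AutoRun or when the drive is
# opened in Explorer (open=, shellexecute=, shell\<verb>\command=).
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text):
    """Tolerant INI parse that keeps duplicate keys: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def exec_directives(text):
    """(key, target) pairs from [autorun] that would execute something."""
    return [(k, v) for k, v in parse_autorun(text).get("autorun", [])
            if EXEC_KEYS.match(k)]


# Windows caches each volume's autorun handlers under HKCU\...\MountPoints2\{GUID},
# so deleting autorun.inf alone leaves the cached "y.exe" command behind.
MP2_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
MP2_VAL = re.compile(r"^shell\\([^\\]+)\\command - (.+)$", re.IGNORECASE)


def cached_handlers(dump):
    """{volume GUID: [(verb, command), ...]} from RSIT-style registry dump lines."""
    out, guid = {}, None
    for line in dump.splitlines():
        line = line.strip()
        m = MP2_KEY.match(line)
        if m:
            guid = m.group(1).lower()
            out.setdefault(guid, [])
            continue
        if line.startswith("["):          # any other key ends the MountPoints2 block
            guid = None
            continue
        m = MP2_VAL.match(line)
        if m and guid is not None:
            out[guid].append((m.group(1), m.group(2)))
    return out


# NoDriveTypeAutoRun bit -> drive type; a SET bit disables AutoRun for that type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cdrom", 0x40: "ramdisk", 0x80: "unknown-type"}
HARDENED = 0xFF  # every drive type disabled


def autorun_still_enabled(value):
    """Drive types on which AutoRun still fires for a given NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_BITS.items() if not value & bit]


if __name__ == "__main__":
    print("D:/G: autorun.inf executes:", exec_directives(SAMPLE_AUTORUN))
    print("benign autorun.inf executes:", exec_directives(SAMPLE_BENIGN))
    print("cached handlers:", cached_handlers(SAMPLE_DUMP))
    print("NoDriveTypeAutoRun=145 still allows:", autorun_still_enabled(145))
    print("NoDriveTypeAutoRun=0xFF still allows:", autorun_still_enabled(HARDENED))
```

With the XP default of 145 (0x91) that the posted dump shows, removable and fixed drives still AutoRun, which is how a y.exe on a USB stick gets launched as soon as the stick is opened; 0xFF disables it for every drive type. Because Windows also caches a volume's handler in MountPoints2, deleting autorun.inf and y.exe without removing the cached key leaves a dangling shell\open\command pointing at y.exe, which is why the fix script later in this thread removes both the files and the {df1300c7-...} key.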

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive virus alerts

Post by Florinator » 07 June 2010 13:44

Perfect Chasko, let's continue:
Leave your external media plugged in as they were, and in the same slots, as for the 1st scan

1:
Run Toolbar S/D again

  • Choose the language.
  • Choose option 2 and confirm to start the removal.
  • Wait until the removal is finished.
  • Post the report that opens, copied and pasted, in your next reply.

Note: The report can also be found at: C:\TB.txt


2:
Download OTM, created by Old_Timer, to your desktop

  • Save it to your Desktop.
  • Double-click it.
  • Copy the list in the code box below and paste it into the left-hand frame under "Paste instructions for Items to be Moved".

Code:
go

:Services
Application Updater

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchSettings"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df1300c7-c322-11de-90f9-806d6172696f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"=-


:Files
C:\Program Files\Application Updater
C:\Documents and Settings\charlotte1\Application Data\cift.exe 
C:\Program Files\pdfforge Toolbar
D:\Autorun.inf
G:\Autorun.inf
D:\y.exe
G:\y.exe

:Commands
[clearallrestorepoints]
[emptytemp]
[Reboot]



  • Click "MoveIt!" to start the removal. The result will then appear in the "Results" frame
  • Copy/paste that result
  • Click Exit to close.

Note: You may be asked to restart your computer to delete the files; this restart can take longer than usual. Accept, and in that case, after the restart, you will find the report in the folder C:\OTMoveIt\MovedFiles.

    If your Desktop does not reappear:
    - Press CTRL+ALT+DEL to open the Task Manager.
    - Click "File" at the top left
    - Choose "New Task" (Run ...)
    - Type "explorer" and confirm.
    - That will bring your Desktop back.


A++
Knowledge is only useful if it is passed on.
Florinator
Maître Libellulien
 
Posts: 661
Joined: 28 Dec 2009 16:19

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive virus alerts

Post by chasko » 07 June 2010 18:35

1st report:

-----------\\ ToolBar S&D 1.2.9 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel(R) Atom(TM) CPU N270 @ 1.60GHz )
BIOS : Default System BIOS
USER : charlotte1 ( Administrator )
BOOT : Normal boot
Antivirus : AntiVir Desktop 9.0.1.32 (Activated)
C:\ (Local Disk) - FAT32 - Total:25 Go (Free:2 Go)
D:\ (Local Disk) - NTFS - Total:48 Go (Free:7 Go)
F:\ (USB)
G:\ (USB) - FAT32 - Total:3809 Mo (Free:3 Go)

"C:\ToolBar SD" ( Updated : 22-08-2009|18:42 )
Option : [2] ( Mon 06/07/2010|19:32 )

-----------\\ REMOVAL

Deleted! - C:\Program Files\Mozilla Firefox\extensions\searchsettings@spigot.com
Deleted! - C:\DOCUME~1\CHARLO~1\APPLIC~1\Search Settings\kb130
Deleted! - C:\DOCUME~1\CHARLO~1\APPLIC~1\Search Settings

-----------\\ Searching for Files / Folders ...


-----------\\ [..\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://www.msn.com/"


--------------------\\ Searching for other infections


No other infection found!


1 - "C:\ToolBar SD\TB_1.txt" - Sun 06/06/2010| 1:06 - Option : [1]
2 - "C:\ToolBar SD\TB_2.txt" - Sun 06/06/2010|23:01 - Option : [1]
3 - "C:\ToolBar SD\TB_3.txt" - Mon 06/07/2010|19:34 - Option : [2]

-----------\\ End of report at 19:34:24.34
chasko
 
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, intrusive virus alerts

Post by chasko » 07 June 2010 18:45

2nd report:

All processes killed
Error: Unable to interpret <go> in the current context!
========== SERVICES/DRIVERS ==========
Service Application Updater stopped successfully!
Service Application Updater deleted successfully!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchSettings not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df1300c7-c322-11de-90f9-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{df1300c7-c322-11de-90f9-806d6172696f}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ not found.
========== FILES ==========
C:\Program Files\Application Updater folder moved successfully.
C:\Documents and Settings\charlotte1\Application Data\cift.exe moved successfully.
C:\Program Files\pdfforge Toolbar\IE\1.1.2 folder moved successfully.
C:\Program Files\pdfforge Toolbar\IE folder moved successfully.
C:\Program Files\pdfforge Toolbar\Res folder moved successfully.
C:\Program Files\pdfforge Toolbar\FF\components folder moved successfully.
C:\Program Files\pdfforge Toolbar\FF\chrome\skin folder moved successfully.
C:\Program Files\pdfforge Toolbar\FF\chrome\locale\EN-US folder moved successfully.
C:\Program Files\pdfforge Toolbar\FF\chrome\locale folder moved successfully.
C:\Program Files\pdfforge Toolbar\FF\chrome\content folder moved successfully.
C:\Program Files\pdfforge Toolbar\FF\chrome folder moved successfully.
C:\Program Files\pdfforge Toolbar\FF folder moved successfully.
C:\Program Files\pdfforge Toolbar\SSFF\components folder moved successfully.
C:\Program Files\pdfforge Toolbar\SSFF\chrome\content folder moved successfully.
C:\Program Files\pdfforge Toolbar\SSFF\chrome\locale\en-US folder moved successfully.
C:\Program Files\pdfforge Toolbar\SSFF\chrome\locale folder moved successfully.
C:\Program Files\pdfforge Toolbar\SSFF\chrome\skin folder moved successfully.
C:\Program Files\pdfforge Toolbar\SSFF\chrome folder moved successfully.
C:\Program Files\pdfforge Toolbar\SSFF folder moved successfully.
C:\Program Files\pdfforge Toolbar folder moved successfully.
D:\autorun.inf moved successfully.
G:\autorun.inf moved successfully.
File/Folder D:\y.exe not found.
File/Folder G:\y.exe not found.
========== COMMANDS ==========

Restore points cleared and new OTM Restore Point set!

[EMPTYTEMP]

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temporary Internet Files folder emptied: 33170 bytes

User: charlotte1
->Temporary Internet Files folder emptied: 677106 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1512 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 70139 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 19728392 bytes

Total Files Cleaned = 20.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06072010_193720

Files moved on Reboot...

Registry entries deleted on Reboot...
chasko
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by chasko » 07 June 2010 18:46

Hi Florinator,

What do you think? Does it look good now? Do I need to do anything else?

Thank you in any case for your help, and I hope it will do the trick...
Have a good evening
chasko
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by Florinator » 07 June 2010 18:49

OK, we're not doing badly here.
Rescan with Antivir
And post me the report please,
Tell me how the machine is doing too.

A++
Knowledge is only useful if it is passed on.
Florinator
Maître Libellulien
Posts: 661
Joined: 28 Dec 2009 16:19

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by chasko » 07 June 2010 20:27

Good evening,
After an hour of scanning, here is the report...:

----
Avira AntiVir Personal
Report file date: Monday, June 07, 2010 20:08

Scanning for 2189644 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CHARLOTTE

Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/20/2009 06:58:56
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 09:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 10:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 09:58:54
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 06:58:56
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 06:58:56
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 06:34:04
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 06:50:50
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 06:25:40
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 15:44:24
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 06:39:00
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 06:39:00
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 06:39:00
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 06:39:00
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 06:39:00
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 06:39:00
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 06:39:00
VBASE013.VDF : 7.10.7.225 2048 Bytes 6/2/2010 06:39:00
VBASE014.VDF : 7.10.7.226 2048 Bytes 6/2/2010 06:39:02
VBASE015.VDF : 7.10.7.227 2048 Bytes 6/2/2010 06:39:02
VBASE016.VDF : 7.10.7.228 2048 Bytes 6/2/2010 06:39:02
VBASE017.VDF : 7.10.7.229 2048 Bytes 6/2/2010 06:39:02
VBASE018.VDF : 7.10.7.230 2048 Bytes 6/2/2010 06:39:02
VBASE019.VDF : 7.10.7.231 2048 Bytes 6/2/2010 06:39:02
VBASE020.VDF : 7.10.7.232 2048 Bytes 6/2/2010 06:39:04
VBASE021.VDF : 7.10.7.233 2048 Bytes 6/2/2010 06:39:04
VBASE022.VDF : 7.10.7.234 2048 Bytes 6/2/2010 06:39:04
VBASE023.VDF : 7.10.7.235 2048 Bytes 6/2/2010 06:39:04
VBASE024.VDF : 7.10.7.236 2048 Bytes 6/2/2010 06:39:04
VBASE025.VDF : 7.10.7.237 2048 Bytes 6/2/2010 06:39:04
VBASE026.VDF : 7.10.7.238 2048 Bytes 6/2/2010 06:39:04
VBASE027.VDF : 7.10.7.239 2048 Bytes 6/2/2010 06:39:04
VBASE028.VDF : 7.10.7.240 2048 Bytes 6/2/2010 06:39:04
VBASE029.VDF : 7.10.7.241 2048 Bytes 6/2/2010 06:39:04
VBASE030.VDF : 7.10.7.242 2048 Bytes 6/2/2010 06:39:04
VBASE031.VDF : 7.10.7.251 73728 Bytes 6/4/2010 15:22:12
Engineversion : 8.2.2.6
AEVDF.DLL : 8.1.2.0 106868 Bytes 4/23/2010 22:06:32
AESCRIPT.DLL : 8.1.3.31 1352058 Bytes 6/3/2010 06:39:32
AESCN.DLL : 8.1.6.1 127347 Bytes 5/13/2010 15:05:18
AESBX.DLL : 8.1.3.1 254324 Bytes 4/23/2010 22:06:34
AERDL.DLL : 8.1.4.6 541043 Bytes 4/19/2010 15:44:26
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 14:06:06
AEOFFICE.DLL : 8.1.1.0 201081 Bytes 5/13/2010 15:05:16
AEHEUR.DLL : 8.1.1.33 2724214 Bytes 6/5/2010 15:22:36
AEHELP.DLL : 8.1.11.5 242038 Bytes 6/3/2010 06:39:10
AEGEN.DLL : 8.1.3.10 377205 Bytes 6/3/2010 06:39:08
AEEMU.DLL : 8.1.2.0 393588 Bytes 4/23/2010 22:06:24
AECORE.DLL : 8.1.15.3 192886 Bytes 5/13/2010 15:05:12
AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 22:06:22
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:48:00
AVPREF.DLL : 9.0.3.0 44289 Bytes 11/8/2009 13:59:14
AVREP.DLL : 8.0.0.7 159784 Bytes 2/28/2010 16:06:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 09:32:10
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 14:05:42
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 09:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 14:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 07:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 09:32:12
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 14:40:00
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/20/2009 06:58:54

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, June 07, 2010 20:08

Starting search for hidden objects.
'27296' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'CHROME.EXE' - '1' Module(s) have been scanned
Scan process 'CHROME.EXE' - '1' Module(s) have been scanned
Scan process 'CHROME.EXE' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'WUAUCLT.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'JQS.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'AVGUARD.EXE' - '1' Module(s) have been scanned
Scan process 'ONENOTEM.EXE' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'MSMSGS.EXE' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'AVGNT.EXE' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'IGFXSRVC.EXE' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'IGFXPERS.EXE' - '1' Module(s) have been scanned
Scan process 'HKCMD.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SCHED.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
38 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '57' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Begin scan in 'D:\'
D:\Mes images\Downloads\zaSuiteSetup_91_507_000_en.exe
[0] Archive type: ZIP SFX (self extracting)
--> SWITCHUNINST_44ZONE LABS.EXE
[1] Archive type: RSRC
--> WINDOWS6.0-KB929547-V2-X64.MSU
[1] Archive type: CAB (Microsoft)
--> Windows6.0-KB929547-v2-x64.cab
[WARNING] No further files can be extracted from this archive. The archive will be closed


End of the scan: Monday, June 07, 2010 21:14
Used time: 1:06:15 Hour(s)

The scan has been done completely.

7895 Scanned directories
265207 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
265206 Files not concerned
3201 Archives were scanned
2 Warnings
1 Notes
27296 Objects were scanned with rootkit scan
0 Hidden objects were found
--
At a glance, even though I'm no great specialist, it seems pretty good to me...

However, I also ran MBAM before Avira, and it still found 13 infected objects, which I deleted afterwards.
Do you think that's OK?
chasko
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by Florinator » 08 June 2010 13:41

Post me the Mbam report with the 13 infections please.

A++
Knowledge is only useful if it is passed on.
Florinator
Maître Libellulien
Posts: 661
Joined: 28 Dec 2009 16:19

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by chasko » 08 June 2010 15:27

Hi

Here is last night's report:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4171

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/7/2010 8:02:59 PM
mbam-log-2010-06-07 (20-02-59).txt

Scan type: Quick scan
Objects scanned: 116916
Time elapsed: 12 minute(s), 17 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\Temp\wpv331275552789.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\wpv331275552789.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Delete on reboot.
C:\WINDOWS\system32\wbem\grpconv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\charlotte1\Local Settings\Temp\~TMA2.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\charlotte1\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.

-------
For the moment, everything seems to be working correctly,
I'm waiting for your opinion on the report to confirm that all is well!

A++
chasko
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by Florinator » 08 June 2010 15:36

:plaf: A dropper...
Where did you pick that one up?...
In short, basically a file that drops an infection and then clears off straight away; this one is recognised and detected,
I'd like us to take a look at what it might have dropped, if you caught it in the meantime:

Do another RSIT for me please

A++
Knowledge is only useful if it is passed on.
Florinator
Maître Libellulien
Posts: 661
Joined: 28 Dec 2009 16:19

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by chasko » 08 June 2010 16:03

Well, listen, I don't know where I caught it; I'd like to know that too!!!
Here's the scan
//
Logfile of random's system information tool 1.07 (written by random/random)
Run by charlotte1 at 2010-06-08 16:59:13
Microsoft Windows XP Professional Service Pack 3
System drive C: has 3 GB (12%) free of 26 GB
Total RAM: 1013 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:59:42 PM, on 6/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Kerio\Personal Firewall\PERSFW.EXE
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Mes images\Downloads\RSIT.exe
C:\Program Files\trend micro\charlotte1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.cn/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ec-lille.fr:3128
R3 - Default URLSearchHook is missing
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

--
End of file - 6775 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-448539723-299502267-1003Core1cac73fd7b397be.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
pdfforge Toolbar - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-05-30 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-05-30 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B922D405-6D13-4A2B-AE89-08A030DA4402} - pdfforge Toolbar - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-02-15 135168]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-02-15 159744]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-02-15 131072]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-05-07 16862208]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-02-15 141608]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"Google Update"=C:\Documents and Settings\charlotte1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-26 135664]

C:\Documents and Settings\charlotte1\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
WgaLogon.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Documents and Settings\charlotte1\Local Settings\Temp\7zS6D11\setup\hpznui01.exe"="C:\Documents and Settings\charlotte1\Local Settings\Temp\7zS6D11\setup\hpznui01.exe:*:Enabled:hpznui01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Kerio\Personal Firewall\PERSFW.EXE"="C:\Program Files\Kerio\Personal Firewall\PERSFW.EXE:*:Enabled:Kerio Personal Firewall Engine"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\charlotte1\Local Settings\Temp\7zS6D11\setup\hpznui01.exe"="C:\Documents and Settings\charlotte1\Local Settings\Temp\7zS6D11\setup\hpznui01.exe:*:Enabled:hpznui01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"

======List of files/folders created in the last 1 months======

2010-06-06 12:13:13 ----D---- C:\Program Files\Kerio
2010-06-06 12:13:02 ----D---- C:\Program Files\Common Files\InstallShield
2010-06-06 01:04:41 ----A---- C:\TB.txt
2010-06-06 01:01:22 ----D---- C:\Program Files\trend micro
2010-06-06 01:01:20 ----D---- C:\rsit
2010-06-06 00:55:21 ----D---- C:\ToolBar SD
2010-06-06 00:29:50 ----SHD---- C:\Config.Msi
2010-06-06 00:29:04 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-06-05 20:02:35 ----D---- C:\Documents and Settings\charlotte1\Application Data\Malwarebytes
2010-06-05 20:02:19 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-06-05 20:02:18 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-05 19:52:48 ----D---- C:\WINDOWS\Internet Logs
2010-05-30 23:42:34 ----D---- C:\Program Files\MSXML 4.0
2010-05-30 10:23:27 ----A---- C:\WINDOWS\system32\hpf3l70w.dll
2010-05-30 10:21:13 ----D---- C:\Program Files\Common Files\HP
2010-05-30 10:20:58 ----D---- C:\Program Files\Common Files\Hewlett-Packard
2010-05-30 10:20:01 ----A---- C:\WINDOWS\system32\javaws.exe
2010-05-30 10:20:01 ----A---- C:\WINDOWS\system32\javaw.exe
2010-05-30 10:20:01 ----A---- C:\WINDOWS\system32\java.exe
2010-05-30 10:20:01 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-05-30 10:19:33 ----D---- C:\Program Files\Java
2010-05-30 10:19:14 ----A---- C:\WINDOWS\system32\hppldcoi.dll
2010-05-30 10:19:14 ----A---- C:\WINDOWS\system32\hposwia_p02f.dll
2010-05-30 10:19:14 ----A---- C:\WINDOWS\system32\hpost_p02f.dll
2010-05-30 10:19:14 ----A---- C:\WINDOWS\system32\hposc_p02a.dll
2010-05-30 10:19:03 ----A---- C:\WINDOWS\system32\hpzids01.dll
2010-05-30 10:18:32 ----D---- C:\Program Files\HP
2010-05-27 13:17:55 ----A---- C:\WINDOWS\system32\muweb.dll
2010-05-27 13:17:55 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2010-05-27 13:17:55 ----A---- C:\WINDOWS\system32\mucltui.dll
2010-05-26 12:00:41 ----HD---- C:\WINDOWS\$NtUninstallKB981793$
2010-05-24 11:16:02 ----SHD---- C:\FOUND.016
2010-05-13 17:05:29 ----HD---- C:\WINDOWS\$NtUninstallKB978542$

======List of files/folders modified in the last 1 months======

2010-06-07 22:14:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-28 14:09:28 ----A---- C:\WINDOWS\win.ini
2010-05-16 12:16:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 fwdrv;Kerio Personal Firewall Driver; C:\WINDOWS\system32\Drivers\fwdrv.sys [2002-04-15 102912]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-10 56816]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-05-07 4739072]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter; C:\WINDOWS\system32\DRIVERS\rtl8187Se.sys [2009-03-24 311936]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-05-07 106368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 HPSLPSVC;HP Network Devices Support; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-05-30 153376]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-02-15 545576]
S2 PersFw;Kerio Personal Firewall; C:\Program Files\Kerio\Personal Firewall\persfw.exe [2002-04-15 393216]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------
chasko
 
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by Florinator » 08 June 2010 16:37

That's good and it's OK on my end.

As for infections that were present, you had one that spreads via USB. The principle is an autorun that executes every time you double-click the key's drive in order to release an infection onto the system; when you are not sure about a key, you simply right-click it and choose "Explore", and the infection then does not infect the host system:

:arrow: Read this
les-infections-se-propageant-par-les-supports-amovibles-t25796.html

Next, the presence of Search Settings, an infectious toolbar. In general they are all useless, and some are worse: they spy on you and resell the collected information in order to spam you and to fill any other database about your searches and browsing habits.

:arrow: Read this:
http://www.libellules.ch/opt_out.php

Careful, don't move house tomorrow all the same :xpdr:
They won't find you!

Edit your first post and change the title by adding [Résolu] to it.
If you have questions, that's what I'm here for! Don't hesitate.

A++
Knowledge is only useful if it is passed on.
Florinator
Maître Libellulien
 
Posts: 661
Joined: 28 December 2009 16:19
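The USB autorun mechanism described in the post above (an autorun.inf on the key tells Windows what to launch on double-click, which is why right-clicking and choosing "Explore" is advised) can be checked before a key is opened. The following Python triage script is an added example; it is not part of this thread, of RSIT, or of any tool mentioned here. It parses the [autorun] section tolerantly (infected keys often contain junk lines that break strict INI parsers) and lists the `open`, `shellexecute` and `shell\<verb>\command` entries that would run code. Both sample autorun.inf contents are constructed, and the `RECYCLER\S-1-5-21-placeholder\update.exe` path is a placeholder, not an indicator taken from this thread.

```python
"""Triage an autorun.inf from a removable drive (added example).

Lists which commands a double-click or AutoPlay on the drive could
trigger, so a responder can judge a USB key before opening it.
"""
import re
from typing import Dict, List

# [autorun] keys that launch a program when the drive is double-clicked
# or auto-played.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample resembling an infected key: the paths are placeholders.
SAMPLE_INFECTED = """\
[AutoRun]
;junk comment lines such as these are common on infected keys
open=RECYCLER\\S-1-5-21-placeholder\\update.exe
shell\\Open\\command=RECYCLER\\S-1-5-21-placeholder\\update.exe
shell\\Explore\\command=RECYCLER\\S-1-5-21-placeholder\\update.exe
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed sample of a benign file that only sets an icon and a label.
SAMPLE_BENIGN = """\
[autorun]
icon=setup.ico
label=Vendor Tools
"""

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [autorun] section, keys lower-cased.

    Lines that are not 'key=value' (comments, binary noise) are skipped
    rather than aborting the parse; keys in other sections are ignored.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        section = _SECTION_RE.match(raw)
        if section:
            in_autorun = section.group("name").strip().lower() == "autorun"
            continue
        if not in_autorun or raw.lstrip().startswith(";"):
            continue
        kv = _KEY_RE.match(raw)
        if kv:
            entries[kv.group("key").lower()] = kv.group("value")
    return entries


def triage(text: str) -> List[str]:
    """List the actions that opening this drive could trigger (empty = none)."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key in EXEC_KEYS:
        if key in entries:
            findings.append(f"{key}={entries[key]}")
    # shell\<verb>\command redefines a context-menu verb; the "shell" key
    # names the verb used on double-click (default: open).
    default_verb = entries.get("shell", "open").lower()
    for key, value in entries.items():
        match = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if match:
            verb = match.group(1).lower()
            tag = " (default double-click verb)" if verb == default_verb else ""
            findings.append(f"verb '{verb}' runs {value}{tag}")
    return findings


def looks_safe(text: str) -> bool:
    """True when the autorun.inf would not launch anything."""
    return not triage(text)


if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(f"{name}: safe={looks_safe(sample)}")
        for finding in triage(sample):
            print("  -", finding)
```

To use it on a real key, read `X:\autorun.inf` as text (from a machine that does not auto-play removable media) and pass it to `triage()`. The script also reports overrides of verbs other than `open`, because the file format allows the `Explore` verb to be redefined as well; the right-click advice above is a good habit precisely because it skips the default verb, and checking the file first shows whether any verb on that key was tampered with.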

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted virus alerts

Post by chasko » 08 June 2010 17:18

Well, listen, a big thank you, good job!! ;)

I do think the infection comes from my school's network (the virus is actually going around at the moment), some of the computers there being quite infected.
As for toolbars, I use Chrome, so a priori there is little risk on that front.
The documents on prevention and disinfection of removable devices are great, useful and well made; I'm actually passing them on to my friends so they can learn from them.

In any case, thanks again for your responsiveness and your valuable advice, and I may get back in touch in the future for a bit of advice if needed :)

Have a good evening
chasko
 
Posts: 12
Joined: 06 June 2010 00:20

Re: Trojan, TR/Vundo.Gen or TR/ATRAP, unwanted alerts [resolved]

Post by Florinator » 09 June 2010 08:19

My pleasure, Chasko :wink:

A++
Knowledge is only useful if it is passed on.
Florinator
Maître Libellulien
 
Posts: 661
Joined: 28 December 2009 16:19
