Old 07/12/2007, 17:00   #14
Nbasuki
Novice
Join date: November 2007
Posts: 10

Hello,

1) SDFix report:


SDFix: Version 1.117
Run by NICOLAS on 07/12/2007 at 22:44
Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\SYSTEM32\PAYTIME.EXE - Deleted
C:\Temp\tmp1.tmp - Deleted
C:\Temp\tmp5.tmp - Deleted
C:\WINDOWS\system32\.exe - Deleted


Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 22:51:27
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\cmdbcs.exe 17352 bytes executable
C:\WINDOWS\DbgHlp32.exe 17300 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Internet\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\Internet\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
Remaining Files:
---------------
C:\Temp\tmp5.tmp Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Tue 27 Nov 2007 21,650 ..SH. --- "C:\PegeFile.pif"
Fri 7 Dec 2007 29,061 ..SH. --- "C:\WINDOWS\455373M.exe"
Fri 7 Dec 2007 47,409 A.SH. --- "C:\WINDOWS\455373MM.DLL"
Wed 4 Aug 2004 24,418 ..SH. --- "C:\WINDOWS\system32\avwghmn.dll"
Wed 4 Aug 2004 23,882 ..SH. --- "C:\WINDOWS\system32\avwlgmn.dll"
Fri 7 Dec 2007 11,450 ..SH. --- "C:\WINDOWS\system32\gdqqhxi32.dll"
Fri 7 Dec 2007 12,344 ..SH. --- "C:\WINDOWS\system32\gdzxi32.dll"
Wed 4 Aug 2004 22,356 ..SH. --- "C:\WINDOWS\system32\kawdfzy.dll"
Wed 4 Aug 2004 22,354 ..SH. --- "C:\WINDOWS\system32\kvdxjma.dll"
Wed 4 Aug 2004 23,890 ..SH. --- "C:\WINDOWS\system32\kvdxsjma.dll"
Wed 4 Aug 2004 22,864 ..SH. --- "C:\WINDOWS\system32\ratbmpi.dll"
Wed 4 Aug 2004 23,908 ..SH. --- "C:\WINDOWS\system32\sidjfzy.dll"
Thu 16 Feb 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 27 Nov 2007 21,650 ..SH. --- "C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bak"
Tue 27 Nov 2007 16,942 A.SH. --- "C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll"
Fri 7 Dec 2007 48,282 A.SH. --- "C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys"
Fri 6 Jun 2003 24,576 A..H. --- "C:\Program Files\systeme\RamBoost XP\StopRam.exe"
Thu 16 Feb 2006 4,348 ...H. --- "C:\Documents and Settings\NICOLAS\Mes documents\Ma musique\Sauvegarde de la licence\drmv1key.bak"
Fri 16 Mar 2007 20 A..H. --- "C:\Documents and Settings\NICOLAS\Mes documents\Ma musique\Sauvegarde de la licence\drmv1lic.bak"
Thu 16 Feb 2006 400 A.SH. --- "C:\Documents and Settings\NICOLAS\Mes documents\Ma musique\Sauvegarde de la licence\drmv2key.bak"
Finished!

===================================
avwghmn.dll
sidjfzy.dll
C:\WINDOWS\system32
PWS-OnlineGames.i
application : IEXPLORE.EXE
Wn_Sys8x.sys
C:\Program Files\Internet Explorer\PLUGINS




2) ComboFix report:

ComboFix 07-12-07.3 - NICOLAS 2007-12-07 23:18:11.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.1.1252.1.1036.18.348 [GMT 9:00]
Running from: C:\Download\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\sidjfzy.dll
C:\WINDOWS\system32\GDZXI32.dll
C:\WINDOWS\system32\GDQQHXI32.dll

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Internet Explorer\PLUGINS\Sy_Win7k.Jmp
C:\WINDOWS\455373MM.DLL
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\Fonts\ardaase.fon
C:\WINDOWS\Fonts\ardasase.fon
C:\WINDOWS\Fonts\cadaafx.fon
C:\WINDOWS\Fonts\chtiaur.fon
C:\WINDOWS\Fonts\enweafx.fon
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\hosts
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\components
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\GenProtect.dll
C:\WINDOWS\system32\gkptycfhln.dll
C:\WINDOWS\system32\gmswfilosvdg.dll
C:\WINDOWS\system32\jouxgjmpswyb.dll
C:\WINDOWS\system32\kouxgjlosuxy.dll
C:\WINDOWS\system32\kpuyfhloru.dll
C:\WINDOWS\system32\lymangr.dll
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\msdeg32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\nrwajlpruybd.dll
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\txbeimpsv.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\vaehoruxadhj.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32runonce2.t__
C:\WINDOWS\system32runonce2.tm_
C:\WINDOWS\tool1.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool5.exe
C:\WINDOWS\upxdnd.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\poof

((((((((((((((((((((((((((((( Files created 2007-11-07 to 2007-12-07 ))))))))))))))))))))))))))))))))))))
.
2007-12-07 23:35 . 2007-12-07 23:35 53,248 --a------ C:\temp\fginbkyqFT8K47H.dll
2007-12-07 23:07 . 2007-12-07 23:15 <REP> d-------- C:\quarantine
2007-12-07 22:52 . 2007-12-07 22:52 29,061 ---hs---- C:\WINDOWS\455373M.exe
2007-12-07 22:52 . 2007-12-07 22:52 16,668 --a------ C:\WINDOWS\system32\avwghst.exe
2007-12-07 22:52 . 2007-12-07 22:52 16,322 --a------ C:\WINDOWS\system32\avwlgst.exe
2007-12-07 22:52 . 2007-12-07 22:52 16,176 --a------ C:\WINDOWS\system32\sidjfaz.exe
2007-12-07 22:52 . 2007-12-07 22:52 15,440 --a------ C:\WINDOWS\system32\kvdxjis.exe
2007-12-07 22:52 . 2007-12-07 22:52 15,067 --a------ C:\WINDOWS\system32\kawdfaz.exe
2007-12-07 22:43 . 2007-12-07 22:43 <REP> d-------- C:\WINDOWS\ERUNT
2007-12-07 12:55 . 2007-12-07 13:07 <REP> d-------- C:\DiagHelp
2007-12-07 11:11 . 2000-12-04 22:40 18,997 --a------ C:\WINDOWS\ywuhfz.exe
2007-12-07 11:05 . 2007-12-07 22:52 14,995 --a------ C:\WINDOWS\system32\ratbmtl.exe
2007-12-07 11:05 . 2007-12-07 22:52 14,592 --a------ C:\WINDOWS\system32\drivers\comint32.sys
2007-12-07 11:05 . 2007-12-07 22:52 12,344 --a------ C:\WINDOWS\system32\gdzxi32.dll.vir
2007-12-07 11:05 . 2007-12-07 22:52 47 --a------ C:\WINDOWS\system32\avwlgin.dll
2007-12-04 11:35 . 2007-12-07 12:48 <REP> d-------- C:\HJT
2007-12-03 10:34 . 2000-11-28 22:37 18,997 --a------ C:\WINDOWS\ybfzvk.exe
2007-12-01 22:24 . 2007-12-01 22:24 499 --a------ C:\WINDOWS\eReg.dat
2007-12-01 21:22 . 2007-12-01 21:22 <REP> d-------- C:\Program Files\Online_TV
2007-12-01 21:18 . 2007-12-01 21:19 <REP> d-------- C:\Program Files\BitTorrent Fastest Tool
2007-12-01 12:14 . 2007-12-07 22:52 11,450 --a------ C:\WINDOWS\system32\gdqqhxi32.dll.vir
2007-12-01 12:14 . 2007-12-01 12:14 60 --a------ C:\WINDOWS\system32\avwggin.dll
2007-12-01 12:14 . 2007-12-01 12:14 47 --a------ C:\WINDOWS\system32\avwlfin.dll
2007-11-28 07:33 . 2007-11-28 07:33 72,192 --a------ C:\WINDOWS\system32\tasklist.exe
2007-11-27 12:37 . 2007-11-27 12:37 21,650 --a------ C:\WINDOWS\~Temp2333.tmp
2007-11-27 12:36 . 2007-11-27 12:36 21,650 --a------ C:\WINDOWS\~Temp7457.tmp
2007-11-27 12:36 . 2007-11-27 12:37 21,650 ---hs---- C:\PegeFile.pif
.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 14:34 111 ----a-w C:\WINDOWS\Fonts\avwghin.dll
2007-12-07 14:34 105 ----a-w C:\WINDOWS\Fonts\kawdfcs.dll
2007-12-07 14:34 104 ----a-w C:\WINDOWS\Fonts\kvdxjcf.dll
2007-12-07 14:34 103 ----a-w C:\WINDOWS\Fonts\ratbmni.dll
2007-12-07 14:20 112 ----a-w C:\WINDOWS\Fonts\sidjfcs.dll
2007-12-06 14:17 --------- d-----w C:\Documents and Settings\NICOLAS\Application Data\Skype
2007-12-04 02:33 --------- d-----w C:\Program Files\systeme
2007-12-02 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 14:17 --------- d-----w C:\Program Files\Google
2007-12-01 03:16 112 ----a-w C:\WINDOWS\Fonts\sidjecs.dll
2007-12-01 03:16 110 ----a-w C:\WINDOWS\Fonts\avzxjin.dll
2007-12-01 03:16 103 ----a-w C:\WINDOWS\Fonts\kvdxsjcf.dll
2007-10-15 09:49 --------- d-----w C:\Program Files\Internet
2007-07-31 02:13 10,218,668 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-04-13 02:47 88,544 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_04_12_22_31_26_small.dmp.zip
2007-02-19 04:25 41,456 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_02_19_13_20_52_small.dmp.zip
2007-02-19 04:25 41,226 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_02_19_13_20_54_small.dmp.zip
2007-01-17 12:36 91,779 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_17_15_47_49_small.dmp.zip
2006-02-13 08:46 40,888 -c--a-w C:\Documents and Settings\NICOLAS\Application Data\GDIPFONTCACHEV1.DAT
2004-08-04 13:52 24,418 --sh--w C:\WINDOWS\system32\avwghmn.dll
2004-08-04 13:52 23,882 --sh--w C:\WINDOWS\system32\avwlgmn.dll
2004-08-04 13:52 22,356 --sh--w C:\WINDOWS\system32\kawdfzy.dll
2004-08-04 13:52 22,354 --sh--w C:\WINDOWS\system32\kvdxjma.dll
2004-08-04 03:14 23,890 --sh--w C:\WINDOWS\system32\kvdxsjma.dll
2004-08-04 13:52 22,864 --sh--w C:\WINDOWS\system32\ratbmpi.dll
.
((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not listed
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9963387B-212E-4643-B207-82DAEA0E713D}]
2007-12-07 22:52 48282 --ahs---- C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-30 21:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"PopUpStopperFreeEdition"="C:\PROGRA~1\Internet\POP-UP~1\PSFree.exe" [2003-04-29 17:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 22:08]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-15 15:44]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\systeme\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 17:50]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-30 21:00]
"corega K.K. corega WL54GL Series"="C:\Program Files\corega\corega WL54GL Series\WLANmon.exe" [2004-04-06 21:36]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 23:30]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 23:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2003-08-21 16:11]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-25 08:00]
"Network Associates Error Reporting Service"="C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-02-08 18:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"WinampAgent"="C:\Program Files\multimedia\Winamp\winampa.exe" [2007-05-15 07:22]
"Zone Labs Client"="C:\Program Files\Internet\ZoneAlarm\zlclient.exe" [2006-06-20 23:32]
"iTunesHelper"="C:\Program Files\multimedia\iTunesHelper.exe" [2007-06-28 09:14]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-14 18:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 18:25]
"QuickTime Task"="C:\program files\multimedia\QuickTime\qttask.exe" [2007-04-27 09:41]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-30 21:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0EA66AD2-CF26-2E23-532B-B292E22F3266}"= C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll [2007-11-27 12:37 16942]
"{B7777BE4-DD7E-4EFF-8F13-56C4ADD3F454}"= C:\WINDOWS\System32\kpuyfhloru.dll [ ]
"{542A5D37-9C24-48CE-8CF5-B5EF3C962711}"= C:\WINDOWS\System32\wchluyadh.dll [ ]
"{36FF2E71-1F0D-4E07-9213-E6740C57322E}"= C:\WINDOWS\System32\nrwajlpruybd.dll [ ]
"{B836BC72-54DA-48DB-B1CD-041BE4B67A61}"= C:\WINDOWS\System32\txbeimpsv.dll [ ]
"{AC87A354-ABC3-DEDE-FF33-3213FD7447CA}"= C:\WINDOWS\System32\kvdxjma.dll [2004-08-04 22:52 22354]
"{7960356A-458E-DE24-BD50-268F589A56A7}"= C:\WINDOWS\System32\avwlgmn.dll [2004-08-04 22:52 23882]
"{68907901-1416-3389-9981-372178569986}"= C:\WINDOWS\System32\kawdfzy.dll [2004-08-04 22:52 22356]
"{D6650011-3344-6688-4899-345FABCD156D}"= C:\WINDOWS\System32\ratbmpi.dll [2004-08-04 22:52 22864]
"{68847374-8323-FADC-B443-4732ABCD3786}"= C:\WINDOWS\System32\sidjfzy.dll [ ]
"{9963387B-212E-4643-B207-82DAEA0E713D}"= C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys [2007-12-07 22:52 48282]
"{8A1247C1-53DA-FF43-ABD3-345F323A48D8}"= C:\WINDOWS\System32\avwghmn.dll [2004-08-04 22:52 24418]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ratbmpi.dll
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks/Tâches planifiées' folder
"2007-11-06 06:04:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 23:35:26
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-12-07 23:37:10 - machine was rebooted
.
--- E O F ---



3) New development: my Trojan "00000c80.EXE" is no longer detected by my antivirus; maybe it has finally been eradicated?! To be continued...
On the other hand, new Trojans have appeared!! (hybrid forms?):

a) sidjfzy.dll
C:\WINDOWS\system32
PWS-OnlineGames.i
application: IEXPLORE.EXE

b) Wn_Sys8x.sys
C:\Program Files\Internet Explorer\PLUGINS

4) My system is also much slower to start up; in plain terms, no program can be launched during the first few minutes, until my antivirus alerts me to the presence of one of the hybrid (?) Trojan forms mentioned above (the names of these "malware" files vary almost every time) and quarantines it (cleaning impossible)...

In short, it's still a fog... these Trojans are awfully tough!

Thanks again for your help, I await the next step (?)
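Added example, not from the post above and not part of SDFix or ComboFix: a small Python triage script that parses the two log formats shown in this post (the SDFix "Files with Hidden Attributes" lines and the ComboFix ShellExecuteHooks dump) and cross-references them, so that a system+hidden file in an OS directory that is also registered as a ShellExecuteHook or via AppInit_DLLs is ranked ahead of system+hidden files that are merely odd. The sample lines are copied from the logs in this post; the watched-directory list, the scoring weights and the 30-day "recent" window are this example's own assumptions.

```python
import ntpath
import re
from datetime import date, datetime

# Constructed sample input: lines copied from the two logs above, in the exact
# format SDFix ("Files with Hidden Attributes") and ComboFix (ShellExecuteHooks
# block) print them. A real run would paste the whole section here.
SDFIX_HIDDEN = r'''
Tue 27 Nov 2007 21,650 ..SH. --- "C:\PegeFile.pif"
Fri 7 Dec 2007 29,061 ..SH. --- "C:\WINDOWS\455373M.exe"
Fri 7 Dec 2007 47,409 A.SH. --- "C:\WINDOWS\455373MM.DLL"
Wed 4 Aug 2004 24,418 ..SH. --- "C:\WINDOWS\system32\avwghmn.dll"
Wed 4 Aug 2004 22,864 ..SH. --- "C:\WINDOWS\system32\ratbmpi.dll"
Fri 7 Dec 2007 11,450 ..SH. --- "C:\WINDOWS\system32\gdqqhxi32.dll"
Fri 7 Dec 2007 48,282 A.SH. --- "C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys"
Fri 6 Jun 2003 24,576 A..H. --- "C:\Program Files\systeme\RamBoost XP\StopRam.exe"
Thu 16 Feb 2006 400 A.SH. --- "C:\Documents and Settings\NICOLAS\Mes documents\Ma musique\Sauvegarde de la licence\drmv2key.bak"
'''.strip()
COMBOFIX_HOOKS = r'''
"{0EA66AD2-CF26-2E23-532B-B292E22F3266}"= C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll [2007-11-27 12:37 16942]
"{B7777BE4-DD7E-4EFF-8F13-56C4ADD3F454}"= C:\WINDOWS\System32\kpuyfhloru.dll [ ]
"{8A1247C1-53DA-FF43-ABD3-345F323A48D8}"= C:\WINDOWS\System32\avwghmn.dll [2004-08-04 22:52 24418]
"{9963387B-212E-4643-B207-82DAEA0E713D}"= C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys [2007-12-07 22:52 48282]
'''.strip()
APPINIT_DLLS = "ratbmpi.dll"   # value of AppInit_DLLs in the ComboFix log
LOG_DATE = date(2007, 12, 7)   # day both scans ran

SDFIX_RE = re.compile(r'^\w{3} (?P<day>\d{1,2}) (?P<mon>\w{3}) (?P<year>\d{4}) '
                      r'(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>.+)"$')
HOOK_RE = re.compile(r'^"\{(?P<clsid>[0-9A-Fa-f-]+)\}"=\s*(?P<path>.+?)\s*\[(?P<info>.*?)\]$')

# Directories where a random-named system+hidden file deserves a look.
# This list and the weights below are the example's own choices, not tool logic.
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32",
                r"c:\program files\internet explorer\plugins"}


def _norm(path):
    return path.strip().lower()


def parse_sdfix_hidden(text):
    """One dict per 'Files with Hidden Attributes' line; S/H come from the attribute column."""
    out = []
    for line in text.splitlines():
        m = SDFIX_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['day']} {m['mon']} {m['year']}", "%d %b %Y").date()
        out.append({"path": _norm(m["path"]), "date": when,
                    "size": int(m["size"].replace(",", "")),
                    "system": "S" in m["attrs"], "hidden": "H" in m["attrs"]})
    return out


def parse_hooks(text):
    """Map normalised target path -> (CLSID, bracket text) for each ShellExecuteHook."""
    hooks = {}
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks[_norm(m["path"])] = (m["clsid"], m["info"].strip())
    return hooks


def dangling_hooks(hooks):
    """Hooks whose bracket is empty, i.e. ComboFix printed no date/size for the target."""
    return sorted(p for p, (_, info) in hooks.items() if not info)


def triage(hidden, hooks, appinit_dlls, log_date, recent_days=30):
    """Score each hidden file by how many placement/persistence signals it carries."""
    appinit = {n.lower() for n in re.split(r"[,\s]+", appinit_dlls) if n}
    findings = []
    for f in hidden:
        reasons = []
        if f["system"] and f["hidden"]:
            reasons.append((1, "system+hidden attributes"))
        if ntpath.dirname(f["path"]) in WATCHED_DIRS:
            reasons.append((1, "sits in an OS/browser directory"))
        if f["path"] in hooks:
            reasons.append((3, "registered as ShellExecuteHook {%s}" % hooks[f["path"]][0]))
        if ntpath.basename(f["path"]) in appinit:
            reasons.append((3, "loaded into every user32 process via AppInit_DLLs"))
        if 0 <= (log_date - f["date"]).days <= recent_days:
            reasons.append((1, "written within %d days of the scan" % recent_days))
        if reasons:
            findings.append({"path": f["path"], "score": sum(w for w, _ in reasons),
                             "reasons": [r for _, r in reasons]})
    return sorted(findings, key=lambda x: (-x["score"], x["path"]))


def run_example():
    hooks = parse_hooks(COMBOFIX_HOOKS)
    return triage(parse_sdfix_hidden(SDFIX_HIDDEN), hooks, APPINIT_DLLS, LOG_DATE), dangling_hooks(hooks)


if __name__ == "__main__":
    findings, dangling = run_example()
    for f in findings:
        print(f"{f['score']:2d}  {f['path']}  <- " + "; ".join(f["reasons"]))
    for p in dangling:
        print(f" ?  hook with no date/size recorded: {p}")
```

On the sample above the ranking reproduces what a helper reads off the logs by eye: Wn_Sys8x.Sys comes first (system+hidden, in the IE plugins folder, registered as a ShellExecuteHook under the same CLSID that also appears as a Browser Helper Object, written the day of the scan), then avwghmn.dll and ratbmpi.dll (hook and AppInit_DLLs targets), while the DRM licence backups score only for their attributes and StopRam.exe, hidden but not system and in an ordinary program folder, is not reported at all. The dangling-hook list (kpuyfhloru.dll, whose bracket is empty) is worth keeping: a hook entry that points at a file ComboFix could not stat is still a persistence key that survives a file deletion. To run it on real logs, replace the two constants with the corresponding sections pasted verbatim.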