
Sasser and The Trojan horse TR/Krepper.C

betcave on 23 June 2004 at 20:45
I crashed my hard disk and my system through a wrong move. After painstakingly restoring everything, I caught Sasser on my very first trip onto the Internet. I removed it with fixsasser, but apparently there is something else. Here is what AntiVir tells me:

Platform: Windows NT Workstation

Windows version: 5.1 Build 2600 (Service Pack 1)

Username: moi

Processor: Pentium

Working memory: 523756 KB free



Version information:

AVEWIN32.DLL : v6.25.0.62 430592 09.06.2004 16:47:32

AVGNT.EXE : v6.24.01.02 118824 22.04.2004 14:39:48

AVGUARD.EXE : v6.24.01.01 180264 22.04.2004 15:51:24

GUARDMSG.DLL : v6.24.02.01 90152 26.04.2004 11:28:48

AVGCMSG.DLL : v6.24.01.03 241704 05.05.2004 17:28:24

AVGNTDD.SYS : v6.26.00.05 33456 18.05.2004 09:18:10

AVPACK32.DLL : v6.22.00.24 299048 08.06.2004 16:02:02

AVGETVER.DLL : v6.22.00.00 24576 20.01.2004 14:14:00

AVWIN.DLL : v6.25.00.03 557096 11.05.2004 12:17:30

AVSHLEXT.DLL : v6.22.00.00 57344 20.01.2004 14:14:00

AVSched32.EXE : v6.23.00.00 110632 20.01.2004 14:14:00

AVSched32.DLL : v6.23.00.00 122880 20.01.2004 14:14:00

AVREG.DLL : v6.22.00.00 41000 20.01.2004 14:14:00

AVRep.DLL : v6.25.00.11 450600 15.06.2004 11:04:58

INETUPD.EXE : v6.25.00.01 196608 27.04.2004 16:30:18

INETUPD.DLL : v6.25.00.01 143360 27.04.2004 16:30:18

CTL3D32.DLL : v2.31.000 27136 30.08.2002 13:00:00

MFC42.DLL : v6.00.8665.0 995383 30.08.2002 13:00:00

MSVCRT.DLL : v7.0.2600.1106 (xpsp1.020828-1920

MSVCRT.DLL : v7.0.2600.1106 323072 30.08.2002 13:00:00

CTL3DV2.DLL : No information



Configuration file:



Name of configuration file: C:\Program Files\AVPersonal\AVWIN.INI

Name of report file: C:\Program Files\AVPersonal\LOGFILES\AVWIN.LOG

Start path: C:\Program Files\AVPersonal

Command line:

Start mode: unknown



Mode of report file:

[ ] Do not create report

[X] Overwrite report

[ ] Append new report



Data in report file:

[X] Infected files

[ ] Infected files with paths

[ ] All scanned files

[ ] Full information



Abridge report file:

[ ] Abridge report file



Warnings in report:

[X] Access denied/file locked

[X] Wrong file size in directory

[X] Wrong creation time in directory

[ ] COM file is too large

[X] Invalid start address

[X] Invalid EXE header

[X] Possibly damaged



Summary report:

[X] Create summary report

Output file: AVWIN.ACT

Maximum number of entries: 100



Where to search:

[X] Memory

[X] Boot record of selected drives

[ ] Report unknown boot sectors

[ ] All files

[X] Program files

Extensions: .386 .ACM .ADE .ADP .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CRT .CSH .DLL .DLO .DO? .DRV .EML .EXE* .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .JS* .JSE .LNK .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDR .PGM .PIF .PKG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .ZIP



Response in case of a detection:

[X] Repair with prompt

[ ] Repair without prompt

[ ] Delete with prompt

[ ] Delete without prompt

[ ] Write in report file only

[X] Acoustic alarm



Response in case of destroyed files:

[ ] Delete with prompt

[X] Delete without prompt

[ ] Ignore



Response in case of destroyed files:

[X] No change

[ ] Current system time

[ ] Correct date



Drag&drop settings:

[X] Scan subdirectories



Profile settings:

[X] Scan subdirectories



Archive options

[X] Search archive

[X] All archive types



Miscellaneous options:

Temporary path: %TEMP% -> C:\DOCUME~1\moi\LOCALS~1\Temp

[X] Overwrite infected files

[ ] Detect idle time

[X] Allow interruptions of scan

[X] Load AVWin®/NT Guard on System start



General settings:

[X] Save options on exiting AntiVir

Priority: medium



Drives:

A: Floppy drive

C: Hard disk

D: CD-ROM

E: CD-ROM

I: Floppy drive

J: Floppy drive

K: Floppy drive

L: Floppy drive



Start of scan: 23.06.2004 19:55



Memory test OK

Master boot record of hard disk HD0 OK

Master boot record of hard disk HD1

The record could not be read!

Error code: 0x0015

Master boot record of hard disk HD2

The record could not be read!

Error code: 0x0015

Master boot record of hard disk HD3

The record could not be read!

Error code: 0x0015

Master boot record of hard disk HD4

The record could not be read!

Error code: 0x0015

Boot record of drive A:

The record could not be read!

Error code: 0x0015

Boot record of drive C: OK

Boot record of drive I:

The record could not be read!

Error code: 0x0057

Boot record of drive J:

The record could not be read!

Error code: 0x0057

Boot record of drive K:

The record could not be read!

Error code: 0x0057

Boot record of drive L:

The record could not be read!

Error code: 0x0057





C:\

hiberfil.sys

Access denied! Error during file opening!

Error code: 0x000D

WARNING! Access error/file locked!

pagefile.sys

Access denied! Error during file opening!

This is a Windows swap file. This file is locked by Windows.

Error code: 0x000D

WARNING! Access error/file locked!

C:\Documents and Settings\moi\Local Settings\Temp

alchem.cab

ArchiveType: CAB (Microsoft)

--> alchem.exe

[DETECTION] The Trojan horse TR/Dldr.Alchemic

C:\Documents and Settings\moi\Local Settings\Temp\THI4512.tmp

polall1t.exe

The file contains signature of the PMS/Dldr.Krepper.3 program and was suppressed by the user.

preInsTT.exe

The file contains signature of the PMS/Dldr.Krepper.1 program and was suppressed by the user.

twaintec.cab

ArchiveType: CAB (Microsoft)

--> twaintec.dll

[DETECTION] The Trojan horse TR/Krepper.C

--> preInsTT.exe

The file contains signature of the PMS/Dldr.Krepper.1 program and was suppressed by the user.

--> polall1t.exe

The file contains signature of the PMS/Dldr.Krepper.3 program and was suppressed by the user.

C:\Documents and Settings\moi\Local Settings\Temporary Internet Files\Content.IE5\61A5SVE7

0006_regular[1].cab

ArchiveType: CAB (Microsoft)

--> istactivex.dll

NOTE! Bad header

--> istactivex.inf

NOTE! Bad header

xscan53[1].cab

ArchiveType: CAB (Microsoft)

--> xscan.inf

NOTE! Bad header

--> xscan53.ocx

NOTE! Bad header

--> loadhttp.dll

NOTE! Bad header

--> patchw32.dll

NOTE! Bad header

--> auunzip.dat

NOTE! Bad header

--> aupatch.dat

NOTE! Bad header

--> tmupdate.ini

NOTE! Bad header

--> aucfg.ini

NOTE! Bad header

--> runtsckl.exe

NOTE! Bad header

C:\Documents and Settings\moi\Mes documents\cours\bac

corriges.zip

ArchiveType: ZIP

NOTE! The whole archive is password protected

C:\Documents and Settings\moi\Mes documents\COURS2\bac

corriges.zip

ArchiveType: ZIP

NOTE! The whole archive is password protected

C:\DRIVERS

OTHER.EXE

ArchiveType: ARJ SFX (self extracting)

NOTE! The whole archive is password protected

C:\DRIVERS\MCDBF\SOURCE1

OTHER.EXE

ArchiveType: ARJ SFX (self extracting)

NOTE! The whole archive is password protected

TSADDON.EXE

ArchiveType: ARJ SFX (self extracting)

--> UNISHHS.ARJ

ArchiveType: ARJ

NOTE! The whole archive is password protected

C:\WINDOWS

preInsTT.exe

The file contains signature of the PMS/Dldr.Krepper.1 program and was suppressed by the user.

C:\WINDOWS\system32

lekwvph.exe

Access denied! Error during file opening!

Error code: 0x000D

WARNING! Access error/file locked!

van32.exe

WARNING! Invalid start address!

C:\WINDOWS\system32\config

DEFAULT

Access denied! Error during file opening!

Error code: 0x000D

WARNING! Access error/file locked!

SAM

Access denied! Error during file opening!

Error code: 0x000D

WARNING! Access error/file locked!

SECURITY

Access denied! Error during file opening!

Error code: 0x000D

WARNING! Access error/file locked!

SOFTWARE

Access denied! Error during file opening!

Error code: 0x000D

WARNING! Access error/file locked!

SYSTEM

Access denied! Error during file opening!

Error code: 0x000D

WARNING! Access error/file locked!

C:\WINDOWS\system32\f0alt

van32.exe

WARNING! Invalid start address!



End of scan: 23.06.2004 20:06

Time taken: 11:04 min





2375 directories were scanned

45405 files were scanned

10 warning messages were issued

0 files were deleted

0 files were repaired

2 detections



As for HijackThis, here is its verdict:

Logfile of HijackThis v1.97.7

Scan saved at 20:36:06, on 23/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVPersonal\AVGUARD.EXE

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\apps\ABoard\ABoard.exe

C:\program files\180solutions\msbb.exe

C:\WINDOWS\System32\lekwvph.exe

C:\Program Files\AVPersonal\AVGNT.EXE

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\apps\ABoard\AOSD.exe

C:\WINDOWS\System32\wuamgrd.exe

C:\Documents and Settings\moi\Application Data\dssh.exe

C:\WINDOWS\System32\NDrv.exe

C:\Program Files\ePrompter\ePrompter.exe

C:\Program Files\AVPersonal\AVWIN.EXE

C:\Program Files\Crazy Browser\Crazy Browser.exe

C:\WINDOWS\System32\notepad.exe

C:\Documents and Settings\moi\Mes documents\program files\hjt\HijackThis.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=151685

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=151685

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr/abonnes/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=151685

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fr.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/APPS/IE/offline/fr.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll (file missing)

O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Microsofts Updates] wuamgrd.exe

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe

O4 - HKLM\..\Run: [qzdphfthgqq] C:\WINDOWS\System32\lekwvph.exe

O4 - HKLM\..\Run: [tczyt] C:\WINDOWS\tczyt.exe

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunServices: [Microsofts Updates] wuamgrd.exe

O4 - HKCU\..\Run: [Microsofts Updates] wuamgrd.exe

O4 - HKCU\..\Run: [Sra] C:\Documents and Settings\moi\Application Data\dssh.exe

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O4 - HKLM\..\RunOnce: [KB826939] rundll32.exe apphelp.dll,ShimFlushCache

O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housec(...)

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



I also ran Spybot, which found a heap of horrors, but I don't know how to copy the report to send it to you...

Which boxes do I tick in HijackThis? I have already done one stupid thing, I'd rather not do it again right away...

Thanks for enlightening me...
betcave on 24 June 2004 at 20:03
betcave wrote (quoting the opening post above in full):
And that's not all: according to Trend Micro, I also have

Trojan BOTIRC a

Bat Sasser A

and again the Trojan BOTIRC A (that one is at two different locations). All of that is in Windows\system32\ at different locations. So what do I do?????
today_ on 24 June 2004 at 20:07
a free online scanner HERE or THERE or else over here to disinfect your machine.
-------
MonForum: a universe, games!

popo on 24 June 2004 at 20:09
edit your topic to make it more readable please.
ArIMoKX'Z on 24 June 2004 at 20:10
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll (file missing)

O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)

O4 - HKLM\..\Run: [Microsofts Updates] wuamgrd.exe

O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe

O4 - HKLM\..\Run: [qzdphfthgqq] C:\WINDOWS\System32\lekwvph.exe

O4 - HKLM\..\Run: [tczyt] C:\WINDOWS\tczyt.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\RunServices: [Microsofts Updates] wuamgrd.exe

O4 - HKCU\..\Run: [Microsofts Updates] wuamgrd.exe

O4 - HKCU\..\Run: [Sra] C:\Documents and Settings\moi\Application Data\dssh.exe

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab



Tick those lines, close every program (Internet Explorer included) and click Fix checked.

Show hidden files: open My Computer,
Tools / Folder Options,
View tab,
in the middle there is Hidden files and folders,
tick Show hidden files and folders,
click Apply.

Restart in Safe Mode (F8 at boot) and delete (if present):

C:\WINDOWS\nem219.dll -> file
C:\WINDOWS\twaintec.dll -> file
C:\WINDOWS\wsem218.dll -> file
C:\WINDOWS\System32\NDrv.dll -> file
C:\Program Files\ISTbar --> folder
c:\program files\180solutions --> folder
C:\WINDOWS\System32\lekwvph.exe -> file
C:\WINDOWS\tczyt.exe -> file
C:\Program Files\ISTsvc --> folder
wuamgrd.exe -> file to locate with Search (delete everything that is found!)
C:\Documents and Settings\moi\Application Data\dssh.exe -> file
C:\WINDOWS\System32\NDrv.exe -> file
-------
"Taste being the sense of the agreeable, it is refined through suffering." Anatole France
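The judgement applied above by eye can be written down, which is what the script below does. It is an added example for this thread, not code from the post, from HijackThis or from any helper here. It parses the O2/O3, O4 and O16 lines of a HijackThis 1.x log, flags the entries a helper would tick (a registration whose file is gone, a known adware vendor folder, a random-looking Run value name, one entry planted in several autostart keys at once, an entry in the Win9x-only RunServices key, an executable launched from the profile's Application Data, an ActiveX package from an unknown host) and then turns the flagged entries into the file and folder list to delete in safe mode. ADWARE_DIRS and TRUSTED_DPF_HOSTS are assumptions taken from this one log rather than real block or allow lists, and SAMPLE_LOG is a constructed subset of the poster's own lines.

```python
"""Triage a HijackThis v1.x log the way a forum helper does by eye.
Added example; not code from the post, from HijackThis or from the helpers.
ADWARE_DIRS and TRUSTED_DPF_HOSTS are assumptions drawn from this one log."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the poster's own HijackThis lines.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsofts Updates] wuamgrd.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [qzdphfthgqq] C:\WINDOWS\System32\lekwvph.exe
O4 - HKLM\..\Run: [tczyt] C:\WINDOWS\tczyt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [Microsofts Updates] wuamgrd.exe
O4 - HKCU\..\Run: [Microsofts Updates] wuamgrd.exe
O4 - HKCU\..\Run: [Sra] C:\Documents and Settings\moi\Application Data\dssh.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

RE_O2_O3 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]+\} - (.*?)(?: \((file missing)\))?$")
RE_O4 = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
RE_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \(.*?\) - (\S+)$")
RE_EXE = re.compile(r'"?([^"]*?\.(?:exe|com|scr|bat|dll))"?', re.I)
WINDIR_FILE = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+$")  # DLL sitting directly in the Windows tree
ADWARE_DIRS = {"180solutions", "istbar", "istsvc"}                  # assumption: vendor folders named in the thread
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "housecall.trendmicro.com"}  # assumption: known ActiveX sources

def looks_random(label):
    """'qzdphfthgqq', 'tczyt': five or more letters and no vowel at all. Crude:
    an acronym such as MSMSGS would trip it, so treat the result as a prompt to check."""
    letters = re.sub(r"[^A-Za-z]", "", label)
    return len(letters) >= 5 and not re.search(r"[aeiou]", letters, re.I)

def exe_of(command):
    # Executable path of a Run value, quoted or not, with arguments dropped.
    m = RE_EXE.match(command)
    return m.group(1) if m else command.split()[0]

def triage(log_text):
    """Return [(line, reason)] for every entry a helper would tick."""
    findings, o4_lines, keys_by_label = [], [], defaultdict(set)
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := RE_O2_O3.match(line):
            low = m.group(3).lower()
            if m.group(4):
                findings.append((line, "registration points at a file that is gone"))
            elif any(d in low for d in ADWARE_DIRS):
                findings.append((line, "known adware vendor folder"))
            elif WINDIR_FILE.match(low):  # also trips on Microsoft's msdxm.ocx: verify before fixing
                findings.append((line, "browser extension DLL dropped straight into the Windows tree"))
        elif m := RE_O4.match(line):
            hive, key, label, command = m.groups()
            keys_by_label[label].add((hive, key))  # the cross-key rule needs every O4 line first
            o4_lines.append((line, key, label, exe_of(command).lower()))
        elif (m := RE_O16.match(line)) and (urlparse(m.group(1)).hostname or "") not in TRUSTED_DPF_HOSTS:
            findings.append((line, "ActiveX package fetched from an untrusted host"))
    for line, key, label, exe in o4_lines:
        if key.lower() == "runservices":
            reason = "RunServices is a Win9x key; on NT/2000/XP only malware bothers to write it"
        elif len(keys_by_label[label]) > 1:
            reason = "same entry planted in several autostart keys"
        elif looks_random(label):
            reason = "random-looking value name"
        elif "\\application data\\" in exe:
            reason = "executable launched from the profile's Application Data"
        elif any(d in exe for d in ADWARE_DIRS):
            reason = "known adware vendor folder"
        else:
            continue  # a bare name such as Ati2mdxx.exe is not a signal on its own
        findings.append((line, reason))
    return findings

def cleanup_targets(findings):
    """What to remove in safe mode after Fix checked: a whole vendor folder,
    a single file, or a disk-wide search when the log gives only a bare name."""
    targets = set()
    for line, _ in findings:
        if line.startswith("O16"):
            continue  # cleared by emptying Downloaded Program Files instead
        m = RE_O2_O3.match(line)
        path = m.group(3) if m else exe_of(RE_O4.match(line).group(4))
        low = path.lower()
        vendor = next((d for d in ADWARE_DIRS if d in low.split("\\")), None)
        if vendor:
            targets.add(("folder", path[: low.index(vendor) + len(vendor)]))
        elif "\\" not in path:
            targets.add(("search", path))
        else:
            targets.add(("file", path))
    return sorted(targets)

if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for line, reason in flagged:
        print("TICK", line, "\n     ", reason)
    for kind, target in cleanup_targets(flagged):
        print(f"{kind:6} {target}")
```

Run stand-alone it prints the twelve lines to tick and nine cleanup targets, among them the disk-wide search for wuamgrd.exe that the helper asks for, because the three Run values only give a bare filename. The rules are ordered so that the strongest signal names the reason, and a bare filename by itself is deliberately not one: the poster's own Ati2mdxx.exe entry is legitimate and would otherwise be a false positive.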
ArIMoKX'Z on 24 June 2004 at 20:10
Go and run an online scan at RAV: http://www.ravantivirus.com/scan

PS: once on RAV, click "to continue without subscribing".

It will load a few things onto your PC (ActiveX, let it do so; this can take quite a while if you don't have ADSL), then when it says Ready to scan, tick autoclean and click scan my PC, and the analysis will start.

And paste the report here.

And post a new HijackThis log!
popo on 24 June 2004 at 21:03
dedicated topic for HijackThis logs
Cpdjxw on 6 April 2007 at 07:58
this topic should be in the Security, viruses and the like forum
this section is not the right one
totoftotof on 6 April 2007 at 13:04
Cpdjxw, hello :grrr:

look at the date before posting, you have bumped an old topic from 2004

please stop digging up old topics

--> Message edited by totoftotof on 06/04/2007 13:04:38 <--

