Spyware-infected PC: a representative example of quite a few machines brought to our workshop for disinfection.
Internal reference: pc080pmi2009g25flup: Athlon 1.26 GHz on MSI MS-6330 (PC2002)
Spybot: report extracts:
- MagicControl.Agent: [SBI $8A93997C] Browser helper object (Clé du registre)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{008DB894-99ED-445D-8547-0E7C9808898D}
- Win32.Agent.pz: [SBI $7EC6899E] Réglages (Valeur du registre)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
- Win32.Agent.pz: [SBI $8980C6CD] Réglages (Valeur du registre)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
- Win32.Agent.pz: [SBI $0F1C75F7] Réglages (Valeur du registre)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID
- FunWebProducts: [SBI $685582A8] Fichier de configuration (Fichier)
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Properties.size=365
Properties.md5=88D1DC668D4F5133F62356A179368DDA
Properties.filedate=1121354882
Properties.filedatetext=2005-07-14 17:28:02
- FunWebProducts: [SBI $02540BAA] Exécutable (Fichier)
C:\WINDOWS\system32\f3PSSavr.scr
Properties.size=28672
Properties.md5=7F9361A12B2DFEBEC6C22B52446E3CF8
Properties.filedate=1128108428
Properties.filedatetext=2005-09-30 21:27:08
- MyWay.MyWebSearch: [SBI $7D166358] Interface (Clé du registre)
HKEY_CLASSES_ROOT\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}
- MyWay.MyWebSearch: [SBI $5B4611BE] Interface (Clé du registre)
HKEY_CLASSES_ROOT\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}
...
- EGDACCESS: [SBI $4CD33124] Réglages Autorun (Instant Access) (Valeur du registre)
HKEY_USERS\S-1-5-21-299502267-1580436667-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Instant Access
- EGDACCESS: [SBI $4CD33124] Fichier de programme (Fichier)
C:\WINDOWS\system32\EGCOMLIB_1035.dll
Properties.size=75776
Properties.md5=9907AA7FDCE4D963A172907688DF2DA9
Properties.filedate=1079018204
Properties.filedatetext=2004-03-11 17:16:44
- Message Mates: [SBI $F535AAF1] Réglages utilisateur (Clé du registre)
HKEY_USERS\S-1-5-21-299502267-1580436667-854245398-1003\Software\AdTools, Inc.
- Win32.Agent.jg: [SBI $AFA60660] Dossier Programme (Répertoire)
C:\WINDOWS\system32\twain_32\
- Win32.Agent.jg: [SBI $D2B4E1D7] File (Fichier)
C:\WINDOWS\system32\twain_32\local.ds
Properties.size=46114
Properties.md5=E6472FE68B49BC33131173E92B1CDCA1
Properties.filedate=1222094834
Properties.filedatetext=2008-09-22 16:47:14
- Win32.Agent.jg: [SBI $48DFF879] File (Fichier)
C:\WINDOWS\system32\twain_32\user.ds
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Properties.filedate=1222421394
Properties.filedatetext=2008-09-26 11:29:54
- Win32.Machbot: [SBI $ABBFAE39] Bibliothèque (Fichier)
C:\WINDOWS\system32\Mservice.dll
Properties.size=13312
Properties.md5=442E08F93D78957F1F221F45A06A5B6F
Properties.filedate=1090948940
Properties.filedatetext=2004-07-27 19:22:20
- Win32.TDSS.rtk: [SBI $1C88479D] Réglages (Répertoire)
C:\Documents and Settings\LocalService\Application Data\twain_32\
- Win32.TDSS.rtk: [SBI $5A2B8A3C] Donnée (Fichier)
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds
Properties.size=104
Properties.md5=59EF8A7E0C4C5F0FF7C942158303DDA0
Properties.filedate=1222087386
Properties.filedatetext=2008-09-22 14:43:06
- Win32.ZBot: [SBI $0BF16B2C] Dossier Programme (Répertoire)
C:\WINDOWS\system32\sysproc64\
- Win32.ZBot: [SBI $8C5D70B2] Donnée (Fichier)
C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys
Properties.size=208
Properties.md5=322C36CB557AA7C9DEAB6A936B4CC41E
Properties.filedate=1221416006
Properties.filedatetext=2008-09-14 20:13:26
- Win32.ZBot: [SBI $72741F5F] Dossier Programme (Répertoire)
C:\Documents and Settings\LocalService\Application Data\sysproc64\
Malwarebytes' Anti-Malware - Database version: 2421 - July 2009: what remained after a full clean with Spybot (above):
Clé(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{67450775-3b18-49b1-aa83-0e010f07f4df} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69b3ebfa-0015-4914-9312-e7758eacfac1} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{30de9920-2e84-40a2-88a5-b8d256e15101} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\p2ecom.egp2ecom (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\p2ecom.egp2ecom.1 (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e8c88115-4951-425b-8c45-4dfc5a5540ee} (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e30ac01-99d7-4e9c-b13e-94e1701b0ac9} (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8f0a06f6-df4d-4d54-b8ca-e8eedbae6ddb} (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cefb7b49-9652-464f-8afd-a577c0500f39} (Adware.EGDAccess) -> Quarantined and deleted successfully.
Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\program files\common files\acd systems\Filters\EITCC_LinearBlur.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
Fichier(s) infecté(s):
c:\program files\msn messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
c:\tmp_Editor.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmlpcert2005 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mseggrpid.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\P2ECOM.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
... in progress ...