Reply to: USB key infected by SURVUVAL 2016-09-08T13:53:14+00:00
Vianney
Number of posts: 0

Here you go :p

############################## | UsbFix V 7.155 | [Suppression]

Utilisateur: user (Administrateur) # VIANNEY
Mis à jour le 16/12/2013 par El Desaparecido – Team SosVirus
Lancé à 16:50:21 | 25/12/2013

Site Web : http://www.usbfix.net
Forum : https://www.sosvirus.net/
Upload Malware : upload_malware.php
Contact : http://www.usbfix.net/contact/

PC: Intel Corp. (Base Board Product Name)
CPU: Intel(R) Core(TM) i7-2670QM CPU @ 2.20GHz
RAM -> [Total : 6126 | Free : 1493]
Bios: INSYDE
Boot: Normal boot

OS: Microsoft Windows 7 Édition Familiale Premium (6.1.7601 64-Bit) Service Pack 1
WB: Windows Internet Explorer : 11.0.9600.16476
WB: Google Chrome : 31.0.1650.63

SC: Security Center Service [Enabled]
WU: Windows Update Service [Enabled]
AV: avast! Antivirus [(!) Disabled | Updated]
AS: Windows Defender : 6.1.7600.16385 (win7_rtm.090713-1255)
FW: Windows FireWall Service [Enabled]

C: (%systemdrive%) -> Disque fixe # 297 Go (146 Go libre(s) – 49%) [WINDOWS] # NTFS
D: -> Disque fixe # 298 Go (281 Go libre(s) – 94%) [Data] # NTFS
E: -> CD-ROM
F: -> Disque amovible # 15 Go (5 Go libre(s) – 31%) [KINGSTON VI] # FAT32

################## | Processus Stoppés |

Stoppé! C:Windowssystem32nvvsvc.exe (ID: 932 |ParentID: 680)
Stoppé! C:Windowssystem32WLANExt.exe (ID: 1388 |ParentID: 456)
Stoppé! C:Windowssystem32conhost.exe (ID: 1396 |ParentID: 552)
Stoppé! C:Program FilesAVAST SoftwareAvastAvastSvc.exe (ID: 1408 |ParentID: 680)
Stoppé! C:WindowsSystem32spoolsv.exe (ID: 1576 |ParentID: 680)
Stoppé! C:Program Files (x86)Common FilesAdobeARM1.0armsvc.exe (ID: 1736 |ParentID: 680)
Stoppé! C:Program Files (x86)Common FilesAppleMobile Device SupportAppleMobileDeviceService.exe (ID: 1760 |ParentID: 680)
Stoppé! C:Program FilesNVIDIA CorporationDisplayNvXDSync.exe (ID: 1844 |ParentID: 932)
Stoppé! C:Windowssystem32nvvsvc.exe (ID: 1856 |ParentID: 932)
Stoppé! C:Program FilesBonjourmDNSResponder.exe (ID: 1088 |ParentID: 680)
Stoppé! c:PROGRA~2mcafeeSITEAD~1McSACore.exe (ID: 1480 |ParentID: 680)
Stoppé! C:Windowssystem32rundll32.exe (ID: 2068 |ParentID: 1480)
Stoppé! C:Windowssystem32rundll32.exe (ID: 2076 |ParentID: 1480)
Stoppé! C:WindowsSysWOW64rundll32.exe (ID: 2104 |ParentID: 2068)
Stoppé! C:Program Files (x86)NVIDIA Corporation3D VisionnvSCPAPISvr.exe (ID: 2220 |ParentID: 680)
Stoppé! C:Windowssystem32TODDSrv.exe (ID: 2280 |ParentID: 680)
Stoppé! C:Program FilesTOSHIBAPower SaverTosCoSrv.exe (ID: 2316 |ParentID: 680)
Stoppé! C:Program FilesWestern DigitalWD SmartWareWDDMService.exe (ID: 2424 |ParentID: 680)
Stoppé! C:Program FilesWestern DigitalWD SmartWareWDRulesEngine.exe (ID: 2480 |ParentID: 680)
Stoppé! C:Program FilesCommon FilesMicrosoft SharedWindows LiveWLIDSVC.EXE (ID: 2576 |ParentID: 680)
Stoppé! C:Program FilesTOSHIBATECOTecoService.exe (ID: 2672 |ParentID: 680)
Stoppé! C:Program FilesWestern DigitalWD SmartWareWDFME.exe (ID: 3096 |ParentID: 680)
Stoppé! C:Program FilesCommon FilesMicrosoft SharedWindows LiveWLIDSvcM.exe (ID: 3128 |ParentID: 2576)
Stoppé! C:WindowsMicrosoft.NetFramework64v3.0WPFPresentationFontCache.exe (ID: 3420 |ParentID: 680)
Stoppé! C:Windowssystem32taskhost.exe (ID: 3808 |ParentID: 680)
Stoppé! C:Program Files (x86)Toshiba TEMPROTemproTray.exe (ID: 3772 |ParentID: 3920)
Stoppé! C:Program FilesTOSHIBABulletinBoardTosNcCore.exe (ID: 3700 |ParentID: 3920)
Stoppé! C:Program FilesTOSHIBAReelTimeTosReelTimeMonitor.exe (ID: 1768 |ParentID: 3920)
Stoppé! C:Program FilesTOSHIBAPower SaverTPwrMain.exe (ID: 2944 |ParentID: 3920)
Stoppé! C:Program FilesTOSHIBAFlashCardsTCrdMain.exe (ID: 4128 |ParentID: 3920)
Stoppé! C:Windowssystem32SearchIndexer.exe (ID: 4316 |ParentID: 680)
Stoppé! C:Program FilesWindows Media Playerwmpnetwk.exe (ID: 4476 |ParentID: 680)
Stoppé! C:Program FilesSynapticsSynTPSynTPEnh.exe (ID: 4564 |ParentID: 3920)
Stoppé! C:Program FilesTOSHIBATECOTeco.exe (ID: 4592 |ParentID: 3920)
Stoppé! C:Program FilesSynapticsSynTPSynTPHelper.exe (ID: 4792 |ParentID: 4564)
Stoppé! C:Program Files (x86)TOSHIBATOSHIBA Online Product InformationTOPI.exe (ID: 4864 |ParentID: 3920)
Stoppé! C:Program Files (x86)GoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe (ID: 4884 |ParentID: 3920)
Stoppé! C:Program Files (x86)Microsoft OfficeOffice14MSOSYNC.EXE (ID: 4900 |ParentID: 3920)
Stoppé! C:WindowsSystem32StikyNot.exe (ID: 5040 |ParentID: 3920)
Stoppé! C:Program FilesHPHP Officejet Pro 8600BinScanToPCActivationApp.exe (ID: 5232 |ParentID: 3920)
Stoppé! C:Program Files (x86)TOSHIBATOSHIBA Sleep UtilityTSleepSrv.exe (ID: 5640 |ParentID: 5272)
Stoppé! C:Program Files (x86)TOSHIBATOSHIBA Service StationToshibaServiceStation.exe (ID: 5664 |ParentID: 5272)
Stoppé! C:Program Files (x86)Ask.comUpdaterUpdater.exe (ID: 5748 |ParentID: 5272)
Stoppé! C:Program FilesAVAST SoftwareAvastAvastUI.exe (ID: 5756 |ParentID: 5272)
Stoppé! C:Program Files (x86)iTunesiTunesHelper.exe (ID: 5812 |ParentID: 5272)
Stoppé! C:Program FilesiPodbiniPodService.exe (ID: 5988 |ParentID: 680)
Stoppé! C:Program Files (x86)TOSHIBAConfigFreeCFIWmxSvcs64.exe (ID: 5288 |ParentID: 680)
Stoppé! C:Program Files (x86)TOSHIBAConfigFreeCFSvcs.exe (ID: 6004 |ParentID: 680)
Stoppé! C:Program Files (x86)IntelIntel(R) Management Engine ComponentsLMSLMS.exe (ID: 4124 |ParentID: 680)
Stoppé! c:Program Files (x86)NeroUpdateNASvc.exe (ID: 1252 |ParentID: 680)
Stoppé! C:Program Files (x86)TOSHIBATOSHIBA Service StationTMachInfo.exe (ID: 1952 |ParentID: 680)
Stoppé! C:Program FilesTOSHIBATOSHIBA HDD SSD AlertTosSmartSrv.exe (ID: 3440 |ParentID: 680)
Stoppé! C:Program FilesTOSHIBATOSHIBA HDD SSD AlertTosSENotify.exe (ID: 2852 |ParentID: 4632)
Stoppé! C:Program FilesTOSHIBATPHMTPCHSrv.exe (ID: 3956 |ParentID: 680)
Stoppé! C:Program FilesTOSHIBATPHMTPCHWMsg.exe (ID: 1944 |ParentID: 4748)
Stoppé! C:Program Files (x86)Common FilesAppleMobile Device SupportSyncServer.exe (ID: 6708 |ParentID: 6320)
Stoppé! C:Windowssystem32conhost.exe (ID: 6720 |ParentID: 640)
Stoppé! C:Program Files (x86)IntelIntel(R) Management Engine ComponentsUNSUNS.exe (ID: 6724 |ParentID: 680)
Stoppé! C:Program FilesCommon FilesMicrosoft SharedOfficeSoftwareProtectionPlatformOSPPSVC.EXE (ID: 6312 |ParentID: 680)
Stoppé! C:UsersuserAppDataRoamingDropboxbinDropbox.exe (ID: 1152 |ParentID: 7832)
Stoppé! C:Windowssystem32taskeng.exe (ID: 8860 |ParentID: 1036)
Stoppé! C:Program Files (x86)Kaspersky LabKaspersky Anti-Virus 14.0.0avpui.exe (ID: 6240 |ParentID: 3152)
Stoppé! C:Program Files (x86)Kaspersky LabKaspersky Anti-Virus 14.0.0avp.exe (ID: 8352 |ParentID: 680)
Stoppé! C:Windowssystem32taskhost.exe (ID: 6928 |ParentID: 680)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 7772 |ParentID: 3920)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 8880 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 7532 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 1064 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 8308 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 8960 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 8840 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 4412 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 7712 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 2876 |ParentID: 7772)
Stoppé! C:Program Files (x86)AdobeReader 11.0ReaderAcroRd32.exe (ID: 7368 |ParentID: 2876)
Stoppé! C:Program Files (x86)AdobeReader 11.0ReaderAcroRd32.exe (ID: 7616 |ParentID: 7368)
Stoppé! C:WindowsSystem32WUDFHost.exe (ID: 448 |ParentID: 456)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 7480 |ParentID: 7772)
Stoppé! C:Program Files (x86)GoogleChromeApplicationchrome.exe (ID: 6392 |ParentID: 7772)

################## | Regedit Run |

04 – HKLMSOFTWARE | Run : [NBAgent] – “c:Program Files (x86)NeroNero 10Nero BackItUpNBAgent.exe” /WinStart
04 – HKLMSOFTWARE | Run : [ITSecMng] – %ProgramFiles%TOSHIBABluetooth Toshiba StackItSecMng.exe /START
04 – HKLMSOFTWARE | Run : [TSleepSrv] – %ProgramFiles(x86)%TOSHIBATOSHIBA Sleep UtilityTSleepSrv.exe
04 – HKLMSOFTWARE | Run : [ToshibaServiceStation] – C:Program Files (x86)TOSHIBATOSHIBA Service StationToshibaServiceStation.exe /hide:60
04 – HKLMSOFTWARE | Run : [MDX.CloudPin] – “C:Program Files (x86)Microsoft Digital ExperienceScriptsPinApps.vbs”
04 – HKLMSOFTWARE | Run : [APSDaemon] – “C:Program Files (x86)Common FilesAppleApple Application SupportAPSDaemon.exe”
04 – HKLMSOFTWARE | Run : [BCSSync] – “C:Program Files (x86)Microsoft OfficeOffice14BCSSync.exe” /DelayServices
04 – HKLMSOFTWARE | Run : [Adobe ARM] – “C:Program Files (x86)Common FilesAdobeARM1.0AdobeARM.exe”
04 – HKLMSOFTWARE | Run : [] –
04 – HKLMSOFTWARE | Run : [ApnUpdater] – “C:Program Files (x86)Ask.comUpdaterUpdater.exe”
04 – HKLMSOFTWARE | Run : [avast] – “C:Program FilesAVAST SoftwareAvastavastUI.exe” /nogui
04 – HKLMSOFTWARE | Run : [iTunesHelper] – “C:Program Files (x86)iTunesiTunesHelper.exe”
04 – HKLMSOFTWAREwow6432Node | Run : [NBAgent] – “c:Program Files (x86)NeroNero 10Nero BackItUpNBAgent.exe” /WinStart
04 – HKLMSOFTWAREwow6432Node | Run : [ITSecMng] – %ProgramFiles%TOSHIBABluetooth Toshiba StackItSecMng.exe /START
04 – HKLMSOFTWAREwow6432Node | Run : [TSleepSrv] – %ProgramFiles(x86)%TOSHIBATOSHIBA Sleep UtilityTSleepSrv.exe
04 – HKLMSOFTWAREwow6432Node | Run : [ToshibaServiceStation] – C:Program Files (x86)TOSHIBATOSHIBA Service StationToshibaServiceStation.exe /hide:60
04 – HKLMSOFTWAREwow6432Node | Run : [MDX.CloudPin] – “C:Program Files (x86)Microsoft Digital ExperienceScriptsPinApps.vbs”
04 – HKLMSOFTWAREwow6432Node | Run : [APSDaemon] – “C:Program Files (x86)Common FilesAppleApple Application SupportAPSDaemon.exe”
04 – HKLMSOFTWAREwow6432Node | Run : [BCSSync] – “C:Program Files (x86)Microsoft OfficeOffice14BCSSync.exe” /DelayServices
04 – HKLMSOFTWAREwow6432Node | Run : [Adobe ARM] – “C:Program Files (x86)Common FilesAdobeARM1.0AdobeARM.exe”
04 – HKLMSOFTWAREwow6432Node | Run : [] –
04 – HKLMSOFTWAREwow6432Node | Run : [ApnUpdater] – “C:Program Files (x86)Ask.comUpdaterUpdater.exe”
04 – HKLMSOFTWAREwow6432Node | Run : [avast] – “C:Program FilesAVAST SoftwareAvastavastUI.exe” /nogui
04 – HKLMSOFTWAREwow6432Node | Run : [iTunesHelper] – “C:Program Files (x86)iTunesiTunesHelper.exe”
04 – HKLMSOFTWARE | RunOnce : [] –
04 – HKLMSOFTWAREwow6432Node | RunOnce : [] –
04 – HKUS-1-5-19SOFTWARE | Run : [Sidebar] – %ProgramFiles%Windows SidebarSidebar.exe /autoRun
04 – HKUS-1-5-19SOFTWARE | Run : [TOPI.EXE] – C:Program Files (x86)TOSHIBATOSHIBA Online Product Informationtopi.exe /STARTUP
04 – HKUS-1-5-20SOFTWARE | Run : [Sidebar] – %ProgramFiles%Windows SidebarSidebar.exe /autoRun
04 – HKUS-1-5-20SOFTWARE | Run : [TOPI.EXE] – C:Program Files (x86)TOSHIBATOSHIBA Online Product Informationtopi.exe /STARTUP
04 – HKUS-1-5-21-840222712-683920496-2309199721-1000SOFTWARE | Run : [TOPI.EXE] – C:Program Files (x86)TOSHIBATOSHIBA Online Product Informationtopi.exe /STAR
04 – HKUS-1-5-21-840222712-683920496-2309199721-1000SOFTWARE | Run : [swg] – “C:Program Files (x86)GoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe”
04 – HKUS-1-5-21-840222712-683920496-2309199721-1000SOFTWARE | Run : [Facebook Update] – “C:UsersuserAppDataLocalFacebookUpdateFacebookUpdate.exe” /c /nocrashserver
04 – HKUS-1-5-21-840222712-683920496-2309199721-1000SOFTWARE | Run : [OfficeSyncProcess] – “C:Program Files (x86)Microsoft OfficeOffice14MSOSYNC.EXE”
04 – HKUS-1-5-21-840222712-683920496-2309199721-1000SOFTWARE | Run : [Skype] – “C:Program Files (x86)SkypePhoneSkype.exe” /minimized /regrun
04 – HKUS-1-5-21-840222712-683920496-2309199721-1000SOFTWARE | Run : [RESTART_STICKY_NOTES] – C:WindowsSystem32StikyNot.exe
04 – HKUS-1-5-21-840222712-683920496-2309199721-1000SOFTWARE | Run : [HP Officejet Pro 8600 (NET)] – “C:Program FilesHPHP Officejet Pro 8600BinScanToPCActivationApp.exe” -deviceID “CN37ID4H1V05KD:NW” -scfn “HP Officejet Pro 8600 (NET)” -AutoStart 1
04 – HKUS-1-5-21-840222712-683920496-2309199721-1000SOFTWARE | Run : [SURVIVAL] – wscript.exe //B “C:UsersuserAppDataLocalTempSURVIVAL.vbe”
04 – HKUS-1-5-18SOFTWARE | Run : [TOPI.EXE] – C:Program Files (x86)TOSHIBATOSHIBA Online Product Informationtopi.exe /STARTUP
04 – HKUS-1-5-19SOFTWARE | RunOnce : [mctadmin] – C:WindowsSystem32mctadmin.exe
04 – HKUS-1-5-20SOFTWARE | RunOnce : [mctadmin] – C:WindowsSystem32mctadmin.exe

################## | Recherche générique |

Supprimé! C:UsersuserAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupSURVIVAL.vbe
Supprimé! C:WindowsSysWOW64user.exe
Supprimé! C:UsersuserAppDataLocalTempSURVIVAL.vbe
Supprimé! C:UsersuserAppDataLocalTempDATA.exe
Supprimé! C:UsersuserAppDataLocalTempsvchost.exe
Supprimé! F:SURVIVAL.vbe
Supprimé! F:Nouveau dossier.lnk
Supprimé! C:UsersuserAppDataLocalTempetilqs_7OoXdBUc14ideje.pif

(!) Fichiers temporaires supprimés. (24 Ko)

################## | Référence de comparaison MD5 |

Md5 : 566A2952410520E6E384366F28F6871B -> C:UsersuserAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupSURVIVAL.vbe
Md5 : 5244D544B022E70881794563D657B5EF -> C:WindowsSysWOW64user.exe
Md5 : 566A2952410520E6E384366F28F6871B -> C:UsersuserAppDataLocalTempSURVIVAL.vbe
Md5 : F936FA87EC52A3373E254E1D559E8609 -> C:UsersuserAppDataLocalTempDATA.exe
Md5 : 566A2952410520E6E384366F28F6871B -> F:SURVIVAL.vbe

################## | Comparaison MD5 |

Supprimé! Md5 : 5244D544B022E70881794563D657B5EF -> C:WindowsSystem32user.exe
Supprimé! Md5 : 5244D544B022E70881794563D657B5EF -> C:WindowsSysWOW64user.exe
Supprimé! Md5 : 566A2952410520E6E384366F28F6871B -> F:Nouveau dossierSURVIVAL.vbe

################## | Registre |

Supprimé! HKCUSoftwareDC3_FEXEC
Supprimé! HKUS-1-5-21-840222712-683920496-2309199721-1000SoftwareMicrosoftWindowsCurrentVersionRun|SURVIVAL

################## | Listing |

[03/08/2011 – 11:59:41 | N | 0 Ko] – C:SWSTAMP.TXT
[25/12/2013 – 16:58:45 | A | 15 Ko] – C:UsbFix [Clean 3] VIANNEY.txt
[17/12/2013 – 15:17:28 | ASH | 4704660 Ko] – C:hiberfil.sys
[17/12/2013 – 15:17:29 | ASH | 6272880 Ko] – C:pagefile.sys
[23/09/2013 – 20:43:20 | SHD] – C:$RECYCLE.BIN
[14/07/2009 – 04:20:08 | D] – C:PerfLogs
[14/07/2009 – 06:08:56 | SHD] – C:Documents and Settings
[14/11/2011 – 10:24:03 | D] – C:Toshiba
[17/11/2011 – 12:04:09 | D] – C:Users
[06/10/2012 – 16:11:13 | RHD] – C:MSOCache
[11/01/2013 – 10:45:11 | D] – C:VXIPNP
[17/12/2013 – 13:24:25 | D] – C:Program Files
[25/12/2013 – 13:37:15 | D] – C:Program Files (x86)
[25/12/2013 – 13:37:20 | D] – C:Windows
[25/12/2013 – 13:37:30 | SHD] – C:System Volume Information
[25/12/2013 – 14:02:10 | HD] – C:ProgramData
[25/12/2013 – 16:57:54 | D] – C:UsbFix
[17/11/2011 – 12:06:59 | SHD] – D:$RECYCLE.BIN
[11/09/2012 – 16:33:20 | D] – D:fichiers présent à la base
[13/09/2012 – 22:29:20 | D] – D:Guitar Pro 6
[13/12/2012 – 11:12:30 | D] – D:Firefox
[25/12/2013 – 13:37:12 | SHD] – D:System Volume Information
[25/12/2013 – 16:07:46 | D] – F:Nouveau dossier

################## | Vaccin |

D:Autorun.inf -> Vaccin créé par UsbFix (El Desaparecido)
F:Autorun.inf -> Vaccin créé par UsbFix (El Desaparecido)

################## | E.O.F | http://www.usbfix.net – https://www.sosvirus.net |