WinAD malware

Tags:
  • Malware
  • Security
Last reply: in Security and viruses
2 January 2009 15:00:46

This morning, while running a scan with Ad-Aware, it detected a piece of malware. The problem: this malware is supposedly located inside my antivirus. So my question is: is this program actually a virus or not? I am pasting below the result Ad-Aware found. I am also pasting a copy of my HijackThis log, just in case.

___________________________________________________________

WinAD Object recognized!
Type: Process
Data: mcodsax.dll
TAC rating: 7
Category: Malware
Comment: (CSI MATCH)
Object: c:\PROGRA~1\mcafee\VIRUSS~1\
FileVersion : 13,0,218,0
ProductVersion : 13,0,0,0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee ODS Configuration DLL
InternalName : McOdsAx
LegalCopyright : Copyright © 2008 McAfee, Inc.
OriginalFilename : McOdsAx.dll

Warning! WinAD object detected in memory (c:\PROGRA~1\mcafee\VIRUSS~1\mcodsax.dll)

___________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:58, on 02/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\fichiers communs\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\FICHIE~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Fichiers communs\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.01net.com/telecharger/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.01net.com/telecharger/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC210NC Webcam
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/curre...
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15106/CT...
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0213141230901480) (0213141230901480mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\021314~1.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\fichiers communs\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FICHIE~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9630 bytes


2 January 2009 18:19:12

Hello,

Scan this file at VirusTotal.
2 January 2009 19:16:02

I did scan it at VirusTotal and it shows me nothing specific. What should I conclude from this? Is there anything else to test?

I'm pasting the report for you

Antivirus Version Last-update Result
a-squared 4.0.0.73 2008.12.31 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.02 -
Authentium 5.1.0.4 2009.01.02 -
Avast 4.8.1281.0 2009.01.02 -
AVG 8.0.0.199 2008.12.31 -
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2008.12.31 -
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5479 2008.12.30 -
Microsoft 1.4205 2009.01.02 -
NOD32 3725 2008.12.31 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.02 -
PCTools 4.4.2.0 2008.12.31 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2008.12.31 -
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2008.12.31 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -


Additional information
File size: 207688 bytes
MD5...: aebbe4520de5dd11ea4313bcddd80fa1
SHA1..: 5260a3e8a290d2218be9e233ee18aeeeee2d758f
SHA256: 468cbd5be284a3eadf2c0af9070625c8dfe04f03193a80d4b0a085fe1c4968e6
SHA512: f99fb2fac3c455593201e0c10d01fbe1c4dc59696a8b2f25f1b23756b226ad84a09763ffdfd08ff0069ca53e711db003ff4eb56b6350c335f82892f6ce724ca3
ssdeep: 3072:HydpNJ73fw/z55NQLhowgpWrSDNuxO59L6ghI4RC4+tsbGYHM:C3fw/zSrgpWrmvC47O
PEiD..: -
TrID..: File type identification
DirectShow filter (52.6%)
Windows OCX File (32.2%)
Win32 Executable MS Visual C++ (generic) (9.8%)
Win32 Executable Generic (2.2%)
Win32 Dynamic Link Library (generic) (1.9%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x60713fc4
timedatestamp.....: 0x485c1c35 (Fri Jun 20 21:08:05 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2493e 0x24a00 6.70 6d5756de234970a3ab31e231b3bf0d03
.rdata 0x26000 0x7774 0x7800 4.92 f10be48a1a2e4ce0abda77e40123ebba
.data 0x2e000 0x32f8 0x1600 3.61 9bbd1ccea1644209ed49704a8f1b09e5
.rsrc 0x32000 0xd34 0xe00 4.10 f805416e9951a02cdb7ab57bbd066976
.reloc 0x33000 0x2a3e 0x2c00 4.96 e17c01671a9a9d9fd52c755670f49ce7

( 7 imports )
> WINTRUST.dll: WinVerifyTrust
> KERNEL32.dll: GlobalFree, FindClose, FindNextFileW, OpenEventW, DeleteCriticalSection, GetShortPathNameW, CloseHandle, InterlockedIncrement, InterlockedDecrement, lstrlenW, CreateFileA, GetFileSize, CreateMutexW, SetFilePointer, WritePrivateProfileStructA, MoveFileExW, CreateDirectoryW, WaitForSingleObject, OutputDebugStringW, GetModuleHandleW, GetWindowsDirectoryA, WriteFile, GetFileAttributesW, EnterCriticalSection, CreateFileW, GetCurrentDirectoryW, DisableThreadLibraryCalls, GetPrivateProfileStringA, GetLocalTime, RemoveDirectoryW, GetPrivateProfileStructA, GetCurrentThreadId, ReleaseMutex, DeleteFileW, GetCurrentProcessId, SetFileAttributesW, SystemTimeToFileTime, GetVersionExA, LoadLibraryA, GetSystemDirectoryA, lstrlenA, GetShortPathNameA, Module32Next, Module32First, CreateToolhelp32Snapshot, OpenProcess, FindFirstFileA, IsBadWritePtr, CompareStringW, CompareStringA, GetProcAddress, GetThreadLocale, GetLastError, MultiByteToWideChar, GetACP, GetModuleFileNameW, LeaveCriticalSection, GetVersionExW, LoadLibraryW, WideCharToMultiByte, GlobalAlloc, InitializeCriticalSection, IsBadReadPtr, SetEvent, GetCurrentProcess, FreeLibrary, GetLocaleInfoA, FindFirstFileW, FlushFileBuffers, SetEnvironmentVariableA, ReadFile, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetConsoleMode, GetConsoleCP, HeapSize, GetTickCount, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, SetHandleCount, Sleep, GetOEMCP, GetCPInfo, InterlockedExchange, HeapFree, HeapAlloc, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapReAlloc, GetSystemTimeAsFileTime, VirtualProtect, VirtualAlloc, GetModuleHandleA, GetSystemInfo, VirtualQuery, GetCommandLineA, GetProcessHeap, RaiseException, RtlUnwind, HeapDestroy, HeapCreate, VirtualFree, ExitProcess, GetStdHandle, 
GetModuleFileNameA, GetTimeZoneInformation, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError
> USER32.dll: wsprintfW
> ADVAPI32.dll: RegDeleteKeyW, RegEnumKeyExW, RegOpenKeyExW, RegSetValueExW, RegCloseKey, FreeSid, RegEnumValueW, RegOpenCurrentUser, AllocateAndInitializeSid, RegDeleteValueW, RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExW, RegQueryValueExA, EqualSid, RegCreateKeyExW, RegSetValueExA, GetTokenInformation, OpenProcessToken
> SHELL32.dll: SHGetFolderPathW
> ole32.dll: StringFromGUID2, CoCreateInstance
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
3 January 2009 18:18:45

This file appears to be legitimate.
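An added example, not code from the thread, from Ad-Aware or from McAfee: a small Python script that hashes the local DLL, compares the digests with the ones the VirusTotal report above printed, and rebuilds the per-section entropy/MD5 table so you can confirm that the file on disk really is the object the 0/39 verdict refers to. The `build_sample_pe` helper is a constructed two-section image for running the script offline; the machine type and timestamp inside it are copied from the report, and everything else in it is invented for the test.

```python
"""Hypothetical helper (added example, not from the thread): hash a flagged
DLL, compare with the hashes VirusTotal printed, and rebuild the per-section
table (entropy + MD5) so the local file can be matched against the report."""
import hashlib
import math
import struct
import sys
from collections import Counter

# Hashes exactly as printed in the VirusTotal report quoted in the thread.
REPORTED_HASHES = {
    "md5": "aebbe4520de5dd11ea4313bcddd80fa1",
    "sha1": "5260a3e8a290d2218be9e233ee18aeeeee2d758f",
    "sha256": "468cbd5be284a3eadf2c0af9070625c8dfe04f03193a80d4b0a085fe1c4968e6",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole file, lower-case hex like VirusTotal prints them."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, expected: dict = REPORTED_HASHES) -> bool:
    """True only if every digest listed in `expected` matches the file in hand."""
    actual = file_hashes(data)
    return all(actual.get(alg) == digest.lower() for alg, digest in expected.items())


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for all-identical bytes, 8.0 for uniformly distributed data."""
    if not buf:
        return 0.0
    n = len(buf)
    h = sum(c / n * math.log2(c / n) for c in Counter(buf).values())
    return -h if h else 0.0


def pe_info(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes; only its first five fields are needed here
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr,
            "virsiz": vsize,
            "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timedatestamp": stamp, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image for offline testing; it is not a real DLL."""
    text = bytes(range(256)) * 4          # every byte value equally often -> entropy 8.0
    data_sec = b"\0" * 1024               # all zeros -> entropy 0.0
    e_lfanew, opt_size = 0x40, 224        # 224 = size of a PE32 optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # machine 0x14C and timestamp 0x485C1C35 mirror the values in the quoted report
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x485C1C35, 0, 0, opt_size, 0x2102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    first_raw = e_lfanew + 4 + 20 + opt_size + 2 * 40              # section bodies follow the headers

    def sec(name, body, vaddr, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, len(body), vaddr, len(body), rawptr, 0, 0, 0, 0, 0)

    headers = sec(b".text", text, 0x1000, first_raw) + sec(b".data", data_sec, 0x2000, first_raw + len(text))
    return dos + b"PE\0\0" + file_hdr + opt_hdr + headers + text + data_sec


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("matches VirusTotal hashes:", matches_report(blob))
    info = pe_info(blob)
    print("machine 0x%x  timedatestamp 0x%08x" % (info["machine"], info["timedatestamp"]))
    for s in info["sections"]:
        print("%-8s 0x%-6x 0x%-6x 0x%-6x %.2f %s"
              % (s["name"], s["viradd"], s["virsiz"], s["rawdsiz"], s["ntrpy"], s["md5"]))
```

Run it as `python check_dll.py C:\PROGRA~1\mcafee\VIRUSS~1\mcodsax.dll` (the script name is an assumption). A hash mismatch means the file you have is not the one that scored 0/39, so resubmit it rather than rely on the earlier verdict. Matching hashes and a zero-detection score only say the file is known; the stronger check for a vendor-shipped DLL is its Authenticode signature (on Windows, `Get-AuthenticodeSignature` in PowerShell), which the hash comparison does not replace.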