
trojan mdelk, srosa.sys and wintems.exe

Tags:
  • Windows
  • Security
20 January 2008 18:19:55

Hello,
I have the same problem as everyone else, apparently. I've been infected by mdelk.exe, and I also have srosa.sys and wintems.exe. No antivirus I've tried has managed to eradicate these 3 pieces of s....
Can you help me get them off my PC?
Apparently, judging by the forums I've visited, a lot of people have the same problem as me...
Thanks in advance


20 January 2008 19:01:29

Hello,
And thank you very much for looking into my problem.

Here is the report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:13, on 20.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [Moon Secure Antivirus] "C:\Program Files\Moon Secure Antivirus\moontray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2265 bytes
20 January 2008 19:05:34

~Download Elibagla from this page:
http://www.zonavirus.com/datos/descargas/95/elibagla.as...

You'll find the program to download at the very bottom of the page:
click on "escargar Elibagla 10.14"

Save this file to the desktop
Go to your desktop and double-click Elibagla.exe
The "eliminar ficheros automaticamente" box must be checked
Click "explorar" and let it work
~Post the final report, which will be in c:\infosat.txt
20 January 2008 19:15:22

It's the version "escargar Elibagla 10.89", but I downloaded it anyway. Here is the report:


Sun Jan 20 19:08:01 2008
EliBagle v10.89 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
Restaurada Clave: "SafeBoot\Minimal y Network"

Sun Jan 20 19:09:02 2008
EliBagle v10.89 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\WINDOWS\system32\drivers\down\101062.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\118843.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\121812.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\136453.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\137093.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\14530796.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\14547156.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\14583093.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\14606250.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\14626984.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\14647609.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\163187.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\165546.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\168656.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\179734.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\29126578.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\29194328.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\29222265.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\42609.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\43000.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\43296.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\43562.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\43731515.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\43773031.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\44406.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\47687.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\50625.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\55843.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\58546.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\61703.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\69140.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\69453.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\69734.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\70484.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\76062.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\78890.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\80796.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\81375.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\84000.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\84375.EXE --> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\97328.EXE --> Eliminado Bagle

Nº Total de Directorios: 7615
Nº Total de Ficheros: 112347
Nº de Ficheros Analizados: 12709
Nº de Ficheros Infectados: 43
Nº de Ficheros Limpiados: 41

20 January 2008 20:35:19

It did remove the ones that were left, but mdelk.exe is apparently very virulent.
20 January 2008 21:40:57

re

~Download F-Secure BlackLight

ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

- Run F-Secure BlackLight (file fsbl.exe)
- Accept the licence, then click "Scan", then Next and Exit.
- A report fsbl-bxxxx.log (xx are digits) will be created in the same folder as blbeta.exe
- Open fsbl-bxxxx.log and copy/paste it into your next message.

Warning!
Do not choose the "Rename" option right away: we need to analyse the report, because legitimate files may be present, such as wbemtest.exe.
F-Secure BlackLight tutorial (thanks to Malekal):
http://www.malekal.com/tutorial_f-secure_BlackLight.htm...
20 January 2008 22:52:32

Whoa, this virus really is a big pile of s....
Thanks in any case for your help.
Here is the report:

01/20/08 22:35:24 [Info]: BlackLight Engine 1.0.67 initialized
01/20/08 22:35:24 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/20/08 22:35:24 [Note]: 7019 4
01/20/08 22:35:24 [Note]: 7005 0
01/20/08 22:35:34 [Note]: 7006 0
01/20/08 22:35:34 [Note]: 7011 1516
01/20/08 22:35:36 [Note]: 7026 0
01/20/08 22:35:37 [Note]: 7026 0
01/20/08 22:35:37 [Note]: 7024 3
01/20/08 22:35:37 [Info]: Hidden process: C:\WINDOWS\system32\drivers\hldrrr.exe
01/20/08 22:35:37 [Note]: 7024 3
01/20/08 22:35:37 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
01/20/08 22:35:43 [Note]: FSRAW library version 1.7.1024
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\W9_1FR.HLP
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\W9_1gefr.cnt
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\W9_1GEFR.HLP
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\W9_1sput.cnt
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\wt9_1cbe.dll
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1cbefr.cbt
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1cf.icr
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1cf.sav
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1fr.adv
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1fr.hyd
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1fr.icr
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1fr.mor
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\wt9_1fr.rul
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1fr.sav
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1fr.ths
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\WT9_1LDFR.dll
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\WT9_1LDXX.dll
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\WT9_1LI.dll
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1sf.mor
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\Wt9_1sf.ths
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\wt9_1spls.dll
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\WT9_1SPTLEN.HLP
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\wt9_1sptlFR.exe
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\WT9_1SPTP.dll
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\WT9_1SPWP.dll
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\wt9_1uiFR.dll
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:37:14 [Note]: 10002 2
01/20/08 22:37:14 [Note]: 10002 2
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 3
01/20/08 22:37:17 [Note]: 10002 2
01/20/08 22:37:17 [Note]: 10002 2
01/20/08 22:40:16 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Empty.txt
01/20/08 22:40:16 [Note]: 10002 3
01/20/08 22:40:16 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Filters.xml
01/20/08 22:40:16 [Note]: 10002 3
01/20/08 22:40:16 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\news.png
01/20/08 22:40:16 [Note]: 10002 3
01/20/08 22:40:16 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\paint.png
01/20/08 22:40:16 [Note]: 10002 3
01/20/08 22:40:16 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Profiles\Blank.txt
01/20/08 22:40:16 [Note]: 10002 3
01/20/08 22:40:16 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample1.jpg
01/20/08 22:40:16 [Note]: 10002 3
01/20/08 22:40:16 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample2.jpg
01/20/08 22:40:16 [Note]: 10002 3
01/20/08 22:40:16 [Note]: 10002 2
01/20/08 22:40:16 [Note]: 10002 2
01/20/08 22:47:24 [Note]: 10002 2
01/20/08 22:47:24 [Note]: 10002 2
01/20/08 22:47:51 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe
01/20/08 22:47:51 [Note]: 10002 2
01/20/08 22:48:11 [Info]: Hidden file: C:\WINDOWS\system32\drivers\hldrrr.exe
01/20/08 22:48:11 [Note]: 10002 2
01/20/08 22:48:11 [Info]: Hidden file: c:\WINDOWS\system32\drivers\srosa.sys
01/20/08 22:48:11 [Note]: 10002 2
01/20/08 22:50:05 [Note]: 2000 1012
01/20/08 22:50:46 [Note]: 7007 0
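The helper's warning above (do not use BlackLight's "Rename" before the report has been read, because legitimate files such as wbemtest.exe can show up as hidden) is easy to turn into a small triage script. The Python below is an added example, not code from this thread, from F-Secure or from Satinfo: it parses a constructed subset of lines in the shape of the EliBagle and BlackLight reports posted above (embedded inline), cross-references the files EliBagle reported as "Acceso Denegado" with the objects BlackLight reports as hidden, and ranks them. The severity labels, and the rule that a hidden file outside the Windows directory only gets a "review" flag, are this example's own assumptions.

```python
import re

# Constructed sample lines, in the shape of the EliBagle and BlackLight reports
# posted in this thread (a subset of the entries, not the full reports).
ELIBAGLE_SAMPLE = r"""
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
C:\WINDOWS\system32\drivers\down\101062.EXE --> Eliminado Bagle
"""

BLACKLIGHT_SAMPLE = r"""
01/20/08 22:35:37 [Info]: Hidden process: C:\WINDOWS\system32\drivers\hldrrr.exe
01/20/08 22:35:37 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
01/20/08 22:37:14 [Info]: Hidden file: c:\Program Files\Fichiers communs\Corel\Shared\Writing Tools\9.1\W9_1FR.HLP
01/20/08 22:37:14 [Note]: 10002 3
01/20/08 22:40:16 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Empty.txt
01/20/08 22:47:51 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe
01/20/08 22:48:11 [Info]: Hidden file: C:\WINDOWS\system32\drivers\hldrrr.exe
01/20/08 22:48:11 [Info]: Hidden file: c:\WINDOWS\system32\drivers\srosa.sys
01/20/08 22:50:05 [Note]: 2000 1012
"""

BLACKLIGHT_RE = re.compile(r"^\S+ \S+ \[Info\]: Hidden (?P<kind>process|file): (?P<path>.+)$")
SYSTEM_PREFIX = "c:\\windows\\"   # assumption: the Windows directory is C:\WINDOWS


def norm(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().lower()


def parse_elibagle(text):
    """Map each path in an EliBagle action list to 'removed' or 'denied'.
    'Acceso Denegado' means the tool could not touch the file: on this machine
    the rootkit driver was still protecting it."""
    actions = {}
    for line in text.splitlines():
        path, sep, verdict = line.partition(" --> ")
        if not sep:
            continue
        actions[norm(path)] = "denied" if "Acceso Denegado" in verdict else "removed"
    return actions


def parse_blacklight(text):
    """Map each hidden object BlackLight reports to the set of kinds seen
    ('process', 'file'); the [Note] lines carry no path and are skipped."""
    hidden = {}
    for line in text.splitlines():
        m = BLACKLIGHT_RE.match(line)
        if m:
            hidden.setdefault(norm(m.group("path")), set()).add(m.group("kind"))
    return hidden


def triage(elibagle, blacklight):
    """Rank hidden objects. A hidden *process*, or a hidden file that another
    tool was denied access to, is the rootkit itself. A hidden file under the
    Windows directory is worth a look. Hidden files elsewhere are often
    legitimate (copy-protected or help files), which is why the thread advises
    not to hit 'Rename' before the report has been read."""
    findings = {}
    for path, kinds in blacklight.items():
        removal = elibagle.get(path)
        if "process" in kinds or removal == "denied":
            severity, why = "high", "hidden running code, or removal blocked by the rootkit"
        elif path.startswith(SYSTEM_PREFIX):
            severity, why = "medium", "hidden file in the Windows directory"
        else:
            severity, why = "review", "hidden file outside Windows; may be legitimate"
        findings[path] = {"severity": severity, "kinds": sorted(kinds),
                          "elibagle": removal, "why": why}
    return findings


def count_by_severity(findings):
    """Summary counts per severity label."""
    counts = {}
    for f in findings.values():
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(parse_elibagle(ELIBAGLE_SAMPLE), parse_blacklight(BLACKLIGHT_SAMPLE))
    for path, f in sorted(result.items(), key=lambda kv: kv[1]["severity"]):
        print(f"{f['severity']:6} {path}  [{', '.join(f['kinds'])}; elibagle={f['elibagle']}] {f['why']}")
    print(count_by_severity(result))
```

On the sample, the three Bagle components (wintems.exe, hldrrr.exe, srosa.sys) come out as high because they are either hidden running processes or files a removal tool was denied access to, while the Corel and Movie Maker entries are marked for review only, which matches how the helper read the real report.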
20 January 2008 23:07:25

Thank you already for the reply.
I'm going to sleep and will resume this disinfection tomorrow. Sorry, but I'm dead tired in front of my screen.
See you tomorrow evening.
21 January 2008 12:31:18

Hello
Download Combofix by sUBs:
combofix.exe
and save it to your desktop, nowhere else!


Double-click combofix. It will ask you a question; answer by pressing key 1, then wait until combofix has finished. Your PC may reboot, that's normal; a report will be created. Post the report.

Add a new HijackThis report.
21 January 2008 19:44:24

Good evening,

Thanks again for your valuable help.

Here is the combofix.exe report


ComboFix 08-01-20.1 - Serge Robert 2008-01-21 19:31:18.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.666 [GMT 1:00]
Running from: C:\Documents and Settings\Serge Robert\Bureau\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\version.txt

----- Unknown downloads made by BITS: ----
http://toolbar.google.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA


((((((((((((((((((((((((((((( Fichiers créés 2007-12-21 to 2008-01-21 ))))))))))))))))))))))))))))))))))))
.

2008-01-21 19:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-21 07:09 . 2008-01-21 07:09 <REP> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-19 12:17 . 2008-01-19 13:52 <REP> d-------- C:\Program Files\NoAdware5.0
2008-01-18 13:27 . 2008-01-19 13:54 <REP> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-18 13:27 . 2008-01-18 13:27 <REP> d-------- C:\Documents and Settings\Serge Robert\Application Data\SUPERAntiSpyware.com
2008-01-18 13:27 . 2008-01-18 13:27 <REP> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 11:03 . 2008-01-19 14:17 <REP> d-------- C:\Program Files\Moon Secure Antivirus
2008-01-18 09:42 . 2008-01-19 14:09 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-18 09:39 . 2008-01-19 14:19 <REP> d-------- C:\Program Files\Trojan Remover
2008-01-18 09:33 . 2008-01-18 09:33 <REP> d-------- C:\Program Files\Trend Micro
2008-01-18 09:06 . 2008-01-18 09:06 <REP> d-------- C:\Documents and Settings\Serge Robert\Application Data\PrevxCSI
2008-01-18 09:06 . 2008-01-18 09:06 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-18 07:40 . 2008-01-18 07:40 <REP> d-------- C:\Program Files\Uniblue
2008-01-18 07:40 . 2008-01-18 07:40 <REP> d-------- C:\Documents and Settings\Serge Robert\Application Data\Uniblue
2008-01-17 20:48 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-17 20:47 . 2008-01-17 22:23 <REP> d-------- C:\Documents and Settings\Serge Robert\Application Data\HouseCall 6.6
2008-01-17 17:48 . 2008-01-17 17:48 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-17 09:17 . 2008-01-18 09:35 <REP> d-------- C:\WINDOWS\BDOSCAN8
2008-01-17 08:15 . 2008-01-17 19:45 <REP> d-------- C:\Documents and Settings\Serge Robert\.housecall6.6
2008-01-16 07:21 . 2008-01-20 22:02 70,660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-14 15:03 . 2008-01-14 15:03 <REP> d-------- C:\Program Files\Fichiers communs\AVSMedia
2008-01-14 15:03 . 2008-01-14 15:03 <REP> d-------- C:\Program Files\AVS4YOU
2008-01-14 11:42 . 2008-01-14 11:42 <REP> d-------- C:\Program Files\Lavasoft
2008-01-14 11:42 . 2008-01-14 11:43 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 11:41 . 2008-01-18 13:26 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-01-14 07:32 . 2008-01-20 22:04 <REP> d-------- C:\WINDOWS\system32\drivers\down
2008-01-14 07:20 . 2007-03-01 12:08 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-01-11 11:51 . 2008-01-11 11:51 <REP> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-01-11 11:51 . 2003-05-21 13:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-07 20:35 . 2008-01-07 20:35 268 --ah----- C:\sqmdata19.sqm
2008-01-07 20:35 . 2008-01-07 20:35 244 --ah----- C:\sqmnoopt19.sqm
2007-12-28 13:45 . 2007-12-28 13:45 244 --ah----- C:\sqmnoopt18.sqm
2007-12-28 13:45 . 2007-12-28 13:45 232 --ah----- C:\sqmdata18.sqm
2007-12-27 21:18 . 2007-12-27 21:18 244 --ah----- C:\sqmnoopt17.sqm
2007-12-27 21:18 . 2007-12-27 21:18 244 --ah----- C:\sqmnoopt16.sqm
2007-12-27 21:18 . 2007-12-27 21:18 232 --ah----- C:\sqmdata17.sqm
2007-12-27 21:18 . 2007-12-27 21:18 232 --ah----- C:\sqmdata16.sqm
2007-12-25 10:57 . 2007-12-25 10:57 244 --ah----- C:\sqmnoopt15.sqm
2007-12-25 10:57 . 2007-12-25 10:57 232 --ah----- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 12:11 --------- d-----w C:\Program Files\DVD Shrink
2008-01-19 09:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-18 11:36 --------- d-----w C:\Program Files\Bricks Of Egypt
2008-01-18 11:36 --------- d-----w C:\Program Files\Big Kahuna Reef
2008-01-17 09:01 --------- d-----w C:\Program Files\7 Wonders
2008-01-14 14:58 --------- d-----w C:\Documents and Settings\Serge Robert\Application Data\Canon
2008-01-14 11:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 10:30 --------- d-----w C:\Program Files\Alwil Software
2008-01-14 06:46 90,112 ----a-w C:\WINDOWS\DUMP4ecb.tmp
2008-01-14 06:36 --------- d-----w C:\Program Files\eMule
2008-01-12 14:13 --------- d-----w C:\Program Files\Google
2008-01-08 19:11 --------- d-----w C:\Program Files\TWIXTEL
2007-12-14 16:33 --------- d-----w C:\Documents and Settings\Serge Robert\Application Data\123 Free Solitaire
2007-11-23 10:28 --------- d-----w C:\Program Files\DVDFab HD Decrypter 4
2007-09-05 09:55 650 ----a-w C:\Program Files\launch.ini
2006-05-28 10:09 24,192 ----a-w C:\Documents and Settings\Serge Robert\usbsermptxp.sys
2006-05-28 10:09 22,768 ----a-w C:\Documents and Settings\Serge Robert\usbsermpt.sys
2002-07-08 08:20 11,678 ----a-w C:\Program Files\readme.txt
2002-07-07 15:00 7,204,864 ----a-w C:\Program Files\Gutterball3D.exe
2002-07-01 11:54 8,831 ----a-w C:\Program Files\License.txt
2002-05-20 08:35 16,820 ----a-w C:\Program Files\upsell.bmp
2006-12-20 17:35 104 --sh--r C:\WINDOWS\system32\85087627A6.sys
2006-12-20 17:35 88 --sh--r C:\WINDOWS\system32\A627760885.sys
2007-01-11 18:14 6,686 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 12:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"Moon Secure Antivirus"="C:\Program Files\Moon Secure Antivirus\moontray.exe" [2007-01-24 19:49 1153536]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-14 20:51 7323648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

S1 lusbaudio;Microphone USB Logitech;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 21:05]
S2 msav;Moon Secure Antivirus Core;C:\Program Files\Moon Secure Antivirus\msavcore.exe [2007-01-24 19:49]
S3 QCEmerald;QuickCam Web Logitech;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 21:05]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-05-01 12:16]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-05-01 12:17]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-05-01 12:17]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-05-01 12:18]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys [2006-05-01 12:15]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys [2006-05-01 12:18]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys [2006-05-01 12:15]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce201459-aec6-11dc-b004-001372189a1a}]
\Shell\AutoRun\command - F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6ddddf4-4fb3-11dc-af86-001372189a1a}]
\Shell\AutoRun\command - F:\USBNB.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 19:37:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 19:39:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 18:39:33
.
2008-01-21 18:19:53 --- E O F ---

And here is the new HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:52, on 21.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Moon Secure Antivirus\moontray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [Moon Secure Antivirus] "C:\Program Files\Moon Secure Antivirus\moontray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2400 bytes
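Two parts of the ComboFix report above are what a responder reads first: the "Fichiers créés" block, where mdelk.exe stands out as an executable dropped into system32 on 2008-01-16 and rewritten on 2008-01-20, and the mountpoints2 keys, whose AutoRun command points at F:\USBNB.exe on a removable drive. The Python below is an added example, not ComboFix's code or anything from the thread: it parses a constructed subset of those report lines (embedded inline) into timestamped entries, scores each file on three signals (executable extension, location under the Windows directory, modified after creation) and lists the AutoRun commands. The scoring rule and the extension list are this example's assumptions; a high score is a reason to look, not a verdict (tmcomm.sys, for instance, was created one minute after the HouseCall 6.6 folder in the same report).

```python
import re
from datetime import datetime

# Constructed sample in the shape of the ComboFix report posted above: a few
# lines from its "Fichiers créés" block and one mountpoints2 entry.
COMBOFIX_SAMPLE = r"""
((((((((((((((((((((((((((((( Fichiers créés 2007-12-21 to 2008-01-21 ))))))))))))))))))))))))))))))))))))
.

2008-01-21 19:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 09:33 . 2008-01-18 09:33 <REP> d-------- C:\Program Files\Trend Micro
2008-01-17 20:48 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-16 07:21 . 2008-01-20 22:02 70,660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-14 07:32 . 2008-01-20 22:04 <REP> d-------- C:\WINDOWS\system32\drivers\down
2008-01-14 07:20 . 2007-03-01 12:08 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-01-07 20:35 . 2008-01-07 20:35 268 --ah----- C:\sqmdata19.sqm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce201459-aec6-11dc-b004-001372189a1a}]
\Shell\AutoRun\command - F:\USBNB.exe
"""

# One "created files" line: <created> . <modified> <size or <REP>> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><REP>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
MOUNTPOINT_RE = re.compile(r"^\[hkey_current_user\\.*\\mountpoints2\\(?P<guid>\{[^}]+\})\]$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<target>.+)$")

EXEC_EXT = (".exe", ".sys", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd")  # assumption
TIME_FMT = "%Y-%m-%d %H:%M"


def parse_created(text):
    """Return one dict per file line of the created-files block; directories
    (size column <REP>) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group("size") == "<REP>":
            continue
        entries.append({
            "created": datetime.strptime(m.group("created"), TIME_FMT),
            "modified": datetime.strptime(m.group("modified"), TIME_FMT),
            "size": int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path").strip(),
        })
    return entries


def score_file(entry):
    """Three independent signals; the score is how many apply. A file that is
    modified after it was created keeps being rewritten on disk, which an
    ordinary installer copy does not do (its modified time is usually older)."""
    path = entry["path"].lower()
    reasons = []
    if path.endswith(EXEC_EXT):
        reasons.append("executable code")
    if path.startswith("c:\\windows\\"):
        reasons.append("in Windows directory")
    if entry["modified"] > entry["created"]:
        reasons.append("modified after creation")
    return len(reasons), reasons


def rank_files(text):
    """(score, path, reasons) for every scored file, highest score first."""
    ranked = []
    for entry in parse_created(text):
        score, reasons = score_file(entry)
        if score:
            ranked.append((score, entry["path"], reasons))
    ranked.sort(key=lambda r: (-r[0], r[1].lower()))
    return ranked


def autorun_commands(text):
    """Pair each mountpoints2 key with the AutoRun command listed under it.
    Such a command runs when the matching drive is attached, so a target on a
    removable drive letter is a persistence point to check, whatever it is."""
    found, current = [], None
    for line in text.splitlines():
        mp = MOUNTPOINT_RE.match(line)
        if mp:
            current = mp.group("guid")
            continue
        ar = AUTORUN_RE.match(line)
        if ar and current:
            found.append((current, ar.group("target").strip()))
            current = None
    return found


if __name__ == "__main__":
    for score, path, reasons in rank_files(COMBOFIX_SAMPLE):
        print(f"{score} {path}  ({', '.join(reasons)})")
    for guid, target in autorun_commands(COMBOFIX_SAMPLE):
        print(f"AutoRun {guid} -> {target}")
```

On the sample, mdelk.exe is the only file that scores on all three signals; NirCmd.exe, tmcomm.sys and GdiPlus.dll score two each and deserve a glance rather than deletion, and the sqmdata entry drops out entirely.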
21 January 2008 20:17:36

I think I'm no longer infected. The mdelk.exe virus is disabled. I was able to put it in the Recycle Bin manually.

And the Avast icons are back to normal.


21 January 2008 20:28:01

The Spybot icon too. I haven't restarted my system yet, but I'm waiting to hear from you.
Thanks in advance
21 January 2008 21:42:15

Good evening

Here's what we're going to do: you're going to replace Avast! with Antivir, which is a real antivirus, run a scan with it and post the report. :)


Uninstall Avast! properly


To replace it with Antivir.

-->Tutorial<--


Why switch?: Avast! vs Antivir
21 January 2008 23:30:43

Good evening,
Thank you very much for what you're doing.
Avast has been uninstalled and replaced by Antivir.
Here is the report:



AntiVir PersonalEdition Classic
Report file date: lundi, 21. janvier 2008 22:45

Scanning for 1060579 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: SERGE

Version information:
BUILD.DAT : 270 15603 Bytes 19.09.2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23.08.2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16.08.2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14.08.2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21.08.2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 21:44:09
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14.12.2007 21:44:09
ANTIVIR2.VDF : 7.0.2.0 948736 Bytes 15.01.2008 21:44:10
ANTIVIR3.VDF : 7.0.2.25 271360 Bytes 21.01.2008 21:44:10
AVEWIN32.DLL : 7.6.0.48 3080704 Bytes 21.01.2008 21:44:11
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26.02.2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18.07.2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16.04.2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 21.01.2008 21:44:11
AVREG.DLL : 7.0.1.6 30760 Bytes 18.07.2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28.08.2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18.07.2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08.03.2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07.08.2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21.08.2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23.07.2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: lundi, 21. janvier 2008 22:45

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'IAANTMon.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
26 processes with 26 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '17' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\eMule\Incoming\DVD43.v2.5.0.192.WinALL.Cracked-xRTC.zip
[0] Archive type: ZIP
--> crack.zip
[1] Archive type: ZIP
--> DVD43_Tray.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP497\A0038095.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP497\A0038204.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP497\A0038251.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP497\A0038263.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP498\A0038309.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP498\A0038406.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP498\A0038425.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP499\A0038574.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP499\A0038591.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP499\A0038602.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038650.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038658.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038659.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038660.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038661.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038662.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038664.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038665.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038666.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038667.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038668.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038669.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038670.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038671.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038672.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038673.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038676.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038677.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038678.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038679.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038681.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038682.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038683.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038685.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038686.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038687.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038688.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038689.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP500\A0038690.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038703.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038704.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038720.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038721.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038722.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038732.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038733.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038734.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038745.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038746.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038747.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038759.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038761.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038762.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038773.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038795.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038796.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038797.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038808.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038809.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038810.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038820.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038821.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP501\A0038822.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP502\A0039819.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP502\A0039820.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP502\A0040817.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP502\A0040818.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP502\A0040819.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0040851.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0040852.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0040853.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0041852.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0041853.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0041854.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0042851.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0042852.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP503\A0042853.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042906.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042907.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042908.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042924.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042925.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042926.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042964.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042965.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0042966.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043053.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043054.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043055.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043056.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043057.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043058.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043059.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043060.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043061.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043062.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043063.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043064.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043065.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043066.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043067.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043068.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043069.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043070.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043071.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043072.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043073.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043074.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043075.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043076.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043077.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043078.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043079.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043080.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043081.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043082.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043083.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043084.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043085.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043086.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043087.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043088.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043089.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043090.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP504\A0043091.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP505\A0043097.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP505\A0043098.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP505\A0043105.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP505\A0043106.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP507\A0043213.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA39A09C-50BA-4996-869B-915C83FE3B53}\RP507\A0043214.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\down\14617625.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\down\44390.exe
[DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\down\81484.exe
[DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
[INFO] The file was deleted!


End of the scan: lundi, 21. janvier 2008 23:29
Used time: 44:05 min

The scan has been done completely.

7623 Scanning directories
434429 Files were scanned
134 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
135 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
434295 Files not concerned
3872 Archives were scanned
2 Warnings
0 Notes

22 January 2008 12:23:59

Hello,
post a new HijackThis log please.
22 January 2008 16:19:37

Hello,

here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:19:18, on 22.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2547 bytes
22 January 2008 17:10:43

Hi again,
run another scan with Blacklight please.
22 January 2008 17:31:30

Hi again.

Here is the report from Blacklight:

01/22/08 17:17:31 [Info]: BlackLight Engine 1.0.67 initialized
01/22/08 17:17:31 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/22/08 17:17:31 [Note]: 7019 4
01/22/08 17:17:31 [Note]: 7005 0
01/22/08 17:17:36 [Note]: 7006 0
01/22/08 17:17:36 [Note]: 7011 1592
01/22/08 17:17:36 [Note]: 7026 0
01/22/08 17:17:37 [Note]: 7026 0
01/22/08 17:17:41 [Note]: FSRAW library version 1.7.1024
01/22/08 17:29:27 [Note]: 2000 1012
01/22/08 17:31:22 [Note]: 7007 0
22 January 2008 21:33:21

Good.
Do you still have any problems?
22 January 2008 22:27:14

No, I think everything is perfect.

THANK YOU very much for what you did.

22 January 2008 22:37:14

Good :) 

Remove all the programs that were installed for the disinfection.

Please read this file (in pdf) to learn more about the risks of the Internet.

If you find this document interesting, feel free to pass it on to your contacts.

~Edit your first message (by clicking the eraser) and mark [resolved] in the title.

:hello: 
1 March 2008 15:53:19

Hi everyone. I also have mdelk.exe, located in c://windows/system32.
Except that in my case it is much tougher than here, and I really can't manage to delete it. I caught the thing this morning around 9 am, I know exactly how, and since then I've been wandering the web trying to find a solution :/ 

I tried to follow what was said in this thread, but the problem is that it is impossible for me to launch any .exe, because I immediately get an error: blah blah is not a valid Win32 application.
I can only launch Elibagla in normal Windows mode; it finds mdelk.exe but does not delete it. Safe mode doesn't work because I get a blue screen...
I'm really lost; I think there are still a few rare .exe files that do launch.
Oh yes, I also tried a restore to an earlier restore point, but that would have been too easy...

Please help me :/ 

edit: here is the report from Elibagla:
http://aslan.infographie.free.fr/info.txt
