Infection of type xxhblxw and MSWVR32

Tags:
  • Trojan
  • Security
5 November 2007 17:40:01

Good evening
I'm taking the liberty of opening a new thread because after several days of research on these two executables, I still haven't found anything.
So, the diagnosis:
- MSWVR32.exe is a process that keeps coming back: I kill it, and 2 seconds later it's back ...
- xxhblxw.exe is a process that I can kill at logon; I can then delete the exe, which lodges itself each time at the root of my partition, but on every reboot it's back again :)
- When I open the internet, Avast goes wild, repeating every 2 seconds that a Trojan horse is trying to get onto the PC; I block it, but blocking a Trojan every 2 seconds gets pretty "annoying".
- Spybot and AVG find spyware and remove it, but apparently that changes nothing at all...

There, I think I've covered everything...
Can anyone help me?
Thanks in advance!


5 November 2007 19:19:16

Here's the report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:59, on 05/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\wscntfy.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\Program Files\Fichiers communs\System\MSWVR32.exe
D:\Documents and Settings\GoraK\Bureau\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = D:\Program Files\AOL Toolbar\welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AOLSAV] D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "D:\Program Files\AOL 9.0 VR\AOL.EXE" -b
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Recherche AOL Toolbar - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr/
O20 - Winlogon Notify: crehcjid - D:\WINDOWS\SYSTEM32\crehcjid.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - D:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Microsoft Windows Video Driver - Unknown owner - D:\Program Files\Fichiers communs\System\MSWVR32.exe
O23 - Service: Microsoft wscntfy Service - Unknown owner - D:\WINDOWS\wscntfy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

--
End of file - 5335 bytes

The scan was done after I killed the recurring process. Let me know if that changes anything for the report please.
5 November 2007 20:22:01

re

I don't want you to kill anything at all; it stops me from seeing everything...

~Download VundoFix.exe (by Atribune) to your Desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to launch it.
Click the Scan for Vundo button.
~When the scan is complete, click the Remove Vundo button.
A prompt will ask you if you want to delete the files; click YES.
After clicking "Yes", the Desktop will disappear for a moment while the files are deleted.
You will see a prompt telling you that your PC is going to restart; click OK.
~Copy/paste the contents of the report located at C:\vundofix.txt along with a new HijackThis report in your next reply.
Note: It is possible that VundoFix will run into a file it cannot delete. If so, the tool will launch at the next restart; just follow the instructions above, starting from "click the Scan for Vundo button".
6 November 2007 15:14:20

Hello
Well, dear Vundo tells me it finds nothing infected!
6 November 2007 18:48:16

hello
let's do it another way

1

Virusscan
Scan this file:

D:\Program Files\Fichiers communs\System\MSWVR32.exe

on the virusscan site

http://virusscan.jotti.org/

and post us the report.

2

Download ComboFix by sUBs:
combofix.exe
and save it to your desktop and nowhere else!

Double-click combofix. It will ask you a question; answer by pressing key 1, then wait until combofix has finished. Your PC may reboot, that's normal; a report will be created. Post the report.

add a new HijackThis report.
6 November 2007 19:49:14

Apparently you sorted it!
Here's the ComboFix report:
ComboFix 07-11-06.4 - GoraK 2007-11-06 19:35:07.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.279 [GMT 1:00]
Running from: D:\Documents and Settings\GoraK\Bureau\ComboFix.exe
* Created a new restore point
.

Incapable d'obtenir les privilèges Système

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\rundll32.exe
D:\WINDOWS\system32\8_exception.nls
D:\WINDOWS\system32\drivers\secdrv.sys
D:\WINDOWS\system32\xpdx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\symavc32
-------\xpdx


((((((((((((((((((((((((((((( Fichiers créés 2007-10-06 to 2007-11-06 ))))))))))))))))))))))))))))))))))))
.

2007-11-06 19:34 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-06 15:09 <REP> d-------- D:\VundoFix Backups
2007-11-04 22:16 <REP> d-------- D:\Program Files\Fichiers communs\Adobe
2007-11-04 22:06 89,088 --a------ D:\WINDOWS\system32\crehcjid.dll
2007-11-04 22:06 16,768 --a------ D:\WINDOWS\system32\tcpip_patcher.sys
2007-11-04 19:06 <REP> d-------- D:\Documents and Settings\GoraK\Application Data\Grisoft
2007-11-04 19:06 <REP> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-03 14:53 <REP> d-------- D:\WINDOWS\pss
2007-11-03 14:48 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-03 14:02 51,204 ---hs---- D:\WINDOWS\system32\mdm.exe
2007-11-03 13:49 <REP> d-------- D:\Program Files\CamStudio
2007-11-03 13:48 36,573 --a------ D:\WINDOWS\system32\ba.exe
2007-11-03 13:12 438,784 -r-hs---- D:\WINDOWS\wscntfy.exe
2007-11-03 13:10 <REP> d-------- D:\WINDOWS\Sun
2007-11-03 13:09 <REP> d-------- D:\Program Files\Java
2007-11-03 13:08 <REP> d-------- D:\Program Files\Fichiers communs\Java
2007-11-03 13:08 1,416 --a------ D:\WINDOWS\mozver.dat
2007-11-03 12:59 <REP> d-------- D:\Documents and Settings\GoraK\Contacts
2007-11-03 12:56 <REP> d----c--- D:\WINDOWS\system32\DRVSTORE
2007-11-03 12:56 <REP> d-------- D:\Program Files\MSN Messenger
2007-11-03 12:26 65,536 --a------ D:\WINDOWS\wanmpsvc.exe
2007-11-03 12:25 <REP> d-------- D:\Program Files\AOL 9.0 VR
2007-11-03 12:18 <REP> d-------- D:\Program Files\DirectX9c
2007-11-03 12:15 <REP> d-------- D:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-03 12:14 <REP> d-------- D:\Documents and Settings\GoraK\Application Data\Talkback
2007-11-03 12:11 <REP> d-------- D:\Documents and Settings\GoraK\Application Data\AOL
2007-11-03 12:10 <REP> d-------- D:\WINDOWS\system32\QuickTime
2007-11-03 12:10 <REP> d-------- D:\WINDOWS\occache
2007-11-03 12:10 <REP> d-------- D:\Program Files\Viewpoint
2007-11-03 12:10 <REP> d-------- D:\Program Files\QuickTime
2007-11-03 12:10 <REP> d-------- D:\Program Files\Learn2.com
2007-11-03 12:10 <REP> d-------- D:\Program Files\Fichiers communs\Nullsoft
2007-11-03 12:10 <REP> d-------- D:\Program Files\Fichiers communs\aolback
2007-11-03 12:10 <REP> d-------- D:\Program Files\AOL Toolbar
2007-11-03 12:10 <REP> d-------- D:\Documents and Settings\GoraK\Application Data\You've Got Pictures Screensaver
2007-11-03 12:10 <REP> d-------- D:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-03 12:10 <REP> d-------- D:\Documents and Settings\All Users\Application Data\QuickTime
2007-11-03 12:10 173,184 --a------ D:\WINDOWS\system32\ygpss.scr
2007-11-03 12:10 86,016 --a------ D:\WINDOWS\unvise32qt.exe
2007-11-03 12:09 <REP> d-------- D:\Program Files\Real
2007-11-03 12:09 <REP> d-------- D:\Program Files\Fichiers communs\Real
2007-11-03 12:09 <REP> d-------- D:\My Music
2007-11-03 12:09 <REP> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 12:09 8,552 --a------ D:\WINDOWS\system32\drivers\asctrm.sys
2007-11-03 12:08 <REP> d-------- D:\Program Files\Fichiers communs\aolshare
2007-11-03 12:08 <REP> d-------- D:\Program Files\AOL 9.0
2007-11-03 12:08 <REP> d-------- D:\Documents and Settings\All Users\Application Data\AOL
2007-11-03 12:08 153,088 --a------ D:\WINDOWS\system32\jgdwmie.dll
2007-11-03 12:08 33,588 --a------ D:\WINDOWS\system32\drivers\wanatw4.sys
2007-11-03 12:07 <REP> d-------- D:\Program Files\TechCity Solutions
2007-11-03 12:07 <REP> d-------- D:\Program Files\Fichiers communs\AOL
2007-11-03 12:07 335 --a------ D:\WINDOWS\nsreg.dat
2007-11-03 12:03 <REP> d-------- D:\Program Files\Alcatel
2007-11-03 12:03 743,136 --a------ D:\WINDOWS\system32\drivers\alcaudsl.sys
2007-11-03 12:03 36,048 --a------ D:\WINDOWS\system32\drivers\alcan5ln.sys
2007-11-03 12:03 5,607 --a------ D:\WINDOWS\system32\stci.dll
2007-11-03 12:03 5,312 --a------ D:\WINDOWS\system32\drivers\alcawh.sys
2007-11-03 12:03 4,000 --a------ D:\WINDOWS\system32\drivers\alcacr.sys

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 21:06 1,008,695 ----a-w D:\WINDOWS\explorer.exe
2007-11-03 11:03 --------- d--h--w D:\Program Files\InstallShield Installation Information
2007-11-02 19:45 --------- d-----w D:\Program Files\Alwil Software
2007-11-02 18:57 --------- d-----w D:\Documents and Settings\GoraK\Application Data\DivX
2007-11-02 18:51 --------- d-----w D:\Program Files\DivX
2007-11-02 18:50 --------- d-----w D:\Program Files\XviD
2007-11-02 18:47 --------- d-----w D:\Program Files\Fichiers communs\InstallShield
2007-11-02 18:41 --------- d-----w D:\Program Files\microsoft frontpage
2007-11-02 18:38 --------- d-----w D:\Program Files\Services en ligne
2007-11-02 18:37 --------- d-----w D:\Program Files\Fichiers communs\MSSoap
2007-11-02 18:31 --------- d-----w D:\Program Files\Fichiers communs\SpeechEngines
2007-11-02 18:31 --------- d-----w D:\Program Files\Fichiers communs\ODBC
2007-09-06 11:09 801,144 ----a-w D:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:05 94,416 ----a-w D:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 11:05 92,848 ----a-w D:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 11:03 23,152 ----a-w D:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 11:02 42,912 ----a-w D:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 11:00 95,608 ----a-w D:\WINDOWS\system32\AvastSS.scr
2007-09-06 11:00 26,624 ----a-w D:\WINDOWS\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"SpeedTouch USB Diagnostics"="D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15]
"AOLSAV"="D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe" [2004-03-15 12:39]
"AOLDialer"="D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe" [2007-06-21 11:01]
"HostManager"="D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe" [2006-09-26 01:52]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Office"=D:\WINDOWS\System32\mdm.exe
"Microsoft Windows Driver"=D:\WINDOWS\rundll32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
crehcjid.dll 2007-11-04 22:06 89088 D:\WINDOWS\system32\crehcjid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=D:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=D:\WINDOWS\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
D:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
D:\DOCUME~1\GoraK\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

R2 Microsoft wscntfy Service;Microsoft wscntfy Service;"D:\WINDOWS\wscntfy.exe"
R3 P101bVID;Creative WebCam;D:\WINDOWS\System32\DRIVERS\P101bVid.sys
R3 STAC97NA;SigmaTel 3D Environmental Audio;D:\WINDOWS\System32\drivers\stac97na.sys
R3 STAC97NH;STAC97NH;D:\WINDOWS\System32\drivers\stac97nh.sys
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);D:\WINDOWS\System32\DRIVERS\alcan5ln.sys
S4 Microsoft Windows Video Driver;Microsoft Windows Video Driver;"D:\Program Files\Fichiers communs\System\MSWVR32.exe"

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 19:40:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-06 19:41:08 - machine was rebooted
.
--- E O F ---


And here's the HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:41:43, on 06/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\wscntfy.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Documents and Settings\GoraK\Bureau\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = D:\Program Files\AOL Toolbar\welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AOLSAV] D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Recherche AOL Toolbar - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr/
O20 - Winlogon Notify: crehcjid - D:\WINDOWS\SYSTEM32\crehcjid.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - D:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Microsoft wscntfy Service - Unknown owner - D:\WINDOWS\wscntfy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

--
End of file - 5230 bytes
6 November 2007 23:07:52

re

for: D:\Program Files\Fichiers communs\System\MSWVR32.exe

you forgot to send me the Jotti scan. I'm waiting for it before doing the removal.
also scan these:
D:\WINDOWS\system32\tcpip_patcher.sys
D:\WINDOWS\system32\ba.exe
it's important.

1

~Download rustbfix (by ejvindh)

http://www.uploads.ejvindh.net/rustbfix.exe
Save it to your Desktop.
Double-click rustbfix.exe to launch the tool.

~Note: If a Rustock.b infection is detected, a prompt will tell you that your PC needs to be restarted. This restart may take longer than usual, and two restarts may be required. All of this will happen automatically.
After the restart(s), two reports will open: (%root%\avenger.txt & %root%\rustbfix\pelog.txt).

~Post (copy/paste) the contents of these two reports in your next reply.

2

Copy (Ctrl+C) the text below:
File::
D:\WINDOWS\system32\crehcjid.dll
D:\WINDOWS\system32\mdm.exe
D:\WINDOWS\wscntfy.exe
D:\WINDOWS\unvise32qt.exe


Folder::
D:\VundoFix Backups

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Office"=-
"Microsoft Windows Driver"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]



Open Notepad and paste (Ctrl+V) the text you just copied.
Save this file under the name CFScript.txt

Drag and drop this CFScript file onto the ComboFix.exe file, as in the screenshot


  • A blue window will appear: at the message that appears (Type 1 to continue, or 2 to abort), type 1 then press Enter.
  • Wait for the scan to finish. The desktop will disappear several times: that's normal!
    Don't touch anything until the scan is finished.
  • Once the scan is complete, a report will be displayed: post its contents.
  • If the file doesn't open, it is located here > C:\ComboFix.txt

add a new HijackThis log
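As an added illustration (not part of the thread, and not code from HijackThis, ComboFix or any other tool mentioned here), the triage the helper did by eye on the two HijackThis logs above can be scripted: flag Winlogon Notify packages outside a small allowlist, services that claim to be Microsoft but report "Unknown owner", unowned service binaries sitting directly in the Windows folder or under Common Files\System, and orphaned "(no file)" entries. The allowlist is an assumption, and the sample log is constructed from entries posted in this thread.

```python
"""Triage of HijackThis entries with the heuristics applied in this thread.

Added example: not from the thread or from HijackThis/ComboFix themselves.
The sample log below is constructed from entries posted in the thread.
"""
import re

# Winlogon Notify packages that ship with Windows XP or with common vendor
# drivers.  ASSUMPTION: a small illustrative allowlist, not an exhaustive one.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent", "wgalogon",
}

# A binary sitting directly in the Windows folder (not in a subfolder).
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll|sys)$", re.I)

# Constructed sample: lines taken from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: crehcjid - D:\WINDOWS\SYSTEM32\crehcjid.dll
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Microsoft Windows Video Driver - Unknown owner - D:\Program Files\Fichiers communs\System\MSWVR32.exe
O23 - Service: Microsoft wscntfy Service - Unknown owner - D:\WINDOWS\wscntfy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe
"""


def parse_line(line):
    """Split one HijackThis entry into its section code (O20, O23, R0, ...) and body.
    Returns None for lines that are not entries (headers, process list, blanks)."""
    m = re.match(r"^([ORFN]\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2), "raw": line.strip()}


def triage_entry(entry):
    """Return a list of (severity, reason) for one parsed entry."""
    sec, body = entry["section"], entry["body"]
    findings = []
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        # Body looks like "Winlogon Notify: <package> - <dll path>".
        package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if package not in KNOWN_NOTIFY:
            findings.append(("high", f"non-standard Winlogon Notify package '{package}'"))
    elif sec == "O23" and body.startswith("Service:"):
        # Body looks like "Service: <display name> - <owner> - <binary path>".
        parts = [p.strip() for p in body[len("Service:"):].split(" - ")]
        if len(parts) >= 3:
            display, owner, path = parts[0], parts[1], parts[-1]
            if owner.lower() == "unknown owner":
                if "microsoft" in display.lower():
                    findings.append(("high", "service claims to be Microsoft but has no owner"))
                if WINDIR_ROOT.match(path):
                    findings.append(("medium", "unowned service binary directly in the Windows folder"))
                elif re.search(r"\\(fichiers communs|common files)\\system\\", path, re.I):
                    findings.append(("medium", "unowned service binary under Common Files\\System"))
    elif sec in ("O2", "O3", "O9") and body.endswith("(no file)"):
        findings.append(("low", "orphaned entry, target file is missing"))
    return findings


def triage(log_text):
    """Run every entry of a log through triage_entry; returns (severity, reason, raw)."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for severity, reason in triage_entry(entry):
            results.append((severity, reason, entry["raw"]))
    return results


def count_by_severity(results):
    """Summarise triage output as {"high": n, "medium": n, "low": n}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in results:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, reason, raw in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {raw}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

Run against the sample it flags crehcjid.dll, MSWVR32.exe and wscntfy.exe (the same three entries the helper's CFScript targets) and leaves the Avast, ATI and AOL services alone.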
7 November 2007 19:31:55

Good evening,
I have a problem with my PC's power supply, so I'm waiting until I can turn the PC back on before sending you all that.
See you later
7 November 2007 22:57:28

good evening

no problem ;)
22 November 2007 13:07:42

Hello

Done! I'm going to take advantage of a new PSU and a bit of respite to post all these logs.
So first of all the Jotti scans (I had trouble doing them, Avast still goes just as wild whenever I connect...): for the file D:\Program Files\Fichiers communs\System\MSWVR32.exe I couldn't do it because it's no longer present on the PC.... :
Scanner results (tcpip_patcher.sys)
Scan taken on 22 Nov 2007 10:40:27 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found HackTool.DHI
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Scanner results (ba.exe)
Scan taken on 22 Nov 2007 10:45:41 (GMT)
A-Squared Found nothing
AntiVir Found TR/PCK.PolyCrypt.D.486
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Win32/PolyCrypt
BitDefender Found Trojan.PWS.LDPinch.TAW
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.166
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Packed.Win32.PolyCrypt.d
Fortinet Found nothing
Ikarus Found Packed.Win32.PolyCrypt.d
Kaspersky Anti-Virus Found Packed.Win32.PolyCrypt.d
NOD32 Found probably a variant of Win32/Obfuscated (probable variant)
Norman Virus Control Found W32/PolyCrypt.A
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-AW
VirusBuster Found Trojan.DR.Cimuz.Gen.1
VBA32 Found Trojan.Packed.166

Next, the "pelog.txt" log (avenger.txt cannot be found):
************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
22/11/2007 12:19:22,50

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\xpdx.sys FOUND!
attempting to delete xpdx.sys from system32-folder


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

Now the ComboFix log:
ComboFix 07-08-09.3 - "GoraK" 2007-11-22 12:47:32.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.271 [GMT 1:00]
Command switches used :: D:\Documents and Settings\GoraK\Bureau\CFScript.txt
* Created a new restore point

FILE::
D:\WINDOWS\system32\crehcjid.dll
D:\WINDOWS\system32\mdm.exe
D:\WINDOWS\wscntfy.exe
D:\WINDOWS\unvise32qt.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Program Files\Fichiers communs\microsoft shared\web folders\ibm00001.dll
D:\Program Files\Fichiers communs\microsoft shared\web folders\ibm00002.dll
D:\WINDOWS\rundll32.exe
D:\WINDOWS\system32\5_exception.nls
D:\WINDOWS\system32\crehcjid.dll
D:\WINDOWS\system32\mdm.exe
D:\WINDOWS\unvise32qt.exe
D:\WINDOWS\wscntfy.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTMLSVC
-------\NtmlSvc
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))


2007-11-22 12:16 95 --a------ D:\avexport.bat
2007-11-22 12:16 60,416 --a------ D:\WINDOWS\system32\drivers\qdqtensc.sys
2007-11-22 12:16 336 --a------ D:\reboot.bat
2007-11-22 12:16 19,814 --a------ D:\reboot.exe
2007-11-22 12:16 126,976 --a------ D:\zip.exe
2007-11-22 12:16 1,080 --a------ D:\eacyxucc.bat
2007-11-22 12:16 <REP> d-------- D:\Rustbfix
2007-11-22 12:01 <REP> d-------- D:\DOCUME~1\LOCALS~1\APPLIC~1\AOL
2007-11-07 13:07 385,536 -r-hsc--- D:\WINDOWS\system32\dllcache\mravsc32.exe
2007-11-06 19:34 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-04 22:06 16,768 --a------ D:\WINDOWS\system32\tcpip_patcher.sys
2007-11-03 14:53 <REP> d-------- D:\WINDOWS\pss
2007-11-03 14:48 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-03 13:49 <REP> d-------- D:\Program Files\CamStudio
2007-11-03 13:48 36,573 --a------ D:\WINDOWS\system32\ba.exe
2007-11-03 13:45 8,192 --a--c--- D:\WINDOWS\system32\dllcache\tsbyuv.dll
2007-11-03 13:45 8,192 --a------ D:\WINDOWS\system32\tsbyuv.dll
2007-11-03 13:45 61,440 -ra------ D:\WINDOWS\CtDrvIns.exe
2007-11-03 13:45 50,688 --a--c--- D:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-11-03 13:45 50,688 --a------ D:\WINDOWS\system32\vfwwdm32.dll
2007-11-03 13:45 45,568 --a--c--- D:\WINDOWS\system32\dllcache\iyuv_32.dll
2007-11-03 13:45 45,568 --a------ D:\WINDOWS\system32\iyuv_32.dll
2007-11-03 13:45 28,672 -ra------ D:\WINDOWS\system32\P101bPin.dll
2007-11-03 13:45 24,795 -ra------ D:\WINDOWS\system32\drivers\P101bCmD.sys
2007-11-03 13:45 24,576 -ra------ D:\WINDOWS\system32\P101bVfw.dll
2007-11-03 13:45 24,576 -ra------ D:\WINDOWS\P101bCfg.exe
2007-11-03 13:45 200,968 -ra------ D:\WINDOWS\VfwUpd.exe
2007-11-03 13:45 184,362 -ra------ D:\WINDOWS\system32\drivers\P101bVid.sys
2007-11-03 13:45 15,934 -ra------ D:\WINDOWS\system32\P101bSti.dll
2007-11-03 13:45 <REP> d-------- D:\WINDOWS\OvtCam
2007-11-03 13:08 1,416 --a------ D:\WINDOWS\mozver.dat
2007-11-03 12:59 <REP> d-------- D:\DOCUME~1\GoraK\Contacts
2007-11-03 12:56 <REP> d----c--- D:\WINDOWS\system32\DRVSTORE
2007-11-03 12:56 <REP> d-------- D:\Program Files\MSN Messenger
2007-11-03 12:51 <REP> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-11-03 12:27 981,504 --a--c--- D:\WINDOWS\system32\dllcache\wmnetmgr.dll
2007-11-03 12:27 981,504 --a------ D:\WINDOWS\system32\wmnetmgr.dll
2007-11-03 12:27 9,728 --a--c--- D:\WINDOWS\system32\dllcache\npwmsdrm.dll
2007-11-03 12:27 82,432 --a--c--- D:\WINDOWS\system32\dllcache\drmstor.dll
2007-11-03 12:27 82,432 --a------ D:\WINDOWS\system32\drmstor.dll
2007-11-03 12:27 816,264 --a--c--- D:\WINDOWS\system32\dllcache\wmvdmod.dll
2007-11-03 12:27 816,264 --a------ D:\WINDOWS\system32\wmvdmod.dll
2007-11-03 12:27 81,408 --a--c--- D:\WINDOWS\system32\dllcache\logagent.exe
2007-11-03 12:27 81,408 --a------ D:\WINDOWS\system32\logagent.exe
2007-11-03 12:27 760,968 --a--c--- D:\WINDOWS\system32\dllcache\wmsdmod.dll
2007-11-03 12:27 760,968 --a------ D:\WINDOWS\system32\wmsdmod.dll
2007-11-03 12:27 678,912 --a--c--- D:\WINDOWS\system32\dllcache\drmv2clt.dll
2007-11-03 12:27 678,912 --a------ D:\WINDOWS\system32\drmv2clt.dll
2007-11-03 12:27 670,208 --a--c--- D:\WINDOWS\system32\dllcache\wmadmoe.dll
2007-11-03 12:27 670,208 --a------ D:\WINDOWS\system32\wmadmoe.dll
2007-11-03 12:27 6,656 --a--c--- D:\WINDOWS\system32\dllcache\laprxy.dll
2007-11-03 12:27 6,656 --a------ D:\WINDOWS\system32\laprxy.dll
2007-11-03 12:27 410,248 --a--c--- D:\WINDOWS\system32\dllcache\wmadmod.dll
2007-11-03 12:27 410,248 --a------ D:\WINDOWS\system32\wmadmod.dll
2007-11-03 12:27 301,712 --a--c--- D:\WINDOWS\system32\dllcache\drmclien.dll
2007-11-03 12:27 301,712 --a------ D:\WINDOWS\system32\drmclien.dll
2007-11-03 12:27 253,952 --a--c--- D:\WINDOWS\system32\dllcache\msnetobj.dll
2007-11-03 12:27 253,952 --a------ D:\WINDOWS\system32\msnetobj.dll
2007-11-03 12:27 241,664 --a--c--- D:\WINDOWS\system32\dllcache\qasf.dll
2007-11-03 12:27 241,664 --a--c--- D:\WINDOWS\system32\dllcache\mpg4dmod.dll
2007-11-03 12:27 241,664 --a------ D:\WINDOWS\system32\qasf.dll
2007-11-03 12:27 241,664 --a------ D:\WINDOWS\system32\mpg4dmod.dll
2007-11-03 12:27 232,960 --a--c--- D:\WINDOWS\system32\dllcache\blackbox.dll
2007-11-03 12:27 232,960 --a------ D:\WINDOWS\system32\blackbox.dll
2007-11-03 12:27 218,112 --a--c--- D:\WINDOWS\system32\dllcache\wmasf.dll
2007-11-03 12:27 218,112 --a------ D:\WINDOWS\system32\wmasf.dll
    2007-11-03 12:27 217,600 --a--c--- D:\WINDOWS\system32\dllcache\npdrmv2.dll
    2007-11-03 12:27 2,058,888 --a--c--- D:\WINDOWS\system32\dllcache\wmvcore.dll
    2007-11-03 12:26 65,536 --a------ D:\WINDOWS\wanmpsvc.exe
    2007-11-03 12:25 <REP> d-------- D:\Program Files\AOL 9.0 VR
    2007-11-03 12:18 <REP> d-------- D:\Program Files\DirectX9c
    2007-11-03 12:15 <REP> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
    2007-11-03 12:14 <REP> d-------- D:\DOCUME~1\GoraK\APPLIC~1\Talkback
    2007-11-03 12:11 <REP> d-------- D:\DOCUME~1\GoraK\APPLIC~1\AOL
    2007-11-03 12:10 173,184 --a------ D:\WINDOWS\system32\ygpss.scr
    2007-11-03 12:10 <REP> d-------- D:\WINDOWS\system32\QuickTime
    2007-11-03 12:10 <REP> d-------- D:\WINDOWS\occache
    2007-11-03 12:10 <REP> d-------- D:\Program Files\Viewpoint
    2007-11-03 12:10 <REP> d-------- D:\Program Files\QuickTime
    2007-11-03 12:10 <REP> d-------- D:\Program Files\Learn2.com
    2007-11-03 12:10 <REP> d-------- D:\Program Files\Fichiers communs\Nullsoft
    2007-11-03 12:10 <REP> d-------- D:\Program Files\Fichiers communs\aolback
    2007-11-03 12:10 <REP> d-------- D:\Program Files\AOL Toolbar
    2007-11-03 12:10 <REP> d-------- D:\DOCUME~1\GoraK\APPLIC~1\You've Got Pictures Screensaver
    2007-11-03 12:10 <REP> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
    2007-11-03 12:10 <REP> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
    2007-11-03 12:09 8,552 --a------ D:\WINDOWS\system32\drivers\asctrm.sys
    2007-11-03 12:09 <REP> d-------- D:\Program Files\Real
    2007-11-03 12:09 <REP> d-------- D:\Program Files\Fichiers communs\Real
    2007-11-03 12:09 <REP> d-------- D:\My Music
    2007-11-03 12:09 <REP> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-11-03 12:08 33,588 --a------ D:\WINDOWS\system32\drivers\wanatw4.sys
    2007-11-03 12:08 153,088 --a------ D:\WINDOWS\system32\jgdwmie.dll
    2007-11-03 12:08 <REP> d-------- D:\Program Files\Fichiers communs\aolshare
    2007-11-03 12:08 <REP> d-------- D:\Program Files\AOL 9.0
    2007-11-03 12:08 <REP> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
    2007-11-03 12:07 335 --a------ D:\WINDOWS\nsreg.dat
    2007-11-03 12:07 <REP> d-------- D:\Program Files\TechCity Solutions
    2007-11-03 12:07 <REP> d-------- D:\Program Files\Fichiers communs\AOL
    2007-11-03 12:03 743,136 --a------ D:\WINDOWS\system32\drivers\alcaudsl.sys


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-11-20 18:57 48616 --a------ D:\WINDOWS\system32\perfc00C.dat
    2007-11-20 18:57 367658 --a------ D:\WINDOWS\system32\perfh00C.dat
    2007-11-04 22:06 1008695 --a------ D:\WINDOWS\explorer.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
    "SpeedTouch USB Diagnostics"="D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15]
    "AOLSAV"="D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe" [2004-03-15 12:39]
    "AOLDialer"="D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe" [2007-06-21 11:01]
    "HostManager"="D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe" [2006-09-26 01:52]
    "!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
    "MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
    path=D:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
    backup=D:\WINDOWS\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    D:\WINDOWS\System32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
    D:\DOCUME~1\GoraK\LOCALS~1\Temp\winlogon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "D:\Program Files\QuickTime\qttask.exe" -atboottime

    R2 Distributed Allocated Memory Unit;Distributed Allocated Memory Unit;"D:\WINDOWS\system32\dllcache\mravsc32.exe"
    R3 P101bVID;Creative WebCam;D:\WINDOWS\System32\DRIVERS\P101bVid.sys
    R3 STAC97NA;SigmaTel 3D Environmental Audio;D:\WINDOWS\System32\drivers\stac97na.sys
    R3 STAC97NH;STAC97NH;D:\WINDOWS\System32\drivers\stac97nh.sys
    S2 Microsoft wscntfy Service;Microsoft wscntfy Service;"D:\WINDOWS\wscntfy.exe"
    S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);D:\WINDOWS\System32\DRIVERS\alcan5ln.sys
    S4 Microsoft Windows Video Driver;Microsoft Windows Video Driver;"D:\Program Files\Fichiers communs\System\MSWVR32.exe"


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-22 12:50:42
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-11-22 12:52:20 - machine was rebooted
    D:\ComboFix-quarantined-files.txt ... 2007-11-22 12:51
    D:\ComboFix2.txt ... 2007-11-06 19:41

    --- E O F ---


    And finally, the HijackThis report:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:54:02, on 22/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\System32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\WINDOWS\system32\dllcache\mravsc32.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\wanmpsvc.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
    D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
    D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\Documents and Settings\GoraK\Bureau\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = D:\Program Files\AOL Toolbar\welcome.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AOLSAV] D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
    O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Recherche AOL Toolbar - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr/
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - D:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Distributed Allocated Memory Unit - Unknown owner - D:\WINDOWS\system32\dllcache\mravsc32.exe
    O23 - Service: Microsoft wscntfy Service - Unknown owner - D:\WINDOWS\wscntfy.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

    --
    End of file - 5428 bytes
    22 November 2007 21:49:41

    good evening

    delete:
    D:\WINDOWS\system32\ba.exe

    mravsc32.exe is still present.
    for info:
    http://www.sophos.fr/security/analyses/w32rbotgua.html


    we'll remove it with another tool that handles this infection:

    This procedure should be printed out so that you can have it in front of you when you are in Safe Mode.

    Download SDFix (created by AndyManchesta) and save it to your Desktop.
    ***If the link doesn't work, try this one: http://download.bleepingcomputer.com/andymanchesta/SDFi... ***

    Double-click SDFix.exe and choose Install to extract it into a dedicated folder on the Desktop. Restart your computer in Safe Mode by following this procedure:
  • Restart your computer
  • After hearing the computer beep at startup, but before the Windows icon appears, tap the F8 key (one press per second).
  • Instead of Windows loading normally, a menu with different options should appear.
  • Choose the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your account.
    Go through the list of instructions below:
  • Open the SDFix folder that was just created in the C:\ directory and double-click RunThis.bat to launch the script.
  • Press Y to start the cleaning process.
  • It will remove the services and Registry entries of certain trojans it finds, then ask you to press a key to reboot.
  • Press a key to reboot the PC.
  • Your system will take longer than usual to restart because the tool will keep running and deleting files.
  • After the Desktop loads, the tool will finish its work and display Finished.
  • Press a key to finish running the script and load your Desktop icons.
  • Once the Desktop icons are displayed, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt.
  • Finally, copy/paste the contents of Report.txt into your next reply on the forum, along with a new HijackThis log!
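As an added, defender-side illustration of how the bad services were spotted in the logs above (this is not part of the thread and not code from HijackThis, ComboFix or SDFix): a small Python triage script that parses HijackThis O23 lines and ComboFix service lines and flags the ones showing the traits seen here. The heuristics, the directory lists and the sample excerpt are assumptions built from this thread's own logs.

```python
"""Triage of service loading points from HijackThis (O23) and ComboFix
service lines.  Added example, not code from the thread or from any of the
tools it uses; the heuristics are assumptions drawn from this thread's logs."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis: O23 - Service: <display> - <owner> - <path> [(file missing)]
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# ComboFix "Reg Loading Points": <R|S><n> <name>;<display>;<path>
CF_SVC = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")

# Directories a Windows service binary is never legitimately loaded from
# (heuristic list, chosen from what this thread's logs show).
UNUSUAL_DIRS = ("\\system32\\dllcache\\", "\\temp\\", "\\temporary internet files\\")
# Where binaries of genuine Microsoft services live on Windows XP (assumption).
MS_SYSTEM_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\(drivers\\)?[^\\]+$")


@dataclass
class Service:
    source: str            # "hijackthis" or "combofix"
    display: str
    owner: Optional[str]   # HijackThis publisher field; ComboFix has none
    path: str
    missing: bool = False  # HijackThis "(file missing)" marker


@dataclass
class Finding:
    display: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Service]:
    """Return a Service for a recognised log line, None for anything else."""
    line = line.strip()
    m = HJT_O23.match(line)
    if m:
        return Service("hijackthis", m["display"], m["owner"], m["path"],
                       m["missing"] is not None)
    m = CF_SVC.match(line)
    if m:
        # ComboFix quotes paths containing spaces; strip the quotes.
        return Service("combofix", m["display"] or m["name"], None, m["path"].strip('"'))
    return None


def is_drive_root(path: str) -> bool:
    """True for a file sitting directly in a drive root, e.g. D:\\xxhblxw.exe."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


def assess(svc: Service) -> List[str]:
    """Apply the heuristics; an empty list means nothing stood out."""
    p = svc.path.lower()
    reasons = []
    if any(d in p for d in UNUSUAL_DIRS) or is_drive_root(svc.path):
        reasons.append("binary loaded from a location no legitimate service uses")
    claims_ms = svc.display.lower().startswith(("microsoft", "windows"))
    if claims_ms and not MS_SYSTEM_RE.match(p):
        reasons.append("name imitates a Microsoft component but binary is outside the system directory")
    if claims_ms and svc.owner == "Unknown owner":
        reasons.append("claims to be Microsoft yet carries no publisher information")
    if svc.missing:
        reasons.append("loading point refers to a file that no longer exists (orphaned entry)")
    return reasons


def triage(log_lines) -> List[Finding]:
    """Parse every line, keep the services that trip at least one heuristic."""
    findings = []
    for line in log_lines:
        svc = parse_line(line)
        if svc is None:
            continue
        reasons = assess(svc)
        if reasons:
            findings.append(Finding(svc.display, svc.path, reasons))
    return findings


# Constructed excerpt: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - D:\WINDOWS\system32\dllcache\mravsc32.exe
O23 - Service: Microsoft wscntfy Service - Unknown owner - D:\WINDOWS\wscntfy.exe (file missing)
S4 Microsoft Windows Video Driver;Microsoft Windows Video Driver;"D:\Program Files\Fichiers communs\System\MSWVR32.exe"
R3 P101bVID;Creative WebCam;D:\WINDOWS\System32\DRIVERS\P101bVid.sys
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.display}  ->  {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The three entries the helper had to remove (mravsc32.exe in dllcache, the orphaned "Microsoft wscntfy Service", MSWVR32.exe under Fichiers communs) are the ones flagged; the ATI and webcam services, unknown owner or not, are left alone.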


    23 November 2007 12:38:14

    Hello,
    Here is the SDFix report followed by the HijackThis report:


    SDFix: Version 1.115

    Run by GoraK on 23/11/2007 at 11:53

    Microsoft Windows XP [version 5.1.2600]

    Running From: D:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    Distributed Allocated Memory Unit

    Path:
    "D:\WINDOWS\system32\dllcache\mravsc32.exe"

    Distributed Allocated Memory Unit - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    D:\WINDOWS\system32\dllcache\mravsc32.exe - Deleted
    D:\WINDOWS\system32\i - Deleted
    D:\WINDOWS\system32\o - Deleted




    Removing Temp Files...

    ADS Check:

    D:\WINDOWS
    No streams found.

    D:\WINDOWS\system32
    No streams found.

    D:\WINDOWS\system32\svchost.exe
    No streams found.

    D:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-23 11:57:01
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    D:\Documents and Settings\GoraK\Local Settings\Application Data\Microsoft\Messenger\frere____soyeux@jcssr.com\SharingMetadata\frerejesus@hotmail.fr\DFSR\Staging\CS{14BCE249-1281-2A1F-7B9E-3D8F24DDD7AF}\01\11-{14BCE249-1281-2A1F-7B9E-3D8F24DDD7AF}-v1-{D6622A09-5816-43AC-B6AE-25A6ED93C4F4}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 1


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    File Backups: - D:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Fri 9 Apr 2004 54,384 A..H. --- "D:\Program Files\AOL 9.0\aolphx.exe"
    Fri 9 Apr 2004 156,784 A..H. --- "D:\Program Files\AOL 9.0\aoltray.exe"
    Fri 9 Apr 2004 31,344 A..H. --- "D:\Program Files\AOL 9.0\RBM.exe"
    Thu 21 Jun 2007 46,384 A..H. --- "D:\Program Files\AOL 9.0 VR\AOLphx.exe"
    Thu 24 May 2007 54,832 A..H. --- "D:\Program Files\AOL 9.0 VR\AOLphxex.exe"
    Thu 24 May 2007 33,328 A..H. --- "D:\Program Files\AOL 9.0 VR\rbm.exe"
    Sat 3 Nov 2007 36,573 ..SHR --- "D:\Program Files\Fichiers communs\System\MSWVR32.exe"
    Sat 3 Nov 2007 96,072 ...H. --- "D:\Program Files\Fichiers communs\AOL\TopSpeed\3.0\WBUnins.exe"

    Finished!



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:59:30, on 23/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\System32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\wanmpsvc.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
    D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
    D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
    D:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
    D:\Documents and Settings\GoraK\Bureau\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.fr/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = D:\Program Files\AOL Toolbar\welcome.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AOLSAV] D:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
    O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] D:\Program Files\Fichiers communs\AOL\1194089131\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Recherche AOL Toolbar - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - D:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr/
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - D:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Microsoft wscntfy Service - Unknown owner - D:\WINDOWS\wscntfy.exe (file missing)
    O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

    --
    End of file - 5723 bytes
    23 November 2007 18:02:18

    perfect

    you are now going to replace Avast! with Antivir, which is a real antivirus; do a scan with it and post the report. :) 


    Uninstall Avast! properly


    To replace it with Antivir.

    -->Tutorial<--


    Why change?: Avast! vs Antivir
    24 November 2007 12:56:50

    Hello.
    The update couldn't be done because I don't have internet on the other PC for the moment... but here is the report anyway:


    AntiVir PersonalEdition Classic
    Report file date: samedi 24 novembre 2007 12:20

    Scanning for 1036370 virus strains and unwanted programs.

    Licensed to: Avira AntiVir PersonalEdition Classic
    Serial number: 0000149996-ADJIE-0001
    Platform: Windows XP
    Windows version: (Service Pack 1) [5.1.2600]
    Username: GoraK
    Computer name: GORUK

    Version information:
    BUILD.DAT : 269 15604 Bytes 10/09/2007 14:31:00
    AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
    AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
    LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
    LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
    ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 12:32:40
    ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 10/07/2007 12:32:46
    ANTIVIR2.VDF : 6.39.1.43 1542656 Bytes 25/08/2007 17:21:02
    ANTIVIR3.VDF : 6.39.1.51 29696 Bytes 28/08/2007 07:22:36
    AVEWIN32.DLL : 7.6.0.5 2789888 Bytes 29/08/2007 17:09:10
    AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
    AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
    AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
    AVPACK32.DLL : 7.3.0.15 360488 Bytes 03/08/2007 08:46:00
    AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
    AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
    AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
    NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
    RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
    RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

    Configuration settings for the scan:
    Jobname..........................: Local Hard Disks
    Configuration file...............: d:\program files\avira\antivir personaledition classic\alldiscs.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: off
    Scan boot sector.................: on
    Boot sectors.....................: D:,
    Scan memory......................: on
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: Intelligent file selection
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: samedi 24 novembre 2007 12:20

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'guard.exe' - '0' Module(s) have been scanned
    Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
    Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
    Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
    Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'avgas.exe' - '1' Module(s) have been scanned
    Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
    Scan process 'AOLDial.exe' - '1' Module(s) have been scanned
    Scan process 'AOLAgent.exe' - '1' Module(s) have been scanned
    Scan process 'dragdiag.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    32 processes with 32 modules were scanned

    Start scanning boot sectors:
    Boot sector 'C:\'
    [NOTE] No virus was found!
    Boot sector 'D:\'
    [NOTE] No virus was found!

    Starting to scan the registry.
    The registry was scanned ( '25' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    Begin scan in 'D:\'
    D:\pagefile.sys
    [WARNING] The file could not be opened!
    D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G1KFMHOL\wr[1].exe
    [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
    [INFO] The file was moved to '47a30ac9.qua'!
    D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QVMHQLAZ\if[1].exe
    [DETECTION] Is the Trojan horse TR/Crypt.U.Gen
    [INFO] The file was moved to '47a30ac2.qua'!
    D:\QooBox\Quarantine\D\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00001.dll.vir
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '47b50bc6.qua'!
    D:\QooBox\Quarantine\D\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00002.dll.vir
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '47b50bc9.qua'!


    End of the scan: samedi 24 novembre 2007 12:35
    Used time: 14:24 min

    The scan has been done completely.

    2161 Scanning directories
    78885 Files were scanned
    4 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    0 files were deleted
    0 files were repaired
    4 files were moved to quarantine
    0 files were renamed
    1 Files cannot be scanned
    78881 Files not concerned
    1964 Archives were scanned
    1 Warnings
    0 Notes

    I'll try to get a connection back up fairly quickly and run another scan
    24 November 2007 15:55:00

    Here's the report:

    AntiVir PersonalEdition Classic
    Report file date: Saturday 24 November 2007 13:55

    Scanning for 941284 virus strains and unwanted programs.

    Licensed to: Avira AntiVir PersonalEdition Classic
    Serial number: 0000149996-ADJIE-0001
    Platform: Windows XP
    Windows version: (Service Pack 1) [5.1.2600]
    Username: SYSTEM
    Computer name: GORUK

    Version information:
    BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
    AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
    AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
    LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
    LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
    ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 12:46:30
    ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 13/09/2007 12:46:30
    ANTIVIR2.VDF : 7.0.1.0 1393152 Bytes 23/11/2007 12:46:30
    ANTIVIR3.VDF : 7.0.1.4 11776 Bytes 23/11/2007 12:46:30
    AVEWIN32.DLL : 7.6.0.34 3125760 Bytes 24/11/2007 12:46:33
    AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
    AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
    AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
    AVPACK32.DLL : 7.3.0.15 360488 Bytes 03/08/2007 08:46:00
    AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
    AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
    AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
    NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
    RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
    RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

    Configuration settings for the scan:
    Jobname..........................: Complete system scan
    Configuration file...............: d:\program files\avira\antivir personaledition classic\sysscan.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: off
    Scan boot sector.................: on
    Boot sectors.....................: D:,
    Scan memory......................: on
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: All files
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
    Macro heuristic..................: on
    File heuristic...................: medium
    Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

    Start of the scan: Saturday 24 November 2007 13:55

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'guard.exe' - '0' Module(s) have been scanned
    Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
    Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
    Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
    Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'avgas.exe' - '1' Module(s) have been scanned
    Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
    Scan process 'AOLDial.exe' - '1' Module(s) have been scanned
    Scan process 'AOLAgent.exe' - '1' Module(s) have been scanned
    Scan process 'dragdiag.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Module is infected -> 'D:\WINDOWS\Explorer.EXE'
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned

    32 processes with 32 modules were scanned

    Start scanning boot sectors:
    Boot sector 'C:\'
    [NOTE] No virus was found!
    Boot sector 'D:\'
    [NOTE] No virus was found!

    Starting to scan the registry.

    The registry was scanned ( '21' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\ntlds
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was deleted!
    C:\ntlds.exe
    [DETECTION] Is the Trojan horse TR/StartPage.XA
    [INFO] The file was deleted!
    C:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP18\A0008417.exe
    [DETECTION] Is the Trojan horse TR/StartPage.XA
    [INFO] The file was moved to '477820d7.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0008549.exe
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '477820db.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0008560.exe
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '477820e0.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0008562.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '477820e3.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0008563.exe
    [DETECTION] Is the Trojan horse TR/Dldr.Agent.eta.11
    [INFO] The file was moved to '477820e8.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0008567.exe
    [DETECTION] Is the Trojan horse TR/Dldr.iBill.BC
    [INFO] The file was moved to '46f244f9.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009554.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '477820e9.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009555.exe
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '46f244fa.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009558.exe
    [DETECTION] Is the Trojan horse TR/Dldr.Agent.eta.11
    [INFO] The file was moved to '477820eb.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009560.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820ea.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009561.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244fb.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009562.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820ec.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009563.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244fc.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009564.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820ed.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009565.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244fe.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009566.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820ef.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009567.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244fd.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009568.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820ee.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009569.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e0.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009570.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f1.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009571.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e2.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009572.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244ff.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009573.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782110.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009574.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24501.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009575.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f3.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009576.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e4.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009577.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f5.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009578.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f0.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009579.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e1.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009580.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f2.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009581.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e3.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009582.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e6.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009583.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f7.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009584.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e8.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009585.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f4.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009586.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e5.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009587.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f6.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009588.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e7.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009589.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f9.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009590.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244ea.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009591.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820fb.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009592.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820f8.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0009593.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244e9.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0011579.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820fa.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0011580.exe
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '46f244eb.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0011582.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '46f244ec.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0011583.exe
    [DETECTION] Is the Trojan horse TR/Dldr.iBill.BC
    [INFO] The file was moved to '477820fd.qua'!
    C:\System Volume Information\_restore{EDF7B362-9377-4277-B355-ACB1307491D0}\RP11\A0011584.exe
    [DETECTION] Is the Trojan horse TR/Dldr.Agent.eta.10
    [INFO] The file was moved to '46f244ee.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000027.exe
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '477820fc.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000028.exe
    [DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
    [INFO] The file was moved to '46f244ed.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000029.exe
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '477820ff.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000031.exe
    [DETECTION] Is the Trojan horse TR/Dldr.iBill.BC
    [INFO] The file was moved to '46f24510.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000032.exe
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '47782101.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000033.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '477820fe.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000034.exe
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '46f244ef.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000035.exe
    [DETECTION] Is the Trojan horse TR/Dldr.iBill.BC
    [INFO] The file was moved to '46f244f1.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000036.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '46f24512.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000037.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782103.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000039.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24514.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000040.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820e2.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000041.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244f3.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000042.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820e4.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000043.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244f5.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000044.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782105.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000045.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24516.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000046.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782107.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000047.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '477820e6.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000048.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f244f7.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000049.exe
    [DETECTION] Is the Trojan horse TR/Dldr.iBill.BC
    [INFO] The file was moved to '47782112.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000050.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24503.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000051.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24518.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000052.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782109.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000053.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f2451a.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000054.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782100.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000055.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24511.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000056.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782102.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000057.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '4778210b.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000058.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f2451c.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000059.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '4778210d.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000060.exe
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '46f2451e.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000061.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24513.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000062.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782104.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000063.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24515.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000064.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '4778210f.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000065.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24500.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000066.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782111.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000067.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24502.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000068.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782106.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000069.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24517.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000070.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782108.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000071.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
    [INFO] The file was moved to '47782113.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000072.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24504.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000073.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '47782115.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000074.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '46f24506.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000075.exe
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '46f24519.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000076.exe
    [DETECTION] Contains detection pattern of the worm WORM/Zhelatin.Gen
    [INFO] The file was moved to '4778210a.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000077.exe
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '46f2451b.qua'!
    C:\System Volume Information\_restore{FFA2B673-7B59-48C6-A4F9-72E55C4004AA}\RP1\A0000078.exe
    [DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
    [INFO] The file was moved to '47782117.qua'!
    Begin scan in 'D:\'
    D:\pagefile.sys
    [WARNING] The file could not be opened!
    D:\Documents and Settings\GoraK\Bureau\ComboFix.exe
    [0] Archive type: RAR SFX (self extracting)
    --> nircmd.exe
    [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
    [INFO] The file was moved to '47b52165.qua'!
    D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G72L2ZC1\t[1].exe
    [DETECTION] Contains detection pattern of the worm WORM/SdBot.431616
    [INFO] The file was moved to '4779215d.qua'!
    D:\Program Files\Fichiers communs\System\MSWVR32.exe
    [DETECTION] Is the Trojan horse TR/PCK.PolyCrypt.D.486
    [INFO] The file was moved to '479f2208.qua'!
    D:\QooBox\Quarantine\D\WINDOWS\rundll32.exe.vir
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '47b622ff.qua'!
    D:\QooBox\Quarantine\D\WINDOWS\wscntfy.exe.vir
    [DETECTION] Contains detection pattern of the worm WORM/SdBot.431616
    [INFO] The file was moved to '47ab22fe.qua'!
    D:\QooBox\Quarantine\D\WINDOWS\system32\crehcjid.dll.vir
    [DETECTION] Is the Trojan horse TR/SpamBot.AD
    [INFO] The file was moved to '47ad22fd.qua'!
    D:\QooBox\Quarantine\D\WINDOWS\system32\mdm.exe.vir
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '47b522ef.qua'!
    D:\Rustbfix\avenger.exe
    [DETECTION] Contains detection pattern of the SPR/Avenger program
    [INFO] The file was moved to '47ad2302.qua'!
    D:\SDFix\backups\backups.zip
    [0] Archive type: ZIP
    --> backups/mravsc32.exe
    [DETECTION] Contains detection pattern of the worm WORM/Rbot.385536.3
    [INFO] The file was moved to '47ab22f0.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP13\A0005555.exe
    [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
    [INFO] The file was moved to '477822bf.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP14\A0005576.dll
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '477822c1.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP14\A0005577.dll
    [DETECTION] Is the Trojan horse TR/PWS.Sinowal.Gen
    [INFO] The file was moved to '46f246d2.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP14\A0005578.exe
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '477822c3.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP14\A0005579.dll
    [DETECTION] Is the Trojan horse TR/SpamBot.AD
    [INFO] The file was moved to '46f246d4.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP14\A0005580.exe
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '477822c2.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP14\A0005581.exe
    [DETECTION] Contains detection pattern of the worm WORM/SdBot.431616
    [INFO] The file was moved to '46f246d3.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP14\A0005635.exe
    [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
    [INFO] The file was moved to '477822c4.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP16\A0006248.exe
    [DETECTION] Is the Trojan horse TR/PCK.PolyCrypt.D.486
    [INFO] The file was moved to '477822d8.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP16\A0006250.exe
    [DETECTION] Contains detection pattern of the worm WORM/Rbot.385536.3
    [INFO] The file was moved to '477822d9.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP16\A0006258.exe
    [DETECTION] Contains detection pattern of the worm WORM/Rbot.385536.3
    [INFO] The file was moved to '46f246ca.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP18\A0008420.exe
    [0] Archive type: RAR SFX (self extracting)
    --> nircmd.exe
    [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
    [INFO] The file was moved to '477822e0.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP18\A0008421.exe
    [DETECTION] Is the Trojan horse TR/PCK.PolyCrypt.D.486
    [INFO] The file was moved to '46f246f1.qua'!
    D:\System Volume Information\_restore{8C163484-9D34-4153-A55E-789490632ABF}\RP18\A0008423.exe
    [DETECTION] Contains detection pattern of the SPR/Avenger program
    [INFO] The file was moved to '477822e2.qua'!
    D:\WINDOWS\explorer.exe
    [DETECTION] Is the Trojan horse TR/Patched.Explor.B
    [WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
    [WARNING] The file could not be deleted!
    D:\WINDOWS\NirCmd.exe
    [DETECTION] Contains detection pattern of the application APPL/NirCmd.1
    [INFO] The file was moved to '47ba2324.qua'!
    D:\WINDOWS\system32\gsvuror.exe
    [DETECTION] Contains detection pattern of the worm WORM/IrcBot.34816.7
    [INFO] The file was moved to '47be247f.qua'!
    D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CT274HU3\mmdmm[2].exe
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '47ac24b1.qua'!
    D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GXAZKLMR\mode[1].jpg
    [DETECTION] Is the Trojan horse TR/Dropper.Gen
    [INFO] The file was moved to '47ac24b4.qua'!


    End of the scan: samedi 24 novembre 2007 14:18
    Used time: 23:29 min

    The scan has been done completely.

    2198 Scanning directories
    80339 Files were scanned
    129 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    2 files were deleted
    0 files were repaired
    125 files were moved to quarantine
    0 files were renamed
    1 Files cannot be scanned
    80210 Files not concerned
    1966 Archives were scanned
    2 Warnings
    0 Notes


    Apparently there is a problem with "Explorer.exe", it keeps coming back...
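    As an added example (not part of the thread, and not the scanner's own tooling), here is a small Python script that parses the report format quoted above and turns the long list of "[DETECTION]" / "[INFO]" lines into a triage summary: which malware families were found, which files the scanner could not remove, and which hits sit in live system paths rather than in System Restore snapshots. The report embedded in the script is a constructed sample in the same layout as the log above; the GUID and quarantine ids are made up.

```python
"""Summarise an Avira-style scan report for manual triage.

Constructed example: the embedded report imitates the layout of the log
quoted in the thread, but its paths, GUID and quarantine ids are made up.
"""
import re
from collections import Counter

# Constructed sample report (same layout as the scanner output above).
SAMPLE_REPORT = """\
D:\\System Volume Information\\_restore{EXAMPLE-GUID}\\RP16\\A0006248.exe
[DETECTION] Is the Trojan horse TR/PCK.PolyCrypt.D.486
[INFO] The file was moved to '00000001.qua'!
D:\\WINDOWS\\explorer.exe
[DETECTION] Is the Trojan horse TR/Patched.Explor.B
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
D:\\WINDOWS\\NirCmd.exe
[DETECTION] Contains detection pattern of the application APPL/NirCmd.1
[INFO] The file was moved to '00000002.qua'!
D:\\WINDOWS\\system32\\gsvuror.exe
[DETECTION] Contains detection pattern of the worm WORM/IrcBot.34816.7
[INFO] The file was moved to '00000003.qua'!
"""

# A signature name looks like FAMILY/Name.Variant (TR/..., WORM/..., APPL/...).
DETECTION_RE = re.compile(r"^\[DETECTION\].*?\b([A-Z]+/[\w.]+)")
QUARANTINE_RE = re.compile(r"^\[INFO\] The file was moved to '([^']+)'!")
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a report entry starts with a drive path
RESTORE_MARKER = "\\system volume information\\_restore"


def parse_report(text):
    """Return one dict per detected file: path, signature, quarantine file
    (or None), whether removal failed, and whether it lives in a restore point."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {
                "path": line,
                "signature": None,
                "quarantine": None,
                "failed": False,
                "in_restore_point": RESTORE_MARKER in line.lower(),
            }
            entries.append(current)
            continue
        if current is None:
            continue                      # header lines before the first path
        m = DETECTION_RE.match(line)
        if m:
            current["signature"] = m.group(1)
            continue
        m = QUARANTINE_RE.match(line)
        if m:
            current["quarantine"] = m.group(1)
            continue
        if line.startswith("[WARNING]") and "could not be deleted" in line:
            current["failed"] = True
    # Keep only entries that actually carried a detection.
    return [e for e in entries if e["signature"]]


def summarize(entries):
    """Tally signatures by family prefix and split out what still needs a
    human: files the scanner could not remove, and hits in live Windows paths
    (restore-point copies are inert until a restore is performed)."""
    families = Counter(e["signature"].split("/", 1)[0] for e in entries)
    unresolved = [e["path"] for e in entries if e["failed"]]
    live_system = [
        e["path"] for e in entries
        if not e["in_restore_point"] and "\\windows\\" in e["path"].lower()
    ]
    return {
        "families": dict(families),
        "unresolved": unresolved,
        "live_system": live_system,
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    print("families:", report["families"])
    print("could not be removed:", report["unresolved"])
    print("live system paths hit:", report["live_system"])
```

    On the sample report this flags explorer.exe as the one detection the scanner could not remove, which is exactly the kind of finding that decides whether cleaning is still realistic: a patched system binary that cannot be replaced leaves the machine untrusted regardless of how many other files were quarantined.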
    24 Novembre 2007 17:25:48

    Is your version of XP legal?

    Go to this link: Virus Total
  • Click on Browse
  • Navigate to this file, if you can find it:

    D:\WINDOWS\Explorer.EXE

  • Click on Send file and let it work as long as "Current status: being analysed" is displayed.
  • The file may be queued because of a large number of analysis requests. In that case you will have to wait without refreshing the page.
  • When the analysis is finished ("Current status: finished"), click on Formatted
  • A new browser window will appear
  • Then click on this image:
  • Right-click on the page and choose Select all, then Copy
  • Finally, paste the result into your next reply.
    Note: whatever the result, it is important to send me the result of the whole analysis.
    Your security tools may react when the file is uploaded; in that case you will have to ignore the alerts.
    24 Novembre 2007 19:17:31

    It isn't there! Yet the alerts keep saying that a d:\windows\Explorer.exe (or explorer.exe, or Explorer.EXE) is bothering my PC. Whereas all I can find is an exploere.exe, an explorer.exe.bat and an explorer with no extension (file type: Windows Explorer Command)
    25 Novembre 2007 11:39:24

    Hello

    You haven't answered my question: cracked Windows?

    Quote:
    To display hidden system folders and files:
    Control Panel / Folder Options / View tab / check Show hidden files and folders, uncheck Hide extensions for known file types, uncheck Hide protected operating system files.

    Hidden system files and folders then appear in Windows Explorer as semi-transparent.



    25 Novembre 2007 13:24:13

    Hello,
    Indeed, I have a cracked version :$.
    I had already unchecked those boxes.
    25 Novembre 2007 14:07:11

    re
    As far as I'm concerned it's dead.

    The version has been cobbled together with an explorer file that should be legitimate (it is in its normal location).

    No way to repair it; we would blow up Windows.

    No other solution than buying a legal version, recovering your data and formatting...

    cracks/P2P
    27 Novembre 2007 15:11:40

    Hello,
    Well, anyway Windoze has given up... I'm falling back on Linux while I wait to get an official version of Windows...