
Blue screen at startup, except in "Last known good configuration" mode

Tags:
  • PC Config
  • Security
Last reply: in Security and viruses
16 August 2007 16:42:16

Hello,

After running a file that was most likely a virus, here are the symptoms I'm seeing.

Whether I start in Normal mode or Safe Mode, I get a blue screen on restart with the following message:
PAGE_FAULT_IN_NONPAGED_AREA 0x00000050(0XFF91xx66,0x00000000,0XFF91xx66,0x00000000).

On the other hand, when I start with the last known good configuration, I get into Windows BUT my antivirus is no longer there. When I try to install Avast, it starts the install and then the icons disappear. Same thing for Spybot or any other antivirus. Impossible to install.

I can't go back to a restore point because I no longer had 200 MB free on the C partition.

I tried a chkdsk /p /r but still nothing....

I had another PC on the network on which I had also run a file that I suppose is the cause, and it had similar symptoms, except that I could start in normal mode but not in Safe Mode. When I opened Add/Remove Programs, for example, I got a blue screen with 0x0000008E (0xC00000005,0x8060953A,0xA1F16788

After restoring to a restore point I was able to recover everything...

But what can I do for THIS PC? Here is my HijackThis log.

PS: I know it isn't on SP2, that Avast was on it, and I've read what you say about that. I tried to install Antivir but it won't install either.

Thank you for your help, I've been struggling with this for 2 days.


Logfile of HijackThis v1.99.1
Scan saved at 10:44, on 07-08-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Documents and Settings\Wise\Application Data\My-disgo\MyKey disgo.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\wincmd\WINCMD32.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.2001.0001\fr-be\msntb.dll
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\Wise\Application Data\My-disgo\MyKey disgo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O8 - Extra context menu item: Download Flash with Flash Capture - C:\Program Files\Flash Capture\dl.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Fichiers communs\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: Translator - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mod: C:\Program Files\Internet Explorer\PLUGINS\npmod32.dll
O16 - DPF: {29DFBD41-3B7D-4368-9021-894C5A30E054} (RemoteWeb Control) - http://211.62.253.87/CAB/RemoteWeb.cab
O16 - DPF: {3CA6DFF6-C6B0-11D4-8035-0050BF0BA18C} (BMSPX Control) - http://62.72.111.240/bmspx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?11387962...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2005111...all/xscan5...
O16 - DPF: {8FEED82A-42A6-4117-A803-7EC3EB9339E0} (ClientControl Class) - http://3emebureau.dyndns.org:81/plugin/client.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.1.81:81/plugin/h263ctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CA51253-CC9B-4B90-B076-9C52B3EACCA7}: NameServer = 195.238.2.21,195.238.2.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAA95B73-FFAE-47C5-B73D-B958859B2DEC}: NameServer = 195.238.2.21,195.238.2.22
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\Ctsvccda.exe (file missing)
O23 - Service: InteractiveLogon - Unknown owner - C:\WINDOWS\System32\Fast.exe (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\PROGRA~1\SERV-U\ServUDaemon.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


16 August 2007 17:42:14

After doing some research, I managed to get back into Safe Mode thanks to a "bootsafe" .reg file....

From there I was able to install Antivir, but I couldn't update it.

I launched it manually (from Explorer) because it didn't appear in the Windows menus.

It detected and removed a "bagle..." virus.

Indeed, looking up what this virus was, I recognised from the URL http://www.avira.com/en/threats/section/details/id_vir/3635/tr_dldr.bagle.bv.852.html that I had run that file.

Here is my HijackThis log again. Thanks for giving me your opinion on whether this virus is REALLY gone.

Thank you for your advice.

Logfile of HijackThis v1.99.1
Scan saved at 17:26, on 07-08-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\wincmd\WINCMD32.EXE
C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\AntiVir PersonalEdition Premium\avcenter.exe
C:\Program Files\AntiVir PersonalEdition Premium\avscan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - (no file)
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6E90A04C-50A3-45E7-9688-C8DB1116E877} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {8519CAA3-58C4-4B9B-8B06-1E9A94595D8A} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\fr-be\msntb.dll
O2 - BHO: (no name) - {C0FC795E-1477-443D-A436-85FD55EBA033} - (no file)
O2 - BHO: (no name) - {DD573442-1F45-4655-AAFC-3991EAC41110} - (no file)
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechCameraService(E)] "C:\WINDOWS\System32\ElkCtrl.exe" /automation
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download Flash with Flash Capture - C:\Program Files\Flash Capture\dl.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Fichiers communs\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: Translator - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mod: C:\Program Files\Internet Explorer\PLUGINS\npmod32.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 -
O16 - DPF: ConferenceRoom Java Client -
O16 - DPF: {00000000-0000-0000-0000-000020030000} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} -
O16 - DPF: {29DFBD41-3B7D-4368-9021-894C5A30E054} (RemoteWeb Control) - http://211.62.253.87/CAB/RemoteWeb.cab
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} -
O16 - DPF: {3CA6DFF6-C6B0-11D4-8035-0050BF0BA18C} (BMSPX Control) - http://62.72.111.240/bmspx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls...
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} -
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) -
O16 - DPF: {69F62FC3-3FEC-4073-BF33-5C64401C0E5D} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2005111401/housecall...
O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {8FEED82A-42A6-4117-A803-7EC3EB9339E0} (ClientControl Class) - http://3emebureau.dyndns.org:81/plugin/client.cab
O16 - DPF: {98264495-6376-443C-9340-2996038BD143} (VaCtrl Class) -
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.1.81:81/plugin/h263ctrl.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} -
O16 - DPF: {C79D3167-6133-4E7C-821C-5C114611022D} (CamImage Class) -
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {CE1F3566-6BB9-4B67-BC87-9CB46DAE0A3C} -
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CA51253-CC9B-4B90-B076-9C52B3EACCA7}: NameServer = 195.238.2.21,195.238.2.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAA95B73-FFAE-47C5-B73D-B958859B2DEC}: NameServer = 195.238.2.21,195.238.2.22
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: gebcc - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: winwym32 - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\Ctsvccda.exe (file missing)
O23 - Service: InteractiveLogon - Unknown owner - C:\WINDOWS\System32\Fast.exe (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\PROGRA~1\SERV-U\ServUDaemon.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
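The two HijackThis logs above are read by eye for a few recurring patterns: Winlogon Notify (O20) entries whose "DLL" is just C:\WINDOWS\, services (O23) whose binary is "(file missing)", BHOs (O2) with "(no file)", ActiveX downloads (O16) pulled from a raw IP address or a non-standard port, and autoruns (O4) started from inside a user profile. The script below is an added example written for this page; it is not a tool posted in the thread and is not part of HijackThis. It encodes those checks and runs them over a constructed excerpt of lines copied from the two logs; the reason strings and function names are this example's own.

```python
"""Triage a HijackThis 1.99 log for the entry patterns discussed in this thread.

Added example, not code from the original posts or from HijackThis itself.
The heuristics mark entries worth a question, not verdicts: LogMeIn, VNC,
Serv-U and No-IP are all legitimate remote-access software that only the
machine's owner can confirm as intended.
"""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the two logs posted above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\Wise\Application Data\My-disgo\MyKey disgo.exe
O16 - DPF: {29DFBD41-3B7D-4368-9021-894C5A30E054} (RemoteWeb Control) - http://211.62.253.87/CAB/RemoteWeb.cab
O16 - DPF: {8FEED82A-42A6-4117-A803-7EC3EB9339E0} (ClientControl Class) - http://3emebureau.dyndns.org:81/plugin/client.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls...
O20 - Winlogon Notify: gebcc - C:\WINDOWS\
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\PROGRA~1\SERV-U\ServUDaemon.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# "O20 - rest of line": section code, then the entry body.
LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
IPV4_URL_RE = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?/", re.I)
PORT_URL_RE = re.compile(r"^https?://[^/]+:(\d+)/", re.I)


def parse(log_text):
    """Yield (section, body) for every HijackThis entry line in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def classify(section, body):
    """Return a reason string if the entry deserves a closer look, else None."""
    if section == "O20":
        # "Winlogon Notify: name - C:\WINDOWS\": the DLL path has collapsed to a
        # bare directory, so the notify package has no visible file behind it.
        _, _, path = body.partition(" - ")
        if path.endswith("\\"):
            return "Winlogon Notify package without a DLL file name"
    elif section == "O23" and body.endswith("(file missing)"):
        return "service registered for a binary that is no longer on disk"
    elif section == "O2" and body.endswith("(no file)"):
        return "BHO registration without a DLL on disk"
    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        if IPV4_URL_RE.match(url):
            return "ActiveX control downloaded from a raw IP address"
        m = PORT_URL_RE.match(url)
        if m and m.group(1) not in ("80", "443"):
            return "ActiveX control downloaded from a non-standard port"
    elif section == "O4":
        low = body.lower()
        if "\\documents and settings\\" in low or "\\application data\\" in low:
            return "autorun launched from a user profile directory"
    return None


def triage(log_text):
    """Group the flagged entries by reason; returns {reason: [entry, ...]}."""
    findings = defaultdict(list)
    for section, body in parse(log_text):
        reason = classify(section, body)
        if reason:
            findings[reason].append(f"{section} - {body}")
    return dict(findings)


if __name__ == "__main__":
    for reason, entries in triage(SAMPLE_LOG).items():
        print(reason)
        for entry in entries:
            print("   ", entry)
```

Run against the excerpt it flags six of the ten lines: the gebcc Winlogon Notify entry, the orphaned Serv-U service, the fileless BHO, the two ActiveX controls fetched from 211.62.253.87 and from dyndns.org:81, and the autorun in the Wise profile's Application Data. The "(file missing)" rule is exactly what prompted the helper's "how many antivirus programs do you have?!" on the second log, where the avast!, Norton, NOD32 and Symantec service entries all point at binaries that are gone.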



a b 8 Security
16 August 2007 17:43:21

Hello,

How many antivirus programs do you have?!
16 August 2007 17:52:28

Hello,
at the moment I only have one installed.

Indeed, this PC has been running the same Windows install for more than 5 years.

Reading your question, I wondered why you were asking, but I've just understood on seeing the end of the HijackThis log....

But apparently there are leftovers from all the antivirus programs I've tried...

If there are solutions to uninstall each antivirus cleanly, I'm interested (such as a link I had found for uninstalling Avast).

Now, is the Bagle virus eradicated?... I no longer see any symptoms, since starting in NORMAL mode is finally possible, but during the Antivir scan, still in progress, it keeps detecting files infected by Bagle..

Thank you for your answers and your attention.
a b 8 Security
16 August 2007 17:54:04

Re,

Download BlackLight (F-Secure), click "I ACCEPT" at the bottom of the page:
Click the first "Download" to download the program
Save it to your Desktop
Double-click fsbl.exe and accept the licence; click Scan then Next.

At the end of the scan, DON'T TOUCH ANYTHING!

You will see a report on your Desktop named fsbl.xxxxxxx.log (the xxxxxxx are digits).
We need to analyse this report, so close BlackLight.

Post the report on the forum.

HELP: BlackLight tutorial (Malekal)
16 August 2007 17:58:14

Thanks for your help.

Here is what you asked for:

08/16/07 17:55:49 [Info]: BlackLight Engine 1.0.64 initialized
08/16/07 17:55:49 [Info]: OS: 5.1 build 2600 ()
08/16/07 17:55:49 [Note]: 7019 4
08/16/07 17:55:49 [Note]: 7005 0
08/16/07 17:56:05 [Note]: 7006 0
08/16/07 17:56:05 [Note]: 7011 1340
08/16/07 17:56:05 [Note]: 7026 0
08/16/07 17:56:05 [Note]: 7026 0
08/16/07 17:56:13 [Note]: FSRAW library version 1.7.1022
08/16/07 17:56:43 [Note]: 2000 1012
a b 8 Security
16 August 2007 18:02:23

Can you post the Antivir report?
16 August 2007 18:05:29

I hope this is it:



AntiVir PersonalEdition Premium
Report file date: 07-08-16 17:22

Scanning for 1025692 virus strains and unwanted programs.

Licensed to: Wise3
Serial number: ********-*****-****
Platform: Windows XP
Windows version: (plain) [5.1.2600]
Username: Wise
Computer name: ATHLON

Version information:
BUILD.DAT : 287 15691 Bytes 10/05/2007 12:16:00
AVSCAN.EXE : 7.0.4.15 282664 Bytes 16/08/2007 15:15:56
AVSCAN.DLL : 7.0.4.4 33832 Bytes 27/03/2007 11:31:56
LUKE.DLL : 7.0.4.11 143400 Bytes 27/03/2007 11:26:06
LUKERES.DLL : 7.0.4.0 10280 Bytes 19/03/2007 11:19:00
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 13:08:58
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 10/07/2007 15:16:06
ANTIVIR2.VDF : 6.39.0.226 1223680 Bytes 10/08/2007 15:16:06
ANTIVIR3.VDF : 6.39.1.10 232960 Bytes 16/08/2007 15:16:06
AVEWIN32.DLL : 7.4.1.62 2724352 Bytes 16/08/2007 15:16:20
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 09:36:28
AVPREF.DLL : 7.0.2.1 24616 Bytes 27/03/2007 11:31:52
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 12:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 16/08/2007 15:16:20
AVREG.DLL : 7.0.1.2 31784 Bytes 15/03/2007 08:05:10
AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 27/03/2007 11:16:06
AVARKT.DLL : 1.0.0.17 278568 Bytes 16/08/2007 15:15:56
NETNT.DLL : 7.0.0.0 7720 Bytes 8/03/2007 10:09:44
RCIMAGE.DLL : 7.0.1.15 2461736 Bytes 13/03/2007 10:07:54
RCTEXT.DLL : 7.0.45.0 86056 Bytes 19/03/2007 12:02:46

Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: C:\Program Files\AntiVir PersonalEdition Premium\alldrives.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: J:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 07-08-16 17:22

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avmailc.exe' - '1' Module(s) have been scanned
Scan process 'avesvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'WINCMD32.EXE' - '1' Module(s) have been scanned
Scan process 'EliBaglA.exe' - '1' Module(s) have been scanned
Scan process 'LogMeInSystray.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'WINVNC4.EXE' - '1' Module(s) have been scanned
Scan process 'WDFMGR.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'NVSVC32.EXE' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '1' Module(s) have been scanned
Scan process 'RAMAINT.EXE' - '1' Module(s) have been scanned
Scan process 'CDANTSRV.EXE' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'DEVLDR32.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( '9' files ).


Starting the file scan:

Begin scan in 'C:\' <DISK1_VOL1>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\srosa.sys
[DETECTION] Contains signature of the worm WORM/Bagle.SSG
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\pci32.sys
[DETECTION] Contains signature of the worm WORM/Bagle.CE.SYS
[INFO] The file was deleted!
C:\WINDOWS\exefnd\128027437.exe
[DETECTION] Contains signature of the worm WORM/Bagle.CE
[INFO] The file was deleted!
C:\WINDOWS\exefnd\314546.exe
[DETECTION] Contains signature of the worm WORM/Bagle.CE
[INFO] The file was deleted!
C:\System Volume Information\_restore{1E948F4A-AD14-477C-AF49-501B72FF6F55}\RP4\A0001211.exe
[DETECTION] Is the Trojan horse TR/ServU.HR.2
[INFO] The file was deleted!
C:\System Volume Information\_restore{1E948F4A-AD14-477C-AF49-501B72FF6F55}\RP4\A0001213.sys
[DETECTION] Contains signature of the worm WORM/Bagle.SSG
[INFO] The file was deleted!
C:\System Volume Information\_restore{1E948F4A-AD14-477C-AF49-501B72FF6F55}\RP4\A0001214.sys
[DETECTION] Contains signature of the worm WORM/Bagle.CE.SYS
[INFO] The file was deleted!
C:\System Volume Information\_restore{1E948F4A-AD14-477C-AF49-501B72FF6F55}\RP4\A0001215.exe
[DETECTION] Contains signature of the worm WORM/Bagle.CE
[INFO] The file was deleted!
C:\System Volume Information\_restore{1E948F4A-AD14-477C-AF49-501B72FF6F55}\RP4\A0001216.exe
[DETECTION] Contains signature of the worm WORM/Bagle.CE
[INFO] The file was deleted!
Begin scan in 'D:\' <DISK1_VOL2>
D:\System Volume Information\_restore{1E948F4A-AD14-477C-AF49-501B72FF6F55}\RP4\A0000009.dll
[DETECTION] Is the Trojan horse TR/Agent.ZS.2
[INFO] The file was deleted!
D:\System Volume Information\_restore{1E948F4A-AD14-477C-AF49-501B72FF6F55}\RP4\A0000010.exe
[DETECTION] Contains signature of the dropper DR/Inject.BA
[INFO] The file was deleted!
D:\Kazaa\002.part
[0] Archive type: RAR
--> Netcam Watcher Professional v1.7.5.25 Final\Crack\Crack_ttdown.com.exe
[DETECTION] The file name contains an executable file extension disguised as a harmless one HEUR-DBLEXT/Crypted
[INFO] The file was deleted!
Begin scan in 'E:\' <DISK1_VOL3>
Begin scan in 'A:\'
Search path A:\ could not be opened!
The device is not ready.

Begin scan in 'J:\'
Search path J:\ could not be opened!
The device is not ready.



End of the scan: 07-08-16 17:53
Used time: 31:21 min

The scan has been done completely.

3628 Scanning directories
203985 Files were scanned
12 viruses and/or unwanted programs were found
1 classified as suspicious:
12 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
203972 Files not concerned
1528 Archives were scanned
1 Warnings
57 Notes
0 Hidden objects were found
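Whether the worm is "REALLY gone" depends on where each detected file lived, and the helper's next question ("do the files come back?") is answered by comparing two scans. The script below is an added example written for this page; it is not Avira's tooling and was not posted in the thread. It parses a constructed excerpt copied from the report above, sorts each detection by location (kernel driver in system32\drivers, loose file, restore-point copy under System Volume Information, or member of an archive) and reports which paths recur between two reports. The second, detection-free report stands in for the re-scan the poster ran afterwards; its content is an assumption, the thread only says no Bagle was seen.

```python
"""Sort the detections in an AntiVir report by where the file lived, and
compare two reports to see what came back.

Added example for this thread, not code from the posts or from Avira.
"""
import re
from collections import Counter

# Constructed excerpt: detection lines copied from the report posted above.
REPORT_FIRST = r"""
Begin scan in 'C:\' <DISK1_VOL1>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\srosa.sys
[DETECTION] Contains signature of the worm WORM/Bagle.SSG
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\pci32.sys
[DETECTION] Contains signature of the worm WORM/Bagle.CE.SYS
[INFO] The file was deleted!
C:\WINDOWS\exefnd\128027437.exe
[DETECTION] Contains signature of the worm WORM/Bagle.CE
[INFO] The file was deleted!
C:\System Volume Information\_restore{1E948F4A-AD14-477C-AF49-501B72FF6F55}\RP4\A0001213.sys
[DETECTION] Contains signature of the worm WORM/Bagle.SSG
[INFO] The file was deleted!
Begin scan in 'D:\' <DISK1_VOL2>
D:\Kazaa\002.part
[0] Archive type: RAR
--> Netcam Watcher Professional v1.7.5.25 Final\Crack\Crack_ttdown.com.exe
[DETECTION] The file name contains an executable file extension disguised as a harmless one HEUR-DBLEXT/Crypted
[INFO] The file was deleted!
"""

# Constructed stand-in for the re-scan (assumed clean; the thread gives no report).
REPORT_RESCAN = r"""
Begin scan in 'C:\' <DISK1_VOL1>
C:\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <DISK1_VOL2>
"""

PATH_RE = re.compile(r"^[A-Z]:\\")


def parse_detections(report):
    """Return [(path, verdict), ...], one pair per [DETECTION] line.

    A path line names the file being scanned; a following '--> member' line
    names an entry inside that file when it is an archive.
    """
    detections = []
    container = None
    member = None
    for raw in report.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            container, member = line, None
        elif line.startswith("--> "):
            member = line[4:]
        elif line.startswith("[DETECTION]"):
            path = f"{container} --> {member}" if member else container
            detections.append((path, line[len("[DETECTION]"):].strip()))
    return detections


def locate(path):
    """Say where a detected file lived; that decides how much it mattered."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore point copy"   # dormant unless System Restore reinstates it
    if " --> " in path:
        return "inside archive"       # inert until extracted and run
    if "\\drivers\\" in low and low.endswith(".sys"):
        return "kernel driver"        # loaded at boot: this was active on the machine
    return "loose file"


def summarize(report):
    """Count detections per location class."""
    return Counter(locate(path) for path, _ in parse_detections(report))


def recurring(first, second):
    """Paths detected in both reports, i.e. files recreated after deletion."""
    seen_first = {path for path, _ in parse_detections(first)}
    seen_second = {path for path, _ in parse_detections(second)}
    return seen_first & seen_second


if __name__ == "__main__":
    for where, count in summarize(REPORT_FIRST).items():
        print(f"{count:2d}  {where}")
    print("recurring after re-scan:", recurring(REPORT_FIRST, REPORT_RESCAN) or "none")
```

On the excerpt this gives two kernel drivers (srosa.sys and pci32.sys, the entries that mattered, since a driver in system32\drivers is loaded at every boot), one loose file, one restore-point copy and one archive member; nothing recurs against the assumed-clean re-scan. In the full report above, seven of the twelve deletions are restore-point copies, which is why the helper's question is the right one: only a rescan after a reboot shows whether the drivers and the exefnd files are recreated.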

a b 8 Security
16 August 2007 18:09:10

Do the files come back?
16 August 2007 18:10:43

I'm running the scan again to see
16 August 2007 19:07:13

No more Bagle in sight in the latest Antivir report.

Thanks again for the help.