Good evening all,
I need your help with an infection on a friend's PC:
after running a scan in safe mode with Antivir PE, I have a few worms sitting in the hidden folder "c:\_restore\temp" and I cannot eradicate them!!!!
So before going any further with the cleanup (hijackthis and co.), any help is welcome.
Thanks in advance.
Here are the 2 scan reports made with Antivir PE:
AntiVir PersonalEdition Classic
Report file date: Saturday 7 October 2006 20:26
Scanning for 522603 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows Me
Windows version: (plain) [4.90.3000]
Username: unknown
Computer name: OEMCOMPUTER
Version information:
AVSCAN.EXE : 7.0.0.47 196648 21/08/2006 10:06:50
AVSCAN.DLL : 7.0.0.45 41000 07/09/2006 10:51:52
LUKE.DLL : 7.0.0.47 110632 07/09/2006 10:32:30
LUKERES.DLL : 7.0.0.47 9256 07/09/2006 10:51:52
ANTIVIR0.VDF : 6.35.0.1 7371264 31/05/2006 10:35:12
ANTIVIR1.VDF : 6.36.0.89 1745920 02/10/2006 18:16:18
ANTIVIR2.VDF : 6.36.0.90 2048 02/10/2006 18:16:18
ANTIVIR3.VDF : 6.36.0.96 62976 06/10/2006 18:16:18
AVEWIN32.DLL : 7.2.0.25 1860096 07/10/2006 18:16:18
AVPREF.DLL : 7.0.0.2 17960 24/07/2006 12:35:38
AVREP.DLL : 6.36.0.79 569384 07/10/2006 18:16:18
AVRPBASE.DLL : 7.0.0.0 1544232 30/03/2006 08:42:44
AVPACK32.DLL : 7.2.0.0 360488 21/07/2006 06:00:30
AVREG.DLL : 6.31.0.90 25128 28/07/2005 10:06:12
NETNW.DLL : 7.0.0.0 9768 24/07/2006 12:35:40
RCIMAGE.DLL : 7.0.0.74 1642536 01/08/2006 11:22:52
RCTEXT.DLL : 7.0.1.4 77864 07/10/2006 18:16:12
Configuration settings for the scan:
Jobname.......................: Local Hard Disks
Configuration file............: C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\alldiscs.avp
Boot sectors..................: C
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 1
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Skipped archive types.........: 1000,1001,1002,1003,1004,1005,
Macro heuristic...............: 1
File heuristic................: 3
Primary action................: 1
Secondary action..............: 0
Start of the scan: Saturday 7 October 2006 20:26
The scan of running processes will be started
8 Processes were scanned
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Starting to scan the registry.
The registry was scanned ( 33 files ).
Starting the file scan:
C:\_RESTORE\TEMP\A0286374.CPY
[DETECTION] Contains signature of the worm WORM/Netsky.D.3
[WARNING] The file could not be deleted!
C:\WINDOWS\WIN386.SWP
[WARNING] The file could not be opened!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\GKMDQ5SQ\document_full.pif
[DETECTION] Contains signature of the worm WORM/Netsky.D.3
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\7QI1BLV5\Mail Delivery (failure jean.marc.berot.inard@freesbee.fr).dat
[DETECTION] Contains signature of the worm WORM/NetSky.P.Expl
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\31NCQWI9\ParisVoyeur[1].exe
[DETECTION] Contains signature of the dial-up program DIAL/45992.A
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\31NCQWI9\Mail Delivery (failure jean.marc.berot.inard@freesbee.fr).dat
[DETECTION] Contains signature of the worm WORM/NetSky.P.Expl
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\.dat
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\Re-essai.RB0
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\Re.RB0
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\Pour voir !!!.RB0
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\Re-essai (1).RB0
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\Pour voir !!! (1).RB0
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\ (1).RB0
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\BEST OF.RB0
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\V5LHP5QF\Re-essai (2).RB0
[DETECTION] Contains signature of the VBS script virus VBS/Kakworm.Tamem
[INFO] The file was deleted!
C:\WINDOWS\backup\T\61007000.DAT
[DETECTION] Contains signature of the worm WORM/Netsky.D.3
[INFO] The file was deleted!
C:\Program Files\Carpe Diem\PARISVOYEUR\PARISVOYEUR.EXE
[DETECTION] Contains signature of the dial-up program DIAL/45992.A
[INFO] The file was deleted!
C:\Program Files\Disney Interactive\Frère des Ours\System\WinKeyHook.dll
[DETECTION] Contains signature of the SPR/PSW.Hooker.A program
[INFO] The file was deleted!
End of the scan: Saturday 7 October 2006 21:54
Used time: 1:28:56 min
The scan has been done completely.
1970 Scanning directories
183933 Files were scanned
17 viruses and/or unwanted programs were found
16 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2670 Archives were scanned
2 Warnings
18 Notes
And the 2nd report:
AntiVir PersonalEdition Classic
Report file date: Saturday 7 October 2006 22:15
Scanning for 522603 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows Me
Windows version: (plain) [4.90.3000]
Username: unknown
Computer name: OEMCOMPUTER
Version information:
AVSCAN.EXE : 7.0.0.47 196648 21/08/2006 10:06:50
AVSCAN.DLL : 7.0.0.45 41000 07/09/2006 10:51:52
LUKE.DLL : 7.0.0.47 110632 07/09/2006 10:32:30
LUKERES.DLL : 7.0.0.47 9256 07/09/2006 10:51:52
ANTIVIR0.VDF : 6.35.0.1 7371264 31/05/2006 10:35:12
ANTIVIR1.VDF : 6.36.0.89 1745920 02/10/2006 18:16:18
ANTIVIR2.VDF : 6.36.0.90 2048 02/10/2006 18:16:18
ANTIVIR3.VDF : 6.36.0.96 62976 06/10/2006 18:16:18
AVEWIN32.DLL : 7.2.0.25 1860096 07/10/2006 18:16:18
AVPREF.DLL : 7.0.0.2 17960 24/07/2006 12:35:38
AVREP.DLL : 6.36.0.79 569384 07/10/2006 18:16:18
AVRPBASE.DLL : 7.0.0.0 1544232 30/03/2006 08:42:44
AVPACK32.DLL : 7.2.0.0 360488 21/07/2006 06:00:30
AVREG.DLL : 6.31.0.90 25128 28/07/2005 10:06:12
NETNW.DLL : 7.0.0.0 9768 24/07/2006 12:35:40
RCIMAGE.DLL : 7.0.0.74 1642536 01/08/2006 11:22:52
RCTEXT.DLL : 7.0.1.4 77864 07/10/2006 18:16:12
Configuration settings for the scan:
Jobname.......................: Manual Selection
Configuration file............: C:\WINDOWS\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Boot sectors..................: C
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 1
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Skipped archive types.........: 1000,1001,1002,1003,1004,1005,
Macro heuristic...............: 1
File heuristic................: 3
Primary action................: 1
Secondary action..............: 0
Start of the scan: Saturday 7 October 2006 22:15
The scan of running processes will be started
9 Processes were scanned
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Starting to scan the registry.
The registry was scanned ( 33 files ).
Starting the file scan:
C:\_RESTORE\TEMP\A0286374.CPY
[DETECTION] Contains signature of the worm WORM/Netsky.D.3
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0290522.CPY
[DETECTION] Contains signature of the dial-up program DIAL/45992.A
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0290523.CPY
[DETECTION] Contains signature of the SPR/PSW.Hooker.A program
[WARNING] The file could not be deleted!
C:\WINDOWS\WIN386.SWP
[WARNING] The file could not be opened!
End of the scan: Saturday 7 October 2006 22:21
Used time: 05:54 min
The scan has been canceled!
36 Scanning directories
3147 Files were scanned
3 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
209 Archives were scanned
4 Warnings
0 Notes
Infection with worms under Windows Millennium: how do I get rid of the restore files?
#1
Posted 07 October 2006 - 10:06
It's cold but it's no biiiiig deal!
Desktop: Asus P5NE-SLI motherboard / XP SP2 / NVidia 8800GTS 640MB / C2D E4300 @ 3033MHz / 4x1 GB Gskill Extreme HK PC6400 @4.4.3.5.2T
Laptop: Alienware M9750 // T7600@2.45 // SLI 7950GTX 512MB 575*700 // 4GB DDR2 667MHz // 160GB 7200rpm // XP Pro SP2 /// 3DM06 = 9118 (Nv 167.51)
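What a practitioner wants out of the two reports above is the split between what AntiVir actually removed and what is still on disk: the [INFO] "was deleted" entries versus the [WARNING] "could not be deleted" entries under C:\_RESTORE\TEMP (the second of which carries ErrorID 16003). The parser below is an added example written for this page; it is not part of the original post and not Avira's own tooling. The report it parses is a constructed sample modelled on the quoted format (paths shortened), and the ErrorID extraction assumes the "ErrorID: <number>" form shown in the second report.

```python
"""Parse an Avira AntiVir PersonalEdition scan report and separate
detections that were removed from those still on disk."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample modelled on the report format quoted in the thread
# (paths shortened; this is not a verbatim copy of the poster's log).
SAMPLE_REPORT = """\
Starting the file scan:
C:\\_RESTORE\\TEMP\\A0286374.CPY
[DETECTION] Contains signature of the worm WORM/Netsky.D.3
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\\WINDOWS\\WIN386.SWP
[WARNING] The file could not be opened!
C:\\WINDOWS\\Temporary Internet Files\\CONTENT.IE5\\GKMDQ5SQ\\document_full.pif
[DETECTION] Contains signature of the worm WORM/Netsky.D.3
[INFO] The file was deleted!
C:\\Program Files\\Disney Interactive\\Frere des Ours\\System\\WinKeyHook.dll
[DETECTION] Contains signature of the SPR/PSW.Hooker.A program
[INFO] The file was deleted!
End of the scan: Saturday 7 October 2006 21:54
"""

# Signature names in these reports look like FAMILY/Name (WORM/..., DIAL/..., VBS/..., SPR/...).
SIG_RE = re.compile(r"\b([A-Z]+/[\w.\-]+)")
# Assumption: the scanner reports failures as "ErrorID: <decimal>".
ERROR_RE = re.compile(r"ErrorID:\s*(\d+)")
# A report line naming a scanned object starts with a drive letter and backslash.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    path: str
    signature: str
    deleted: bool = False
    error_ids: list[int] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    @property
    def in_restore(self) -> bool:
        # Windows ME System Restore area; the poster could not delete anything here.
        return self.path.upper().startswith("C:\\_RESTORE\\")


def parse_report(text: str) -> list[Finding]:
    """Walk the report line by line: a path line opens a scanned object,
    a [DETECTION] line turns it into a Finding, and the [INFO]/[WARNING]
    lines that follow record what the scanner did with it."""
    findings: list[Finding] = []
    current_path: str | None = None
    current: Finding | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current_path, current = line, None
        elif line.startswith("[DETECTION]") and current_path:
            m = SIG_RE.search(line)
            current = Finding(current_path, m.group(1) if m else line)
            findings.append(current)
        elif current is not None:
            if line.startswith("[INFO]") and "deleted" in line:
                current.deleted = True
            elif line.startswith("[WARNING]"):
                current.warnings.append(line)
                err = ERROR_RE.search(line)
                if err:
                    current.error_ids.append(int(err.group(1)))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts plus the list of undeleted detections inside C:\\_RESTORE."""
    leftovers = [f for f in findings if not f.deleted]
    return {
        "total": len(findings),
        "deleted": len(findings) - len(leftovers),
        "not_deleted": len(leftovers),
        "still_in_restore": [f.path for f in leftovers if f.in_restore],
        "signatures": Counter(f.signature for f in findings),
    }


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        state = "deleted" if f.deleted else f"NOT deleted (errors {f.error_ids})"
        print(f"{f.signature:<20} {state:<28} {f.path}")
    print(summarize(found))
```

Point parse_report at the saved report text instead of SAMPLE_REPORT to run it on a real log; the still_in_restore list is then exactly the set of files the scanner could not remove from the System Restore area, which is the set this thread is about.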
#2
Posted 06 November 2006 - 07:48
Morning,
C:\_RESTORE is WinME's restore module. Known as a virus nest and a bloated contraption that takes up hundreds of MB. On top of that it is unreliable. But it is protected by Windows. There are dozens of other ways to back up the system disk/partition.
To delete the whole folder for good, the best option is to download SRRPRO and install it; then no more worries: http://www.google.fr/search?q=SRRPRO
Otherwise the procedure is simple under DOS (without Windows): boot the computer from a WinME floppy and at the prompt (waiting at A:>) type exactly and in sequence
ATTRIB -H -S -R C:\_RESTORE
DEL C:\_RESTORE
And presto, the whole folder is gone. But WinME will recreate it at every boot ... hence SRRPRO ...
This message was edited by O.Fournier - 06 November 2006 - 07:52.
Olive to friends ...
I'm a V.C. and I love it! So do they ...
...
I'm fed up with the land full of a....s! Hop, there are fewer of them at sea. _/) , let's go see the Albatrosses